TFTP uploads failing

Question

I am running TFTPD via xinetd on a Centos 5.4 server. I am able to access files via tftp fine, so I know the service is running ok. However, whenever I try and upload a file I get a 0 Permission denied message.

I have already created the file in /tftpboot and set the permissions to 666.

My tftpd config has verbose logging (-vvvv), but all I see in my /var/log/messages is:

START: tftp pid=20383 from=192.168.77.4

I have seen some mention that SELinux can prevent TFTPD uploads, but I'd expect to see something in the logs. I have SELinux set in permissive mode.

Any ideas?

Ok - I've now tested running outside of xinetd using the following command: in.tftpd -l -c -v -u root -s /tftpboot This seems to work ok. However, when running with the following xinetd config, which I believe does the same thing, I get the same error with writing files. — dunxd, Jan 26 '10 at 11:51
Aha - a bit of a breakthrough. I installed auditd, and things started to appear in the audit log relating to tftp. I then used grep tftp /var/log/audit/audit.log | audit2allow -M tftpwrite to generate a SELinux rule to allow tftp to write. I then applied this with semodule -i tftpwrite.pp and restarted xinetd. Now I am able to save over existing files, which gets me some of the way there. I am still unable to create new files, despite the presence of the -c flag in the config for xinetd. Would be nice to be able to create from network devices saving their config via TFTP. — dunxd, Jan 26 '10 at 11:56
Nice discussion on some of this here - http://grimwell.wikispaces.com/tftpd — dunxd, Jan 26 '10 at 12:04

score 4 · Accepted Answer · answered Jan 26 '10 at 12:17

Followed the info at http://grimwell.wikispaces.com/tftpd, paying particular attention to "rinse and repeat" in order to get the selinux policies in place. After a few attempts it all started working - uploading, and creation of new files.

In short:

make sure you have audit installed in centos otherwise SELinux may not log anything!
make sure your xinetd.d/tftpd has -c -v -s /tftpboot in the server args line
make sure that the directory tftp will be writing to has 777 permissions
do a tftp localhost and try to put a file in the directory
touch a file in the directoy, chmod 666 it, and then via tftp localhost, try and overwrite the file
do grep tftp /var/log/audit/audit.log | audit2allow -m tftpwrite to create a selinux policy. Make sure that the policy includes write and create lines. If not, try writing and creating again to generate alerts in the audit log and try again.
create an installable policy using grep tftp /var/log/audit/audit.log | audit2allow -M tftpwrite then install it using semodule -i tftpwrite.pp
service xinetd reload and try using tftp.

Splendid. Hope others find this useful!

score 4 · Answer 2 · answered Apr 29 '10 at 23:17

I found another, better solution to this problem. I couldn't believe that the people who wrote the selinux policy files didn't think that people would need tftp uploads so I did some digging. I couldn't find anything on the internet that isn't already referenced here but by searching the selinux policy I was able to find another security context already on the system for tftp writes. Changing the context of /tftpboot fixed the problem.

# sesearch -a | grep tftpdir  |grep tftpd_
   allow tftpd_t tftpdir_t : file { read getattr }; 
   allow tftpd_t tftpdir_t : dir { read getattr search }; 
   allow tftpd_t tftpdir_t : lnk_file { read getattr }; 
   allow tftpd_t tftpdir_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow tftpd_t tftpdir_rw_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; 
   allow tftpd_t tftpdir_rw_t : lnk_file { read create getattr setattr unlink link rename }; 
# ls -Z /tftpboot/ -a
drwxrwxrwx  root root system_u:object_r:tftpdir_t      .
drwxr-xr-x  root root system_u:object_r:root_t         ..
# chcon -t tftpdir_rw_t /tftpboot
# ls -Z /tftpboot/ -a
drwxrwxrwx  root root system_u:object_r:tftpdir_rw_t   .
drwxr-xr-x  root root system_u:object_r:root_t         ..

Nice digging! Would it be necessary to do the same procedure for subdirectories of tftpboot? — dunxd, Apr 30 '10 at 10:28

score 3 · Answer 3 · answered Jan 25 '10 at 14:08

Are you starting tftpd with the -s option? Some clients may be expecting this, e.g. uploading a file called foo to /foo is really intended for /tftpboot/foo on the server. Adding -s /tftpboot essentially tells the server to do a "chroot" to that directory.

Try running tftpd manually, e.g. not via xinetd, and see what the output is. You can also try running it with strace to see exactly which files it is attempting to open and which systems calls it is making.

Double check /etc/hosts.allow and /etc/hosts.deny to make sure traffic is being allowed into the server.

With respect to SELinux, depending on how your system is configured it may be logging to /var/log/audit/audit.log if you have enabled auditd. See section 5 of this page.

Unfortunately I do have the -s flag set. Reading files works just fine, so connectivity is functioning. There is no /var/log/audit/audit.log. Not familiar with strace - I guess that is the next thing to try. — dunxd, Jan 26 '10 at 08:46

TFTP uploads failing

3 Answers3