[CentOS] Can TFTPD run in a chroot jail?

Sun Jan 13 19:22:50 UTC 2008
mouss <mlist.only at free.fr>

Eric B. wrote:
> Hi,
> 
> I've been struggling with this problem for the last couple of hours and am 
> nowhere near solving the problem.  I am trying to run a tftp server in a 
> chroot jail.  Now perhaps I am being paranoid, but I would like to have it 
> launched from within its own jail even if it supposedly does a chroot itself 
> and runs with a parameterizable user.

There is only one chroot under unix (you can't chroot from the shell and
then again in the daemon).

If a service implements chroot correctly, then it is better to use it
(because it can load the necessary stuff before, so you don't need to
copy a whole system to the jail).

> 
> I downloaded the atftp-server package and tried to set up my own tftpd jail. 
> I copied over the linked libs to the proper place, the /etc/passwd, 
> /etc/groups, /etc/hosts, /etc/nsswitch.conf, /etc/resolv, /etc/services 
> files.  I even created the dev/null device and set up syslog to read from 
> the jail/dev/log device.
> 
> However, I can't seem to launch it from within the jail.  It works fine when 
> I try from the regular prompt, but when I try to launch from within the 
> jail, it doesn't want to start:
> 
> [root at apollo tftpd]# /usr/sbin/chroot /chroot/tftpd/ /usr/sbin/atftpd --daemon --no-fork
> 
> in /var/log/messages:
> Jan 12 23:09:02 apollo atftpd[17479]: atftpd: udp/tftp, unknown service
> 
> 
> So it apparently is unable to read my /chroot/tftpd/etc/services file.  If I 
> set the port number manually:
> [root at apollo tftpd]# /usr/sbin/chroot /chroot/tftpd/ /usr/sbin/atftpd --daemon --no-fork --port 69 -user eric.eric
> 
> Jan 12 23:16:05 apollo atftpd[17556]: atftpd: can't change identity to 
> eric.eric, exiting.
> 
> 
> I know the tftpd daemon is able to read the /chroot/tftpd/etc/ directory as 
> it is properly reading my /etc/localtime file (if i remove /etc/localtime 
> the logged timestamp changes).
> 
> Can anyone point me in the right direction as to things to try?  I've tried 
> everything I can think of, and even then some things, but just can't figure 
> it out...
> 
> Thanks!
> 
> Eric
> 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
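The order of operations mouss describes (let the daemon resolve what it needs from the host's /etc first, then chroot, then drop privileges) is shown below as an added example; it is not code from the thread, from atftpd, or from CentOS. On glibc, `getpwnam()` and `getservbyname()` are answered by NSS modules such as `libnss_files.so.2` that are loaded at runtime and do not appear in `ldd` output, so a jail that contains the copied `/etc` files but not those modules yields exactly the "unknown service" and "can't change identity" failures quoted above. Doing the lookups before `chroot()` avoids the problem entirely. The jail path `/chroot/tftpd` and the user `nobody` are placeholders taken from the discussion and from convention; `enter_jail()` needs root to succeed and is written to fail cleanly otherwise.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netdb.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: resolve everything that depends on the host's /etc files and NSS
 * modules (passwd, services) while still outside the jail.
 * Returns 0 on success, -1 if the user is unknown. */
int resolve_identity(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;              /* this is the "can't change identity" case */
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Look up a service port (returned in host byte order); fall back to a fixed
 * port when the name is unknown (the "udp/tftp, unknown service" case). */
int resolve_service_port(const char *service, const char *proto, int fallback)
{
    struct servent *se = getservbyname(service, proto);
    if (se == NULL)
        return fallback;
    return ntohs((uint16_t)se->s_port);
}

/* Step 2: chroot, then drop privileges, then verify they cannot be regained.
 * Requires root to succeed; returns -1 with errno set otherwise. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chdir(root) == -1)          /* fails early if the jail does not exist */
        return -1;
    if (chroot(".") == -1)          /* chroot to the directory we are now in */
        return -1;
    if (chdir("/") == -1)           /* never keep a cwd outside the new root */
        return -1;
    if (setgroups(0, NULL) == -1)   /* drop supplementary groups first */
        return -1;
    if (setgid(gid) == -1)          /* gid before uid, while we may still set it */
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Paranoia check: after a correct drop, root must not be regainable. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical jail path and user; override on the command line. */
    const char *root = argc > 1 ? argv[1] : "/chroot/tftpd";
    const char *user = argc > 2 ? argv[2] : "nobody";
    uid_t uid;
    gid_t gid;

    if (resolve_identity(user, &uid, &gid) == -1) {
        fprintf(stderr, "unknown user %s\n", user);
        return 1;
    }
    int port = resolve_service_port("tftp", "udp", 69);
    printf("resolved %s -> uid %u gid %u, tftp/udp -> port %d (before chroot)\n",
           user, (unsigned)uid, (unsigned)gid, port);

    /* A real daemon would also bind its privileged socket (port 69) here,
     * while it still has root and is still outside the jail. */

    if (enter_jail(root, uid, gid) == -1) {
        fprintf(stderr, "enter_jail(%s): %s\n", root, strerror(errno));
        return 1;
    }
    printf("now running as uid %u inside %s\n", (unsigned)getuid(), root);
    return 0;
}
```

The sequence matters: the `setgroups()` call goes before `setgid()`, `setgid()` before `setuid()`, and the final `setuid(0)` probe confirms the drop actually took effect, which is the check a reviewer wants to see in any daemon that claims to "do a chroot itself". If a service must be launched through `/usr/sbin/chroot` instead, the jail needs the NSS modules from `/lib*/libnss_files.so.2` in addition to the copied `/etc` files.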