Help creating complete and accurate instructions for TFTP

General support questions
dop
Posts: 4
Joined: 2017/07/20 16:05:59

Help creating complete and accurate instructions for TFTP

Post by dop » 2017/07/20 17:39:50

Hello,

After beating the paint off the walls with my skull for a few days I finally got through the task of getting my TFTP server working with SELinux turned on and enforcing. Now, looking back, I can see the instructions really were fairly simple, but the issue was that all the examples I found were either wrong, not with the options I needed, or had SELinux turned off.

With that in mind I was hoping to post my steps with a goal for review by all to see if I have any issue I am unaware of and building off that to maybe get instructions from others on how to enable other options. Then the final product could maybe be put over on the wiki.

I searched and found many instructions; several were reposts of the same instructions, including missing steps or wrong information. I also found bits and pieces on threads, some from here, but no one had anything complete and concise enough for the newbie (like me, sort of) to get going in a pinch with minimal input.

So once the moderators approve this and stick it in the correct forum (if it belongs somewhere else), I will post the instructions I have for my setup with an explanation of my understanding of each and what was my goal for this config.

scottro
Forum Moderator
Posts: 2556
Joined: 2007/09/03 21:18:09
Location: NYC

Re: Help creating complete and accurate instructions for TFTP

Post by scottro » 2017/07/20 19:22:01

Why don't you post your steps here, and people can then comment on it.

(I'm only a junior sort of mod, so if another mod contradicts me, do what they say.) :)
New users should check the FAQ and Read Me First pages

dop
Posts: 4
Joined: 2017/07/20 16:05:59

Re: Help creating complete and accurate instructions for TFTP

Post by dop » 2017/07/21 13:25:09

Hey, first post and I made it past the moderator. Yeah.

On to the topic.
With this I am making some assumptions/omissions.
We will assume the firewall is correctly configured to allow tftp.
All steps are at the command prompt as su.

If I have omitted something or assumed something please chime in.

My configuration was set up on CentOS 7 as a standard server build with all updates. Nothing fancy. My application was for the DHCP snooping files on Cisco switches, so I needed both read and write from an anonymous user. This included the ability to create a file.

Install tftp server, tftp client (if you need) and xinetd.

yum install tftp-server* tftp xinetd*

I am not using the default directory so I create a new one.

mkdir /tftpboot

Since we are root no need to chown it.

Set the permissions for my use.

chmod 777 /tftpboot


Edit the /etc/xinetd.d/tftp file to enable the tftp server, change the default directory for the files and enable file creation for my application. Compare to the default file to see the changes. The -c option that is added is for file creation.

service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}

Now for the mysterious SELinux parts that no one seemed to get just right. And yes there are other commands that can accomplish some of the steps but these work for me and are easy to understand.

Tell SELinux that I actually want to allow anonymous writes.

setsebool -P tftp_anon_write 1

Then since I have changed default location in the config file you need to create a new context tag for it.

semanage fcontext -a -t tftpdir_rw_t "/tftpboot(/.*)?"

Once you have the new tag you need to apply it to the directory.

chcon -t tftpdir_rw_t /tftpboot

Tell the system to start up the services on boot.

systemctl enable xinetd tftp

And tell it to start so I can test.

systemctl start xinetd tftp

And enjoy, I think.


With the above step I was able to repeat the setup on a fresh box and it worked without issue. What I would like to accomplish is the following:
1. Ensure my understanding/explanation of the commands is correct.
2. Edits to the instructions for alternate setups such as read only, non root and any other flavor that anyone thinks would be useful.
3. Learn something in the process.
4. Hopefully create something that is worthy of the wiki.

I have found many how-to articles, but it is obvious that the user did not actually test what was printed, and unfortunately it would not work as printed. The other issue is I could find no one that actually had the SELinux commands. Just some of them, and always with SELinux enforcement turned off.

I have much to learn and only wish to create accurate instructions instead of what appeared to be hype articles posted to get traffic. So with that in mind feel free to contribute and be gentle it is my first time.
Last edited by dop on 2017/07/21 16:13:49, edited 1 time in total.

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: Help creating complete and accurate instructions for TFTP

Post by pjsr2 » 2017/07/21 15:25:52

Setting up a tftp server has been a recurring topic in this forum, so I welcome your initiative.
I'll add a number of comments and suggestions. I'll follow the order of your procedure.

First and foremost: setting up a tftp server with anonymous write permissions is a dangerous thing and should only be done in a very restricted environment. This needs to be stated very clearly.

> We will assume the firewall is correctly configured to allow tftp.

Better add the explicit commands for configuration of the firewall. Should be somewhere at the end, once you are sure the thing is working. Don't drill holes in the firewall before your server is set up correctly.

> All steps are at the command prompt as SU.

bash: SU: command not found...
Similar command is: 'su'
I prefer to include in documentation sudo before each individual command. I don't want to encourage people to run shells as root.

> yum install tftp-server* tftp xinetd*

You also need to install the policycoreutils-python package, since you are using semanage later on. That package is not included in a minimal CentOS installation.

> I am not using the default directory so I create a new one.
> mkdir /tftpboot

Explain the risks of and motivation for using this directory. You create it on the root partition. What are the consequences when the root partition fills up?

> Since we are root no need to chown it

Maybe you are root, but some reader in future won't be. Better be explicit on the chown and chmod.

> chmod 777 /tftpboot

Can't this be created more securely? Security specialists: what is best practice? tftpd is run as root, so only root needs write permission.

> chcon -t tftpdir_rw_t /tftpboot

Since you have added the SELinux context for /tftpboot(/.*)?, I would use

sudo restorecon -R -v /tftpboot

Just in case there is a user which has a non-empty /tftpboot directory at this point.

> systemctl enable xinetd tftp
>
> And tell it to start so I can test.
>
> systemctl start xinetd tftp

First make sure you can start the service. Then enable on boot later.

sudo systemctl start xinetd tftp
sudo systemctl status xinetd tftp
sudo systemctl enable xinetd tftp

dop
Posts: 4
Joined: 2017/07/20 16:05:59

Re: Help creating complete and accurate instructions for TFTP

Post by dop » 2017/07/21 16:24:46

Thanks pjsr2.
I will roll your recommendations into the instructions. A couple of notes, and I will comment on them in the instructions as well. The permissions had to end in 7 to allow anonymous writes to the server, and yes, my setup is in a very restricted and protected environment. I will expand on that as well.

Funny note on permissions: one site had the instructions and stated they were for anonymous writes and creations, then went about talking on security and had the chmod set to 644. Unfortunately that does not work. chmod 447 works, but nothing less than 7 for everyone works, since it is an anonymous write. I tested multiple combinations of permissions, but it had to be a 7 for everyone to work.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Help creating complete and accurate instructions for TFTP

Post by TrevorH » 2017/07/21 16:32:42

Probably the owner needs to be 'nobody' to allow writes without the universal write permission.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
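The procedure as it stands after the thread's corrections, written up as one script. This is an added example, not code posted by dop or any other participant: it takes dop's steps and folds in pjsr2's points (sudo on every command, policycoreutils-python for semanage, explicit chown/chmod, restorecon instead of chcon, start and status before enable, firewall last) and TrevorH's point that the directory owner, not mode 777, is what lets the server create files. Two things are assumptions not stated on the page: that the tftp-server package is tftp-hpa, whose in.tftpd is started as root by xinetd and then drops to the user given by -u (nobody by default), so the upload directory is made owner-writable by that user and mode 0755 is enough; and that firewalld is the firewall, opened with firewall-cmd. The TFTP_WRITABLE=no variant covers the read-only setup dop asked about in item 2: no -c, no tftp_anon_write, root-owned directory labelled tftpdir_t instead of tftpdir_rw_t. Only xinetd is managed, because the tftp.socket systemd unit that tftp-server also ships would compete for udp/69.

```shell
#!/bin/bash
# Added example, not from the thread.  Hardened CentOS 7 TFTP setup:
#   ./tftp-setup.sh            prints the xinetd stanza it would install
#   ./tftp-setup.sh apply      performs the setup (needs sudo)
#   ./tftp-setup.sh verify     reads the result back
# Assumptions (not stated on the page): tftp-hpa's in.tftpd, which drops
# to the -u user after xinetd starts it as root; firewalld as the firewall.
set -eu

TFTP_DIR="${TFTP_DIR:-/tftpboot}"
TFTP_USER="${TFTP_USER:-nobody}"      # unprivileged user in.tftpd drops to
TFTP_WRITABLE="${TFTP_WRITABLE:-yes}" # "no" gives a download-only server

# xinetd stanza for /etc/xinetd.d/tftp.  -s chroots into the directory,
# -u names the unprivileged user, -c lets uploads create new files
# (without -c only files that already exist may be overwritten).
render_xinetd_conf() {
    local dir="$1" user="$2" writable="$3"
    local args="-u $user -s $dir"
    [ "$writable" = "yes" ] && args="-c $args"
    cat <<EOF
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = $args
        disable         = no
        per_source      = 11
        cps             = 100 2
        flags           = IPv4
}
EOF
}

# SELinux type: tftpdir_rw_t (plus the tftp_anon_write boolean) for uploads,
# plain tftpdir_t when clients may only download.
selinux_type() { [ "$1" = "yes" ] && echo tftpdir_rw_t || echo tftpdir_t; }

# Directory owner: the server's unprivileged user when uploads are allowed,
# root otherwise.  Mode 0755 either way; world-writable is never needed.
dir_owner() { [ "$1" = "yes" ] && echo "$2" || echo root; }

apply() {
    local owner t
    sudo yum install -y tftp-server tftp xinetd policycoreutils-python

    owner=$(dir_owner "$TFTP_WRITABLE" "$TFTP_USER")
    sudo mkdir -p "$TFTP_DIR"
    sudo chown "$owner:$owner" "$TFTP_DIR"
    sudo chmod 0755 "$TFTP_DIR"

    render_xinetd_conf "$TFTP_DIR" "$TFTP_USER" "$TFTP_WRITABLE" \
        | sudo tee /etc/xinetd.d/tftp >/dev/null

    # -a fails when a rule for this pattern already exists; -m then updates it.
    t=$(selinux_type "$TFTP_WRITABLE")
    sudo semanage fcontext -a -t "$t" "$TFTP_DIR(/.*)?" \
        || sudo semanage fcontext -m -t "$t" "$TFTP_DIR(/.*)?"
    sudo restorecon -R -v "$TFTP_DIR"
    if [ "$TFTP_WRITABLE" = "yes" ]; then
        sudo setsebool -P tftp_anon_write 1
    fi

    # Start and check first (status is non-zero if it failed, so set -e
    # stops here); only then enable on boot and open the firewall.
    sudo systemctl start xinetd
    sudo systemctl status xinetd --no-pager
    sudo systemctl enable xinetd
    sudo firewall-cmd --permanent --add-service=tftp
    sudo firewall-cmd --reload
}

# Read the result back: owner/mode, label, boolean, listener on udp/69.
verify() {
    stat -c '%U %a %n' "$TFTP_DIR"
    ls -Zd "$TFTP_DIR"
    getsebool tftp_anon_write
    systemctl is-active xinetd
    sudo ss -lun | grep ':69 ' || echo "nothing listening on udp/69"
}

case "${1:-render}" in
    apply)  apply ;;
    verify) verify ;;
    *)      render_xinetd_conf "$TFTP_DIR" "$TFTP_USER" "$TFTP_WRITABLE" ;;
esac
```

Run it once without arguments and compare the printed stanza with the one in dop's post before applying: the only intended differences are the added -u and, for a read-only server, the missing -c.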
