in.tftpd[683]: chroot: Operation not permitted

coolstm
Posts: 6
Joined: 2024/04/26 01:55:06

in.tftpd[683]: chroot: Operation not permitted

Post by coolstm » 2024/04/26 03:06:59

Hello.
I'm trying to build a tftp server, but I'm having a lot of trouble because I don't know why it's not working.
I am writing this because I would like to hear the opinions of experts.

It works fine when running as a client, but doesn't work well when running as a server.
- When operating as tftp get in Windows cmd, when operating as a client
There is no firewall and I think I have given all the permissions, but I don't know why it doesn't work.


We will capture and send you the relevant information below.

----------------------------------------------------------
sudo vi /etc/xinetd.d/tftp

service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -c -p -s /var/lib/tftpboot
    disable     = no
    per_source  = 11
    cps         = 100 2
    flags       = IPv4
}

--------------
sudo vi /usr/lib/systemd/system/tftp.service

[Unit]
Description=Tftp Server
Requires=tftp.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot
StandardInput=socket

[Install]
Also=tftp.socket


---------------

bash-4.4# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-04-26 01:50:06 UTC; 24min ago
Docs: man:xinetd
man:xinetd.conf
man:xinetd.log
Process: 662 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid (code=exited, status=0/SUCCESS)
Main PID: 663 (xinetd)
CGroup: /system.slice/libvirtd.service/system.slice/xinetd.service
└─663 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Apr 26 01:50:57 guestshell xinetd[663]: START: tftp pid=670 from=192.168.1.16
Apr 26 01:50:57 guestshell in.tftpd[671]: chroot: Operation not permitted
Apr 26 01:51:04 guestshell in.tftpd[674]: chroot: Operation not permitted
Apr 26 01:51:20 guestshell in.tftpd[680]: chroot: Operation not permitted
Apr 26 02:06:44 guestshell xinetd[663]: EXIT: tftp status=0 pid=670 duration=947(sec)
------
bash-4.4# systemctl status tftp
● tftp.service - Tftp Server
Loaded: loaded (/usr/lib/systemd/system/tftp.service; indirect; vendor preset: disabled)
Active: active (running) since Fri 2024-04-26 02:07:59 UTC; 8min ago
Docs: man:in.tftpd
Main PID: 695 (in.tftpd)
CGroup: /system.slice/libvirtd.service/system.slice/tftp.service
└─695 /usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot

Apr 26 01:50:05 guestshell systemd[1]: Started Tftp Server.
---

bash-4.4# systemctl status tftp.socket
● tftp.socket - Tftp Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/tftp.socket; enabled; vendor preset: disabled)


-------

bash-4.4# ls -al | grep tftpboot
drwxrwxrwx. 2 root root 1024 Apr 26 01:31 tftpboot


bash-4.4# sudo cat /var/log/messages | grep tftp
Apr 26 01:50:57 localhost xinetd[663]: START: tftp pid=670 from=192.168.1.16
Apr 26 01:50:57 localhost in.tftpd[671]: chroot: Operation not permitted
Apr 26 01:50:58 localhost in.tftpd[672]: chroot: Operation not permitted
Apr 26 01:51:00 localhost in.tftpd[673]: chroot: Operation not permitted
Apr 26 01:51:04 localhost in.tftpd[674]: chroot: Operation not permitted
Apr 26 01:51:12 localhost in.tftpd[679]: chroot: Operation not permitted
Apr 26 01:51:20 localhost in.tftpd[680]: chroot: Operation not permitted
Apr 26 01:51:28 localhost in.tftpd[681]: chroot: Operation not permitted
Apr 26 01:51:36 localhost in.tftpd[682]: chroot: Operation not permitted
Apr 26 01:51:44 localhost in.tftpd[683]: chroot: Operation not permitted
Apr 26 02:05:05 localhost systemd[1]: tftp.service: Succeeded.
Apr 26 02:06:44 localhost xinetd[663]: EXIT: tftp status=0 pid=670 duration=947(sec)

--------

bash-4.4# systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
~~~~
tftp.service loaded active running Tftp Server
user-runtime-dir@0.service loaded active exited /run/user/0 mount wrapper
user@0.service loaded active running User Manager for UID 0
vartmpfs.service loaded active exited vartmpfs.service
xinetd.service loaded active running Xinetd A Powerful Replacement For Inetd

----------
bash-4.4# getenforce
Disabled

----


bash-4.4# netstat -anu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:69 0.0.0.0:*
udp6 0 0 :::69 :::*

TrevorH
Site Admin
Posts: 33230
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: in.tftpd[683]: chroot: Operation not permitted

Post by TrevorH » 2024/04/26 09:52:21

First you seem to have set this up in two separate and mutually incompatible ways. Either pick xinetd to start a connection OR run tftpd as a service all the time. Not both. I'd recommend dumping the xinetd bit and disabling that and concentrating on getting it running as a service first. After it works that way you can review whether you want it running all the time or started on connection using xinetd.

Also I suspect that on newer CentOS Stream you should not use xinetd at all as it probably has a systemd socket to activate it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4535
Joined: 2007/12/11 08:17:33
Location: Finland

Re: in.tftpd[683]: chroot: Operation not permitted

Post by jlehtone » 2024/04/26 20:52:15

One could also ask "Why TFTP?" Is it for PXEboot?
If yes, are the DHCP and DNS needs "simple"?

If yes, then I would use 'dnsmasq', because that can act as DHCP, DNS, and TFTP server.

coolstm
Posts: 6
Joined: 2024/04/26 01:55:06

Re: in.tftpd[683]: chroot: Operation not permitted

Post by coolstm » 2024/04/27 14:55:44

TrevorH wrote:
2024/04/26 09:52:21
First you seem to have set this up in two separate and mutually incompatible ways. Either pick xinetd to start a connection OR run tftpd as a service all the time. Not both. I'd recommend dumping the xinetd bit and disabling that and concentrating on getting it running as a service first. After it works that way you can review whether you want it running all the time or started on connection using xinetd.

Also I suspect that on newer CentOS Stream you should not use xinetd at all as it probably has a systemd socket to activate it.

Thank you for your reply.

As you said, even if you delete xinetd, the tftp client service works.

However, the server service is still not available.
The change is that the phrase shown in xinetd.service is "in.tftpd: chroot: Operation not permitted" in tftp.service.

coolstm
Posts: 6
Joined: 2024/04/26 01:55:06

Re: in.tftpd[683]: chroot: Operation not permitted

Post by coolstm » 2024/04/27 14:56:41

jlehtone wrote:
2024/04/26 20:52:15
One could also ask "Why TFTP?" Is it for PXEboot?
If yes, are the DHCP and DNS needs "simple"?

If yes, then I would use 'dnsmasq', because that can act as DHCP, DNS, and TFTP server.

Thank you for your reply.

Yes, tftp service is absolutely necessary for pxe booting.

TrevorH
Site Admin
Posts: 33230
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: in.tftpd[683]: chroot: Operation not permitted

Post by TrevorH » 2024/04/27 15:50:15

What are your permissions on /var/lib/tftpboot? Easiest way to show that is to run namei -l /var/lib/tftpboot. Also include the output from ls -laZ /var/lib/tftpboot

coolstm
Posts: 6
Joined: 2024/04/26 01:55:06

Re: in.tftpd[683]: chroot: Operation not permitted

Post by coolstm » 2024/04/27 16:05:13

TrevorH wrote:
2024/04/27 15:50:15
What are your permissions on /var/lib/tftpboot? Easiest way to show that is to run namei -l /var/lib/tftpboot. Also include the output from ls -laZ /var/lib/tftpboot

bash-4.4# namei -l /var/lib/tftpboot
f: /var/lib/tftpboot
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root lib
drwxr-xr-x root root tftpboot

bash-4.4# ls -laZ /var/lib/tftpboot
total 2
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c128,c144 1024 Jan 4 16:00 .
drwxr-xr-x. 15 root root system_u:object_r:container_file_t:s0:c128,c144 1024 Apr 27 15:41 ..
-rwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c128,c144 6477 Apr 27 15:48 test.txt

TrevorH
Site Admin
Posts: 33230
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: in.tftpd[683]: chroot: Operation not permitted

Post by TrevorH » 2024/04/27 16:25:14

bash-4.4# ls -laZ /var/lib/tftpboot
total 2
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c128,c144 1024 Jan 4 16:00 .
drwxr-xr-x. 15 root root system_u:object_r:container_file_t:s0:c128,c144 1024 Apr 27 15:41 ..
-rwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c128,c144 6477 Apr 27 15:48 test.txt

Run restorecon -RFv /var/lib/tftpboot

coolstm
Posts: 6
Joined: 2024/04/26 01:55:06

Re: in.tftpd[683]: chroot: Operation not permitted

Post by coolstm » 2024/04/28 13:25:14

TrevorH wrote:
2024/04/27 16:25:14
bash-4.4# ls -laZ /var/lib/tftpboot
total 2
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c128,c144 1024 Jan 4 16:00 .
drwxr-xr-x. 15 root root system_u:object_r:container_file_t:s0:c128,c144 1024 Apr 27 15:41 ..
-rwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c128,c144 6477 Apr 27 15:48 test.txt
Run restorecon -RFv /var/lib/tftpboot

SELinux is disabled.
Even if you enter the above command, it does not work the same way.

TrevorH
Site Admin
Posts: 33230
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: in.tftpd[683]: chroot: Operation not permitted

Post by TrevorH » 2024/04/28 13:49:39

Is this a real system or a container?

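One way to check the container question raised above, as an added example that is not part of the thread: chroot(2) returns EPERM when the calling process lacks CAP_SYS_CHROOT, which can be the case even for uid 0 inside a restricted container. The function names and the two sample capability masks below are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example; function names and sample masks are constructed.
# chroot(2) fails with EPERM when the caller lacks CAP_SYS_CHROOT, even as uid 0.
CAP_SYS_CHROOT=18   # bit number from <linux/capability.h>

# Constructed /proc/<pid>/status excerpts: unrestricted root vs. a root whose
# capability sets have bit 18 cleared (as a restricted container might).
sample_host()  { printf 'Uid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n'; }
sample_guest() { printf 'Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80025fb\nCapBnd:\t00000000a80025fb\n'; }

# cap_field STATUS_TEXT FIELD: print the hex mask of FIELD (CapEff, CapBnd, ...).
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_chroot_cap STATUS_TEXT FIELD: 0 if bit set, 1 if clear, 2 if field missing.
has_chroot_cap() {
    hex=$(cap_field "$1" "$2")
    [ -n "$hex" ] || return 2
    [ $(( (0x$hex >> CAP_SYS_CHROOT) & 1 )) -eq 1 ]
}

# diagnose STATUS_TEXT: one-line verdict for the process that text describes.
diagnose() {
    if has_chroot_cap "$1" CapEff; then
        echo "ok: CAP_SYS_CHROOT is effective, chroot(2) is permitted"
    elif has_chroot_cap "$1" CapBnd; then
        echo "dropped: in the bounding set but not effective for this process"
    else
        echo "denied: not in the bounding set, in.tftpd -s will get EPERM"
    fi
}

echo "constructed host sample:  $(diagnose "$(sample_host)")"
echo "constructed guest sample: $(diagnose "$(sample_guest)")"
if [ -r /proc/self/status ]; then
    echo "this shell:               $(diagnose "$(cat /proc/self/status)")"
fi
```

Run it in the same environment that starts in.tftpd; for an already running daemon, pass the contents of its /proc/<pid>/status to diagnose instead.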