Monday, December 13, 2010

tftpd


TFTPD(8) System Manager's Manual TFTPD(8)



NAME
tftpd - IPv4 Trivial File Transfer Protocol server

SYNOPSIS
in.tftpd [options...] directory...

DESCRIPTION
tftpd is a server for the Trivial File Transfer Protocol. The TFTP
protocol is extensively used to support remote booting of diskless
devices. The server is normally started by inetd, but can also run
standalone.

OPTIONS
--ipv4, -4
Connect with IPv4 only, even if IPv6 support was compiled in.

--ipv6, -6
Connect with IPv6 only, if compiled in.

-l, --listen
Run the server in standalone (listen) mode, rather than run from
inetd. In listen mode, the --timeout option is ignored, and the
--address option can be used to specify a specific local address
or port to listen to.

--foreground, -L
Similar to --listen but do not detach from the foreground
process. Implies --listen.

--address [address][:port], -a [address][:port]
Specify a specific address and port to listen to when called
with the --listen or --foreground option. The default is to
listen to the tftp port specified in /etc/services on all local
addresses.

Please note: Numeric IPv6 addresses must be enclosed in square
brackets to avoid ambiguity with the optional port information.

--create, -c
Allow new files to be created. By default, tftpd will only
allow upload of files that already exist. Files are created
with default permissions allowing anyone to read or write them,
unless the --permissive or --umask options are specified.

--secure, -s
Change root directory on startup. This means the remote host
does not need to pass along the directory as part of the transfer,
and may add security. When --secure is specified, exactly
one directory should be specified on the command line. The use
of this option is recommended for security as well as compatibility
with some boot ROMs which cannot be easily made to
include a directory name in their request.

--user username, -u username
Specify the username which tftpd will run as; the default is
"nobody". The user ID, group ID, and (if possible on the platform)
the supplementary group IDs will be set to the ones specified
in the system permission database for this username.

--umask umask, -U umask
Sets the umask for newly created files to the specified value.
The default is zero (anyone can read or write) if the --permissive
option is not specified, or inherited from the invoking
process if --permissive is specified.

--permissive, -p
Perform no additional permissions checks above the normal
system-provided access controls for the user specified via the
--user option.

--timeout timeout, -t timeout
When run from inetd this specifies how long, in seconds, to wait
for a second connection before terminating the server. inetd
will then respawn the server when another request comes in. The
default is 900 (15 minutes.)

--retransmit timeout, -T timeout
Determine the default timeout, in microseconds, before the first
packet is retransmitted. This can be modified by the client if
the timeout or utimeout option is negotiated. The default is
1000000 (1 second.)

--mapfile remap-file, -m remap-file
Specify the use of filename remapping. The remap-file is a file
containing the remapping rules. See the section on filename
remapping below. This option may not be compiled in, see the
output of in.tftpd -V to verify whether or not it is available.

--verbose, -v
Increase the logging verbosity of tftpd. This flag can be specified
multiple times for even higher verbosity.

--verbosity value
Set the verbosity value to value.

--refuse tftp-option, -r tftp-option
Indicate that a specific RFC 2347 TFTP option should never be
accepted.

--blocksize max-block-size, -B max-block-size
Specifies the maximum permitted block size. The permitted range
for this parameter is from 512 to 65464. Some embedded clients
request large block sizes and yet do not handle fragmented packets
correctly; for these clients, it is recommended to set this
value to the smallest MTU on your network minus 32 bytes (20
bytes for IP, 8 for UDP, and 4 for TFTP; less if you use IP
options on your network.) For example, on a standard Ethernet
(MTU 1500) a value of 1468 is reasonable.

--port-range port:port, -R port:port
Force the server port number (the Transaction ID) to be in the
specified range of port numbers.

--version, -V
Print the version number and configuration to standard output,
then exit gracefully.

RFC 2347 OPTION NEGOTIATION
This version of tftpd supports RFC 2347 option negotiation. Currently
implemented options are:

blksize (RFC 2348)
Set the transfer block size to anything less than or equal to
the specified option. This version of tftpd can support any
block size up to the theoretical maximum of 65464 bytes.

blksize2 (nonstandard)
Set the transfer block size to anything less than or equal to
the specified option, but restrict the possible responses to
powers of 2. The maximum is 32768 bytes (the largest power of 2
less than or equal to 65464.)

tsize (RFC 2349)
Report the size of the file that is about to be transferred.
This version of tftpd only supports the tsize option for binary
(octet) mode transfers.

timeout (RFC 2349)
Set the time before the server retransmits a packet, in seconds.

utimeout (nonstandard)
Set the time before the server retransmits a packet, in
microseconds.

rollover (nonstandard)
Set the block number to resume at after a block number rollover.
The default and recommended value is zero.

The --refuse option can be used to disable specific options; this may
be necessary to work around bugs in specific TFTP client implementations.
For example, some TFTP clients have been found to request the
blksize option, but crash with an error if they actually get the option
accepted by the server.
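As an added illustration (not code from tftp-hpa), the following Python sketch parses an RRQ carrying RFC 2347 options and applies the acceptance rules listed above: --blocksize caps blksize, blksize2 is rounded down to a power of two (at most 32768), tsize is reported only for octet transfers, and a --refuse'd option is never acknowledged; blocksize_for_mtu() also carries out the --blocksize arithmetic from the OPTIONS section. The request packet is constructed, and parse_request, negotiate, build_oack and answer are my own names.

```python
import struct

RRQ, WRQ, OACK = 1, 2, 6
RFC_MAX_BLKSIZE = 65464  # theoretical maximum block size (RFC 2348)

# Constructed RRQ, not a real capture: filename, mode, then RFC 2347 option/value pairs.
SAMPLE_RRQ = struct.pack("!H", RRQ) + b"\0".join(
    [b"pxelinux.0", b"octet", b"blksize", b"9000", b"tsize", b"0", b"timeout", b"5", b""])

def parse_request(pkt):
    """Return (opcode, filename, mode, {option: value}) for an RRQ/WRQ carrying options."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    fields = pkt[2:].split(b"\0")
    trailer = fields.pop()  # a well-formed request ends with a NUL, so the last piece is empty
    if opcode not in (RRQ, WRQ) or trailer != b"" or len(fields) < 2 or len(fields) % 2:
        raise ValueError("malformed request")
    f = [x.decode("ascii") for x in fields]
    return opcode, f[0], f[1].lower(), {k.lower(): v for k, v in zip(f[2::2], f[3::2])}

def negotiate(opts, mode, file_size, max_blksize=RFC_MAX_BLKSIZE, refuse=()):
    """Pick the options to acknowledge: each reply is <= the request and within server policy."""
    ack = {}
    for name, value in opts.items():
        if name in refuse or not value.isdigit():
            continue  # --refuse'd options and non-numeric values are ignored, never acknowledged
        n = int(value)
        if name == "blksize" and n >= 8:
            ack[name] = str(min(n, max_blksize, RFC_MAX_BLKSIZE))  # --blocksize caps the answer
        elif name == "blksize2" and n >= 8:
            ack[name] = str(1 << (min(n, 32768).bit_length() - 1))  # largest power of two <= n
        elif name == "tsize" and mode == "octet":
            ack[name] = str(file_size)  # only for binary (octet) transfers, as the manual says
        elif name in ("timeout", "utimeout") and n > 0:
            ack[name] = value
    return ack

def build_oack(ack):
    """Serialise the acknowledged options as an OACK (opcode 6) packet in RFC 2347 wire format."""
    return struct.pack("!H", OACK) + b"".join(f"{k}\0{v}\0".encode() for k, v in ack.items())

def answer(pkt, file_size, **policy):
    """Parse a request and return the OACK the server would send, or b"" if nothing is acknowledged."""
    _, _, mode, opts = parse_request(pkt)
    ack = negotiate(opts, mode, file_size, **policy)
    return build_oack(ack) if ack else b""

def blocksize_for_mtu(mtu, ip_options=0):
    """--blocksize value so one data packet fits a frame: MTU - 20 (IP) - 8 (UDP) - 4 (TFTP)."""
    return mtu - 20 - 8 - 4 - ip_options
```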

FILENAME REMAPPING
The --mapfile option specifies a file which contains filename remapping
rules. Each non-comment line (comments begin with hash marks, #) contains
an operation, specified below; a regex, a regular expression in
the style of egrep; and optionally a replacement pattern. The operation
indicated by operation is performed if the regex matches all or
part of the filename. Rules are processed from the top down, and by
default, all rules are processed even if there is a match.

The operation can be any combination of the following letters:

r Replace the substring matched by regex by the replacement pattern.
The replacement pattern may contain escape sequences; see
below.

g Repeat this rule until it no longer matches. This is always
used with r.

i Match the regex case-insensitively. By default it is case sensitive.

e If this rule matches, end rule processing after executing the
rule.

s If this rule matches, start rule processing over from the very
first rule after executing this rule.

a If this rule matches, refuse the request and send an access
denied error to the client.

G This rule applies to GET (RRQ) requests only.

P This rule applies to PUT (WRQ) requests only.

~ Invert the sense of this rule, i.e. execute the operation only
if the regex doesn't match. Cannot be used together with r.

The following escape sequences are recognized as part of the replacement
pattern:

\0 The entire string matched by the regex.

\1 to \9
The strings matched by each of the first nine parenthesized subexpressions,
\( ... \), of the regex pattern.

\i The IP address of the requesting host, in dotted-quad notation
(e.g. 192.0.2.169).

\x The IP address of the requesting host, in hexadecimal notation
(e.g. C00002A9).

\\ Literal backslash.

\whitespace
Literal whitespace.

\# Literal hash mark.

\U Turns all subsequent letters to upper case.

\L Turns all subsequent letters to lower case.

\E Cancels the effect of \U or \L.

If the mapping file is changed, you need to send SIGHUP to any outstanding
tftpd process.
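To make the rule semantics concrete, here is an added Python model of the map-file engine; it is not tftp-hpa's remap code and uses Python's re module in place of egrep syntax. parse_rules, expand and remap are my own names, the map file is a constructed sample, and the step bound that stops a runaway g loop or s restart is my own addition.

```python
import re
# Constructed sample map file (not from the manual). Pa: refuse every PUT; rg: backslash to slash;
# a: refuse '..' components; ri: per-host config by hex client IP; re: drop leading '/', lower-case, stop.
RULES = r"""Pa .*
rg \\ /
a \.\./
ri ^config\.cfg$ pxelinux.cfg/\x
re ^/(.*)$ \L\1
"""
def parse_rules(text):
    """Map-file lines are: <ops> <regex> [replacement]; '#' lines are comments."""
    lines = [l.split(None, 2) for l in map(str.strip, text.splitlines()) if l and l[0] != "#"]
    return [(ops, re.compile(rx, re.I if "i" in ops else 0), repl[0] if repl else "")
            for ops, rx, *repl in lines]
def expand(repl, m, ip):
    r"""\0-\9 groups, \i dotted IP, \x hex IP, \U \L \E case folding, any other \c is literal c."""
    out, case, i = [], None, 0
    while i < len(repl):
        c, i = repl[i], i + 1
        if c == "\\" and i < len(repl):
            c, i = repl[i], i + 1
            if c in "ULE":
                case = {"U": str.upper, "L": str.lower, "E": None}[c]
                continue
            if c.isdigit():
                c = m.group(int(c)) or ""
            elif c in "ix":
                c = ip if c == "i" else "".join("%02X" % int(o) for o in ip.split("."))
        out.append(case(c) if case else c)
    return "".join(out)
def remap(filename, rules, ip, is_put=False, max_steps=1000):
    """Top-down: G/P select RRQ/WRQ, ~ inverts, a denies, r (g) rewrites, e ends, s restarts."""
    i = steps = 0
    while i < len(rules) and steps < max_steps:  # steps bounds runaway g loops and s restarts
        ops, rx, repl = rules[i]
        i, steps = i + 1, steps + 1
        if ("G" in ops and is_put) or ("P" in ops and not is_put):
            continue
        m = rx.search(filename)
        if ("~" in ops) == bool(m):
            continue
        if "a" in ops:
            raise PermissionError(filename)  # tftpd answers with an access-denied error
        while m and "r" in ops and steps < max_steps:
            filename = filename[:m.start()] + expand(repl, m, ip) + filename[m.end():]
            m, steps = (rx.search(filename) if "g" in ops else None), steps + 1
        if "e" in ops:
            return filename
        i = 0 if "s" in ops else i
    return filename
```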

SECURITY
The use of TFTP services does not require an account or password on the
server system. Due to the lack of authentication information, tftpd
will allow only publicly readable files (o+r) to be accessed, unless
the --permissive option is specified. Files may be written only if
they already exist and are publicly writable, unless the --create
option is specified. Note that this extends the concept of ``public''
to include all users on all hosts that can be reached through the network;
this may not be appropriate on all systems, and its implications
should be considered before enabling TFTP service. Typically, some
kind of firewall or packet-filter solution should be employed. If
appropriately compiled (see the output of in.tftpd --version) tftpd
will query the hosts_access(5) database for access control information.
This may be slow; sites requiring maximum performance may want to compile
without this option and rely on firewalling or kernel-based packet
filters instead.

The server should be set to run as the user with the lowest possible
privilege; please see the --user flag. It is probably a good idea to
set up a specific user account for tftpd, rather than letting it run as
"nobody", to guard against privilege leaks between applications.

Access to files can, and should, be restricted by invoking tftpd with a
list of directories by including pathnames as server program arguments
on the command line. In this case access is restricted to files whose
names are prefixed by one of the given directories. If possible, it is
recommended that the --secure flag is used to set up a chroot() environment
for the server to run in once a connection has been set up.

Finally, the filename remapping (--mapfile flag) support can be used to
provide a limited amount of additional access control.
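An added Python sketch (not tftp-hpa's code) of the two checks this section describes: resolve() applies the directory-prefix rule and the --secure chroot rule, and check_access() applies the o+r / o+w / --create / --permissive rules. The prefix-matching detail for non-secure mode is my reading of the paragraph above, and make_sample_tree() builds a constructed fixture in a temporary directory.

```python
import os
import stat
import tempfile

def resolve(name, directories, secure=False):
    """Map a requested filename to a server path, or None if it lies outside every allowed directory.
    With --secure the single directory is the chroot root, so '..' can never climb above it;
    otherwise the normalised request must sit under one of the listed directories (my reading
    of the manual's 'prefixed by one of the given directories')."""
    if secure:
        inside = os.path.normpath("/" + name)  # '..' collapses against the root, not the host fs
        return os.path.join(directories[0], inside.lstrip("/"))
    path = os.path.normpath(name)
    for d in directories:
        if path.startswith(os.path.normpath(d) + os.sep):
            return path
    return None

def check_access(path, is_put, permissive=False, create=False):
    """SECURITY rules: reads need o+r; writes need an existing o+w regular file unless --create;
    --permissive instead defers to the ordinary system permissions of the --user account."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return bool(is_put and create)  # a new file is allowed only with --create
    if not stat.S_ISREG(st.st_mode):
        return False
    if permissive:
        return os.access(path, os.W_OK if is_put else os.R_OK)
    return bool(st.st_mode & (stat.S_IWOTH if is_put else stat.S_IROTH))

def make_sample_tree():
    """Constructed fixture: a temporary tftpboot directory holding a public (0644), a private
    (0600) and a world-writable (0666) file. Returns (root, {name: path})."""
    root = tempfile.mkdtemp(prefix="tftpboot-")
    files = {}
    for fname, mode in (("pxelinux.0", 0o644), ("secret.cfg", 0o600), ("upload.bin", 0o666)):
        files[fname] = os.path.join(root, fname)
        open(files[fname], "wb").close()
        os.chmod(files[fname], mode)
    return root, files
```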

CONFORMING TO
RFC 1123, Requirements for Internet Hosts - Application and Support.
RFC 1350, The TFTP Protocol (revision 2).
RFC 2347, TFTP Option Extension.
RFC 2348, TFTP Blocksize Option.
RFC 2349, TFTP Timeout Interval and Transfer Size Options.

AUTHOR
This version of tftpd is maintained by H. Peter Anvin.
It was derived from, but has substantially diverged from, an OpenBSD
source base, with added patches by Markus Gutschke and Gero Kulhman.

SEE ALSO
tftp(1), egrep(1), umask(2), hosts_access(5), regex(7), inetd(8).



tftp-hpa 5.0 30 July 2008 TFTPD(8)
