Info Node: (am-utils.info)/tftpboot in a chroot-ed environment
(am-utils.info)/tftpboot in a chroot-ed environment
`/tftpboot' in a chroot-ed environment
======================================
In this complex example, we attempt to run an Amd process _inside_ a
chroot-ed environment. `tftpd' (Trivial FTP) is used to trivially
retrieve files used to boot X-Terminals, Network Printers, Network
routers, diskless workstations, and other such devices. For security
reasons, `tftpd' (and also `ftpd') processes are run using the
chroot(2) system call. This provides an environment for these
processes, where access to any files outside the directory where the
chroot-ed process runs is denied.
For example, if you start `tftpd' on your system with
chroot /tftpboot /usr/sbin/tftpd
then the `tftpd' process will not be able to access any files outside
`/tftpboot'. This ensures that no one can retrieve files such as
`/etc/passwd' and run password crackers on it.
Since the TFTP service works by broadcast, it is necessary to have at
least one TFTP server running on each subnet. If you have lots of files
that you need to make available for `tftp', and many subnets, it could
take significant amounts of disk space on each host serving them.
A solution we implemented at Columbia University was to have every
host run `tftpd', but have those servers retrieve the boot files from
two replicated servers. Those replicated servers have special
partitions dedicated to the many network boot files.
We start Amd as follows:
amd /tftpboot/.amd amd.tftpboot
That is, Amd is serving the directory `/tftpboot/.amd'. The `tftp'
server runs inside `/tftpboot' and is chroot-ed in that directory too.
The `amd.tftpboot' map looks like:
#
# Amd /tftpboot directory -> host map
#
/defaults opts:=nosuid,ro,intr,soft;fs:=/tftpboot/import;type:=nfs
tp host==lol;rfs:=/n/lol/import/tftpboot;type:=lofs \
host==ober;rfs:=/n/ober/misc/win/tftpboot;type:=lofs \
rhost:=ober;rfs:=/n/ober/misc/win/tftpboot \
rhost:=lol;rfs:=/n/lol/import/tftpboot
To help understand this example, I list a few of the file entries
that are created inside `/tftpboot':
$ ls -la /tftpboot
dr-xr-xr-x 2 root 512 Aug 30 23:11 .amd
drwxrwsr-x 12 root 512 Aug 30 08:00 import
lrwxrwxrwx 1 root 33 Feb 27 1997 adminpr.cfg -> ./.amd/tp/hplj/adminpr.cfg
lrwxrwxrwx 1 root 22 Dec 5 1996 tekxp -> ./.amd/tp/xterms/tekxp
lrwxrwxrwx 1 root 1 Dec 5 1996 tftpboot -> .
Here is an explanation of each of the entries listed above:
`.amd'
This is the Amd mount point. Note that you do not need to run a
separate Amd process for the TFTP service. The chroot(2) system
call only protects against file access, but the same process can
still serve files and directories inside and outside the chroot-ed
environment, because Amd itself was not run in chroot-ed mode.
`import'
This is the mount point where Amd will mount the directories
containing the boot files. The map is designed so that remote
directories will be NFS mounted (even if they are already mounted
elsewhere), and local directories are loopback mounted (since they
are not accessible outside the chroot-ed `/tftpboot' directory).
`adminpr.cfg'
`tekxp'
Two manually created symbolic links to directories _inside_ the
Amd-managed directory. The crossing of the component `tp' will
cause Amd to automount one of the remote replicas. Once crossed,
access to files inside proceeds as usual. The `adminpr.cfg' is a
configuration file for an HP Laser-Jet 4si printer, and the `tekxp'
is a directory for Tektronix X-Terminal boot files.
`tftpboot'
This innocent looking symlink is important. Usually, when devices
boot via the TFTP service, they perform the `get file' command to
retrieve FILE. However, some devices assume that `tftpd' does not
run in a chroot-ed environment, but rather "unprotected", and thus
use a full pathname for files to retrieve, as in `get
/tftpboot/file'. This symlink effectively strips out the leading
`/tftpboot/'.