Re: Still no TFTP client?
- From: Mark Berryman <mark@xxxxxxxxxxxxxxxx>
- Date: Tue, 24 Apr 2007 10:57:52 -0600
Bob Koehler wrote:
In article <462cb5b2$1@xxxxxxxxxxxx>, Mark Berryman <mark@xxxxxxxxxxxxxxxx> writes:
Please re-familiarize yourself with the VMS security model. The TFTP process will read files with world read access ***in the directory that the TFTP server has access to***. Neither you nor Joe down the hall has access to that directory so the protection on the files within that directory is meaningless to you. You can't get to them (except via the TFTP server). It is most definitely NOT all or nothing.
And what is to prevent them from running a TFTP client and accessing
them?
He was claiming that, because the files needed to be set world-readable, then anyone on the system could read them. I replied indicating that was not true. Only the TFTP server had access to them and the only way to get to them was via the TFTP server. If you have a TFTP client you can get to them as long as:
1. You know the full filename.
2. You are coming from one of the addresses the TFTP server is willing to talk to.
What they likely do _not_ want is the ability for a stranger to fill their disk.
But they can. :-)
No, they can't. Tell you what, I've got a TFTP server running here at home that I've just opened up to the internet. Go ahead and try to fill up my disk. Go ahead and try to read or write even one file. I guarantee that you will fail.
If you set up one writeable file and I figure out what it is, I can
fill up the disk quota allocated to that file's UIC. But do you
really want my data using up that quota?
Therein lies the challenge. Figure out what file(s) you can write to and what file(s) you can read from and I lose the bet. Otherwise, the claim that TFTP is so insecure that no one should ever use it becomes a little silly. (If someone wanted to claim that it should only be used carefully, that would be entirely different.)
About as secure as that file containing passwords.
Good point, since it's clearly subject to one of the same attacks.
You do lock up your backup tapes, don't you?
My backup tapes are encrypted and rotated through secure off-site storage. My encryption keys are locked up elsewhere.
Mark Berryman
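
The two conditions listed in the post (knowing the full filename, and coming from an address the server is willing to talk to) can be written as a request-admission check. This is an added example, not part of the original post and not the VMS TFTP server's code; the network range, file names and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed policy values for illustration only (assumptions, not from the post).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
READABLE = {"boot/router1.cfg"}      # files the server will hand out
WRITABLE = {"upload/router1.cfg"}    # pre-created files that may be overwritten

OPCODES = {1: "RRQ", 2: "WRQ"}       # RFC 1350 read/write request opcodes


def parse_request(packet: bytes):
    """Parse an RFC 1350 RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in OPCODES:
        raise ValueError("not a read/write request")
    fields = packet[2:].split(b"\x00")
    # A well-formed request yields filename, mode and a trailing empty field.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed filename/mode")
    # UnicodeDecodeError is a ValueError, so non-ASCII names are rejected too.
    return OPCODES[opcode], fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def decide(client_ip: str, packet: bytes):
    """Return (allowed, reason) for one incoming request."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "client address not permitted"
    try:
        op, name, mode = parse_request(packet)
    except ValueError as exc:
        return False, f"bad request: {exc}"
    if mode not in ("octet", "netascii"):
        return False, "unsupported mode"
    # Exact-match lookup: TFTP has no directory listing and this check does no
    # path resolution, so the client must already know the full name. Reads and
    # writes use separate sets, and a denied name looks the same as a missing one.
    allowed_names = READABLE if op == "RRQ" else WRITABLE
    if name not in allowed_names:
        return False, "file not found"
    return True, f"{op} {name}"
```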