Technical data

ManualsBrandsCompaq ManualsComputer equipmentCompaq TCP/IP Services for OpenVMS

221

222

223

224

225

226

227

228

229

230

Conﬁguring TFTP

10.3 TFTP Security

For security purposes, the server runs as an unprivileged image that can access

only the directories and ﬁles for which it has read access.

Compaq recommends that you safeguard your system’s normal ﬁle protection

mechanisms from unauthorized TFTP access. In particular, ensure the security of

system ﬁles.

A client’s download request can use one of several formats for its ﬁle name

speciﬁcation:

• If the unprivileged TFTP server has read access to the requested ﬁle, the

client uses a fully qualiﬁed ﬁle name, including the device, directory, name,

and extension, to directly access the ﬁle.

• If the client speciﬁes only the ﬁle name and extension, the TFTP server

attempts to locate the ﬁle in the default TFTP directory tree.

You can designate this directory tree with the system logical name

TCPIP$TFTP_ROOT:. This is a concealed device name, usually pointing

to the directory SYS$SYSDEVICE:[TCPIP$TFTP_ROOT]. When looking for a

directory, the TFTP server looks ﬁrst in the TCPIP$TFTP_ROOT: area with

the same name as the requesting client’s host name.

For example, if a client named GULL.SHORE.COM sends a read request

for the ﬁle SERVICE.DAT, the server’s ﬁrst attempt to ﬁnd the ﬁle is in

TCPIP$TFTP_ROOT:[GULL]. If that directory does not exist, the server

next looks in the TCPIP$TFTP_ROOT: root directory, for example, in

TCPIP$TFTP_ROOT:[000000]SERVICE.DAT.

If the TFTP client requests a ﬁle by specifying a name in UNIX format (for

example,

/etc/gull/myfile

), TFTP translates this ﬁle speciﬁcation into

OpenVMS format.

The TFTP server runs as the nonprivileged OpenVMS user accounts

TCPIP$TFTP. When you set up TFTP, follow these security procedures:

• Ensure that neither server has automatic access to any ﬁles.

To make ﬁles accessible to the TFTP server, grant appropriate access to its

account. Use the normal OpenVMS ﬁle protection procedures. For example,

enter the DCL command DIRECTORY/SECURITY.

• Prevent unauthorized access to sensitive system or user data. Before you

enable TFTP, ensure that you have set up all the necessary ﬁle protections.

• Give the TCPIP$TFTP user account read access to the ﬁles in the

TCPIP$TFTP_ROOT: directory tree that might be used for downloading.

10.4 Solving TFTP Problems

The TFTP server is restricted to accessing only ﬁles or directories that OpenVMS

ﬁle system security measures allow. Verify that these ﬁles have the appropriate

protection and ownership so that the TFTP server has access to them. See

Section 10.3 for more information.

• Ensure that the TFTP server has access to directories and ﬁles. Set

protections accordingly.

• Create the target ﬁles to enable TFTP to reply to write requests.

10–4 Conﬁguring TFTP