Add a few feature test macros to benefit Digital Unix

[tftp-hpa.git] / README.security

Starting in version 0.17, tftp-hpa operates in genuine "wait" mode,
which means that an in.tftpd process hangs around for some time after
the last service request has arrived.  This speeds up servicing a
subsequent request, which apparently has been a problem in the past,
resulting in "request storms" as the client keeps retrying, resulting
in multiple connections on the server which the client has already
abandoned.

This also means that spawning tftp via tcpd is useless (in fact, this
indirection seems to be part of the reason for these "request
storms.")  Instead, tftp-hpa supports calling the tcpwrapper library
directly.  Thus, if your /etc/inetd.conf looks like this (all on one
line):

tftp    dgram   udp     wait    root    /usr/sbin/tcpd
/usr/sbin/in.tftpd -s /tftpboot -r blksize

... it's better to change to ...

tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd
in.tftpd -s /tftpboot -r blksize

You should make sure that you are using "wait" option in tftpd; you
also need to have tftpd spawned as root in order for chroot (-s) to
work.  tftpd automatically drops privilege and changes user ID to
"nobody" by default; the appropriate user ID for tftpd can be
specified with the -u option (e.g. "-u tftpuser").

If you are running a busy boot server, I would suggest to instead use
kernel-based firewalling rules, and to compile tftpd without
tcpwrapper support, in order to provide significantly better
performance.  To do so, specify the --without-tcpwrappers option to
configure when compiling; see the INSTALL.tftp file for more information.