TFTPd Configuration

Overview

Many network devices are able to upload and download firmware and configurations via the TFTP protocol. I have found it useful to use this feature with Netopia ENT routers, as it enables me to make backups of client configurations and update the firmware directly from my service laptop. OS X comes with tftpd preinstalled. On OS X Server, tftpd is used for NetBoot; on the standard client the framework still exists, it just is not enabled.

For Panther (10.3), this service was started by xinetd, whereas in Tiger (10.4) it is handled by launchd.

Panther Configuration

Overview

OS X 10.3 uses xinetd, also known as a super server, for starting services on demand. There is a considerable amount of documentation for xinetd available because of the FreeBSD underpinnings of OS X. Essentially, xinetd is used for resource throttling. When a service is started, xinetd consults the appropriate file located in /etc/xinetd.d. For tftpd, this is a file named tftp with the following content:

service tftp
{
	cps             = 200 5
	disable         = yes
	socket_type     = dgram
	wait            = yes
	user            = nobody
	server          = /usr/libexec/tftpd
	server_args     = /private/tftpboot
	groups          = yes
	flags           = REUSE
}

The server_args value holds the arguments passed to the tftpd command. In 10.3, the man page lists only a single option for tftpd, -s. This flag is meant to chroot the environment; however, it appears that the path name already provides this functionality, and using the -s flag prevents the service from working at all. The served directory can be any location you choose; its path is set on the server_args line. If you stick with the default configuration, you will need to create the tftpboot directory, as it does not exist on the standard client. Perform the following:

	cd /private
	sudo mkdir tftpboot
	sudo chmod 755 tftpboot
	sudo chown root:wheel tftpboot

Starting and Stopping

Starting the service can be done with the following command:

	sudo /sbin/service tftp start

Stopping the service:

	sudo /sbin/service tftp stop

Tiger Configuration

Overview

In Tiger, most services that were previously configured using xinetd have been migrated to launchd. launchd consults the settings located in the /System/Library/LaunchDaemons and /Library/LaunchDaemons directories. By default, Tiger has tftp.plist installed; however, it should be modified to suit your needs.

Back Up Your File

First, back up the default tftp.plist as shown below.

	cp /System/Library/LaunchDaemons/tftp.plist ~/Desktop/tftp.plist

Modify the tftp.plist

The stock tftp.plist includes only one program argument: -i. This flag prevents the use of realpath, which would translate relative links to a full path. I would recommend keeping this flag and adding the -s flag as well, which essentially chroots the environment. The modified tftp.plist is shown below; the entire contents of the file are as follows (note that there is no line break within the <!DOCTYPE statement):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>InitGroups</key>
	<true/>
	<key>Label</key>
	<string>com.apple.tftpd</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/libexec/tftpd</string>
		<string>-i</string>
		<string>-s</string>
		<string>/private/tftpboot</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockServiceName</key>
			<string>tftp</string>
			<key>SockType</key>
			<string>dgram</string>
		</dict>
	</dict>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<true/>
	</dict>
</dict>
</plist>

You may also wish to add the -l flag to the ProgramArguments block to log requests to syslog. Consult the tftpd man page for additional arguments.

In 10.4 the tftpboot directory already exists, so no other changes are necessary.
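As an added check (not part of the original page), the following script reads the argument vector tftpd is started with, from a launchd plist or from an xinetd stanza, and reports which of the hardening points discussed above are missing: a directory argument, the -s chroot flag and the -l logging flag. The embedded plist and xinetd text are constructed samples mirroring the files shown above; on Panther, remember that the author found -s to break the service, so treat that finding accordingly there.

```python
import plistlib
import re

# Constructed samples (not read from a live system): the default Tiger plist
# arguments (-i only) and the Panther xinetd stanza shown above.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.tftpd</string>
<key>ProgramArguments</key><array>
<string>/usr/libexec/tftpd</string><string>-i</string><string>/private/tftpboot</string>
</array></dict></plist>"""
XINETD_TFTP = """service tftp
{
	user            = nobody
	server          = /usr/libexec/tftpd
	server_args     = /private/tftpboot
}"""

def argv_from_plist(plist_bytes):
    """ProgramArguments of a launchd plist, i.e. the argv tftpd is started with."""
    return list(plistlib.loads(plist_bytes)["ProgramArguments"])

def argv_from_xinetd(text):
    """Reassemble argv from the server and server_args lines of an xinetd stanza."""
    conf = dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", text, re.M))
    return [conf["server"]] + conf.get("server_args", "").split()

def audit_tftpd_argv(argv):
    """List the hardening gaps in a tftpd argument vector (empty list = none found)."""
    flags = {a for a in argv[1:] if a.startswith("-")}
    dirs = [a for a in argv[1:] if not a.startswith("-")]
    findings = []
    if not dirs:
        findings.append("no directory argument: requests are not confined to a tree")
    if "-s" not in flags:
        findings.append("no -s: tftpd is not chrooted into the served directory")
    if "-l" not in flags:
        findings.append("no -l: requests are not logged to syslog")
    return findings

if __name__ == "__main__":
    for name, argv in (("tftp.plist", argv_from_plist(DEFAULT_PLIST)),
                       ("xinetd tftp", argv_from_xinetd(XINETD_TFTP))):
        print(name, argv, audit_tftpd_argv(argv) or ["ok"])
```

To audit a real file, replace DEFAULT_PLIST with the bytes of /System/Library/LaunchDaemons/tftp.plist (or XINETD_TFTP with the contents of /etc/xinetd.d/tftp).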

Starting and Stopping

The service may be started by the following:

	sudo launchctl load -w /System/Library/LaunchDaemons/tftp.plist

and stopped by:

	sudo launchctl unload -w /System/Library/LaunchDaemons/tftp.plist

General Usage

The TFTP protocol has no authentication, so any client that can reach the service can read and write files on your system; keep this in mind when choosing the storage directory. As a minimal security measure, tftpd requires that files already exist before they can be written to and that they are writable by all users. In general usage, I store firmware upgrades with read-only access. When capturing someone's firmware configuration, I perform the following:

	cd /private/tftpboot
	sudo touch netopia.conf
	sudo chmod 666 netopia.conf

At this point you're ready to start using the service to store configurations as needed. To test it, perform the following:

	cd ~/Desktop
	echo "THIS IS A TEST" > netopia.conf
	tftp localhost

This opens a tftp connection to the local server and switches to an interactive tftp session. Enter the following:

	tftp> verbose
	tftp> put netopia.conf
	tftp> quit

If no errors are returned, everything is working correctly. If not, check your firewall settings to ensure that UDP port 69 is open. Other issues may be due to syntax errors in tftp.plist or in the xinetd tftp file (depending on your OS version).
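The same test as a scripted client, added here and not part of the original page: it performs the RFC 1350 write-request exchange (WRQ, then DATA blocks acknowledged one by one) against the server, so a pre-created world-writable file yields "ok", a file that was not prepared as described above comes back as the server's ERROR packet, and a blocked UDP port 69 shows up as a timeout rather than a hang. The host, file name and payload in the main block are assumed test values.

```python
import socket
import struct
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5  # TFTP opcodes (RFC 1350)
BLOCK = 512                                 # fixed data block size

def build_wrq(filename, mode="octet"):
    """WRQ packet: opcode 2, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block, payload):
    """DATA packet: opcode 3, 16-bit block number, up to 512 bytes of payload."""
    return struct.pack("!HH", DATA, block) + payload

def parse_packet(pkt):
    """Return (opcode, detail): block number for ACK/DATA, (code, message) for ERROR."""
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (ACK, DATA):
        return opcode, struct.unpack("!H", pkt[2:4])[0]
    if opcode == ERROR:
        code = struct.unpack("!H", pkt[2:4])[0]
        return opcode, (code, pkt[4:].split(b"\0")[0].decode(errors="replace"))
    return opcode, None

def tftp_put(host, filename, data, port=69, timeout=3.0):
    """Write data to filename on the server; return 'ok', the server's error, or a timeout note."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_wrq(filename), (host, port))
        block, chunk = 0, b""
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK)  # server replies from a fresh port (its TID)
            opcode, detail = parse_packet(pkt)
            if opcode == ERROR:                   # e.g. the file was not pre-created/writable
                return "error %d: %s" % detail
            if opcode != ACK or detail != block:
                continue                          # stray or duplicate ACK: keep waiting
            if block > 0 and len(chunk) < BLOCK:
                return "ok"                       # short final block acknowledged
            block += 1
            chunk = data[(block - 1) * BLOCK:block * BLOCK]
            sock.sendto(build_data(block, chunk), peer)
    except socket.timeout:
        return "timeout: no reply on UDP port %d (firewall or service not loaded?)" % port
    finally:
        sock.close()

if __name__ == "__main__":
    print(tftp_put("127.0.0.1", "netopia.conf", b"THIS IS A TEST\n"))
```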