TFTPD as non-root user #5

Open

the-moog opened this issue May 17, 2024 · 1 comment

@the-moog

I think the issue with non-root in your readme is because it's always been like that. Here are some things to try:
Not sure there is a universal answer as it will depend on use cases and user permissions.

If your TFTP server program is inside docker (which btw uses namespaces) then you may need a combination of the following.
And also the same or similar settings within the container, and give permissions to docker itself. Though docker itself runs as root, it is deliberately restricted.

Normally Linux prevents non-root users from running programs that bind to ports/sockets less than 1024. This is to prevent a non-root user on a multi-user system from stealing a port, as this could be malicious, e.g. by redirecting a login or webpage to a fake terminal or application.
This was before the days of encryption and authentication. These days it's a little more relaxed but you need to get under the hood.

To allow an app to bind to a lower port you need to use one of the following.

Network namespaces would only be useful in a virtual network, e.g. for a VM.
systemd is too complicated to write up here and probably not what you need.
As for the others...

iptables

# something like
# nat PREROUTING only sees packets arriving from the network; locally generated
# traffic (e.g. a test client on the same host) goes through the nat OUTPUT chain instead
sudo iptables -t nat -A PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 6969
/path/to/tftpd.binary -p 6969 [command line args]

wrapper

# authbind allows the bind if the byport file is executable by the calling user;
# 777 lets every user bind 69, so a tighter choice is chown to the tftpd user plus chmod 500
sudo touch /etc/authbind/byport/69
sudo chmod 777 /etc/authbind/byport/69
authbind --deep /path/to/tftpd.binary [command line args]

setcap

# e = effective, i = inheritable, p = permitted; the capability is attached to the file,
# so it is lost when the binary is copied or rebuilt
sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/tftpd.binary
/path/to/tftpd.binary [command line args]

sysctl (not to be confused with systemctl)

# check the default in docker:
docker container exec <container_id> sysctl net.ipv4.ip_unprivileged_port_start
# check the host
grep ip_unprivileged_port_start /etc/sysctl.conf
cat /proc/sys/net/ipv4/ip_unprivileged_port_start

If it still does not play ball in your use case, then take a look at docker itself.
Remember to run the docker container with the --privileged flag.

docker (compose)

mytftpapp:
  cap_add:
    - "NET_BIND_SERVICE"
  # and/or perhaps
  sysctls:
    - net.ipv4.ip_unprivileged_port_start=60
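A preflight check for the options listed above, added here as an example; it is my own script, not code from this repo or from the comment. It reads the `ip_unprivileged_port_start` sysctl, parses `getcap` output for the file capability that `setcap` installs, decides which mechanism (if any) would let a given uid bind a given port, and then attempts a real UDP `bind()` so the resulting errno can be compared with the prediction. The binary path `/path/to/tftpd.binary` is a placeholder, and the iptables REDIRECT and authbind routes are external to the binary and are not detected.

```python
"""Preflight check: which mechanism (if any) lets a process bind a UDP port
below net.ipv4.ip_unprivileged_port_start?  Covers the sysctl threshold, root,
and file capabilities set with setcap.  iptables REDIRECT and authbind work
outside the binary and are not detected here."""
import errno
import os
import shutil
import socket
import subprocess
import sys


def read_unprivileged_port_start(path="/proc/sys/net/ipv4/ip_unprivileged_port_start"):
    """Lowest port a non-root process may bind (kernel default 1024)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 1024


def parse_getcap(output):
    """Parse `getcap <file>` output into {capability: flags}.

    Handles both libcap output formats:
      old: /usr/sbin/in.tftpd = cap_net_bind_service+eip
      new: /usr/sbin/in.tftpd cap_net_bind_service=eip
    A file with no capabilities produces empty output -> {}.
    """
    caps = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        spec = tokens[-1]          # the capability spec is the last token
        for op in ("+", "="):
            if op in spec:
                names, flags = spec.rsplit(op, 1)
                break
        else:
            continue               # no capability spec on this line
        for name in names.split(","):
            caps[name.strip()] = flags
    return caps


def binding_mechanism(port, uid, unprivileged_start, file_caps):
    """Return why a bind() of `port` is expected to succeed, or None (EACCES).

    Simplifying assumption: a uid-0 process is treated as holding
    CAP_NET_BIND_SERVICE.  In a container started with --cap-drop that may
    not hold, and the bind would still fail.
    """
    if port >= unprivileged_start:
        return "unprivileged-port"
    if uid == 0:
        return "root"
    flags = file_caps.get("cap_net_bind_service", "")
    # setcap cap_net_bind_service=+eip: the capability must be both permitted
    # (p) and effective (e) on the file for a plain bind() to be allowed.
    if "p" in flags and "e" in flags:
        return "file-capability"
    return None


def inspect_file_caps(binary):
    """Run getcap on the binary; {} if getcap is missing or the file has none."""
    getcap = shutil.which("getcap")
    if getcap is None or not os.path.exists(binary):
        return {}
    proc = subprocess.run([getcap, binary], capture_output=True, text=True)
    return parse_getcap(proc.stdout)


def try_bind_udp(port, host="127.0.0.1"):
    """Attempt the bind from this process; 0 on success, else the errno.

    Note: this tests the Python interpreter's own privileges, so a file
    capability on the tftpd binary does not apply to this call."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholder path; pass the real tftpd binary as the first argument.
    binary = sys.argv[1] if len(sys.argv) > 1 else "/path/to/tftpd.binary"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 69
    start = read_unprivileged_port_start()
    caps = inspect_file_caps(binary)
    why = binding_mechanism(port, os.geteuid(), start, caps)
    print(f"ip_unprivileged_port_start={start} euid={os.geteuid()} caps={caps}")
    print(f"port {port}: {'allowed via ' + why if why else 'expected EACCES'}")
    rc = try_bind_udp(port)
    print("bind() from this process:", "ok" if rc == 0 else errno.errorcode.get(rc, rc))
```

Run it inside the container as the service user (`python3 preflight.py /usr/sbin/in.tftpd 69`) and on the host to see which side is actually refusing the bind; a `sysctls` entry in the compose file shows up as a lowered threshold, while `cap_add` only matters for root inside the container.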
@kalaksi
Owner

kalaksi commented May 22, 2024

Thanks for the tips. Tftpd is already running on port 1069 inside the container, though, with the port mapped to 69 on the host by docker (see the example docker-compose.yml in the repo), so I don't think the port is the issue. Can't really remember what problems I was facing, but it's probably related to how tftpd works and assumes it has root privileges (which it drops later).
