Provided by: tftpd-hpa_5.2+20150808-1ubuntu1.16.04.1_amd64 bug


       tftpd - Trivial File Transfer Protocol server


       in.tftpd [options...]  directory...


       tftpd  is  a  server  for  the  Trivial  File  Transfer  Protocol.   The  TFTP protocol is
       extensively used to support remote booting of diskless devices.  The  server  is  normally
       started by inetd, but can also run standalone.


       --ipv4, -4
              Connect with IPv4 only, even if IPv6 support was compiled in.

       --ipv6, -6
              Connect with IPv6 only, if compiled in.

       -l, --listen
              Run  the server in standalone (listen) mode, rather than run from inetd.  In listen
              mode, the --timeout option is ignored, and the --address  option  can  be  used  to
              specify a specific local address or port to listen to.

       --foreground, -L
              Similar  to  --listen  but  do  not  detach  from  the foreground process.  Implies

       --address [address][:port], -a [address][:port]
              Specify a specific address and port to listen to when called with the  --listen  or
              --foreground  option.   The  default  is  to  listen  to the tftp port specified in
              /etc/services on all local addresses.

              Please note: Numeric IPv6 adresses must be enclosed in  square  brackets  to  avoid
              ambiguity with the optional port information.

       --create, -c
              Allow  new  files to be created.  By default, tftpd will only allow upload of files
              that already exist.  Files are created with default permissions allowing anyone  to
              read or write them, unless the --permissive or --umask options are specified.

       --secure, -s
              Change root directory on startup.  This means the remote host does not need to pass
              along the directory as part of the transfer, and may add security.   When  --secure
              is  specified,  exactly one directory should be specified on the command line.  The
              use of this option is recommended for security as well as compatibility  with  some
              boot ROMs which cannot be easily made to include a directory name in its request.

       --user username, -u username
              Specify  the  username  which tftpd will run as; the default is "nobody".  The user
              ID, group ID, and (if possible on the platform) the supplementary group IDs will be
              set to the ones specified in the system permission database for this username.

       --umask umask, -U umask
              Sets the umask for newly created files to the specified value.  The default is zero
              (anyone can read or  write)  if  the  --permissive  option  is  not  specified,  or
              inherited from the invoking process if --permissive is specified.

       --permissive, -p
              Perform  no  additional  permissions checks above the normal system-provided access
              controls for the user specified via the --user option.

       --pidfile pidfile, -P pidfile
              When run in standalone mode, write the process ID  of  the  listening  server  into
              pidfile.   On  normal termination (SIGTERM or SIGINT) the pid file is automatically

       --timeout timeout, -t timeout
              When run from inetd this specifies how long, in  seconds,  to  wait  for  a  second
              connection  before terminating the server.  inetd will then respawn the server when
              another request comes in.  The default is 900 (15 minutes.)

       --retransmit timeout, -T timeout
              Determine the  default  timeout,  in  microseconds,  before  the  first  packet  is
              retransmitted.   This  can  be  modified  by  the client if the timeout or utimeout
              option is negotiated.  The default is 1000000 (1 second.)

       --map-file remap-file, -m remap-file
              Specify the use of filename remapping.  The remap-file is  a  file  containing  the
              remapping rules.  See the section on filename remapping below.  This option may not
              be compiled in, see the output of in.tftpd -V  to  verify  whether  or  not  it  is

       --verbose, -v
              Increase the logging verbosity of tftpd.  This flag can be specified multiple times
              for even higher verbosity.

       --verbosity value
              Set the verbosity value to value.

       --refuse tftp-option, -r tftp-option
              Indicate that a specific RFC 2347 TFTP option should never be accepted.

       --blocksize max-block-size, -B max-block-size
              Specifies the maximum permitted block size.  The permitted range for this parameter
              is  from  512 to 65464.  Some embedded clients request large block sizes and yet do
              not handle fragmented packets correctly; for these clients, it  is  recommended  to
              set this value to the smallest MTU on your network minus 32 bytes (20 bytes for IP,
              8 for UDP, and 4 for TFTP; less if you  use  IP  options  on  your  network.)   For
              example, on a standard Ethernet (MTU 1500) a value of 1468 is reasonable.

       --port-range port:port, -R port:port
              Force  the  server port number (the Transaction ID) to be in the specified range of
              port numbers.

       --version, -V
              Print  the  version  number  and  configuration  to  standard  output,  then   exit


       This  version of tftpd supports RFC 2347 option negotation.  Currently implemented options

       blksize (RFC 2348)
              Set the transfer block size to anything less than or equal to the specified option.
              This  version  of tftpd can support any block size up to the theoretical maximum of
              65464 bytes.

       blksize2 (nonstandard)
              Set the transfer block size to anything less than or equal to the specified option,
              but  restrict  the  possible  responses to powers of 2.  The maximum is 32768 bytes
              (the largest power of 2 less than or equal to 65464.)

       tsize (RFC 2349)
              Report the size of the file that is about to be transferred.  This version of tftpd
              only supports the tsize option for binary (octet) mode transfers.

       timeout (RFC 2349)
              Set the time before the server retransmits a packet, in seconds.

       utimeout (nonstandard)
              Set the time before the server retransmits a packet, in microseconds.

       rollover (nonstandard)
              Set  the  block number to resume at after a block number rollover.  The default and
              recommended value is zero.

       The --refuse option can be used to disable specific options; this may be necessary to work
       around  bugs in specific TFTP client implementations.  For example, some TFTP clients have
       been found to request the blksize option, but crash with an error if they actually get the
       option accepted by the server.


       The --map-file option specifies a file which contains filename remapping rules.  Each non-
       comment line (comments begin with hash marks, #) contains an operation, specified below; a
       regex,  a  regular expression in the style of egrep; and optionally a replacement pattern.
       The operation indicated by operation is performed if the regex matches all or part of  the
       filename.   Rules are processed from the top down, and by default, all rules are processed
       even if there is a match.

       The operation can be any combination of the following letters:

       r      Replace the substring matched by regex by the replacement pattern.  The replacement
              pattern may contain escape sequences; see below.

       g      Repeat this rule until it no longer matches.  This is always used with r.

       i      Match the regex case-insensitively.  By default it is case sensitive.

       e      If this rule matches, end rule processing after executing the rule.

       s      If  this  rule  matches,  start rule processing over from the very first rule after
              executing this rule.

       a      If this rule matches, refuse the request and send an access  denied  error  to  the

       G      This rule applies to GET (RRQ) requests only.

       P      This rule applies to PUT (WRQ) requests only.

       4      This rule applies to IPv4 sessions only.

       6      This rule applies to IPv6 sessions only.

       ~      Inverse  the  sense  of  this  rule,  i.e.  execute the operation only if the regex
              doesn't match.  Cannot used together with r.

       The following escape sequences are recognized as part of the replacement pattern:

       \0     The entire string matched by the regex.

       \1 to \9
              The strings matched by each of the first nine parenthesized subexpressions, \(  ...
              \), of the regex pattern.

       \i     The  IP  address  of  the  requesting  host, in dotted-quad notation for IPv4 (e.g.
     or conventional colon form for IPv6 (e.g. 2001:db8::1).

       \x     The IP address of the requesting  host,  in  expanded  hexadecimal  notation  (e.g.
              C00002A9 for IPv4, or 20010DB8000000000000000000000001 for IPv6).

       \\     Literal backslash.

              Literal whitespace.

       \#     Literal hash mark.

       \U     Turns all subsequent letters to upper case.

       \L     Turns all subsequent letters to lower case.

       \E     Cancels the effect of \U or \L.

       If the mapping file is changed, you need to send SIGHUP to any outstanding tftpd process.


       The  use  of  TFTP  services does not require an account or password on the server system.
       Due to the lack of authentication information, tftpd will  allow  only  publicly  readable
       files  (o+r)  to  be  accessed, unless the --permissive option is specified.  Files may be
       written only if they already exist and are publicly writable, unless the  --create  option
       is  specified.   Note  that this extends the concept of ``public'' to include all users on
       all hosts that can be reached through the network; this may  not  be  appropriate  on  all
       systems,  and  its  implications  should  be  considered  before  enabling  TFTP  service.
       Typically, some kind of  firewall  or  packet-filter  solution  should  be  employed.   If
       appropriately  compiled  (see  the  output  of  in.tftpd  --version)  tftpd will query the
       hosts_access(5) database  for  access  control  information.   This  may  be  slow;  sites
       requiring  maximum  performance  may  want  to  compile  without  this  option and rely on
       firewalling or kernel-based packet filters instead.

       The server should be set to run as the user with the lowest possible privilege; please see
       the  --user flag.  It is probably a good idea to set up a specific user account for tftpd,
       rather than letting  it  run  as  "nobody",  to  guard  against  privilege  leaks  between

       Access  to  files  can,  and  should,  be  restricted  by  invoking  tftpd  with a list of
       directories by including pathnames as server program arguments on the  command  line.   In
       this  case  access  is  restricted  to  files whole names are prefixed by one of the given
       directories.  If possible, it is recommended that the --secure flag is used to  set  up  a
       chroot() environment for the server to run in once a connection has been set up.

       Finally, the filename remapping (--map-file flag) support can be used to provide a limited
       amount of additional access control.


       RFC 1123, Requirements for Internet Hosts - Application and Support.
       RFC 1350, The TFTP Protocol (revision 2).
       RFC 2347, TFTP Option Extension.
       RFC 2348, TFTP Blocksize Option.
       RFC 2349, TFTP Timeout Interval and Transfer Size Options.


       This version of tftpd is maintained by H. Peter Anvin  <>.   It  was  derived
       from,  but  has substantially diverged from, an OpenBSD source base, with added patches by
       Markus Gutschke and Gero Kulhman.


       tftp(1), egrep(1), umask(2), hosts_access(5), regex(7), inetd(8).