Cygwin tftpd cannot drop privileges?

Question

I am running Cygwin64 on two Win10 machines, one Home and one Pro. My software uses tftpd to receive a CSV from a network peer. tftpd is run from init (package sysvinit) with this line:

td:2345:respawn:/usr/sbin/tftpd -vvvvv -L -c -p -u Larry -U 000 -s /tmp

There is no xinetd running, no xinetd or tftp configuration file that I know of. On the Win10 Home system, which is my development system, this works. On the Win10 Pro system, it fails. The client times out. There is no entry in /var/log/messages (syslog-ng). Windows Application Log says "Cannot drop privileges: operation not permitted"

When I stop init and run that command line in a shell, it works and clients can transfer files in. But my system needs the respawn management of init. The pattern was set 12 years ago with Cygwin32 on Win7. My customer is now updating the PC and we have this glitch. If I were developing now, I would put the function on a raspi, but this is just a PC change.

Can anyone recommend a configuration to get the execution of tftpd under init under cygwin under Win10 Pro closer to that of the same command line in a user shell?

Edit 1: I also tried suid. tftpd.exe is owned by the user account, not SYSTEM or whatever cygwin has for root. Suid does not set permissions in a way that solves the problem.

Edit 2: adding cygdrop to the inittab line does not help.

Answer 1

Short version: Remove tftp and tftp-server, and install inetutils-server and inetutils for the old version. Remove -u USER flag when running tftpd. The old tftp version doesn't require dropping privilege.

Longer story:

I tried picking up where you left off, found some resources... wasted hours.

From /usr/share/doc/Cygwin/tftp.README

run tftpd-config to create the unprivileged local account tftpd.

$ /usr/bin/tftpd-config
*** Info: Initially, tftpd runs as a privileged user in order to
*** Info: chroot for security. However, it immediately drops privileges
*** Info: but needs an ordinary, unprivileged user account to do so.
*** Query: Create an unprivileged user 'tftpd' for this purpose? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'tftpd'? (yes/no) yes
*** Query: Overwrite existing /etc/inetd.d/tftp file? (yes/no) yes
*** Info: Creating default /etc/inetd.d/tftp file
*** Info: Updated /etc/inetd.d/tftp

*** Info: tftpd configuration finished. Have fun!
*** Info: If you did NOT install tftpd as a standalone service, then
*** Info: you may need to modify /etc/inetd.d/tftp or /etc/xinetd.d/tftp
*** Info: depending on which superserver you wish to use to control
*** Info: tftpd

After this, I still couldn't run it. I tried net user tftpd /active:YES and found that the user is now created but needs the password updated to meet policy requirements. I created a password and was able to enable the user.

$ net user tftpd /active:YES
The command completed successfully.

Still fails: $ /usr/sbin/tftpd -vvv -c -L -p -U 022 -u tftpd -s /tftpboot. Windows still says no user tftpd. From my xinetd install, I recall that the service nomenclature is computername+account. I modify my command to $ /usr/sbin/tftpd -vvv -c -L -p -U 022 -u mycomputer+tftpd -s /tftpboot and it now runs!

Attempting to push a file to my computer still fails. Windows application logs now say tftpd: PID 2467: cannot drop privileges: Operation not permitted

I gave up too.

I did find in the /usr/share/doc/Cygwin/tftp.README

The tftp-hpa tftpd server differs from inetutils one, with respect to how
user privileges are handled.  The inetutils tftpd requires that tftpd be

So I removed tftp, and installed inetutils-server and inetutils in favor of the old version of tftpd. Removed -u USER flag BOOM! Works.

Answer 2

Guess this one will be another tumbleweed. I found no good answers in 3 days of grinding. The problem seems to involve domain vs. local users in Windows, and how Cygwin interacts with the Windows user database, whatever that is. I ended up running the tftp server in an infinite-looping batch file that starts at user login, but is vulnerable to somebody killing the top level shell. Along the way, I recompiled tftpd-hpa for Cygwin and commented out the user ID change - that worked on my PC but not the customer's. If they have problems with the solution I may just retarget to raspi.