From: Paul Lalonde <plalonde@acm.org>
Date: Mon, 07 Apr 2025 21:29:35 +0000
Subject: [PATCH] Change user/namespace on connection instead of ahead of listening.


This means not losing any network setup in the parent namespace before listening for connections,
but still adequately limiting service to files accessible by "none".
---
diff 8a8a271fe4f2ea935c733c1ccd14ef9a51ed3ea9 e392db19c1c49befd5e3a79f0aa26b8f72208046
--- a/sys/src/cmd/ip/tftpd.c
+++ b/sys/src/cmd/ip/tftpd.c
@@ -170,14 +170,6 @@
 	fmtinstall('E', eipfmt);
 	fmtinstall('I', eipfmt);
 
-	/*
-	 * setuser calls newns, and typical /lib/namespace files contain
-	 * "cd /usr/$user", so call setuser before chdir.
-	 */
-	setuser();
-	if(chdir(homedir) < 0)
-		sysfatal("can't get to directory %s: %r", homedir);
-
 	if(!dbg)
 		switch(rfork(RFNOTEG|RFPROC|RFFDG)) {
 		case -1:
@@ -210,6 +202,13 @@
 			pid = getpid();
 			syslog(0, flog, "tftpd %d connection from %s dir %s",
 				pid, raddr, ldir);
+			/*
+			 * setuser calls newns, and typical /lib/namespace files contain
+			 * "cd /usr/$user", so call setuser before chdir.
+			 */
+			setuser();
+			if(chdir(homedir) < 0)
+				sysfatal("can't get to directory %s: %r", homedir);
 			doserve(dfd);
 			exits("done");
 			break;
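Review bot: With the drop to "none" moved into the per-connection path, everything ahead of `setuser()` now runs as the starting user in the original namespace, including the listener and the `syslog` call with `raddr` at the top of this hunk, and the moved comment does not say that this ordering is the security boundary. I would extend the comment with a line such as `* This is the privilege drop: nothing that reads client data may run before it.`, so a later edit does not slip request handling above the call. Whether `setuser()` can return without having switched user is not visible in this hunk; if it can, it needs a failure check like the one on `chdir` before `doserve(dfd)` runs. The enclosing switch case and function begin and end outside the hunk, so I am assuming this code runs in a per-connection child rather than in the listener.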
