TCP/IP and Data Communications Administration Guide

/etc/uucp/Permissions File

The /etc/uucp/Permissions file specifies the permissions that remote computers have with respect to login, file access, and command execution. There are options that restrict the remote computer's ability to request files and its ability to receive files queued by the local machine. Another option is available that specifies the commands that a remote machine can execute on the local computer.

Structuring Entries

Each entry is a logical line, with physical lines terminated by a backslash (\) to indicate continuation. Entries are made up of options delimited by blank space. Each option is a name-value pair in the following format:

name=value

Values can be colon-separated lists. No blank space is allowed within an option assignment.

Comment lines begin with a pound sign (#), and they occupy the entire line up to a newline character. Blank lines are ignored (even within multiple-line entries).

The types of Permissions file entries are:


Note -

When a remote machine calls you, its identity is questionable unless it has a unique login and verifiable password.


LOGNAME entries contain a LOGNAME option and MACHINE entries contain a MACHINE option. One entry can contain both options.
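As an added example (not part of the guide), a small Python parser that applies the structuring rules above: backslash continuation, blank-space-delimited name=value options, colon-separated value lists, comment lines, and blank lines ignored even inside a multi-line entry. The sample file is constructed for the example.

```python
"""Parse /etc/uucp/Permissions entries (added example, not from the guide)."""


def parse_permissions(text):
    """Return a list of entries; each entry maps an option NAME to its list of values.

    A logical line continues when a physical line ends in a backslash; options
    are separated by blank space; each option is name=value with colon-separated
    values; lines beginning with '#' are comments; blank lines are ignored even
    inside a multi-line entry.
    """
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank and comment lines never end an entry
        if line.endswith("\\"):
            logical += line[:-1] + " "    # continuation: keep collecting
            continue
        logical += line
        entries.append(_parse_entry(logical))
        logical = ""
    if logical.strip():                   # file ended with a dangling continuation
        entries.append(_parse_entry(logical))
    return entries


def _parse_entry(logical):
    entry = {}
    for option in logical.split():
        if "=" not in option:
            raise ValueError("option without '=': %r" % option)
        name, value = option.split("=", 1)
        entry[name] = value.split(":")    # values are colon-separated lists
    return entry


# Constructed sample modelled on the entries shown in this guide.
SAMPLE = """\
# remote machines we call
MACHINE=eagle:owl:hawk REQUEST=yes \\
COMMANDS=rmail:/usr/local/rnews \\

READ=/ WRITE=/
LOGNAME=uucpz VALIDATE=eagle:owl:hawk \\
REQUEST=yes SENDFILES=yes
"""

ENTRIES = parse_permissions(SAMPLE)
```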

Considerations

When using the Permissions file to restrict the level of access granted to remote computers, you should consider the following:

REQUEST Option

When a remote computer calls your computer and requests to receive a file, this request can be granted or denied. The REQUEST option specifies whether the remote computer can request to set up file transfers from your computer. The string REQUEST=yes specifies that the remote computer can request to transfer files from your computer. The string REQUEST=no specifies that the remote computer cannot request to receive files from your computer. This is the default value; it is used if the REQUEST option is not specified. The REQUEST option can appear in either a LOGNAME (remote computer calls you) entry or a MACHINE (you call remote computer) entry.

SENDFILES Option

When a remote computer calls your computer and completes its work, it can attempt to take work your computer has queued for it. The SENDFILES option specifies whether your computer can send the work queued for the remote computer.

The string SENDFILES=yes specifies that your computer can send the work that is queued for the remote computer as long as it is logged in as one of the names in the LOGNAME option. This string is mandatory if you have entered Never in the Time field of /etc/uucp/Systems. This designation sets up your local machine in passive mode; it is not allowed to initiate a call to this particular remote computer. (See "/etc/uucp/Systems File" for more information.)

The string SENDFILES=call specifies that files queued in your computer are sent only when your computer calls the remote computer. The call value is the default for the SENDFILES option. This option is only significant in LOGNAME entries since MACHINE entries apply when calls are made out to remote computers. If the option is used with a MACHINE entry, it is ignored.

MYNAME Option

This option enables you to designate a unique UUCP node name for your computer in addition to its TCP/IP host name, as returned by the hostname command. For instance, if you have unknowingly given your host the same name as that of some other system, you might want to set the MYNAME option of the Permissions file. Or if you want your organization to be known as widget but all your modems are connected to a machine with the host name gadget, you can have an entry in gadget's Permissions file that says:


LOGNAME=Uworld MYNAME=widget

Now the system world can log in to the machine gadget as if it were logging in to widget. In order for machine world to know you also by the aliased name widget when you call it, you can have an entry that says:


MACHINE=world MYNAME=widget

You can also use the MYNAME option for testing purposes, since it allows your machine to call itself. However, since this option could be used to mask the real identity of a machine, you should use the VALIDATE option, as described in "VALIDATE Option".

READ and WRITE Options

These options specify the various parts of the file system that uucico can read from or write to. You can designate READ and WRITE options with either MACHINE or LOGNAME entries.

The default for both the READ and WRITE options is the uucppublic directory, as shown in the following strings:


READ=/var/spool/uucppublic WRITE=/var/spool/uucppublic 

The strings READ=/ and WRITE=/ specify permission to access any file that can be accessed by a local user with Other permissions.

The value of these entries is a colon-separated list of path names. The READ option is for requesting files, and the WRITE option is for depositing files. One of the values must be the prefix of any full path name of a file coming in or going out. To grant permission to deposit files in /usr/news as well as the public directory, use the following values with the WRITE option:


WRITE=/var/spool/uucppublic:/usr/news 

If the READ and WRITE options are used, all path names must be specified because the path names are not added to the default list. For instance, if the /usr/news path name were the only one specified in a WRITE option, permission to deposit files in the public directory would be denied.

You should be careful which directories you make accessible for reading and writing by remote systems. For example, the /etc directory contains many critical system files; remote users should not have permission to deposit files in this directory.

NOREAD and NOWRITE Options

The NOREAD and NOWRITE options specify exceptions to the READ and WRITE options or defaults. The entry:


READ=/ NOREAD=/etc WRITE=/var/spool/uucppublic 

permits reading any file except those in the /etc directory (and its subdirectories--remember, these are prefixes). It permits writing only to the default /var/spool/uucppublic directory. NOWRITE works in the same manner as the NOREAD option. You can use the NOREAD and NOWRITE options in both LOGNAME and MACHINE entries.
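An added example, not from the guide: a Python check that applies the READ, WRITE, NOREAD and NOWRITE rules above to a requested path, including the uucppublic default, the rule that an explicit list replaces the default rather than extending it, and the exceptions. It matches on whole directory components rather than on raw string prefixes and rejects paths containing "..". The entries are constructed for the example.

```python
import posixpath

PUBLIC = "/var/spool/uucppublic"   # the guide's default for both READ and WRITE


def _under(path, prefix):
    """True if path equals prefix or lies below it (whole directory components only)."""
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def path_allowed(entry, path, mode):
    """Decide whether uucico may read (mode 'READ') or write (mode 'WRITE') path.

    entry is a parsed Permissions entry: option name -> list of values.  Rules
    from the guide: READ/WRITE values are path prefixes, the default is
    uucppublic only, an explicit list replaces that default entirely, and
    NOREAD/NOWRITE carve exceptions out of whatever READ/WRITE allow.
    """
    if mode not in ("READ", "WRITE"):
        raise ValueError("mode must be READ or WRITE")
    if ".." in path.split("/"):            # refuse paths that could climb out of a prefix
        return False
    allowed = entry.get(mode, [PUBLIC])
    denied = entry.get("NO" + mode, [])
    if any(_under(path, d) for d in denied):
        return False
    return any(_under(path, a) for a in allowed)


# Constructed entries mirroring the guide's examples.
DEFAULTS = {"LOGNAME": ["uucpguest"]}
NEWS_ONLY = {"LOGNAME": ["uucpnews"], "WRITE": ["/usr/news"]}
NO_ETC = {"LOGNAME": ["uucpz"], "READ": ["/"], "NOREAD": ["/etc"],
          "WRITE": ["/var/spool/uucppublic"]}
```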

CALLBACK Option

You can use the CALLBACK option in LOGNAME entries to specify that no transaction takes place until the calling system is called back. There are two reasons to set up CALLBACK: For security purposes, if you call back a machine, you can be sure it is the right machine. For accounting purposes, if you are doing long data transmissions, you can choose the machine that is billed for the longer call.

The string CALLBACK=yes specifies that your computer must call the remote computer back before any file transfers can take place.

The default for the CALLBACK option is CALLBACK=no. If you set CALLBACK to yes, then the permissions that affect the rest of the conversation must be specified in the MACHINE entry corresponding to the caller. Do not specify these permissions in the LOGNAME, or in the LOGNAME entry that the remote machine might have set for your host.


Note -

If two sites have the CALLBACK option set for each other, a conversation never gets started.


COMMANDS Option


Caution -

The COMMANDS option can compromise the security of your system. Use it with extreme care.


You can use the COMMANDS option in MACHINE entries to specify the commands that a remote computer can execute on your machine. The uux program generates remote execution requests and queues them to be transferred to the remote computer. Files and commands are sent to the target computer for remote execution. This is an exception to the rule that MACHINE entries apply only when your system calls out.

Note that COMMANDS is not used in a LOGNAME entry; COMMANDS in MACHINE entries defines command permissions, whether you call the remote system or it calls you.

The string COMMANDS=rmail specifies the default commands that a remote computer can execute on your computer. If a command string is used in a MACHINE entry, the default commands are overridden. For instance, the entry:


MACHINE=owl:raven:hawk:dove COMMANDS=rmail:rnews:lp 

overrides the COMMANDS default so that the computers named owl, raven, hawk, and dove can now execute rmail, rnews, and lp on your computer.

In addition to the names as specified above, there can be full path names of commands. For example:


COMMANDS=rmail:/usr/local/rnews:/usr/local/lp 

specifies that command rmail uses the default search path. The default search path for UUCP is /bin and /usr/bin. When the remote computer specifies rnews or /usr/local/rnews for the command to be executed, /usr/local/rnews is executed regardless of the default path. Likewise, /usr/local/lp is the lp command that is executed.

Including the ALL value in the list means that any command from the remote computers specified in the entry will be executed. If you use this value, you give the remote computers full access to your machine.


Caution -

This allows far more access than normal users have. You should use this value only when both machines are at the same site, are closely connected, and the users are trusted.


The string:


COMMANDS=/usr/local/rnews:ALL:/usr/local/lp 

illustrates two points:

You should use the VALIDATE option whenever you specify potentially dangerous commands like cat and uucp with the COMMANDS option. Any command that reads or writes files is potentially dangerous to local security when executed by the UUCP remote execution daemon (uuxqt).
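Added example, not from the guide: a Python function that maps a remote execution request onto what uuxqt would run under a given COMMANDS list, covering names searched along the default path, entries given by full path, the rmail default, and ALL. The COMMANDS lists are the ones shown in this section.

```python
import posixpath

DEFAULT_COMMANDS = ["rmail"]          # default COMMANDS value named in the guide
DEFAULT_PATH = ["/bin", "/usr/bin"]   # default UUCP search path named in the guide


def resolve_command(commands, requested):
    """Map a remote execution request onto what uuxqt would run.

    commands is the COMMANDS list from the sending machine's MACHINE entry
    (DEFAULT_COMMANDS if it has none); requested is the command the remote
    side asked for, as a bare name or a full path.  Returns:
      - the full path for an entry given with its path (run as given,
        whatever the default search path says),
      - the bare name for an entry given by name (looked up along
        DEFAULT_PATH at run time),
      - the request unchanged when the list contains ALL and nothing more
        specific matched,
      - None when the request is refused.
    """
    for entry in commands:
        if entry == "ALL":
            continue                   # a more specific entry still wins over ALL
        if entry.startswith("/"):
            # A path entry matches a request for the path or for its basename.
            if requested in (entry, posixpath.basename(entry)):
                return entry
        elif requested == entry:
            return entry
    return requested if "ALL" in commands else None


def effective_commands(entry):
    """COMMANDS list for a parsed MACHINE entry, falling back to the default."""
    return entry.get("COMMANDS", DEFAULT_COMMANDS)


# COMMANDS lists taken from this section of the guide.
MIXED = ["rmail", "/usr/local/rnews", "/usr/local/lp"]
WITH_ALL = ["/usr/local/rnews", "ALL", "/usr/local/lp"]
```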

VALIDATE Option

Use the VALIDATE option in conjunction with the COMMANDS option whenever you specify commands that are potentially dangerous to your machine's security. (VALIDATE is merely an added level of security on top of the COMMANDS option, though it is a more secure way to open command access than ALL.)

VALIDATE provides a certain degree of verification of the caller's identity by cross-checking the host name of a calling machine against the login name it uses. The string:


LOGNAME=Uwidget VALIDATE=widget:gadget 

ensures that if any machine other than widget or gadget tries to log in as Uwidget, the connection is refused. The VALIDATE option requires privileged computers to have a unique login and password for UUCP transactions. An important aspect of this validation is that the login and password associated with this entry are protected. If an outsider gets that information, that particular VALIDATE option can no longer be considered secure.

Carefully consider which remote computers you will grant privileged logins and passwords for UUCP transactions. Giving a remote computer a special login and password with file access and remote execution capability is like giving anyone on that computer a normal login and password on your computer. Therefore, if you cannot trust someone on the remote computer, do not provide that computer with a privileged login and password.

The LOGNAME entry:


LOGNAME=uucpfriend VALIDATE=eagle:owl:hawk 

specifies that if one of the remote computers that claims to be eagle, owl, or hawk logs in on your computer, it must have used the login uucpfriend. If an outsider gets the uucpfriend login and password, masquerading is easy.

But what does this have to do with the COMMANDS option, which appears only in MACHINE entries? It links the MACHINE entry (and COMMANDS option) with a LOGNAME entry associated with a privileged login. This link is needed because the execution daemon is not running while the remote computer is logged in. In fact, it is an asynchronous process that does not know which computer sent the execution request. Therefore, the real question is, how does your computer know where the execution files came from?

Each remote computer has its own spool directory on your local machine. These spool directories have write permission given only to the UUCP programs. The execution files from the remote computer are put in its spool directory after being transferred to your computer. When the uuxqt daemon runs, it can use the spool directory name to find the MACHINE entry in the Permissions file and get the COMMANDS list. Or, if the computer name does not appear in the Permissions file, the default list is used.

This example shows the relationship between the MACHINE and LOGNAME entries:


MACHINE=eagle:owl:hawk REQUEST=yes \ 
COMMANDS=rmail:/usr/local/rnews \ 
READ=/ WRITE=/ 
LOGNAME=uucpz VALIDATE=eagle:owl:hawk \ 
REQUEST=yes SENDFILES=yes \ 
READ=/ WRITE=/ 

The value in the COMMANDS option means that remote users can execute rmail and /usr/local/rnews.

In the first entry, you must assume that when you want to call one of the computers listed, you are really calling either eagle, owl, or hawk. Therefore, any files put into one of the eagle, owl, or hawk spool directories are put there by one of those computers. If a remote computer logs in and says that it is one of these three computers, its execution files are also put in the privileged spool directory. You therefore have to validate that the computer has the privileged login uucpz.
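Added example (not the guide's code): a Python lint over parsed entries (option name to list of values) that applies the cross-checks described in this section and in the earlier option descriptions, in particular that a privileged MACHINE entry is backed by a VALIDATE list on a LOGNAME entry. The sample entries are constructed, modelled on the examples above, with one deliberately sloppy entry.

```python
DEFAULT_COMMANDS = ["rmail"]         # default COMMANDS value from the guide
PUBLIC = "/var/spool/uucppublic"     # default READ/WRITE directory from the guide


def lint_permissions(entries):
    """Return warnings for parsed Permissions entries (option name -> list of values).

    Checks taken from this guide: a privileged MACHINE entry (COMMANDS beyond
    the default, ALL, or READ/WRITE outside uucppublic) should be backed by a
    LOGNAME entry whose VALIDATE list names the machine; SENDFILES is ignored in
    MACHINE entries; COMMANDS is not used in LOGNAME entries; with CALLBACK=yes
    the remaining permissions belong in the MACHINE entry.
    """
    validated = set()
    for e in entries:
        if "LOGNAME" in e:
            validated.update(e.get("VALIDATE", []))
    warnings = []
    for e in entries:
        names = ":".join(e.get("MACHINE", []) + e.get("LOGNAME", []))
        if "LOGNAME" in e:
            if "COMMANDS" in e:
                warnings.append(f"{names}: COMMANDS is not used in a LOGNAME entry")
            misplaced = {"READ", "WRITE", "REQUEST"} & set(e)
            if e.get("CALLBACK") == ["yes"] and misplaced:
                warnings.append(f"{names}: CALLBACK=yes, move {sorted(misplaced)} to the MACHINE entry")
        if "MACHINE" in e:
            if "SENDFILES" in e and "LOGNAME" not in e:
                warnings.append(f"{names}: SENDFILES is ignored in a MACHINE entry")
            cmds = e.get("COMMANDS", DEFAULT_COMMANDS)
            if "ALL" in cmds:
                warnings.append(f"{names}: COMMANDS contains ALL (full access to this machine)")
            privileged = (set(cmds) - set(DEFAULT_COMMANDS)
                          or set(e.get("READ", [PUBLIC]) + e.get("WRITE", [PUBLIC])) - {PUBLIC})
            for m in e["MACHINE"]:
                if privileged and m != "OTHER" and m not in validated:
                    warnings.append(f"{m}: privileged MACHINE entry with no VALIDATE in any LOGNAME entry")
    return warnings


# Constructed entries modelled on the guide's examples; the dove entry is the sloppy one.
SAMPLE = [
    {"MACHINE": ["eagle", "owl", "hawk"], "REQUEST": ["yes"],
     "COMMANDS": ["rmail", "/usr/local/rnews"], "READ": ["/"], "WRITE": ["/"]},
    {"LOGNAME": ["uucpz"], "VALIDATE": ["eagle", "owl", "hawk"], "REQUEST": ["yes"],
     "SENDFILES": ["yes"], "READ": ["/"], "WRITE": ["/"]},
    {"MACHINE": ["dove"], "COMMANDS": ["rmail", "rnews", "lp"], "SENDFILES": ["yes"]},
    {"LOGNAME": ["uucpguest"], "COMMANDS": ["rmail"]},
]
```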

MACHINE Entry for OTHER

You might want to specify different option values for remote machines that are not mentioned in specific MACHINE entries. The need might arise when many computers are calling your host, and the command set changes from time to time. The name OTHER for the computer name is used for this entry as shown in this example:


MACHINE=OTHER \ 
COMMANDS=rmail:rnews:/usr/local/Photo:/usr/local/xp 

All other options available for the MACHINE entry can also be set for the computers that are not mentioned in other MACHINE entries.

Combining MACHINE and LOGNAME

You can combine MACHINE and LOGNAME entries into a single entry where the common options are the same. For example, the two entries:


MACHINE=eagle:owl:hawk REQUEST=yes \ 
READ=/ WRITE=/

and:


LOGNAME=uucpz REQUEST=yes SENDFILES=yes \
READ=/ WRITE=/

share the same REQUEST, READ, and WRITE options. You can merge them, as shown:


MACHINE=eagle:owl:hawk REQUEST=yes \ 
LOGNAME=uucpz SENDFILES=yes \
READ=/ WRITE=/

Combining MACHINE and LOGNAME entries makes the Permissions file more manageable and efficient.

Forwarding

When sending files through a series of machines, the intermediary machines must have the command uucp among their COMMANDS options. That is, if you type the command:


% uucp sample.txt oak\!willow\!pine\!/usr/spool/uucppublic

This forwarding operation works only if machine willow permits oak to execute the program uucp, and if oak permits your machine to do the same. The machine pine, being the last machine designated, does not have to permit the command uucp. Machines are not normally set up this way.