![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to AppendixIV CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Research Unix] / researchv10no / cmd / uucp / doc / admin|
Return to AppendixIV CVS log | Up to [Research Unix] / researchv10no / cmd / uucp / doc / admin |
1.1 root 1: .H 1 Introduction
2: The Permissions file replaces the USERFILE for uucp.
3: It's purpose is to specify the permission that remote sites
4: have with respect to login, file access, and command
5: execution.
6: Options provide for restricting the ability to request files and
7: the ability to receive files queued by the local site.
8: In addition, an option is available to specify the commands that a
9: remote site can execute on the local system.
10: .P
11: The next section gives three Permissions' file entries.
12: Taken together, they provide all the entries needed by most
13: sites running the uucp system.
14: Section three gives the basics of the syntax and semantics of the
15: Permissions file.
16: The remainder of the documents gives a detailed explanation of the
17: options available, their uses, and setting up the default values.
18: .H 1 " Starting Examples"
19: The first example is the model of an entry for the public login on
20: your system;
21: it represents the most restrictive access to your system.
22: .HU "Example 1"
23: .sp
24: .nf
25: LOGNAME=nuucp
26: .fi
27: .sp
28: It states that login "nuucp" has all the default permissions/restrictions:
29: .BL
30: .LI
31: The remote site can send files exclusively to the \fIuucp public\fR directory.
32: (usually /usr/spool/uucppublic)
33: .LI
34: The remote site can \fInot\fR request to receive any files.
35: .LI
36: \fINo\fR files that are queued for the remote site will be transferred
37: during the present session.
38: .LI
39: The only commands that can be executed are the defaults--usually
40: "rmail".
41: (See section 6 for details on how to set this default.)
42: .LE
43: .P
44: This entry alone is sufficient to start communications with remote sites,
45: permitting files to be transferred to the uucp public directory by request of
46: the remote site.
47: .HU "Example 2"
48: The next entry is for remote sites that log in, but have fewer restrictions.
49: The login and passwd corresponding to this entry should not be distributed
50: to the general public;
51: it is usually reserved for closely coupled systems where the Systems file
52: information can be tightly controlled.
53: .sp
54: .nf
55: LOGNAME=uucpz REQUEST=yes SENDFILES=yes \\
56: READ=/ WRITE=/
57: .fi
58: .sp
59: This entry provides the following permissions
60: when a remote site logs in as "uucpz":
61: .BL
62: Files can be requested from the local site (REQUEST option).
63: .LI
64: Files can be transferred to any directory or any file
65: that is writable by user "other"--that is
66: a file/directory that is writable by a local user with
67: neither owner nor group permissions.
68: (Option WRITE controls this permission.)
69: .LI
70: Any files readable by user "other" can be requested.
71: (Option READ controls this permission.)
72: .LI
73: Any requests queued by the local site will be executed during
74: the conversation;
75: these are requests by local users that are destined for the
76: site that is calling in.
77: (SENDFILES option).
78: .LI
79: The commands sent for execution on the local system by the remote
80: must be in the default set ( usually "rmail").
81: .LE
82: .HU "Example 3"
83: Thus far, the examples showed entries that referred to remote sites
84: when they log in to the local system.
85: This example is an entry used when calling a remote site.
86: .sp
87: .nf
88: MACHINE=mhtsa:mhtsb:mhtsc:pwbcc \\
89: REQUEST=yes READ=/ WRITE=/
90: .fi
91: .sp
92: When calling any of the systems given in the MACHINE list,
93: the following permissions prevail:
94: .BL
95: .LI
96: The remote site can both request and send files (REQUEST option).
97: .LI
98: The source or destination of the files on the local system can
99: be anywhere in the file system.
100: .LI
101: The only commands that will be executed for the remote site
102: are those in the default list.
103: .LE
104: .P
105: Any site that is called that does not have its name in a MACHINE
106: entry will have the default permissions as stated in "example 1"
107: with the exception that files queued for that site will be sent (the SENDFILES
108: option only has meaning in a LOGNAME entry).
109: .P
110: It is possible to put these
111: three examples together to form a Permissions file that
112: can be used by a system with a public login for remote sites
113: and several closely coupled machines.
114: .H 1 Basics
115: Each \fIentry\fR is a logical line;
116: physical lines are terminated with a "\\" to indicate continuation.
117: Entries are made up of "white space" delimited \fIoptions\fR.
118: Each option is a name/value pair;
119: these are constructed by an option name followed by a "=" followed by
120: the value.
121: Note that \fIno\fR white space is allowed within an option assignment.
122: .P
123: Comment lines begin with '#';
124: they occupy the entire line up to a newline character.
125: Blank lines are ignored (even within multi line entries).
126: .P
127: There are two types of entries:
128: .BL
129: .LI
130: LOGNAME entries specify permissions for remote sites
131: when they log in to the local machine.
132: .LI
133: MACHINE entries
134: specify permissions for sites that the local machine call.
135: .LE
136: .P
137: LOGNAME entries will contain a LOGNAME option.
138: MACHINE entries will contain a MACHINE option.
139: .H 1 "Some Rules"
140: \fIRULE\fR:--All login ids used by remote sites to login for uucp
141: \fImust\fR appear in one and only one LOGNAME entry.
142: .P
143: \fIRULE\fR:--Any site that is called whose name
144: \fIdoes not\fR appear in a
145: MACHINE entry in the Permissions file will have the following
146: default permissions/restrictions:
147: .BL
148: .LI
149: Local send and receive requests will be executed.
150: .LI
151: The remote can send files to the system's public uucp directory.
152: .LI
153: The commands sent by the remote for execution on the local machine
154: must be in the default set--usually "rmail" and "rnews".
155: .LE
156: .H 1 "Options"
157: This section give the details of each option, specifying how they are
158: used and their default values.
159: .HU "MACHINE"
160: The MACHINE entry specifies the permissions that take effect when
161: a remote site is called.
162: .sp
163: .nf
164: MACHINE=mhtsa
165: .fi
166: .sp
167: is the start of an entry that will specify the permissions associated
168: with machine "mhtsa".
169: The MACHINE option can contain a list of different system names,
170: each separated by a ":".
171: For example,
172: .sp
173: .nf
174: MACHINE=mhtsa:mhtsb:mhtsc
175: .fi
176: .sp
177: .HU "LOGNAME"
178: The LOGNAME option specifies a list of login ids of remote sites
179: that are able to log into the local system.
180: The option contains one or more names separated by a ":".
181: For example,
182: .sp
183: .nf
184: LOGNAME=nuucp
185: .sp
186: .or
187: LOGNAME=uucpz:uucyz
188: .fi
189: .sp
190: Names that appear in LOGNAME options can appear in only one such option.
191: .HU "REQUEST"
192: The REQUEST option can appear in either a LOGNAME entry or a MACHINE entry
193: and specifies whether the remote can make requests to receive local
194: files.
195: .sp
196: .nf
197: REQUEST=yes
198: .fi
199: .sp
200: specifies that the remote \fIcan\fR request files.
201: .sp
202: .nf
203: REQUEST=no
204: .fi
205: .sp
206: specifies that the remote \fIcan not\fR request files.
207: The latter is the default--it will be used if the REQUEST
208: option is not specified.
209: .HU "SENDFILES"
210: SENDFILES specifies whether the \fIcalled\fR site will execute locally
211: queued requests during the conversation.
212: The default is that locally queued
213: requests will not be executed during the call;
214: they will be done only when the remote is \fIcalled\fR by the local system.
215: (I don't care who you say you are, I'll send you queued files when
216: I call you.)
217: .P
218: Clearly, this option is only significant in LOGNAME entries, since
219: MACHINE entries apply when calls are made out to remote sites.
220: In fact, the option is ignored when a MACHINE entry is being used.
221: .sp
222: .nf
223: SENDFILES=yes
224: .fi
225: .sp
226: specifies that the locally queued requests will be executed when
227: the remote site logs in as one of the names in this entry's
228: LOGNAME option.
229: .P
230: The default setting for the SENDFILE option is
231: .sp
232: .nf
233: SENDFILES=call
234: .fi
235: .sp
236: meaning that queued files will be sent only when I call you.
237: This option can be specified for documentation purposes.
238: .HU "READ and WRITE"
239: The default for both the READ and WRITE options
240: is the uucp public directory.
241: The options
242: .sp
243: .nf
244: READ=/usr/spool/uucppublic \\
245: WRITE=/usr/spool/uucppublic
246: .fi
247: .sp
248: are the defaults and may be specified for documentation purposes.
249: The options
250: .sp
251: .nf
252: READ=/ WRITE=/
253: .fi
254: .sp
255: specify permission to access any file that can be accessed by a local
256: user with "other" permissions.
257: .P
258: The value of these entries is a colon separated list of path
259: names.
260: The READ option is for requesting files and the WRITE option for
261: depositing files.
262: One of the values must be the prefix
263: of any full path name of a file coming in or going out.
264: .P
265: To grant permission to deposit files in /usr/news
266: as well as the public directory, specify
267: .sp
268: .nf
269: WRITE=/usr/spool/uucppublic:/usr/news
270: .fi
271: .sp
272: in the entry.
273: .P
274: \fIRULE\fR:--If the READ or WRITE option is specified, all the
275: path names must be specified; these do not add to the default
276: list.
277: .HU "NOREAD and NOWRITE"
278: There are two other options in the file access class,
279: NOREAD and NOWRITE.
280: These will rarely be used;
281: they specify exceptions to the READ and WRITE options or defaults.
282: .sp
283: .nf
284: READ=/ NOREAD=/etc \\
285: WRITE=/usr/spool/uucppublic
286: .fi
287: .sp
288: This example would permit reading any file except those in the /etc
289: directory (and its sub directories--remember these are prefixes)
290: and writing only to the default /usr/spool/uucppublic directory.
291: NOWRITE works the same way for sending files to the local system.
292: .HU "CALLBACK - Is That Really You?"
293: The CALLBACK option is used in LOGNAME entries to specify that
294: no transaction will take place, but the calling system,
295: as established during handshake, will be called back.
296: .sp
297: .nf
298: CALLBACK=yes
299: .fi
300: .sp
301: specifies this action.
302: The default is
303: .sp
304: .nf
305: CALLBACK=no
306: .fi
307: .sp
308: The CALLBACK option will rarely be used.
309: (Note that if two sites have this option set for each other, a conversation
310: will never get started.)
311: .HU "COMMANDS"
312: WARNING!!
313: \fI
314: The COMMANDS option can be hazardous to the security
315: of your system.
316: Use it with extreme care.
317: \fR
318: The VALIDATE option should be used in conjunction with the
319: COMMANDS option whenever potentially dangerous commands
320: like "cat" and "uucp" are specified.
321: Any command that reads or writes files is potentially
322: dangerous to local security when executed by the uucp
323: remote execution demon (uuxqt).
324: .P
325: The \fIuux\fR program will generate remote execution requests and queue
326: them to be transferred to the remote site.
327: Files and a command are sent to the target site.
328: The COMMANDS option can be used
329: in MACHINE entries to specify the commands that a remote
330: machine can execute.
331: .sp
332: .nf
333: COMMANDS=rmail:rnews
334: .fi
335: .sp
336: This line indicates the commands that can be executed by the
337: remote machine are either rmail or rnews exclusively.
338: (The default list is specified in the "parms.h" header file
339: during installation of uucp.
340: The defaults settings will be discussed later.)
341: The entry
342: .sp
343: .nf
344: MACHINE=owl:raven:hawk:dove \\
345: COMMANDS=rmail:rnews:lp
346: .fi
347: .sp
348: overrides the COMMAND default such that the command list
349: for machines owl, raven, hawk, and dove now consists of
350: "rmail", "rnews" and "lp".
351: .HU "VALIDATE"
352: \fIRULE\fR:--If you don't trust a caller's identity, don't let that system
353: execute dangerous commands.
354: .sp
355: \fICOROLLARY\fR:--If you can't trust a site, don't give it
356: a privileged login and passwd.
357: .sp
358: \fBWARNING!\fR
359: Giving a site a special login, with file access and remote execution
360: capability, is like giving anyone on that system a normal login.
361: .P
362: Use the VALIDATE option in connection with the COMMANDS option
363: when specifying dangerous commands.
364: It is used in LOGNAME entries to provide \fIsome\fR verification
365: of the caller's identity.
366: However, an important aspect of this validation is that the
367: login/passwd associated with this entry be protected.
368: If an outsider gets that information, the validation is not valid!
369: .P
370: Now that the warnings are out of the way, here is an example:
371: .sp
372: .nf
373: LOGNAME=uucpfriend VALIDATE=eagle:owl:hawk
374: .fi
375: .sp
376: This entry specifies that if a remote logs in and says that it is
377: any of the specified birds, it must have logged in as "uucpfriend".
378: As can be seen, if an outsider gets the uucpfriend login/passwd,
379: masquerading is trivial.
380: .P
381: But what does this have to do with the COMMANDS option,
382: which only appears in MACHINE entries?
383: A short answer is that it connects the MACHINE entry that has the
384: COMMANDS option with a protected login entry that appears in
385: a LOGNAME option.
386: This connection is needed because the execution demon is not
387: running while the remote is logged in;
388: it is in fact, an asynchronous process with no knowledge of
389: what system sent the execution requests.
390: .P
391: Therefore, the real question is, how does the local site know who put the
392: execution files (X. files created by the uux command on the remote site)?
393: .P
394: Each remote site has its own "spool" directory, with write permission
395: only given to the uucp programs.
396: The execution files from the remote site are put in its spool directory.
397: Therefore, when the "uuxqt" demon program runs, it can use the
398: spool directory name to find the MACHINE entry in the Permissions
399: file and get the COMMANDS list, or if the machine name does not
400: appear in the Permissions file, the default list will be used.
401: Example
402: .sp
403: .nf
404: MACHINE=mhtsa:mhtsb:mhtsc REQUEST=yes \\
405: COMMANDS=ALL \\
406: READ=/ WRITE=/
407:
408: LOGNAME=uucpz VALIDATE=mhtsa:mhtsb:mhtsc \\
409: REQUEST=yes SENDFILES=yes \\
410: READ=/ WRITE=/
411: .fi
412: .sp
413: provides unlimited read, write, and command execution.
414: The ALL value in the commands option means that any command
415: can be executed!
416: \fBWARNING\fR:
417: Using the ALL value gives the remote site unlimited access to your
418: system.
419: In fact, files that are only readable or writable by user "uucp"
420: (like Systems)
421: can be accessed using commands like "ed".
422: .P
423: The assumption you make by the first entry above is that when you
424: call mhtsa, mhtsb or mhtsc, you really know who you are talking to.
425: Therefore, any files put into one of the "mhtsa", "mhtsb", or "mhtsc"
426: spool directories is put there by one of those sites.
427: If a remote site logs in and says they are one of these three systems,
428: their execution files will also be put in the privileged spool
429: directory.
430: You therefore have to validate that the site has the privileged
431: login "uucpz".
432: .HU "COMMANDS revisited"
433: The COMMANDS option specifies a list of commands that can be
434: executed by remote machines.
435: In addition to the names as specified above, they can be full path
436: names of commands, for example
437: .sp
438: .nf
439: COMMANDS=rmail:/usr/lbin/rnews:/usr/local/lp
440: .fi
441: .sp
442: specifies that command "rmail" uses the default path,
443: which is set up at uucp installation time--specified in the
444: parms.h file.
445: When the remote site specifies rnews or /usr/lbin/rnews for the
446: command to be executed, /usr/lbin/rnews will be executed
447: regardless of the default path.
448: Likewise, /usr/local/lp is the lp command that will be executed.
449: .P
450: Including the "ALL" value in the list means that any command from the
451: remote machine(s) specified in the entry will be executed.
452: If you use this value, you give the remote machine full access
453: to you machine!
454: .sp
455: .nf
456: COMMANDS=/usr/lbin/rnews:ALL:/usr/local/lp
457: .fi
458: .sp
459: This example illustrates two points.
460: The ALL value can appear anywhere in the string.
461: And, the path names specified for rnew and lp will be used
462: if the requested command does not contain the full path names
463: for rnews or lp.
464: .H 1 "Who Am I?"
465: When a remote calls, the called system responds with the local system
466: name;
467: this communicated in the \fIShere\fR message.
468: There are some situations when a system may want to say it is someone else.
469: First, for testing, this permits a system to call itself.
470: Also, a series of systems can be made to look like one to the outside world,
471: while retaining unique identities within a local network.
472: .sp
473: .nf
474: LOGNAME=uucptest MYNAME=testing
475: .fi
476: .sp
477: The local system will report its name as \fItesting\fR whenever
478: a remote logs in as uucptest.
479: .P
480: This facility can also be used when calling out:
481: .sp
482: .nf
483: MACHINE=testmach MYNAME=atest
484: .fi
485: .sp
486: Tells the machine, \fItestmach\fR, that machine \fIatest\fR is calling.
487: .H 1 "Public Directory"
488: The public directory, \fI/usr/spool/uucppublic\fR, provides a tree
489: for public access (by default, receiving files from sites.)
490: One may want to have different public directories based on
491: login ids.
492: .sp
493: .nf
494: LOGNAME=loginA PUBDIR=/usr/spool/uucppublic/loginA
495:
496: LOGNAME=loginB PUBDIR=/usr/spool/uucppublic/loginB
497: .fi
498: .sp
499: This can also be specified when remote machines are called:
500: .sp
501: .nf
502: MACHINE=machineA PUBDIR=/usr/spool/uucppublic/machineA
503:
504: MACHINE=machineB PUBDIR=/usr/spool/uucppublic/machineB
505: .fi
506: .sp
507: .H 1 "Default Settings"
508: The parms.h header file contains some default settings that affect
509: the Permissions file processing.
510: The PATH manifest defines the PATH environment variable that will be
511: set when remote commands are executed.
512: A typical line is
513: .sp
514: .nf
515: #define PATH "PATH=/bin:/usr/bin:/usr/lbin " /* */
516: .fi
517: .sp
518: The default list of commands is defined by
519: .sp
520: .nf
521: #define DEFAULTCMDS "rmail"
522: .fi
523: .sp
524: Another example is
525: .sp
526: .nf
527: #define DEFAULTCMDS "rmail:rnews:xp:lp"
528: .fi
529: .sp
530: These take effect if no COMMANDS option is specified for the
531: machine that sent the remote execution.
532: .H 1 "MACHINE Entry For Other Systems"
533: An administrator may want to specify different option values for
534: the machines it calls that are not mentioned in specific MACHINE
535: entries.
536: This may occur when there are many machines calling in, and the command
537: set changes from time to time.
538: For these cases, it is not convenient to change the DEFAULTCMDS
539: as it would require a recompile.
540: The name "OTHER" for the machine name is used for this entry.
541: .sp
542: .nf
543: MACHINE=OTHER \\
544: COMMANDS=rmail:rnews:/usr/lbin/Photo:/usr/lbin/xp
545: .fi
546: .sp
547: All other options available for the MACHINE entry may also be set
548: for the machines that are not mentioned in other MACHINE entries.
549: .H 1 "Combining MACHINE and LOGNAME Entries"
550: It is possible to combine MACHINE and LOGNAME entries into a single entry
551: where the common options are the same.
552: For example, these two entries
553: .sp
554: .nf
555: MACHINE=mhtsa:mhtsb:mhtsc REQUEST=yes \\
556: READ=/ WRITE=/
557:
558: LOGNAME=uucpz REQUEST=yes SENDFILES=yes \\
559: READ=/ WRITE=/
560: .fi
561: .sp
562: share the REQUEST, READ, and WRITE options.
563: They can be merged into one entry
564: .sp
565: .nf
566: MACHINE=mhtsa:mhtsb:mhtsc REQUEST=yes \\
567: LOGNAME=uucpz SENDFILES=yes \\
568: READ=/ WRITE=/
569: .fi
570: .sp
571: that will take the place of the two entries.
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.