Permissions(F)
Permissions -- format of UUCP Permissions file
Format
LOGNAME|MACHINE=value [name=value]...
Description
The Permissions
file (/usr/lib/uucp/Permissions)
specifies the permissions for remote computers
concerning login, file access, and command execution.
In the Permissions file, you can specify the commands
that a remote computer can execute and restrict its
ability to request or receive
files queued by the local site.
Each entry is one logical line; a physical line ending in a
backslash (``\'') continues on the next physical line.
Entries are made up of options delimited by white space.
Each option consists of a name=value assignment.
Note that no white space is allowed within an option
assignment. If value is a list, each list item is
separated from the next by a colon (:).
Comment lines begin with a hash sign (#) and they occupy the entire
line up to a newline character.
Blank lines are ignored (even within multi-line entries).
There are two types of Permissions file entry defined
by the following option names:
LOGNAME -
is assigned a list of login names that
can be used to log into the local system.
The option entries following LOGNAME=value
specify the permissions that take effect
when a remote computer calls your computer.
MACHINE -
is assigned a list of machines that
the local system can call.
The option entries following MACHINE=value
specify the permissions that take effect
when your computer calls a remote computer.
The LOGNAME and MACHINE entries can be
combined if the options for both are the same (see ``Examples'').
The following option names may be defined for each
type of entry (default values, if any, are also given):
CALLBACK -
Specifies in LOGNAME entries
that no transaction will take place until the calling
system is called back.
There are two reasons to use CALLBACK.
From a security standpoint, calling a machine back gives you
assurance that it is the machine it claims to be.
If you are doing long data transmissions, you can choose the
machine that will be billed for the longer call.
The CALLBACK option is rarely used. If two
sites have this option set for each other, a conversation
will never get started.
The default for the CALLBACK option is no.
COMMANDS -
Specifies the commands in
MACHINE entries that a remote
computer can execute on your computer.
This affects the security of your system;
use it with extreme care.
The uux program will generate remote execution requests and
queue them to be transferred to the remote computer.
Files and a command are sent to the target computer for
remote execution.
Note that COMMANDS is not used in a LOGNAME entry;
COMMANDS in MACHINE entries define command
permissions whether you call the remote system or it calls you.
The default command that a remote computer can execute on your
computer is rmail. If a command string is used in a
MACHINE entry, the default commands are overridden.
Full pathnames can also be used.
Including the ALL value in the list means that any
command from the remote computer specified in the entry
will be executed.
If you use this value, you give the
remote computer full access to your computer.
So, be careful;
this allows far more access than normal users have.
The VALIDATE option should be used with
the COMMANDS option whenever potentially dangerous
commands like cat and uucp are specified with the
COMMANDS
option.
Any command that reads or writes files is
potentially dangerous to local security when executed by
the UUCP remote execution daemon (uuxqt).
MYNAME -
Defines the name by which this system is to be known.
You can use the MYNAME option in LOGNAME and
MACHINE entries to change your system's identity for
incoming and outgoing connections. Use the VALIDATE option
to verify the identity of a remote computer that is calling your system.
NOREAD and NOWRITE -
Specify exceptions to the READ and WRITE options (or to their
defaults): files under a NOREAD prefix cannot be requested even if a
READ prefix covers them, and NOWRITE works in the same manner for WRITE.
NOREAD and NOWRITE can be used in both
LOGNAME and MACHINE entries.
READ and WRITE -
Specify the various parts of the file
system that uucico can read from or write to.
The READ and WRITE options can be used with
either MACHINE or LOGNAME entries.
The default for both the READ and WRITE options is the
uucppublic directory as shown in the following example:
READ=/usr/spool/uucppublic
WRITE=/usr/spool/uucppublic
Supplying ``/'' as a pathname
gives permission to access any file that can be read by UUCP.
Multiple entries must be separated by a colon.
The READ option is for requesting files, and
the WRITE option for depositing files.
One of the listed values must be a prefix of the full path name of
every file coming in or going out.
Note that the READ and WRITE options do not affect the actual permissions of a
file or directory.
You should be careful what directories you make accessible
for reading and writing by remote systems.
REQUEST=yes|no -
Specifies whether the remote computer can
request to set up file transfers from your computer.
When a remote computer calls your computer and requests
to receive a file, this request can be granted or denied.
The default value is no; it applies if the REQUEST option is not specified.
The REQUEST option can appear in either
a LOGNAME (remote calls you) entry or a MACHINE (you call remote) entry.
SENDFILES=yes|call -
Specifies whether your computer
can send the work queued for the remote computer.
When a remote computer calls your computer and
completes its work, it may attempt to take
work your computer has queued for it.
The call value is the default for the SENDFILES option: queued work is
sent only when your computer places the call, whereas yes also lets the
remote computer take the work when it calls you.
This option is only significant in LOGNAME entries
since MACHINE entries apply when calls are made out to remote computers.
If this option is used with a MACHINE entry, it will be ignored.
VALIDATE -
Used in conjunction with the COMMANDS option
when specifying commands that are potentially dangerous
to your computer's security.
It provides a certain degree of verification of the caller's identity.
The use of the VALIDATE option
requires that privileged computers have a unique
login/password for UUCP transactions.
An important aspect of this validation is that the
login/password associated with this entry be protected.
If an outsider gets that information, that particular
VALIDATE option can no longer be considered secure.
(VALIDATE is merely an added level of security to the
COMMANDS option, though it is a more secure way to open
command access than ALL.)
Entries for OTHER systems
You may want to specify different option values for machines or
logins that are not mentioned
in specific MACHINE or LOGNAME entries.
This may occur when there
are many computers calling in that have the same set of permissions.
The special name OTHER for the computer name can be used in a MACHINE or
LOGNAME entry as follows:
MACHINE=OTHER \
COMMANDS=rmail:/usr/local/bin/lc
LOGNAME=OTHER \
REQUEST=yes SENDFILES=yes \
READ=/usr/spool/uucppublic \
WRITE=/usr/spool/uucppublic
All options that can be set for specific machines or logins
can be used with the OTHER value, although the use of the
VALIDATE option makes little sense.
Examples
This entry is for public login. It provides the default permissions.
Note that use of this type of anonymous login is not encouraged.
LOGNAME=nuucp \
MACHINE=OTHER \
READ=/usr/spool/uucppublic \
WRITE=/usr/spool/uucppublic \
SENDFILES=call REQUEST=no \
COMMANDS=/bin/rmail
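As an added example (it is not part of this manual page or of the SCO UUCP code), the following Python script parses a Permissions file according to the rules given under ``Description'' (backslash continuation, whitespace-delimited name=value options, colon-separated lists, # comment lines, blank lines ignored inside entries), fills in the documented defaults, answers whether a given path falls under an entry's READ or WRITE permission after NOREAD and NOWRITE exceptions, and flags the settings this page warns about (COMMANDS=ALL, dangerous commands without VALIDATE, READ=/ or WRITE=/, COMMANDS in a LOGNAME-only entry, SENDFILES in a MACHINE-only entry, VALIDATE on an OTHER entry). The sample file is constructed from the two entries shown above plus a hypothetical over-permissive peer (the names uupeer and peer are made up), and matching path-name prefixes on a path-component boundary is an assumption that is stricter than the plain prefix rule stated above.

```python
"""Parse a UUCP Permissions file and audit it for risky settings.
Added example, not from this manual page or SCO's uucp sources; defaults
are the ones the page documents, SAMPLE is a constructed input."""
import os

DEFAULT_PUBLIC = "/usr/spool/uucppublic"
DEFAULTS = {"READ": [DEFAULT_PUBLIC], "WRITE": [DEFAULT_PUBLIC],
            "COMMANDS": ["rmail"], "REQUEST": ["no"], "SENDFILES": ["call"]}
DANGEROUS = {"cat", "uucp"}   # commands the page says call for VALIDATE

# Constructed sample: the two entries from the page plus a hypothetical
# over-permissive peer ("uupeer"/"peer" are made-up names).
SAMPLE = """\
# public login: default permissions
LOGNAME=nuucp \\
    MACHINE=OTHER \\
    READ=/usr/spool/uucppublic \\
    WRITE=/usr/spool/uucppublic \\

    SENDFILES=call REQUEST=no \\
    COMMANDS=/bin/rmail
MACHINE=OTHER \\
    COMMANDS=rmail:/usr/local/bin/lc
# hypothetical peer that is trusted far too much
LOGNAME=uupeer MACHINE=peer \\
    READ=/ WRITE=/usr/spool/uucppublic NOREAD=/etc \\
    COMMANDS=ALL REQUEST=yes
"""


def parse_permissions(text):
    """Return one dict per logical line: option name -> list of values."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank/comment lines, even mid-entry
        if line.endswith("\\"):
            pending.append(line[:-1])       # physical line continues
            continue
        pending.append(line)
        entries.append(_parse_entry(" ".join(pending)))
        pending = []
    if pending:                             # file ended inside a continuation
        entries.append(_parse_entry(" ".join(pending)))
    return entries


def _parse_entry(logical):
    options = {}
    for token in logical.split():           # options are whitespace-delimited
        if "=" not in token:
            raise ValueError(f"malformed option (no '='): {token!r}")
        name, value = token.split("=", 1)
        options[name] = value.split(":")    # list values are colon-separated
    if "LOGNAME" not in options and "MACHINE" not in options:
        raise ValueError(f"entry has neither LOGNAME nor MACHINE: {logical!r}")
    return options


def effective(entry):
    """The entry with the page's defaults filled in for unset options."""
    return {**DEFAULTS, **entry}


def _prefix_match(path, prefixes):
    # Assumption: match on a path-component boundary, stricter than the raw
    # string prefix the page describes (.../uucppublic must not cover .../uucppublic2).
    return any(p == "/" or path == p or path.startswith(p.rstrip("/") + "/")
               for p in prefixes)


def path_allowed(entry, path, mode):
    """May `path` be transferred under READ or WRITE, after NOREAD/NOWRITE?"""
    opts = effective(entry)
    return (_prefix_match(path, opts[mode])
            and not _prefix_match(path, opts.get("NO" + mode, [])))


def audit(entry):
    """(code, message) findings for the settings the page warns about."""
    findings, opts = [], effective(entry)
    cmds = opts["COMMANDS"]
    dangerous = "ALL" in cmds or DANGEROUS & {os.path.basename(c) for c in cmds}
    if "ALL" in cmds:
        findings.append(("COMMANDS_ALL", "COMMANDS=ALL gives the remote full access"))
    if dangerous and "VALIDATE" not in entry:
        findings.append(("NO_VALIDATE", "dangerous commands granted without VALIDATE"))
    for mode in ("READ", "WRITE"):
        if "/" in opts[mode]:
            findings.append((mode + "_ROOT", f"{mode}=/ exposes every UUCP-readable file"))
    if "COMMANDS" in entry and "MACHINE" not in entry:
        findings.append(("COMMANDS_IN_LOGNAME", "COMMANDS is not used in LOGNAME entries"))
    if "SENDFILES" in entry and "LOGNAME" not in entry:
        findings.append(("SENDFILES_IN_MACHINE", "SENDFILES is ignored in MACHINE entries"))
    if "VALIDATE" in entry and "OTHER" in entry.get("LOGNAME", []) + entry.get("MACHINE", []):
        findings.append(("VALIDATE_OTHER", "VALIDATE on an OTHER entry makes little sense"))
    return findings


def audit_file(text):
    """Map each entry's LOGNAME/MACHINE label to its audit findings."""
    report = {}
    for e in parse_permissions(text):
        label = " ".join(f"{k}={':'.join(e[k])}" for k in ("LOGNAME", "MACHINE") if k in e)
        report[label] = audit(e)
    return report


if __name__ == "__main__":
    for label, findings in audit_file(SAMPLE).items():
        print(label, "->", [code for code, _ in findings] or "ok")
```

Run against the real file with `audit_file(open("/usr/lib/uucp/Permissions").read())`; an entry whose findings list is empty uses only settings this page treats as safe, while the hypothetical peer in SAMPLE is reported for COMMANDS=ALL, for granting dangerous commands without VALIDATE, and for READ=/ (its NOREAD=/etc still keeps /etc out of reach, as path_allowed shows).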
Files
/usr/lib/uucp/Permissions -
full pathname of Permissions
See also
uucico(ADM),
uucp(C),
uux(C),
uuxqt(ADM)
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003