The Permissions File

The Permissions File

The Permissions file (/etc/uucp/Permissions) specifies the permissions that remote computers have with respect to login, file access, and command execution. There are options that restrict the remote computer's ability to request files and its ability to receive files queued by the local site. Another option specifies the commands that a remote site can execute on the local computer.

The program /etc/uucp/genperm is recommended for creating a sample or default Permissions file from the Systems file.

How Permissions File Entries Are Structured

Each entry is a logical line with physical lines terminated by a backslash (\) to indicate continuation. (Note that such continuations are not possible in most other UUCP files.) Entries are made up of options delimited by white space. Each option is a name/value pair in the following format:

name=value

Note that no white space is allowed within an option assignment.

Comment lines begin with a number sign (#) and occupy the entire line up to a newline character. Blank lines are ignored (even within multi-line entries).

There are two types of Permissions file entries:

LOGNAME: Specifies the permissions that take effect when a remote computer logs in to (calls) your computer.
MACHINE: Specifies the permissions that take effect when your computer logs in to (calls) a remote computer.

LOGNAME entries begin with a LOGNAME option and MACHINE entries begin with a MACHINE option.

Permissions File Considerations

Keep these rules in mind when using the Permissions file to restrict the level of access granted to remote computers:

Any login ID used by a remote computer to log in for UUCP communications must appear in one and only one LOGNAME entry.
Any site that is called whose name does not appear in a MACHINE entry will have the following default permissions/restrictions:
- Local send and receive requests will be executed.
- The remote computer will be able to send files to your computer's /var/spool/uucppublic directory.
- The command sent by the remote computer for execution on your computer must be one of the default commands, usually rmail.

Permissions File Options

This section describes each option, specifies how it is used, and lists its default value.

REQUEST

When a remote computer calls your computer and requests to receive a file, this request can be granted or denied. The REQUEST option specifies whether the remote computer can request to set up file transfers from your computer.

The string that follows specifies that the remote computer can request to transfer files from your computer:

REQUEST=yes

The following string specifies that the remote computer cannot request to receive files from your computer:

REQUEST=no

This is the default value. It will be used if the REQUEST option is not specified. The REQUEST option can appear in either a LOGNAME (remote calls you) entry or a MACHINE (you call remote) entry.

A note on security: When a remote computer calls you, you cannot verify its identity unless you have a unique login and password for that computer.

SENDFILES

When a remote computer calls your computer and completes its work, it may attempt to take work your computer has queued for it. The SENDFILES option specifies whether your computer can send the work queued for the remote computer.

The string shown here specifies that your computer may send the work that is queued for the remote computer as long as it logged in as one of the names in the LOGNAME option:

SENDFILES=yes

This string is mandatory if your computer is in a "passive mode" with respect to the remote computer.

The string that follows specifies that files queued in your computer will be sent only when your computer calls the remote computer:

SENDFILES=call

The call value is the default for the SENDFILE option. This option is significant only in LOGNAME entries, because MACHINE entries apply when calls are made to remote computers. If the option is used with a MACHINE entry, it will be ignored.

READ and WRITE

These options specify the various parts of the filesystem that uucico can read from or write to. The READ and WRITE options can be used with either MACHINE or LOGNAME entries.

The default for both the READ and WRITE options is the uucppublic directory, as shown in the following strings:

READ=/var/spool/uucppublic

WRITE=/var/spool/uucppublic

These strings specify permission to access any file that can be accessed by a local user with "other" permissions:

READ=/ WRITE=/

Because this suggestion may compromise security, use it only if required.

The value of these entries is a colon-separated list of pathnames. The READ option is for requesting files, and the WRITE option for depositing files. One of the values must be the prefix of any full pathname of a file coming in or going out. To grant permission to deposit files in /usr/news as well as in the public directory, the following values would be used with the WRITE option:

WRITE=/var/spool/uucppublic:/usr/news

Note that if you use the READ and WRITE options, you must specify all pathnames because the pathnames are not added to the default list. For instance, if the /usr/news pathname were the only one specified in a WRITE option, permission to deposit files in the public directory would be denied.

You should be careful which directories you make accessible for reading and writing by remote stations. For example, you probably wouldn't want remote computers to be able to write over your /etc/passwd file, so /etc shouldn't be open to writes.

NOREAD and NOWRITE

The NOREAD and NOWRITE options specify exceptions to the READ and WRITE options or defaults. The strings shown here would permit one remote computer to read any file except those in the /etc directory (and its subdirectories--remember, these are prefixes) and to write only to the default /var/spool/uucppublic directory:

READ=/ NOR EAD=/etc WRITE=/var/spool/uucppublic

NOWRITE works in the same manner as the NOREAD option. NOREAD and NOWRITE can be used in both LOGNAME and MACHINE entries.

CALLBACK

The CALLBACK option is used in LOGNAME entries to specify that no transaction will take place until the calling station is called back. You would use CALLBACK for two reasons: From a security standpoint, if you call back a station you can be sure it is the station it says it is. If you are doing long data transmissions, you can choose the station that will be billed for the longer call.

The string that follows specifies that your computer must call the remote computer back before any file transfers will take place:

CALLBACK=yes

The default for the CALLBACK option is

CALLBACK=no

The CALLBACK option is very rarely used. Note that if two sites have this option set for each other, a conversation cannot be started.

COMMANDS

The COMMANDS option can be hazardous to the security of your station. Use it with extreme care.

The uux program generates remote execution requests and queues them to be transferred to the remote computer. Files and a command are sent to the target computer for remote execution.

The COMMANDS option can be used in MACHINE entries to specify the commands that a remote computer can execute on your computer. Note that COMMANDS is not used in a LOGNAME entry; COMMANDS in MACHINE entries defines command permissions, whether you call the remote station or it calls you.

This string indicates the default commands that a remote computer can execute on your computer:

COMMANDS=rmail

If a command string is used in a MACHINE entry, the default commands are overridden. For instance, in the following example, the entry overrides the COMMANDS default so that the computers eagle, owl, and hawk can now execute rmail and rnews on your computer:

MACHINE=eagle:owl:hawk REQUEST=yes

COMMANDS=rmail:/usr/bin/rnews

READ=/ WRITE=/

In addition to the names as specified above, there can be full pathnames of commands. For example, this line specifies that command rmail use the default path:

COMMANDS=rmail:/usr/bin/rnews:/usr/local/lp

The default paths for your computer are /bin /usr/sbin, /usr/bsd, and /usr/bin. When the remote computer specifies rnews or /usr/bin/rnews for the command to be executed, /usr/bin/rnews is executed, regardless of the default path. Likewise, /usr/local/lp is the lp command that is executed.

Note: Including the ALL value in the list means that any command from the remote computer(s) specified in the entry is executed. If you use this value, you give the remote computer full access to your computer. Be careful. This value allows far more access than normal users have.

This string illustrates the greater access:

COMMANDS=/usr/bin/rnews:ALL:/usr/local/lp

Two points about this string should be noted. The ALL value can appear anywhere in the string, and the pathnames specified for rnews and lp will be used (instead of the default) if the requested command does not contain the full pathnames for rnews or lp.

The VALIDATE option should be used with the COMMANDS option whenever potentially dangerous commands like cat and uucp are specified with the COMMANDS option. Any command that reads or writes files is potentially dangerous to local security when executed by the UUCP remote execution daemon (uuxqt).

VALIDATE

The VALIDATE option is used in conjunction with the COMMANDS option when specifying commands that are potentially dangerous to your computer's security. It is used to provide a certain degree of verification of the caller's identity. The use of the VALIDATE option requires that privileged computers have a unique login and password for UUCP transactions. An important aspect of this validation is that the login and password associated with this entry be protected. If an outsider gets that information, that particular VALIDATE option can no longer be considered secure. (VALIDATE is merely an added level of security on top of the COMMANDS option, though it is a more secure way to open command access than ALL.)

Give careful consideration to providing a remote system with a privileged login and password for UUCP transactions. Giving another system these privileges is like giving anyone on that computer a normal login and password on your computer. Therefore, if you cannot trust everyone at the remote site, do not provide that system with a privileged login and password.

LOGNAME

The LOGNAME option ensures that remote stations attempting to log in to your computer have login privileges. The following LOGNAME entry specifies that if one of the remote computers that claims to be eagle, owl, or hawk logs in to your computer, it must have used the login uucpfriend:

LOGNAME=uucpfriend VALIDATE=eagle:owl:hawk

As can be seen, if an outsider gets the uucpfriend login and password, marauding is trivial.

But what does this have to do with the COMMANDS option, which appears only in MACHINE entries? It links the MACHINE entry (and COMMANDS option) with a LOGNAME entry associated with a privileged login. This link is needed because the execution daemon is not running while the remote computer is logged in. In fact, it is an asynchronous process with no knowledge of what computer sent the execution request. Therefore, the real question is, how does your computer know where the execution files came from?

Each remote computer has its own "spool" directory on your computer. These spool directories have write permission given only to the UUCP programs. The execution files from the remote computer are put in its spool directory after being transferred to your computer. When the uuxqt daemon runs, it can use the spool directory name to find the MACHINE entry in the Permissions file and get the COMMANDS list or, if the computer name does not appear in the Permissions file, the default list is used.

The following example shows the relationship between the MACHINE and LOGNAME entries:

MACHINE=eagle:owl:hawk REQUEST=yes \

COMMANDS=rmail:/usr/bin/rnews \

READ=/ WRITE=/

LOGNAME=uucpz VALIDATE=eagle:owl:hawk \

REQUEST=yes SENDFILES=yes \

READ=/ WRITE=/

The value in the COMMANDS option means that remote mail and /usr/bin/rnews can be executed by remote users.

In the first entry, you must make the assumption that when you want to call one of the computers listed, you are really calling either eagle, owl, or hawk. Therefore, any files put into one of the eagle, owl, or hawk spool directories is put there by one of those computers. If a remote computer logs in and says that it is one of these three computers, its execution files will also be put in the privileged spool directory. You therefore have to validate that the computer has the privileged login uucpz.

MACHINE Entry for "Other" Systems

You may want to specify different option values for computers your computer calls that are not mentioned in specific MACHINE entries. This situation may occur when there are many computers calling in, and the command set changes from time to time. The name "OTHER" for the computer name is used for this entry:

MACHINE=OTHER \

COMMANDS=rmail:rnews:/usr/bin/Photo:/usr/bin/xp

All other options available for the MACHINE entry may also be set for the computers that are not mentioned in other MACHINE entries.

Combining MACHINE and LOGNAME Entries

It is possible to combine MACHINE and LOGNAME entries into a single entry where the common options are the same. For example, the two entries that follow share the same REQUEST, READ, and WRITE options:

MACHINE=eagle:owl:hawk REQUEST=yes \

READ=/ WRITE=/

LOGNAME=uucpz REQUEST=yes SENDFILES=yes \

READ=/ WRITE=/

These two entries can be merged:

MACHINE=eagle:owl:hawk REQUEST=yes \

LOGNAME=uucpz SENDFILES=yes \

READ=/ WRITE=/

MYNAME

The MYNAME option is used to override the name of the local computer, when the local computer identifies itself to the remote computer. This facility is useful when a computer is replaced or renamed, and its neighbors need to process old traffic to the old name.