PERMISSIONS(F) XENIX System V PERMISSIONS(F)
Name
permissions - Format of UUCP Permissions file.
Description
The Permissions file (/usr/lib/uucp/Permissions) specifies
the permissions for remote computers concerning login, file
access, and command execution. In the Permissions file, you
can specify the commands that a remote computer can execute
and restrict its ability to request or receive files queued
by the local site.
Each entry is a logical line with physical lines terminated
by a \ to indicate continuation. Entries are made up of
options delimited by white space. Each option is a name-
value pair in the following format:
name=value
Note that no white space is allowed within an option
assignment.
Comment lines begin with a pound sign (#) and they occupy
the entire line up to a newline character. Blank lines are
ignored (even within multi-line entries).
There are two types of Permissions file entries:
LOGNAME specifies the permissions that take effect
when a remote computer calls your computer.
MACHINE specifies permissions that take effect when
your computer calls a remote computer.
Options
This section describes each option, specifies how they are
used, and lists their default values.
REQUEST=yes/no
Specifies whether the remote computer can request
to set up file transfers from your computer. When
a remote computer calls your computer and requests
to receive a file, this request can be granted or
denied. no value is the default value. It will
be used if the REQUEST option is not specified.
The REQUEST option can appear in either a LOGNAME
(remote calls you) entry or a MACHINE (you call
remote) entry.
Page 1 (printed 2/7/91)
PERMISSIONS(F) XENIX System V PERMISSIONS(F)
SENDFILES=yes/call
Specifies whether your computer can send the work
queued for the remote computer. When a remote
computer calls your computer and completes its
work, it may attempt to take work your computer
has queued for it. The call value is the default
for the SENDFILE option. This option is only
significant in LOGNAME entries since MACHINE
entries apply when calls are made out to remote
computers. If this option is used with a MACHINE
entry, it will be ignored.
READ and WRITE
Specify the various parts of the file system that
uucico can read from or write to. The READ and
WRITE options can be used with either MACHINE or
LOGNAME entries.
The default for both the READ and WRITE options is
the uucppublic directory as shown in the following
example:
READ=/usr/spool/uucppublic
WRITE=/usr/spool/uucppublic
Supplying ``/'' as a pathname gives permission to
access any file that can be read by UUCP.
Multiple entries must be separated by a colon.
The READ option is for requesting files, and the
WRITE option for depositing files. One of the
values must be the prefix of any full path name of
a file coming in or going out.
Note that the READ and WRITE options do not effect the
actual permissions of a file or directory. You should be
careful what directories you make accessible for reading and
writing by remote systems.
NOREAD and NOWRITE
Specify exceptions to the READ and WRITE options or
defaults. NOWRITE works in the same manner as the NOREAD
option. The NOREAD and NOWRITE can be used in both LOGNAME
and MACHINE entries.
CALLBACK
Specifies in LOGNAME entries that no transaction will take
place until the calling system is called back. There are
two examples of when you would use CALLBACK. From a
security standpoint, if you call back a machine you can be
sure it is the machine it says it is. If you are doing long
data transmissions, you can choose the machine that will be
billed for the longer call. The default for the COMMAND
Page 2 (printed 2/7/91)
PERMISSIONS(F) XENIX System V PERMISSIONS(F)
option is no. The CALLBACK option is rarely used. If two
sites have this option set for each other, a conversation
will never get started.
COMMANDS
Specifies the commands in MACHINE entries that a remote
computer can execute on your computer. This affects the
security of your system; use it with extreme care.
The uux program will generate remote execution requests and
queue them to be transferred to the remote computer. Files
and a command are sent to the target computer for remote
execution. Note that COMMANDS is not used in a LOGNAME
entry; COMMANDS in MACHINE entries define command
permissions whether you call the remote system or it calls
you.
The default command that a remote computer can execute on
your computer is rmail. If a command string is used in a
MACHINE entry, the default commands are overridden. Full
pathnames can also be used. Including the ALL value in the
list means that any command from the remote computer
specified in the entry will be executed. If you use this
value, you give the remote computer full access to your
computer. So, be careful; this allows far more access than
normal users have. The VALIDATE option should be used with
the COMMANDS option whenever potentially dangerous commands
like cat and uucp are specified with the COMMANDS option.
Any command that reads or writes files is potentially
dangerous to local security when executed by the UUCP remote
execution daemon (uuxqt).
VALIDATE
Used in conjunction with the COMMANDS option when specifying
commands that are potentially dangerous to your computer's
security. It provides a certain degree of verification of
the caller's identity. The use of the VALIDATE option
requires that privileged computers have a unique
login/password for UUCP transactions. An important aspect
of this validation is that the login/password associated
with this entry be protected. If an outsider gets that
information, that particular VALIDATE option can no longer
be considered secure. (VALIDATE is merely an added level of
security to the COMMANDS option, though it is a more secure
way to open command access than ALL.)
Entries for OTHER Systems
You may want to specify different option values for machines
or logins that are not mentioned in specific MACHINE or
LOGNAME entries. This may occur when there are many
computers calling in that have the same set of permissions.
The special name OTHER for the computer name can be used in
Page 3 (printed 2/7/91)
PERMISSIONS(F) XENIX System V PERMISSIONS(F)
a MACHINE or LOGNAME entry as follows:
MACHINE=OTHER \
COMMANDS=rmail:/usr/local/bin/lc
LOGNAME=OTHER \
REQUEST=yes SENDFILES=yes \
READ=/usr/spool/uucppublic \
WRITE=/usr/spool/uucppublic
All options that can be set for specific machines or logins
can be used with the OTHER value, although the use of the
VALIDATE option makes little sense.
Example
This entry is for public login. It provides the default
permissions. Note that use of this type of anonymous login
is not encouraged.
LOGNAME=nuucp \
MACHINE=OTHER \
READ=/usr/spool/uucppublic \
WRITE=/usr/spool/uucppublic \
SENDFILES=call REQUEST=no \
COMMANDS=/bin/rmail
See Also
uucico(ADM), uucp(C), uux(C), uuxqt(C)
Page 4 (printed 2/7/91)
