Permissions(4bnu)

Permissions -- BNU remote access permissions file

Description

Entries in the /etc/uucp/Permissions file establish two types of permissions with respect to the login, file access, and command execution facilities provided by the Basic Networking Utilities (BNU).

Entries can begin with the following keywords:

LOGNAME: This specifies the permissions that take effect when a remote computer calls your computer.
MACHINE: This specifies the permissions that take effect when your computer calls a remote computer.

Permissions are specified using declarations of the form:

parameter=value

Each entry in the Permissions file consists of a single logical line. Physical lines may be terminated by a backslash (\) to indicate that the entry continues on the next line. Multiple parameter declarations within a single entry must be delimited by white space. No white space is allowed within an individual parameter declaration. Comment lines begin with a hash sign (#) and occupy the entire line up to a newline character. Blank lines are ignored (even within multi-line entries).

The following parameters can be specified in the Permissions file:

REQUEST

When a remote computer calls your computer and requests the transfer of a file, the request is granted or denied based on the value of the REQUEST parameter. For example, the declaration REQUEST=yes specifies that the remote computer can request the transfer of files from your computer. The declaration REQUEST=no specifies that the remote computer cannot request file transfers from your computer.

The REQUEST parameter can appear in either a LOGNAME entry or in a MACHINE entry. By default, the REQUEST parameter is set to ``no''.

SENDFILES

When a remote computer calls your computer and completes its work, it may attempt to take any work your computer has queued for it. The SENDFILES parameter specifies whether your computer will send the work queued for the remote computer.

The declaration SENDFILES=yes specifies that your computer may send the work that is queued for the remote computer as long as it logged in as one of the names specified by the LOGNAME parameter. The value ``yes'' is mandatory if your computer is in a ``passive mode'' with respect to the remote computer.

The declaration SENDFILES=call specifies that files queued in your computer are sent only when your computer calls the remote computer.

The SENDFILES parameter is only significant in LOGNAME entries. If the parameter is used in a MACHINE entry, it is ignored. By default, SENDFILES is set to ``call''.

PUBDIR

This specifies the name of the directory that uucp uses for public file transfers. This value is used to initialize the value of the READ and WRITE parameters.

By default, PUBDIR is set to ``/var/spool/uucppublic''. We recommend that you do not change the default value; specifying a directory other than /var/spool/uucppublic may have an adverse affect on other system utilities.

READ

WRITE

These specify the various parts of the file system that uucico(1Mbnu) can read from or write to.

The READ parameter requests files, and the WRITE parameter deposits files. One of the values must be a component of any full pathname of a file coming in or going out.

The value for the READ and WRITE parameters is a colon-separated list of pathnames. The declarations READ=/ WRITE=/ specify permission to access any file that can be accessed by a local user whose access permissions are set to other.

The READ and WRITE parameters can be used in both MACHINE and LOGNAME entries. By default, both the READ and WRITE parameters are set to the PUBDIR directory, which is equivalent to the following declarations:

   READ=/var/spool/uucppublic
   WRITE=/var/spool/uucppublic

NOREAD

NOWRITE

These specify exceptions to the READ and WRITE parameters or defaults.

For example, the declarations

   READ=/ NOREAD=/etc WRITE=/var/spool/uucppublic

would permit reading any file except those in the /etc directory (including its subdirectories) and permit writing only to the default /var/spool/uucppublic directory. NOWRITE works in the same manner as the NOREAD parameter.

The NOREAD and NOWRITE parameters can be used in both LOGNAME and MACHINE entries.

DIRECT

This specifies whether files that are received can be placed into the destination directory directly.

If the value of DIRECT is ``no'', files that are received are put into uucp's private spool directory, and then copied to the destination directory. If the value of DIRECT is ``yes'', files that are received are directly put into the destination directory. By default, DIRECT is set to ``no''.

CALLBACK

The CALLBACK parameter in LOGNAME entries specifies that no transaction takes place until the calling system is called back.

From a security standpoint, if you call back a machine, you can be fairly certain it is the machine it says it is. If you are doing long data transmissions, you can choose the machine that will be billed for the longer call. The declaration CALLBACK=yes specifies that your computer must call the remote computer back before any file transfers will take place. The default for the CALLBACK parameter is ``no''.

KEYS

This specifies the key management facility that obtains keys used in the authentication of remote command execution requests.

This parameter provides an override capability for the global KEYS value specified in the Config file (see Config(4bnu)). At present, cr1(1Mbnu) is the only key management facility available to BNU. There is no default key management facility. To specify the cr1 key management facility, the declaration KEYS=cr1 must exist.

CRYPT

This specifies the encryption type to use when authenticating remote execution requests generated by the uux(1bnu) command.

This parameter provides an override capability for the global CRYPT value specified in the Config file (see Config(4bnu)). The default value is des. The value enigma may be used if the export-controlled Encryption Utilities Package is not available.

AUTH

This parameter determines whether authentication is required for remote requests.

It provides an override capability for the global AUTH value specified in the Config file (see Config(4bnu)). If either AUTH=yes or AUTH=req is declared, no remote command request will be accepted without authentication. When authenticated requests are executed, they are executed under the mapped ID of the originator and all commands are allowed; that is, the COMMANDS parameter is ignored.

Either of the declarations AUTH=opt or AUTH=no indicates that authentication is not required for remote command execution. In this case, commands are executed as in previous releases, limited by the COMMANDS value.

Note that, if authentication is attempted but fails, the request is rejected, regardless of the value of AUTH.

COMMANDS

This parameter can be used in MACHINE entries to specify the commands that a remote computer can execute on your local computer.

COMMANDS is not relevant in LOGNAME entries.

In a MACHINE entry, COMMANDS defines command permissions that are in effect at all times, both when your computer calls the remote computer or when it calls you. By default, COMMANDS is set to ``rmail''.

Note that the COMMANDS parameter is used only for unauthenticated remote command execution requests. For information about authenticated remote command execution requests, see the descriptions of the KEYS and AUTH parameters.

VALIDATE

This parameter is used with the COMMANDS parameter when specifying commands that are potentially dangerous to your computer's security. It provides some degree of verification of the caller's identity.

VALIDATE is merely an added level of security on top of the COMMANDS parameter (though it is a more secure way to open command access than ALL). The use of the VALIDATE parameter requires that privileged computers have a unique login/password for uucp transactions. An important aspect of this validation is that the login/password associated with this entry be protected. If an outsider gets that information, that particular VALIDATE parameter can no longer be considered secure.

Usage

General considerations

Consider the following when using the Permissions file to restrict the level of access granted to remote computers:

All login IDs used by remote computers to log in for uucp communications must appear in only one LOGNAME entry.
Any site that is called whose name does not appear in a MACHINE entry will have the following default permissions and restrictions:
- local send and receive requests will be executed
- the remote computer can send files to your computer's /var/spool/uucppublic directory
- the commands sent by the remote computer for execution on your computer must be one of the default commands (usually rmail)
When a remote machine calls you, unless you have a unique login and password for that machine or are using cr1 authentication, it is difficult to ascertain the true identity of the machine.

The READ and WRITE parameters

To grant permission to deposit files in /usr/news as well as in the public directory, the following values would be used with the WRITE parameter:

   WRITE=/var/spool/uucppublic:/usr/news

If the READ and WRITE parameters are used, all pathnames must be specified because the pathnames are not added to the default list. For instance, if the /usr/news pathname was the only one specified in a WRITE parameter, permission to deposit files in the public directory would be denied.

Be careful what directories you make accessible for reading and writing by remote systems. For example, you probably don't want remote computers to be able to write over your /etc/passwd file, so /etc should not be open to writes.

The CALLBACK parameter

The CALLBACK parameter is rarely used.

NOTE: If two sites have this parameter set for each other, a conversation will never get started and no transfers will occur between the local and remote machines.

The COMMANDS parameter

The declaration COMMANDS=rmail specifies the default commands that a remote computer can execute on your computer. If a command name string is used in a MACHINE entry, the default commands are overridden. For instance, the entry:

   MACHINE=owl:raven:hawk:dove \
   COMMANDS=rmail:rnews:lp

overrides the COMMANDS default so that the computers owl, raven, hawk, and dove can now execute rmail, rnews, and lp on your computer.

In addition to the names as specified here, there can be full pathnames of commands. For example, the declaration:

   COMMANDS=rmail:/usr/lbin/rnews:/usr/local/lp

specifies that the command rmail uses the default path. The default path for remote execution is /usr/bin. When the remote computer specifies rnews or /usr/lbin/rnews for the command to be executed, /usr/lbin/rnews will be executed regardless of the default path. Similarly, /usr/local/lp is the path of the lp command that will be executed.

The declaration:

   COMMANDS=/usr/lbin/rnews:ALL:/usr/local/lp

illustrates two points:

the ALL value can appear anywhere in the declaration
the pathnames specified for rnews and lp will be used (instead of the default) if the requested command does not contain the full pathnames for rnews or lp

If commands are executed using the authenticated remote execution feature, the COMMANDS list is ignored and all commands are available to the authenticated user as if the user had logged in directly.

The VALIDATE parameter should be used with the COMMANDS parameter whenever potentially dangerous commands like cat and uucp are specified with the COMMANDS parameter. Any command that reads or writes files is potentially dangerous to local security when executed by the uucp remote execution daemon (uuxqt(1Mbnu)).

The VALIDATE parameter

Give careful consideration when providing a remote computer with a privileged login and password for uucp transactions. Giving a remote computer a special login and password with file access and remote execution capability is like giving anyone on that computer a normal login and password on your computer. Therefore, if you cannot trust users on the remote computer, do not provide that computer with a privileged login and password.

The LOGNAME entry

   LOGNAME=uucpfriend VALIDATE=eagle:owl:hawk

specifies that if one of the remote computers that claims to be eagle, owl, or hawk logs into your computer, it must have used the login uucpfriend. If an outsider gets the uucpfriend login/password, masquerading is trivial.

The VALIDATE parameter links the MACHINE entry (and COMMANDS parameter) with a LOGNAME entry associated with a privileged login. This link is needed because the execution daemon is not running while the remote computer is logged in. In fact, it is an asynchronous process with no knowledge of what computer sent the execution request.

Each remote computer has its own spool directory on your computer. These spool directories have write permission given only to the UUCP family of programs. The execution files from the remote computer are put into its spool directory after being transferred to your computer. When the uuxqt daemon runs, it uses the spool directory name to find the MACHINE entry in the Permissions file and get the COMMANDS list, or it uses a default list if the computer name does not appear in the Permissions file.

The following example shows the relationship between the MACHINE and LOGNAME entries:

   MACHINE=eagle:owl:hawk REQUEST=yes \
   COMMANDS=rmail:/usr/lbin/rnews \
   READ=/  WRITE=/
   
   LOGNAME=uucpz VALIDATE=eagle:owl:hawk \
   REQUEST=yes SENDFILES=yes \
   READ=/  WRITE=/

The value of the COMMANDS parameter means that rmail and /usr/lbin/rnews can be executed by remote users.

In the first entry, you must assume that when you want to call one of the computers listed, you are really calling eagle, owl, or hawk. Therefore, any file put into one of the eagle, owl, or hawk spool directories is put there by one of those computers. If a remote computer logs in and says that it is one of these three computers, its execution files will also be put in the privileged spool directory. You therefore have to validate that the computer has the privileged login uucpz.

Creating machine entries for other systems

You may want to specify different parameter values for the computers that your computer calls that are not mentioned in specific MACHINE entries. This may occur when there are many computers calling in and the command set changes from time to time. The name OTHER for the computer name is used for this entry as shown:

   MACHINE=OTHER \
   COMMANDS=rmail:rnews:/usr/lbin/Photo:/usr/lbin/xp

All other parameters available for the MACHINE entry may also be set for the computers that are not mentioned in other MACHINE entries.

Combining machine and logname entries

It is possible to combine MACHINE and LOGNAME entries into a single entry where the common parameters are the same. For example, the two entries:

   MACHINE=eagle:owl:hawk REQUEST=yes \
   READ=/  WRITE=/

and

   LOGNAME=uucpz REQUEST=yes SENDFILES=yes \
   READ=/  WRITE=/

share the same REQUEST, READ, and WRITE parameters. These two entries can be merged as follows:

   MACHINE=eagle:owl:hawk REQUEST=yes \
   LOGNAME=uucpz SENDFILES=yes \
   READ=/  WRITE=/

Warnings

The COMMANDS parameter can compromise the security of your system. Use it with extreme care.

Including the value ALL in the list for the COMMANDS parameter means that any command from the remote computer(s) specified in the entry will be executed. If you use this value, you give the remote computer full access to your computer. Be careful. This allows far more access than normal users have.

Examples

By default, the system-supplied Permissions file contains the following entry:

   LOGNAME=nuucp

which provides maximum security since it is equivalent to

   LOGNAME=nuucp \
   	MACHINE=OTHER \
   	REQUEST=no \
   	SENDFILES=call \
   	READ=/var/spool/uucppublic \
   	WRITE=/var/spool/uucppublic \
   	AUTH=no \
   	COMMANDS=rmail

Note that, since the KEYS parameter is not specified in the system-supplied Permissions file entry, no keys will be available to authenticate requests. Attempts will therefore fail. Only rmail will be available, as it was in previous releases.

References

Config(4bnu), cr1(1Mbnu), Devconfig(4bnu), Devices(4bnu), Dialcodes(4bnu), Dialers(4bnu), Grades(4bnu), Limits(4bnu), Poll(4bnu), Sysfiles(4bnu), Systems(4bnu), uucico(1Mbnu), uux(1bnu)