15.5 Security in BNU UUCP

In BNU, the Permissions file replaces both the Version 2 USERFILE and L.cmds files. Permissions provides additional protection and finer control over the UUCP system. A second file called remote.unknown controls whether or not an unknown system (that is, one not listed in your Systems file) can log in (assuming that the remote system knows a valid UUCP login name and password).

15.5.1 Permissions File

The Permissions file consists of commands, possibly multi-line, and often separated by blank lines, that are used to determine what users and remote machines can and cannot do with the UUCP system.

Here is a sample Permissions file. For now, don't worry about what all the commands mean: we'll explain them shortly.

    LOGNAME=Ugarp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic
    MACHINE=garp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic

15.5.1.1 Starting up

When uucico starts, it scans the Permissions file to determine which commands the remote machine can execute and which files can be accessed.

When uucico calls another system, it looks for a block of commands containing a MACHINE=system statement, where system is the name of the machine that it is calling. For example, if you are calling the machine idr, it looks for a line in the form:

    MACHINE=idr

When uucico is started by another computer logging in to your local machine, uucico looks for a block of commands containing a LOGNAME=loginname statement, where loginname is the username with which the remote computer has logged in. For example, if the remote computer has logged in with the username Uidr, the uucico running on your computer looks for a block of commands with a line containing this statement:

    LOGNAME=Uidr

Other commands in the command block specify what the remote machine can do.

15.5.1.2 Name-value pairs

In BNU terminology, the MACHINE=, LOGNAME=, READ=, and WRITE= statements are called "name-value pairs."
This name comes from their format:

    name=value

To specify a block of commands for use when calling the machine bread, you would use a command in the form:

    MACHINE=bread

You can specify multiple values by separating them with colons (:). For example:

    MACHINE=bread:butter:circus

15.5.1.3 A Sample Permissions file

Here is the sample Permissions file again:

    LOGNAME=Ugarp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic
    MACHINE=garp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic

This Permissions file gives the machine garp permission to read and write files in the /usr/spool/uucppublic directory. It also allows any remote computer logging in with the UUCP login Ugarp to read and write files from those directories.

Here is another example:

    # If garp calls us, only allow access to uucppublic
    #
    LOGNAME=Ugarp MACHINE=garp READ=/usr/spool/uucppublic \
            WRITE=/usr/spool/uucppublic

This command allows the machine garp to read or write any file in /usr/spool/uucppublic, but only when the machine garp logs into your computer using the uucp login Ugarp. Notice in this example that the backslash (\) character is used to continue the entry on the following line. To include a comment, begin a line with a hash mark (#).

You can combine a LOGNAME= and a MACHINE= entry in a single line:

    # Let garp have lots of access
    #
    LOGNAME=Ugarp MACHINE=garp READ=/ WRITE=/ REQUEST=yes SENDFILES=yes

The REQUEST=yes name-value pair allows garp to request files from your machine. The SENDFILES=yes pair allows you to send files to garp even when it initiates the call to you.

If you assign a unique login ID for each UUCP system with which you communicate, then LOGNAME= and MACHINE= can each be thought of as controlling one direction of the file transfer operation. But if the same login ID is shared by several UUCP systems, they will all be covered by the same LOGNAME= entry when they call you, even though they will each be covered by their own MACHINE= entry when you call them.
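
The entry format and lookup described above, as an added example (not code from the book or from BNU): a small Python parser that handles comments, backslash continuation and colon-separated values, then picks the entry used for each call direction. The function names and the Ushared login are hypothetical.

```python
import re

# Constructed sample, modelled on the entries shown above (not a real site's file).
SAMPLE = r"""
# If garp calls us, only allow access to uucppublic
#
LOGNAME=Ugarp MACHINE=garp READ=/usr/spool/uucppublic \
        WRITE=/usr/spool/uucppublic

# One login shared by two sites, each with its own MACHINE= coverage
LOGNAME=Ushared READ=/usr/spool/uucppublic
MACHINE=bread:butter REQUEST=yes
"""

def parse_permissions(text):
    """Return a list of entries, each a dict mapping NAME -> list of values."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue                      # comment line
        if line.endswith("\\"):
            pending += line[:-1] + " "    # backslash continues the entry
            continue
        pending += line
        if pending.strip():
            entry = {}
            for name, value in re.findall(r"(\w+)=(\S*)", pending):
                entry[name.upper()] = value.split(":")   # colon-separated values
            entries.append(entry)
        pending = ""
    return entries

def entry_for_incoming(entries, login):
    """Entry consulted when a remote system logs in to us as `login`."""
    return next((e for e in entries if login in e.get("LOGNAME", [])), None)

def entry_for_outgoing(entries, system):
    """Entry consulted when we call `system`."""
    return next((e for e in entries if system in e.get("MACHINE", [])), None)
```

Every site that logs in as Ushared gets the same LOGNAME= entry back from `entry_for_incoming`, whatever machine name it claims, which is the shared-login effect the last paragraph describes.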

15.5.2 Permissions Commands

BNU UUCP has 13 different commands that can be included in the Permissions file. These commands help provide the flexibility that BNU allows over UUCP connections. These commands are placed in the same command block as the MACHINE= and LOGNAME= commands described above. You can specify as many commands in a block as you wish.

A MACHINE= entry in the Permissions file is used when a specific remote site is contacted by the local computer. Specify a MACHINE=OTHER entry to define a Permissions entry for any machine that is not explicitly referenced. For example:

    # Setup for when we call garp
    MACHINE=garp

LOGNAME= is used when a remote site logs in with a specific login name. Each UUCP login name should appear in only one LOGNAME entry. For example:

    # Setup login for when garp calls
    LOGNAME=Ugarp

You can specify a LOGNAME=OTHER entry to define a Permissions entry for any machine that is not explicitly referenced. For example:

    # Setup login for everybody else
    LOGNAME=OTHER

REQUEST= specifies whether the remote system can request file transfers with your computer. The default is "no," which means that files can be transferred only if the uucp command is issued on your computer. For example:

    # Let garp request files
    MACHINE=garp LOGNAME=Ugarp REQUEST=YES

SENDFILES= specifies whether files that are queued on the local system should be sent to the calling system when it contacts the local system. The default is "call," which means "no, don't send any queued files when the other computer calls me; hold the files until I call the other computer." The reason for this option is that you are more sure of the identity of a remote computer when you call it than when it calls you. If you set this entry to "yes," all of the queued files will be sent whenever the remote system calls you, or when you call it, whichever happens first. This option makes sense only with the LOGNAME entries. If this option is used with a MACHINE entry, it is ignored.
For example:

    # Send files to garp when it calls us
    LOGNAME=Ugarp SENDFILES=YES

PUBDIR= allows you to specify directories for public access. The default is /usr/spool/uucppublic. For example:

    # Let garp use two public directories
    MACHINE=garp LOGNAME=Ugarp READ=/ WRITE=/ \
            PUBDIR=/usr/spool/uucppublic:/usr/spool/garp

READ= and WRITE= specify the directories that uucico can use to read from or write to. The default is the PUBDIR. You can specify access to all of the temporary directories on your system with the following command:

    # Let garp read lots
    MACHINE=garp LOGNAME=Ugarp \
            READ=/usr/spool/uucppublic:/tmp:/usr/tmp \
            WRITE=/usr/spool/uucppublic:/tmp:/usr/tmp

You can let garp access every file on your system with the command:

    # Let garp read even more
    MACHINE=garp LOGNAME=Ugarp \
            READ=/ WRITE=/

We don't recommend this!

NOREAD= and NOWRITE= specify directories that uucico may not read from or write to, even if those directories are included in a READ or a WRITE command. You might want to use the NOREAD and NOWRITE directives to exclude directories like /etc and /usr/lib/uucp, so that there is no way that people on machines connected to yours via UUCP can read files like /etc/passwd and /usr/lib/uucp/Systems. For example:

    MACHINE=garp LOGNAME=Ugarp \
            READ=/ \
            WRITE=/usr/spool/uucppublic:/tmp:/usr/tmp \
            NOREAD=/etc:/usr/lib/uucp \
            NOWRITE=/etc:/usr/lib/uucp

CALLBACK= specifies whether or not the local system must call back the calling system before file transfer can occur. The default is "no." CALLBACK enhances security in some environments. Normally, it is possible with UUCP for one machine to masquerade as another. If you call a remote machine, however, it is unlikely that such a masquerade is taking place. CALLBACK is also useful for situations where one computer is equipped with a low-cost, long-distance telephone line, so that the majority of the call will be billed at the lower rate. The CALLBACK command makes sense only for LOGNAME entries.
If two sites have CALLBACK=yes specified for each other, the machines will continually call back and forth, but no data will be transferred. For example:

    # We'll call garp
    LOGNAME=Ugarp CALLBACK=YES

For further information, see our comments on callback in Chapter 14.

COMMANDS= specifies commands that the remote system can execute on the local computer. When uuxqt executes a command, it searches the Permissions file for the MACHINE= entry associated with the particular system from which the commands were sent. The MACHINE= entry is the one that is used, even if the uucico connection was originated by the remote machine and a different LOGNAME= entry is being used.

The default value for COMMANDS is compiled into your version of uuxqt; if you have source code, it is defined in the file params.h.

The COMMANDS= entry often has the single form:

    COMMANDS=rmail

You can specify a full pathname:

    COMMANDS=rmail:/usr/bin/rnews:/usr/ucb/lpr

You can specify the value ALL, which allows any command to be executed:

    COMMANDS=ALL

You probably don't want to specify ALL unless you have complete control over all of the machines that you connect to with UUCP. For example:

    # Let garp send us mail, netnews, and print files
    MACHINE=garp LOGNAME=Ugarp \
            COMMANDS=rmail:rnews:lpr

VALIDATE= is used with a LOGNAME entry to provide a small additional degree of security. Specifying a machine name (or many machine names) in the VALIDATE= entry will allow that UUCP login to be used only by those machines. For example:

    # Let's be sure about garp
    LOGNAME=Ugarp VALIDATE=garp

This command prevents any UUCP computer other than garp from using the Ugarp login. Of course, anybody interested in using UUCP to break into your computer could as easily change their UUCP name to be garp, so this command really doesn't provide very much security.

MYNAME= can be used to change the UUCP name of your computer when it initiates a UUCP connection. This command is useful for testing.
It is also helpful when you use a generic name for your site, but it is not the same as your UUCP machine. For example:

    # When we call garp, present ourselves as bigcorp
    MACHINE=garp \
            MYNAME=bigcorp

Got that? You can make your computer have any UUCP name that you want! Anybody else can do this as well, so be careful if you let any machine execute commands (specified in the COMMANDS= entry) that might be considered potentially unsafe (e.g., rm, shutdown).
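
An added example, not part of the book or of uucheck: Python that applies the READ/NOREAD precedence described above and flags the settings this section warns about. The entries are constructed dicts; the function names and the component-wise path match are assumptions, not BNU's own logic.

```python
import posixpath

DEFAULT_PUBDIR = "/usr/spool/uucppublic"   # default stated in the text
SENSITIVE = ["/etc", "/usr/lib/uucp"]      # directories the text suggests excluding

def under(path, directory):
    """True if path is directory or lies below it (assumed component-wise match)."""
    path, directory = posixpath.normpath(path), posixpath.normpath(directory)
    return directory == "/" or path == directory or path.startswith(directory + "/")

def may_read(entry, path):
    """READ grants access, NOREAD takes it away again; READ defaults to PUBDIR."""
    allowed = entry.get("READ") or entry.get("PUBDIR") or [DEFAULT_PUBDIR]
    denied = entry.get("NOREAD", [])
    return any(under(path, d) for d in allowed) and not any(under(path, d) for d in denied)

def audit(entry):
    """Return warnings for settings the text singles out as risky."""
    warnings = []
    for grant, deny in (("READ", "NOREAD"), ("WRITE", "NOWRITE")):
        for secret in SENSITIVE:
            exposed = any(under(secret, d) for d in entry.get(grant, []))
            if exposed and not any(under(secret, d) for d in entry.get(deny, [])):
                warnings.append(f"{grant} exposes {secret} (no {deny} covers it)")
    if "ALL" in entry.get("COMMANDS", []):
        warnings.append("COMMANDS=ALL lets the remote system run any command")
    if [v.lower() for v in entry.get("SENDFILES", [])] == ["yes"] and "LOGNAME" in entry:
        warnings.append("SENDFILES=yes sends queued files on incoming calls, "
                        "where the caller's identity is less certain")
    return warnings

# Constructed entries mirroring the NOREAD example and the READ=/ WRITE=/ example.
GARP_STRICT = {"MACHINE": ["garp"], "LOGNAME": ["Ugarp"], "READ": ["/"],
               "WRITE": ["/usr/spool/uucppublic", "/tmp", "/usr/tmp"],
               "NOREAD": ["/etc", "/usr/lib/uucp"],
               "NOWRITE": ["/etc", "/usr/lib/uucp"]}
GARP_OPEN = {"MACHINE": ["garp"], "LOGNAME": ["Ugarp"], "READ": ["/"],
             "WRITE": ["/"], "COMMANDS": ["ALL"]}
```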

15.5.3 uucheck: Checking Your Permissions File

Verifying the Permissions file can be tricky. To help with this important task, BNU includes a program called uucheck that does it for you.

Normally, the uucheck program only reports security problems. However, it has a -v option which causes the program to produce a full report.

Below is a sample Permissions file that lets the computer garp (or anybody using the UUCP login Ugarp) access a variety of files and execute a number of commands:

    # cat Permissions
    MACHINE=garp LOGNAME=Ugarp \
            COMMANDS=rmail:rnews:uucp \
            READ=/usr/spool/uucppublic:/usr/tmp \
            WRITE=/usr/spool/uucppublic:/usr/tmp \
            SENDFILES=yes REQUEST=no

Here is the output from the uucheck program run with the above Permissions file:

Example 15.1: Verifying the Sample UUCP Permissions File

    # /usr/lib/uucp/uucheck -v
    *** uucheck: Check Required Files and Directories
    *** uucheck: Directories Check Complete

    *** uucheck: Check /etc/uucp/Permissions file
    ** LOGNAME PHASE (when they call us)

    When a system logs in as: (Ugarp)
            We DO NOT allow them to request files.
            We WILL send files queued for them on this call.
            They can send files to
                /usr/spool/uucppublic
                /usr/tmp
            Sent files will be created in /var/spool/uucp
             before they are copied to the target directory.
            Myname for the conversation will be sun.
            PUBDIR for the conversation will be /usr/spool/uucppublic.

    ** MACHINE PHASE (when we call or execute their uux requests)

    When we call system(s): (garp)
            We DO NOT allow them to request files.
            They can send files to
                /usr/spool/uucppublic
                /usr/tmp
            Sent files will be created in /var/spool/uucp
             before they are copied to the target directory.
            Myname for the conversation will be sun.
            PUBDIR for the conversation will be /usr/spool/uucppublic.

    Machine(s): (garp)
    CAN execute the following commands:
    command (rmail), fullname (rmail)
    command (rnews), fullname (rnews)
    command (uucp), fullname (uucp)

    *** uucheck: /etc/uucp/Permissions Check Complete
    #