[unix-history] / usr / src / usr.bin / uucp / USERFILE.5

.\" Copyright (c) 1986 Regents of the University of California.
.\" All rights reserved.  The Berkeley software License Agreement
.\" specifies the terms and conditions for redistribution.
.\"
.\"	@(#)USERFILE.5	6.2 (Berkeley) 6/23/90
.\"
.TH USERFILE 5 "June 23, 1990"
.UC 6
.SH NAME
USERFILE \- \s-1UUCP\s0 pathname permissions file
.SH DESCRIPTION
The
.I USERFILE
file specifies the file system directory trees that are accessible to
local users and to remote systems via \s-1UUCP\s0.
.PP
Each line in
.I USERFILE
is of the form:
.PP
[\fIloginname\fP]\fB,\fP[\fIsystem\fP] [ \fBc\fP ] \fIpathname\fP \c
[\fIpathname\fP] [\fIpathname\fP]
.PP
The first two items are separated by a comma; any number of spaces or
tabs may separate the remaining items.
Lines beginning with a `#' character are comments.
A trailing `\e' indicates that the next line
is a continuation of the current line. 
.PP
.I Loginname
is a login (from
.IR /etc/passwd )
on the local machine.
.PP
.I System
is the name of a remote machine, the same name used in
.IR L.sys (5).
.PP
.I c
denotes the optional
.I callback
field.
If a \fBc\fP appears here, a remote machine that calls in will be told
that callback is requested, and the conversation will be terminated.
The local system will then immediately call the remote host back.
.PP
.I Pathname
is a pathname prefix that is permissible for this
.I login
and/or
.IR system .
.PP
When
.IR uucico (8C)
runs in master role or
.IR uucp (1C)
or
.IR uux (1C)
are run by local users, the permitted pathnames are those on the
first line with a
.I loginname
that matches the name of the user who executed the command.
If no such line exists, then the first line with a null (missing)
.I loginname
field is used.
(Beware:
.I uucico
is often run by the superuser or the \s-1UUCP\s0 administrator through
.IR cron (8).)
.PP
When
.I uucico
runs in slave role, the permitted pathnames are those on the
first line with a
.I system
field that matches the hostname of the remote machine.
If no such line exists, then the first line with a null (missing)
.I system
field is used.
.PP
.IR Uuxqt (8)
works differently; it knows neither a login name nor a hostname.
It accepts the pathnames on the first line that has a null
.I system 
field.
(This is the same line that is used by
.I uucico
when it cannot match the remote machine's hostname.)
.PP
A line with both
.I loginname
and
.I system
null, for example
.IP
.B ,  /var/spool/uucppublic
.PP	
can be used to conveniently specify the paths for both "no match" cases
if lines earlier in
.I USERFILE
did not define them.
(This differs from older Berkeley and all USG versions, where each case
must be individually specified.
If neither case is defined earlier,
a "null" line only defines the "unknown login" case.)
.PP
To correctly process
.I loginname
on systems that assign several logins per UID,
the following strategy is used to determine the current
.IR loginname :
.TP
1)
If the process is attached to a terminal, a login entry exists in
.IR /var/run/utmp ,
and the UID for the
.I utmp
name matches the current real UID, then
.IR loginname
is set to the
.I utmp
name.
.TP
2)
If the
.B USER
environment variable is defined and the UID for this name matches
the current real UID, then
.IR loginname
is set to the name in
.BR USER .
.TP
3)
If both of the above fail, call
.IR getpwuid (3)
to fetch the first name in
.I /etc/passwd
that matches the real UID.
.TP
4)
If all of the above fail, the utility aborts.
.SH FILES
.ta \w'/usr/lib/uucp/UUAIDS/USERFILE   'u
.nf
/usr/lib/uucp/USERFILE
/usr/lib/uucp/UUAIDS/USERFILE	USERFILE example
.fi
.SH SEE ALSO
uucp(1C), uux(1C), L.cmds(5), L.sys(5), uucico(8C), uuxqt(8C)
.SH NOTES
The \s-1UUCP\s0 utilities
.RI ( uucico ,
.IR uucp ,
.IR uux ,
and
.IR uuxqt )
always have access to the \s-1UUCP\s0 spool files in
.IR /var/spool/uucp ,
regardless of pathnames in
.IR USERFILE .
.PP
If
.B uucp
is listed in
.IR L.cmds (5),
then a remote system will execute
.I uucp 
on the local system with the
.I USERFILE
privileges for its
.IR login ,
not its hostname.
.PP
.I Uucico
freely switches between master and slave roles during the course of a
conversation, regardless of the role it was started with.
This affects how
.I USERFILE
is interpreted.
.SH WARNING
.I USERFILE
restricts access only on strings that the \s-1UUCP\s0 utilities identify
as being pathnames.
If the wrong holes are left in other \s-1UUCP\s0 control files (notably
.IR L.cmds ),
it can be easy for an intruder to open files anywhere in the file system.
Arguments to
.IR uucp (1C)
are safe, since it assumes all of its non-option arguments are files.
.IR Uux (1C)
cannot make such assumptions; hence, it is more dangerous.
.SH BUGS
The
.I "\s-1UUCP\s0 Implementation Description"
explicitly states that all remote login names must be listed in
.IR USERFILE .
This requirement is not enforced by Berkeley \s-1UUCP\s0, although it is
by USG \s-1UUCP\s0.
.PP
Early versions of 4.2BSD
.IR uuxqt (8)
erroneously check \s-1UUCP\s0 spool files against the
.I USERFILE
pathname permissions.
Hence, on these systems it is necessary to specify
.I /var/spool/uucp
as a valid path on the
.I USERFILE
line used by
.IR uuxqt .
Otherwise, all
.IR uux (1C)
requests are rejected with a "PERMISSION DENIED" message.
Commit	Line	Data
55331617 KM	1	.\" Copyright (c) 1986 Regents of the University of California.
	2	.\" All rights reserved. The Berkeley software License Agreement
	3	.\" specifies the terms and conditions for redistribution.
	4	.\"
1c15e888	5	.\" @(#)USERFILE.5 6.2 (Berkeley) 6/23/90
55331617	6	.\"
1c15e888	7	.TH USERFILE 5 "June 23, 1990"
55331617 KM	8	.UC 6
	9	.SH NAME
	10	USERFILE \- \s-1UUCP\s0 pathname permissions file
	11	.SH DESCRIPTION
	12	The
	13	.I USERFILE
	14	file specifies the file system directory trees that are accessible to
	15	local users and to remote systems via \s-1UUCP\s0.
	16	.PP
	17	Each line in
	18	.I USERFILE
	19	is of the form:
	20	.PP
	21	[\fIloginname\fP]\fB,\fP[\fIsystem\fP] [ \fBc\fP ] \fIpathname\fP \c
	22	[\fIpathname\fP] [\fIpathname\fP]
	23	.PP
	24	The first two items are separated by a comma; any number of spaces or
	25	tabs may separate the remaining items.
	26	Lines beginning with a `#' character are comments.
	27	A trailing `\e' indicates that the next line
	28	is a continuation of the current line.
	29	.PP
	30	.I Loginname
	31	is a login (from
	32	.IR /etc/passwd )
	33	on the local machine.
	34	.PP
	35	.I System
	36	is the name of a remote machine, the same name used in
	37	.IR L.sys (5).
	38	.PP
	39	.I c
	40	denotes the optional
	41	.I callback
	42	field.
	43	If a \fBc\fP appears here, a remote machine that calls in will be told
	44	that callback is requested, and the conversation will be terminated.
	45	The local system will then immediately call the remote host back.
	46	.PP
	47	.I Pathname
	48	is a pathname prefix that is permissible for this
	49	.I login
	50	and/or
	51	.IR system .
	52	.PP
	53	When
	54	.IR uucico (8C)
	55	runs in master role or
	56	.IR uucp (1C)
	57	or
	58	.IR uux (1C)
	59	are run by local users, the permitted pathnames are those on the
	60	first line with a
	61	.I loginname
	62	that matches the name of the user who executed the command.
	63	If no such line exists, then the first line with a null (missing)
	64	.I loginname
	65	field is used.
	66	(Beware:
	67	.I uucico
	68	is often run by the superuser or the \s-1UUCP\s0 administrator through
	69	.IR cron (8).)
	70	.PP
	71	When
72	.I uucico
73	runs in slave role, the permitted pathnames are those on the
74	first line with a
75	.I system
76	field that matches the hostname of the remote machine.
77	If no such line exists, then the first line with a null (missing)
78	.I system
79	field is used.
80	.PP
81	.IR Uuxqt (8)
82	works differently; it knows neither a login name nor a hostname.
83	It accepts the pathnames on the first line that has a null
84	.I system
85	field.
86	(This is the same line that is used by
87	.I uucico
88	when it cannot match the remote machine's hostname.)
89	.PP
90	A line with both
91	.I loginname
92	and
93	.I system
94	null, for example
95	.IP
dde9b027	96	.B , /var/spool/uucppublic
55331617 KM	97	.PP
	98	can be used to conveniently specify the paths for both "no match" cases
	99	if lines earlier in
	100	.I USERFILE
	101	did not define them.
	102	(This differs from older Berkeley and all USG versions, where each case
	103	must be individually specified.
	104	If neither case is defined earlier,
	105	a "null" line only defines the "unknown login" case.)
	106	.PP
	107	To correctly process
	108	.I loginname
	109	on systems that assign several logins per UID,
	110	the following strategy is used to determine the current
	111	.IR loginname :
	112	.TP
	113	1)
	114	If the process is attached to a terminal, a login entry exists in
dde9b027	115	.IR /var/run/utmp ,
55331617 KM	116	and the UID for the
	117	.I utmp
	118	name matches the current real UID, then
	119	.IR loginname
	120	is set to the
	121	.I utmp
	122	name.
	123	.TP
	124	2)
	125	If the
	126	.B USER
	127	environment variable is defined and the UID for this name matches
	128	the current real UID, then
	129	.IR loginname
	130	is set to the name in
	131	.BR USER .
	132	.TP
	133	3)
	134	If both of the above fail, call
	135	.IR getpwuid (3)
	136	to fetch the first name in
	137	.I /etc/passwd
	138	that matches the real UID.
	139	.TP
	140	4)
	141	If all of the above fail, the utility aborts.
	142	.SH FILES
	143	.ta \w'/usr/lib/uucp/UUAIDS/USERFILE 'u
	144	.nf
	145	/usr/lib/uucp/USERFILE
	146	/usr/lib/uucp/UUAIDS/USERFILE USERFILE example
	147	.fi
	148	.SH SEE ALSO
	149	uucp(1C), uux(1C), L.cmds(5), L.sys(5), uucico(8C), uuxqt(8C)
	150	.SH NOTES
	151	The \s-1UUCP\s0 utilities
	152	.RI ( uucico ,
	153	.IR uucp ,
	154	.IR uux ,
	155	and
	156	.IR uuxqt )
	157	always have access to the \s-1UUCP\s0 spool files in
dde9b027	158	.IR /var/spool/uucp ,
55331617 KM	159	regardless of pathnames in
	160	.IR USERFILE .
	161	.PP
	162	If
	163	.B uucp
	164	is listed in
	165	.IR L.cmds (5),
	166	then a remote system will execute
	167	.I uucp
	168	on the local system with the
	169	.I USERFILE
	170	privileges for its
	171	.IR login ,
	172	not its hostname.
	173	.PP
	174	.I Uucico
	175	freely switches between master and slave roles during the course of a
	176	conversation, regardless of the role it was started with.
	177	This affects how
	178	.I USERFILE
	179	is interpreted.
	180	.SH WARNING
	181	.I USERFILE
	182	restricts access only on strings that the \s-1UUCP\s0 utilities identify
	183	as being pathnames.
	184	If the wrong holes are left in other \s-1UUCP\s0 control files (notably
	185	.IR L.cmds ),
	186	it can be easy for an intruder to open files anywhere in the file system.
	187	Arguments to
	188	.IR uucp (1C)
	189	are safe, since it assumes all of its non-option arguments are files.
	190	.IR Uux (1C)
	191	cannot make such assumptions; hence, it is more dangerous.
	192	.SH BUGS
	193	The
	194	.I "\s-1UUCP\s0 Implementation Description"
	195	explicitly states that all remote login names must be listed in
	196	.IR USERFILE .
	197	This requirement is not enforced by Berkeley \s-1UUCP\s0, although it is
	198	by USG \s-1UUCP\s0.
	199	.PP
	200	Early versions of 4.2BSD
	201	.IR uuxqt (8)
	202	erroneously check \s-1UUCP\s0 spool files against the
	203	.I USERFILE
	204	pathname permissions.
	205	Hence, on these systems it is necessary to specify
dde9b027	206	.I /var/spool/uucp
55331617 KM	207	as a valid path on the
	208	.I USERFILE
	209	line used by
	210	.IR uuxqt .
	211	Otherwise, all
	212	.IR uux (1C)
	213	requests are rejected with a "PERMISSION DENIED" message.