[unix-history] / usr / src / usr.bin / uucp / man5 / USERFILE.5

.\" Copyright (c) 1986, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" This module is believed to contain source code proprietary to AT&T.
.\" Use and redistribution is subject to the Berkeley Software License
.\" Agreement and your Software Agreement with AT&T (Western Electric).
.\"
.\"	@(#)USERFILE.5	8.1 (Berkeley) 6/6/93
.\"
.TH USERFILE 5 "June 6, 1993"
.UC 6
.SH NAME
USERFILE \- \s-1UUCP\s0 pathname permissions file
.SH DESCRIPTION
The
.I USERFILE
file specifies the file system directory trees that are accessible to
local users and to remote systems via \s-1UUCP\s0.
.PP
Each line in
.I USERFILE
is of the form:
.PP
[\fIloginname\fP]\fB,\fP[\fIsystem\fP] [ \fBc\fP ] \fIpathname\fP \c
[\fIpathname\fP] [\fIpathname\fP]
.PP
The first two items are separated by a comma; any number of spaces or
tabs may separate the remaining items.
Lines beginning with a `#' character are comments.
A trailing `\e' indicates that the next line
is a continuation of the current line. 
.PP
.I Loginname
is a login (from
.IR /etc/passwd )
on the local machine.
.PP
.I System
is the name of a remote machine, the same name used in
.IR L.sys (5).
.PP
.I c
denotes the optional
.I callback
field.
If a \fBc\fP appears here, a remote machine that calls in will be told
that callback is requested, and the conversation will be terminated.
The local system will then immediately call the remote host back.
.PP
.I Pathname
is a pathname prefix that is permissible for this
.I login
and/or
.IR system .
.PP
When
.IR uucico (8C)
runs in master role or
.IR uucp (1C)
or
.IR uux (1C)
are run by local users, the permitted pathnames are those on the
first line with a
.I loginname
that matches the name of the user who executed the command.
If no such line exists, then the first line with a null (missing)
.I loginname
field is used.
(Beware:
.I uucico
is often run by the superuser or the \s-1UUCP\s0 administrator through
.IR cron (8).)
.PP
When
.I uucico
runs in slave role, the permitted pathnames are those on the
first line with a
.I system
field that matches the hostname of the remote machine.
If no such line exists, then the first line with a null (missing)
.I system
field is used.
.PP
.IR Uuxqt (8)
works differently; it knows neither a login name nor a hostname.
It accepts the pathnames on the first line that has a null
.I system 
field.
(This is the same line that is used by
.I uucico
when it cannot match the remote machine's hostname.)
.PP
A line with both
.I loginname
and
.I system
null, for example
.IP
.B ,  /var/spool/uucppublic
.PP	
can be used to conveniently specify the paths for both "no match" cases
if lines earlier in
.I USERFILE
did not define them.
(This differs from older Berkeley and all USG versions, where each case
must be individually specified.
If neither case is defined earlier,
a "null" line only defines the "unknown login" case.)
.PP
To correctly process
.I loginname
on systems that assign several logins per UID,
the following strategy is used to determine the current
.IR loginname :
.TP
1)
If the process is attached to a terminal, a login entry exists in
.IR /var/run/utmp ,
and the UID for the
.I utmp
name matches the current real UID, then
.IR loginname
is set to the
.I utmp
name.
.TP
2)
If the
.B USER
environment variable is defined and the UID for this name matches
the current real UID, then
.IR loginname
is set to the name in
.BR USER .
.TP
3)
If both of the above fail, call
.IR getpwuid (3)
to fetch the first name in
.I /etc/passwd
that matches the real UID.
.TP
4)
If all of the above fail, the utility aborts.
.SH FILES
.ta \w'/usr/lib/uucp/UUAIDS/USERFILE   'u
.nf
/usr/lib/uucp/USERFILE
/usr/lib/uucp/UUAIDS/USERFILE	USERFILE example
.fi
.SH SEE ALSO
uucp(1C), uux(1C), L.cmds(5), L.sys(5), uucico(8C), uuxqt(8C)
.SH NOTES
The \s-1UUCP\s0 utilities
.RI ( uucico ,
.IR uucp ,
.IR uux ,
and
.IR uuxqt )
always have access to the \s-1UUCP\s0 spool files in
.IR /var/spool/uucp ,
regardless of pathnames in
.IR USERFILE .
.PP
If
.B uucp
is listed in
.IR L.cmds (5),
then a remote system will execute
.I uucp 
on the local system with the
.I USERFILE
privileges for its
.IR login ,
not its hostname.
.PP
.I Uucico
freely switches between master and slave roles during the course of a
conversation, regardless of the role it was started with.
This affects how
.I USERFILE
is interpreted.
.SH WARNING
.I USERFILE
restricts access only on strings that the \s-1UUCP\s0 utilities identify
as being pathnames.
If the wrong holes are left in other \s-1UUCP\s0 control files (notably
.IR L.cmds ),
it can be easy for an intruder to open files anywhere in the file system.
Arguments to
.IR uucp (1C)
are safe, since it assumes all of its non-option arguments are files.
.IR Uux (1C)
cannot make such assumptions; hence, it is more dangerous.
.SH BUGS
The
.I "\s-1UUCP\s0 Implementation Description"
explicitly states that all remote login names must be listed in
.IR USERFILE .
This requirement is not enforced by Berkeley \s-1UUCP\s0, although it is
by USG \s-1UUCP\s0.
.PP
Early versions of 4.2BSD
.IR uuxqt (8)
erroneously check \s-1UUCP\s0 spool files against the
.I USERFILE
pathname permissions.
Hence, on these systems it is necessary to specify
.I /var/spool/uucp
as a valid path on the
.I USERFILE
line used by
.IR uuxqt .
Otherwise, all
.IR uux (1C)
requests are rejected with a "PERMISSION DENIED" message.
Commit	Line	Data
ad787160 C	1	.\" Copyright (c) 1986, 1993
ad787160 C	2	.\" The Regents of the University of California. All rights reserved.
55331617	3	.\"
ad787160 C	4	.\" This module is believed to contain source code proprietary to AT&T.
	5	.\" Use and redistribution is subject to the Berkeley Software License
	6	.\" Agreement and your Software Agreement with AT&T (Western Electric).
f49909f5	7	.\"
ad787160	8	.\" @(#)USERFILE.5 8.1 (Berkeley) 6/6/93
55331617	9	.\"
ad787160	10	.TH USERFILE 5 "June 6, 1993"
55331617 KM	11	.UC 6
	12	.SH NAME
	13	USERFILE \- \s-1UUCP\s0 pathname permissions file
	14	.SH DESCRIPTION
	15	The
	16	.I USERFILE
	17	file specifies the file system directory trees that are accessible to
	18	local users and to remote systems via \s-1UUCP\s0.
	19	.PP
	20	Each line in
	21	.I USERFILE
	22	is of the form:
	23	.PP
	24	[\fIloginname\fP]\fB,\fP[\fIsystem\fP] [ \fBc\fP ] \fIpathname\fP \c
	25	[\fIpathname\fP] [\fIpathname\fP]
	26	.PP
	27	The first two items are separated by a comma; any number of spaces or
	28	tabs may separate the remaining items.
	29	Lines beginning with a `#' character are comments.
	30	A trailing `\e' indicates that the next line
	31	is a continuation of the current line.
	32	.PP
	33	.I Loginname
	34	is a login (from
	35	.IR /etc/passwd )
	36	on the local machine.
	37	.PP
	38	.I System
	39	is the name of a remote machine, the same name used in
	40	.IR L.sys (5).
	41	.PP
	42	.I c
	43	denotes the optional
	44	.I callback
	45	field.
	46	If a \fBc\fP appears here, a remote machine that calls in will be told
	47	that callback is requested, and the conversation will be terminated.
	48	The local system will then immediately call the remote host back.
	49	.PP
	50	.I Pathname
	51	is a pathname prefix that is permissible for this
	52	.I login
	53	and/or
	54	.IR system .
	55	.PP
	56	When
	57	.IR uucico (8C)
	58	runs in master role or
	59	.IR uucp (1C)
	60	or
	61	.IR uux (1C)
	62	are run by local users, the permitted pathnames are those on the
	63	first line with a
	64	.I loginname
	65	that matches the name of the user who executed the command.
	66	If no such line exists, then the first line with a null (missing)
	67	.I loginname
	68	field is used.
	69	(Beware:
	70	.I uucico
	71	is often run by the superuser or the \s-1UUCP\s0 administrator through
	72	.IR cron (8).)
	73	.PP
	74	When
75	.I uucico
76	runs in slave role, the permitted pathnames are those on the
77	first line with a
78	.I system
79	field that matches the hostname of the remote machine.
80	If no such line exists, then the first line with a null (missing)
81	.I system
82	field is used.
83	.PP
84	.IR Uuxqt (8)
85	works differently; it knows neither a login name nor a hostname.
86	It accepts the pathnames on the first line that has a null
87	.I system
88	field.
89	(This is the same line that is used by
90	.I uucico
91	when it cannot match the remote machine's hostname.)
92	.PP
93	A line with both
94	.I loginname
95	and
96	.I system
97	null, for example
98	.IP
dde9b027	99	.B , /var/spool/uucppublic
55331617 KM	100	.PP
	101	can be used to conveniently specify the paths for both "no match" cases
	102	if lines earlier in
	103	.I USERFILE
	104	did not define them.
	105	(This differs from older Berkeley and all USG versions, where each case
	106	must be individually specified.
	107	If neither case is defined earlier,
	108	a "null" line only defines the "unknown login" case.)
	109	.PP
	110	To correctly process
	111	.I loginname
	112	on systems that assign several logins per UID,
	113	the following strategy is used to determine the current
	114	.IR loginname :
	115	.TP
	116	1)
	117	If the process is attached to a terminal, a login entry exists in
dde9b027	118	.IR /var/run/utmp ,
55331617 KM	119	and the UID for the
	120	.I utmp
	121	name matches the current real UID, then
	122	.IR loginname
	123	is set to the
	124	.I utmp
	125	name.
	126	.TP
	127	2)
	128	If the
	129	.B USER
	130	environment variable is defined and the UID for this name matches
	131	the current real UID, then
	132	.IR loginname
	133	is set to the name in
	134	.BR USER .
	135	.TP
	136	3)
	137	If both of the above fail, call
	138	.IR getpwuid (3)
	139	to fetch the first name in
	140	.I /etc/passwd
	141	that matches the real UID.
	142	.TP
	143	4)
	144	If all of the above fail, the utility aborts.
	145	.SH FILES
	146	.ta \w'/usr/lib/uucp/UUAIDS/USERFILE 'u
	147	.nf
	148	/usr/lib/uucp/USERFILE
	149	/usr/lib/uucp/UUAIDS/USERFILE USERFILE example
	150	.fi
	151	.SH SEE ALSO
	152	uucp(1C), uux(1C), L.cmds(5), L.sys(5), uucico(8C), uuxqt(8C)
	153	.SH NOTES
	154	The \s-1UUCP\s0 utilities
	155	.RI ( uucico ,
	156	.IR uucp ,
	157	.IR uux ,
	158	and
	159	.IR uuxqt )
	160	always have access to the \s-1UUCP\s0 spool files in
dde9b027	161	.IR /var/spool/uucp ,
55331617 KM	162	regardless of pathnames in
	163	.IR USERFILE .
	164	.PP
	165	If
	166	.B uucp
	167	is listed in
	168	.IR L.cmds (5),
	169	then a remote system will execute
	170	.I uucp
	171	on the local system with the
	172	.I USERFILE
	173	privileges for its
	174	.IR login ,
	175	not its hostname.
	176	.PP
	177	.I Uucico
	178	freely switches between master and slave roles during the course of a
	179	conversation, regardless of the role it was started with.
	180	This affects how
	181	.I USERFILE
	182	is interpreted.
	183	.SH WARNING
	184	.I USERFILE
	185	restricts access only on strings that the \s-1UUCP\s0 utilities identify
	186	as being pathnames.
	187	If the wrong holes are left in other \s-1UUCP\s0 control files (notably
	188	.IR L.cmds ),
	189	it can be easy for an intruder to open files anywhere in the file system.
	190	Arguments to
	191	.IR uucp (1C)
	192	are safe, since it assumes all of its non-option arguments are files.
	193	.IR Uux (1C)
	194	cannot make such assumptions; hence, it is more dangerous.
	195	.SH BUGS
	196	The
	197	.I "\s-1UUCP\s0 Implementation Description"
	198	explicitly states that all remote login names must be listed in
	199	.IR USERFILE .
	200	This requirement is not enforced by Berkeley \s-1UUCP\s0, although it is
	201	by USG \s-1UUCP\s0.
	202	.PP
	203	Early versions of 4.2BSD
	204	.IR uuxqt (8)
	205	erroneously check \s-1UUCP\s0 spool files against the
	206	.I USERFILE
	207	pathname permissions.
	208	Hence, on these systems it is necessary to specify
dde9b027	209	.I /var/spool/uucp
55331617 KM	210	as a valid path on the
	211	.I USERFILE
	212	line used by
	213	.IR uuxqt .
	214	Otherwise, all
	215	.IR uux (1C)
	216	requests are rejected with a "PERMISSION DENIED" message.