LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/nag2/x-087-2-uucp.permissions.html

576 lines
10 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Controlling Access to UUCP Features</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
REL="HOME"
TITLE="Linux Network Administrators Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="ManagingTaylor UUCP"
HREF="x-087-2-uucp.html"><LINK
REL="PREVIOUS"
TITLE="UUCP Configuration Files"
HREF="x-087-2-uucp.config.files.html"><LINK
REL="NEXT"
TITLE="Setting Up Your System for Dialing In"
HREF="x-087-2-uucp.dialin.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Network Administrators Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x-087-2-uucp.config.files.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 16. ManagingTaylor UUCP</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x-087-2-uucp.dialin.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="X-087-2-UUCP.PERMISSIONS"
>16.3. Controlling Access to UUCP Features</A
></H1
><P
>&#13;
UUCP is quite a flexible system. With that flexibility comes a need to
carefully control access to its features to prevent abuse, whether it be
intentional or accidental. The primary features of concern to the UUCP
administrator are remote command execution, file transfer, and forwarding.
Taylor UUCP provides a means of limiting the freedom that remote UUCP hosts
have in exercising each of these features. With careful selection of
permissions, the UUCP administrator can ensure that the host's security is
preserved.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN13362"
>16.3.1. Command Execution</A
></H2
><P
>&#13;
UUCP's task is to copy files from one system to another and to request
execution of certain commands on remote hosts. Of course, you as an
administrator would want to control what rights you grant other
systems&#8212;allowing them to execute any command they choose on your system
is definitely not a good idea.</P
><P
>&#13;
By default, the only commands Taylor UUCP allows other systems to execute on
your machine are <B
CLASS="COMMAND"
>rmail</B
> and <B
CLASS="COMMAND"
>rnews</B
>, which
are commonly used to exchange email and Usenet News over UUCP. To change the
set of commands for a particular system, you can use the
<SPAN
CLASS="SYSTEMITEM"
>commands</SPAN
> keyword in the
<TT
CLASS="FILENAME"
>sys</TT
> file. Similarly, you may want to limit the search
path to just those directories containing the allowed commands. You can
change the search path allowed for a remote host with the
<SPAN
CLASS="SYSTEMITEM"
>command-path</SPAN
> statement. For instance,
you may want to allow system
<SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
> to execute the
<B
CLASS="COMMAND"
>bsmtp</B
> command in addition to <B
CLASS="COMMAND"
>rmail</B
>
and <B
CLASS="COMMAND"
>rnews</B
>:<A
NAME="X-087-2-FNUU12"
HREF="#FTN.X-087-2-FNUU12"
>[1]</A
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>system pablo
...
commands rmail rnews bsmtp</PRE
></TD
></TR
></TABLE
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN13402"
>16.3.2. File Transfers</A
></H2
><P
>&#13;
Taylor UUCP also allows you to fine-tune file transfers in great
detail. At one extreme, you can disable transfers to and from a
particular system. Just set <SPAN
CLASS="SYSTEMITEM"
>request</SPAN
> to <SPAN
CLASS="SYSTEMITEM"
>no</SPAN
>, and the remote system will not be able
to either retrieve files from your system or send it any
files. Similarly, you can prohibit your users from transferring files
to or from a system by setting <SPAN
CLASS="SYSTEMITEM"
>transfer</SPAN
> to <SPAN
CLASS="SYSTEMITEM"
>no</SPAN
>. By default, users on both the local
and the remote system are allowed to upload and download files.</P
><P
>In addition, you can configure the directories that files may be
copied to and from. Usually you will want to restrict access from
remote systems to a single directory hierarchy, but still allow your
users to send files from their home directory. Commonly, remote users are
allowed to receive files only from the public UUCP directory
<TT
CLASS="FILENAME"
>/var/spool/uucppublic</TT
>. This is the traditional
place to make files publicly available, very much like FTP servers on
the Internet.<A
NAME="X-087-2-UUCP-FNUU13"
HREF="#FTN.X-087-2-UUCP-FNUU13"
>[2]</A
></P
><P
>Taylor UUCP provides four different commands to configure the
directories for sending and receiving files. They are:
<B
CLASS="COMMAND"
>local-send</B
>, which specifies the list of
directories a user may ask UUCP to send files from;
<B
CLASS="COMMAND"
>local-receive</B
>, which gives the list of
directories a user may ask to receive files to; and
<B
CLASS="COMMAND"
>remote-send</B
> and <B
CLASS="COMMAND"
>remote-receive</B
>,
which do the analogous for
requests from a foreign system. Consider the following example:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>system pablo
...
local-send /home ~
local-receive /home ~/receive
remote-send ~ !~/incoming !~/receive
remote-receive ~/incoming</PRE
></TD
></TR
></TABLE
></P
><P
>The <B
CLASS="COMMAND"
>local-send</B
> command allows
users on your host to send any files below <TT
CLASS="FILENAME"
>/home</TT
>
and from the public UUCP directory to <SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
>. The <B
CLASS="COMMAND"
>local-receive</B
>
command allows them to
receive files either to the world-writable
<TT
CLASS="FILENAME"
>receive</TT
> directory in the
<TT
CLASS="FILENAME"
>uucppublic</TT
>, or any world-writable directory below
<TT
CLASS="FILENAME"
>/home</TT
>. The <B
CLASS="COMMAND"
>remote-send</B
>
directive allows <SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
> to request files from
<TT
CLASS="FILENAME"
>/var/spool/uucppublic</TT
>, except for files from the
<TT
CLASS="FILENAME"
>incoming</TT
> and <TT
CLASS="FILENAME"
>receive</TT
>
directories. This is signaled to <B
CLASS="COMMAND"
>uucico</B
> by
preceding the directory names with exclamation marks. Finally, the
last line allows <SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
> to
upload files to <SPAN
CLASS="SYSTEMITEM"
>incoming</SPAN
>.</P
><P
>A major problem with file transfers using UUCP is that it receives files
only to directories that are world-writable. This may tempt some users to set
up traps for other users. However, there's no way to escape this problem
outside of disabling UUCP file transfers altogether.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN13444"
>16.3.3. Forwarding</A
></H2
><P
>&#13;
UUCP provides a mechanism to have other systems execute file transfers on your
behalf. For instance, suppose your system has <B
CLASS="COMMAND"
>uucp</B
> access
to a system called <SPAN
CLASS="SYSTEMITEM"
>seci</SPAN
>, but not to
another system called <SPAN
CLASS="SYSTEMITEM"
>uchile</SPAN
>. This
allows you to make <SPAN
CLASS="SYSTEMITEM"
>seci</SPAN
> retrieve a
file from <SPAN
CLASS="SYSTEMITEM"
>uchile</SPAN
> for you and send it
to your system. The following command would achieve this:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>$ <TT
CLASS="USERINPUT"
><B
>uucp -r seci!uchile!~/find-ls.gz ~/uchile.files.gz</B
></TT
></PRE
></TD
></TR
></TABLE
></P
><P
>This technique of passing a job through several systems is called
<I
CLASS="EMPHASIS"
>forwarding</I
>. On your own UUCP system, you would want to
limit the forwarding service to a few hosts you trust not to run up a
horrendous phone bill by making you download the latest X11R6 source release
for them.</P
><P
>By default, Taylor UUCP prohibits forwarding altogether. To enable
forwarding for a particular system, you can use the
<B
CLASS="COMMAND"
>forward</B
> command. This command specifies a
list of sites the system may request you to forward jobs to and
from. For instance, the UUCP administrator of <SPAN
CLASS="SYSTEMITEM"
>seci</SPAN
> would have to add the following
lines to the <TT
CLASS="FILENAME"
>sys</TT
> file to allow <SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
> to request files from <SPAN
CLASS="SYSTEMITEM"
>uchile</SPAN
>:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>####################
# pablo
system pablo
...
forward uchile
####################
# uchile
system uchile
...
forward-to pablo</PRE
></TD
></TR
></TABLE
></P
><P
>The <SPAN
CLASS="SYSTEMITEM"
>forward-to</SPAN
> entry for
<SPAN
CLASS="SYSTEMITEM"
>uchile</SPAN
> is necessary so that any files
returned by it are actually passed on to
<SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
>. Otherwise UUCP would drop them.
This entry uses a variation of the
<B
CLASS="COMMAND"
>forward</B
> command that permits
<SPAN
CLASS="SYSTEMITEM"
>uchile</SPAN
> to send files only to
<SPAN
CLASS="SYSTEMITEM"
>pablo</SPAN
> through
<SPAN
CLASS="SYSTEMITEM"
>seci</SPAN
>, not the other way round.</P
><P
>To permit forwarding to any system, use the special keyword
<SPAN
CLASS="SYSTEMITEM"
>ANY</SPAN
> (capital letters required).</P
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.X-087-2-FNUU12"
HREF="x-087-2-uucp.permissions.html#X-087-2-FNUU12"
>[1]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
><B
CLASS="COMMAND"
>bsmtp</B
> is used to deliver mail with batched SMTP.</P
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.X-087-2-UUCP-FNUU13"
HREF="x-087-2-uucp.permissions.html#X-087-2-UUCP-FNUU13"
>[2]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
> You may use a
tilde (<TT
CLASS="LITERAL"
>~</TT
>) character to refer to the UUCP public
directory, but only in UUCP configuration files; outside it usually
translates to the user's home directory.</P
></TD
></TR
></TABLE
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x-087-2-uucp.config.files.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x-087-2-uucp.dialin.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>UUCP Configuration Files</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="x-087-2-uucp.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Setting Up Your System for Dialing In</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink