The Permissions file is used to control the access that remote
systems have to data and programs on the local system. Specifically,
it is used to specify:
- Which systems can establish a uucico connection
- The areas in the file system that a remote system can read from or write to
- The commands that the remote system can run on the local system
- Whether the local system will process its waiting work when contacted by another system
- An alias for the local system
- A different public directory
The format of each entry in the Permissions file is:
LOGNAME=userid [MACHINE=system] option=value [option=value] …
or
MACHINE=system [LOGNAME=userid] option=value [option=value] …
where option is one of the options and value is one or more values
that you want to set for that option. Options and values are case-sensitive.
When specifying multiple values for an option, separate the values
with a colon (:). Here are some sample entries:
MACHINE=ME READ=/ WRITE=/ COMMANDS=ALL
MACHINE=site1:site2:SITE3 \
READ=/ \
WRITE=/ \
COMMANDS=uucp:cat:ls
LOGNAME=NUUCP \
READ=/ \
WRITE=/ \
SENDFILES=yes \
DEBUG=9 \
VALIDATE=site1:site2:SITE3
The Permissions file can also contain blank lines (which are ignored)
and comment lines. To indicate that a line is a comment line, use
a number sign (#) as the first character in the line.
Each entry must contain the LOGNAME option or the MACHINE option, or both.
Both options are used to identify an entry that applies to a remote system
when it is processing its file transfer requests. The difference between
them is based on which system initiates the connection:
- LOGNAME=userid entries apply to a remote system when it initiates the
connection by logging onto your system as userid.
- MACHINE=system entries apply to a remote system when your system
initiates the call to system.
If your system initiates the connection, your system first processes
any queued file transfer requests that it has. When this is complete,
the remote system can indicate that it has file transfer requests
queued on its system that it would like to process. If the correct
permissions are set, control switches to the remote system which then
processes its file transfer requests. At this point, the MACHINE entry
options are used for the remote system.
If your system does not need to differentiate Permissions options
based on which system initiates the call, then LOGNAME and MACHINE can
appear in the same entry.
These are the LOGNAME and MACHINE options:
- LOGNAME
- Indicates the user IDs that remote systems can use when logging
on to your system. For z/OS systems,
these names must be specified in uppercase unless USERIDALIASTABLE
is used to define lowercase or mixed-case aliases. See USERIDALIASTABLE for more information about defining user
aliases.
- MACHINE
- Specified as MACHINE=system, this indicates the
remote systems that your system can call using the other options specified
in this entry. The system name specified here must also be specified
as a system in the systems file. If you set this option to OTHER,
the options specified apply to any remote system not specified by
a MACHINE option in another entry. For remote systems,
these names are typically uppercase. Contact the remote system's UUCP
administrator to make sure that the names are uppercase.
Permissions for uux commands (which are executed by uuxqt) are based on
MACHINE entries regardless of which system initiates the call.
These are the valid options that are used with either LOGNAME or MACHINE
entries, or with both. Options are marked with an (L) or an (M) to indicate
that they are intended for LOGNAME or MACHINE entries, or for both (L,M).
An option used in an entry for which it is not intended will be ignored.
- READ
- (L,M) Indicates which directories uucico can
read. By default, this is the home directory of user uucp (/usr/spool/uucppublic).
Remember that uucico runs with the effective UID
of UUCP, so you must permit the uucp user or uucpg group
to read from these directories.
- WRITE
- (L,M) Indicates which directories uucico can
write to. By default, this is /usr/spool/uucppublic,
the home directory of user uucp. Remember that uucico runs
with the effective UID of UUCP, so you must permit the uucp user
or uucpg group to write to these directories.
- NOREAD
- (L,M) Indicates that files in the specified directories cannot
be read. If a directory is specified by both READ and NOREAD,
files in that directory cannot be read. The public directory can always
be read (even if specified on NOREAD).
- NOWRITE
- (L,M) Indicates that files in the specified directories cannot
be written to. If a directory is specified by both WRITE and NOWRITE,
files in that directory cannot be written to. The public directory
can always be written to (even if specified on NOWRITE).
- PUBDIR
- (L,M) Indicates the public directory. By default, this is the
home directory of user uucp (/usr/spool/uucppublic).
If you are going to change PUBDIR on your system, you need to have an
additional MACHINE entry for your local site. Consider this example:
uucp remote_site!/file1 local_site!~/file1
When uucp processes this command it looks for a MACHINE=local_site entry
to find the value for PUBDIR.
- DEBUG
- (L,M) Indicates the verbosity of the debugging information. Set
this to a number between 0 and 9. Level 0 provides terse debug messages
while level 9 provides verbose output. This output is stored in /usr/spool/uucp/LOGFILE to
aid you in debugging communications problems when remote systems call
you.
- REQUEST
- (L,M) Indicates whether requests made by remote systems to transfer
data from your system are allowed. This option can be used to protect
data on your system from being read by remote systems.
- If set to yes, a remote system can read data from the directories
it is authorized to read from.
- If set to no, a remote system can write data
to your system, but cannot read data irrespective of the value of
the READ option. This is the default.
This option only applies to requests originating from the remote
system. This option has no effect on file transfer requests that
originate on your system.
- SENDFILES
- (L) Indicates if your system will process its own queued file
transfer requests after the remote system has initiated the connection
and completed its file transfer requests. The SENDFILES option allows
the local system to control when its queued file transfer requests
are processed.
- If this option is set to yes, your system will
process its queued requests after the remote system has completed
processing its own.
- If this option is set to call, your system will
only process its own file transfer requests when it initiates the
connection with the remote system. This is the default.
- VALIDATE
- (L) Names the remote systems that can login to your system using
the user IDs given by LOGNAME. If another system
attempts to login using this user ID, uucico refuses
the connection.
- COMMANDS
- (M) Indicates the commands that the remote system can execute
on your system. By default, the uucp command is not permitted, which
means that by default your local system is a terminal, or leaf-node,
connection. To allow a remote system to transfer files through your
local system, specify uucp for the COMMANDS option.
- To specify more than one command, separate the command names with
a colon (:). For example, COMMANDS=uucp:ls.
- To prohibit all commands, do not use the COMMANDS option.
- To allow access to all commands, set this option to ALL.
- MYNAME
- (M) Tells the remote system that the name of your local system
is the specified value rather than the name given by uname -n.
An example might help to explain how the entries in the Permissions
file work. Suppose that the system named North in the sample network
has the following Permissions file.
LOGNAME=uwest MACHINE=west READ=/ WRITE=/ \
COMMANDS=uucp:mail NOREAD=/usr/private \
NOWRITE=/usr/private SENDFILES=yes REQUEST=yes \
VALIDATE=west
LOGNAME=nuucp MACHINE=OTHER REQUEST=yes \
SENDFILES=call
The first entry in this file specifies the options that are in effect
when a remote system logs in as uwest. Because of the VALIDATE=west
option, the only remote system that can use this user ID is West. When
West calls North and logs in as uwest, it can read from and write to all
directories except the ones starting with /usr/private and can execute
the commands uucp and mail on North's system. This entry also includes
the MACHINE=west option, meaning the options given also apply when North
has called West and control has been transferred to North's uucico
utility. Because REQUEST=yes and SENDFILES=yes, either system can request
or send working files.
The second entry specifies the options in effect when a remote
system logs in with the NUUCP user ID. Because MACHINE=OTHER,
these options will also apply when North has called any remote system
except west (which has its own entry) and control has been transferred
to North's uucico. Files can only be read from or
written to the /usr/spool/uucppublic directory
(no READ or WRITE options to change the default). Either system can
request files from the other, but working files are only transferred
from North when it calls the remote system.
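The following is an added example, not code from z/OS UUCP itself: it parses a Permissions file using the entry format described earlier (comment and blank lines, backslash continuation, colon-separated values), selects the MACHINE entry with the OTHER fallback, and evaluates a read request under the READ, NOREAD and PUBDIR rules from the option list. The SAMPLE text is constructed from the North example; the function names are my own.

```python
# Added example (not z/OS UUCP's own code): parse a Permissions file and
# evaluate READ/NOREAD/PUBDIR as documented above. SAMPLE is constructed.
DEFAULT_PUBDIR = "/usr/spool/uucppublic"

SAMPLE = """\
# constructed sample modelled on the North example
LOGNAME=uwest MACHINE=west READ=/ WRITE=/ \\
    COMMANDS=uucp:mail NOREAD=/usr/private \\
    NOWRITE=/usr/private SENDFILES=yes REQUEST=yes VALIDATE=west
LOGNAME=nuucp MACHINE=OTHER REQUEST=yes SENDFILES=call
"""

def parse_permissions(text):
    """One dict per entry, mapping each option to its list of values."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):   # blank and comment lines
            continue
        entry = {}
        for token in line.split():
            option, _, value = token.partition("=")
            entry[option] = value.split(":")   # multiple values use ':'
        if "LOGNAME" not in entry and "MACHINE" not in entry:
            raise ValueError("entry needs LOGNAME or MACHINE: " + line)
        entries.append(entry)
    return entries

def find_machine_entry(entries, system):
    """MACHINE=system takes precedence; MACHINE=OTHER is the fallback."""
    fallback = None
    for entry in entries:
        machines = entry.get("MACHINE", [])
        if system in machines:
            return entry
        if "OTHER" in machines:
            fallback = entry
    return fallback

def _under(path, prefixes):
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)

def can_read(entry, path):
    """PUBDIR is always readable, NOREAD overrides READ, READ defaults to PUBDIR."""
    pubdir = entry.get("PUBDIR", [DEFAULT_PUBDIR])
    if _under(path, pubdir):
        return True
    if _under(path, entry.get("NOREAD", [])):
        return False
    return _under(path, entry.get("READ", pubdir))
```

Running can_read over each entry is a quick way to audit which paths a remote system could pull from before the file goes live.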
Tip: When a z/OS system or uucp login is specified, the name must be
specified in uppercase.