

The Permissions file

z/OS UNIX System Services Planning
GA32-0884-00

The Permissions file is used to control the access that remote systems have to data and programs on the local system. Specifically, it is used to specify:
  • Which systems can establish a uucico connection
  • The areas in the file system that a remote system can read or write from
  • The commands that the remote system can run on the local system
  • Whether the local system will process its waiting work when contacted by another system
  • An alias for the local system
  • A different public directory
The format of each entry in the Permissions file is:
LOGNAME=userid [MACHINE=system] option=value  [option=value] …
or
MACHINE=system [LOGNAME=userid] option=value  [option=value] …
where option is one of the options and value is one or more values that you want to set for that option. Options and values are case-sensitive. When specifying multiple values for an option, separate the values with a colon (:). Here are some sample entries:
MACHINE=ME READ=/ WRITE=/ COMMANDS=ALL
MACHINE=site1:site2:SITE3       \
        READ=/                   \
        WRITE=/                  \
        COMMANDS=uucp:cat:ls
LOGNAME=NUUCP  \
        READ=/                   \
        WRITE=/                  \
        SENDFILES=yes            \
        DEBUG=9                  \
        VALIDATE=site1:site2:SITE3

The Permissions file can also contain blank lines (which are ignored) and comment lines. To indicate that a line is a comment line, use a number sign (#) as the first character in the line.

Each entry must contain the LOGNAME option or the MACHINE option, or both. Both options are used to identify an entry that applies to a remote system when it is processing its file transfer requests. The difference between them is based on which system initiates the connection:
  • LOGNAME=userid entries apply to a remote system when it initiates the connection by logging onto your system as userid.
  • MACHINE=system entries apply to a remote system when your system initiates the call to system.

If your system initiates the connection, your system first processes any queued file transfer requests that it has. When this is complete, the remote system can indicate that it has file transfer requests queued on its system that it would like to process. If the correct permissions are set, control switches to the remote system which then processes its file transfer requests. At this point, the MACHINE entry options are used for the remote system.

If your system does not need to differentiate Permissions options based on which system initiates the call, then LOGNAME and MACHINE can appear in the same entry.

These are the LOGNAME and MACHINE options:
LOGNAME
Indicates the user IDs that remote systems can use when logging on to your system. For z/OS systems, these names must be specified in uppercase unless USERIDALIASTABLE is used to define lowercase or mixed-case aliases. See USERIDALIASTABLE for more information about defining user aliases.
MACHINE
Specified as MACHINE=system, this indicates the remote systems that your system can call using the other options specified in this entry. The system name specified here must also be specified as a system in the systems file. If you set this option to OTHER, the options specified apply to any remote system not specified by a MACHINE option in another entry. For remote systems, these names are typically uppercase. Contact the remote system's UUCP administrator to make sure that the names are uppercase.

Permissions for uux commands (which are executed by uuxqt) are based on MACHINE entries regardless of which system initiates the call.

These are the valid options that are used with either LOGNAME or MACHINE entries, or with both. Options are marked with an (L) or an (M) to indicate that they are intended for LOGNAME or MACHINE entries or for both (L,M). An option used in an entry for which it is not intended will be ignored.
READ
(L,M) Indicates which directories uucico can read. By default, this is the home directory of user uucp (/usr/spool/uucppublic). Remember that uucico runs with the effective UID of UUCP, so you must permit the uucp user or uucpg group to read from these directories.
WRITE
(L,M) Indicates which directories uucico can write to. By default, this is /usr/spool/uucppublic, the home directory of user uucp. Remember that uucico runs with the effective UID of UUCP, so you must permit the uucp user or uucpg group to write to these directories.
NOREAD
(L,M) Indicates that files in the specified directories cannot be read. If a directory is specified by both READ and NOREAD, files in that directory cannot be read. The public directory can always be read (even if specified on NOREAD).
NOWRITE
(L,M) Indicates that files in the specified directories cannot be written to. If a directory is specified by both WRITE and NOWRITE, files in that directory cannot be written to. The public directory can always be written to (even if specified on NOWRITE).
PUBDIR
(L,M) Indicates the public directory. By default, this is the home directory of user uucp (/usr/spool/uucppublic).
If you are going to change PUBDIR on your system, you need to have an additional MACHINE entry for your local site. Consider this example:
uucp remote_site!/file1 local_site!~/file1
When uucp processes this command it looks for a MACHINE=local_site entry to find the value for PUBDIR.
DEBUG
(L,M) Indicates the verbosity of the debugging information. Set this to a number between 0 and 9. Level 0 provides terse debug messages while level 9 provides verbose output. This output is stored in /usr/spool/uucp/LOGFILE to aid you in debugging communications problems when remote systems call you.
REQUEST
(L,M) Indicates whether requests made by remote systems to transfer data from your system are allowed. This option can be used to protect data on your system from being read by remote systems.
  • If set to yes, a remote system can read data from the directories it is authorized to read from.
  • If set to no, a remote system can write data to your system, but cannot read data irrespective of the value of the READ option. This is the default.
This option only applies to requests originating from the remote system. This option has no effect on file transfer requests that originate on your system.
SENDFILES
(L) Indicates if your system will process its own queued file transfer requests after the remote system has initiated the connection and completed its file transfer requests. The SENDFILES option allows the local system to control when its queued file transfer requests are processed.
  • If this option is set to yes, your system will process its queued requests after the remote system has completed processing its own.
  • If this option is set to call, your system will only process its own file transfer requests when it initiates the connection with the remote system. This is the default.
VALIDATE
(L) Names the remote systems that can log in to your system using the user IDs given by LOGNAME. If another system attempts to log in using one of these user IDs, uucico refuses the connection.
COMMANDS
(M) Indicates the commands that the remote system can execute on your system.
By default, the uucp command is not permitted, which means that by default your local system is a terminal, or leaf-node, connection. To allow a remote system to transfer files through your local system, specify uucp for the COMMANDS option.
  • To specify more than one command, separate the command names with a colon (:). For example, COMMANDS=uucp:ls.
  • To prohibit all commands, do not use the COMMANDS option.
  • To allow access to all commands, set this option to ALL.
MYNAME
(M) Tells the remote system that the name of your local system is the specified value rather than the name given by uname -n.
An example might help to explain how the entries in the Permissions file work. Suppose that the system named North in the sample network has the following Permissions file.
LOGNAME=uwest  MACHINE=west  READ=/  WRITE=/       \
  COMMANDS=uucp:mail  NOREAD=/usr/private   \
  NOWRITE=/usr/private  SENDFILES=yes  REQUEST=yes \
  VALIDATE=west

LOGNAME=nuucp  MACHINE=OTHER  REQUEST=yes  \
  SENDFILES=call
The first entry in this file specifies the options that are in effect when a remote system logs in as uwest. Because of the VALIDATE=west option, the only remote system that can use this user ID is West. When West calls North and logs in as uwest, it can read from and write to all directories except the ones starting with /usr/private and can execute the commands uucp and mail on North's system. This entry also includes the MACHINE=west option, meaning the options given also apply when North has called West and control has been transferred to North's uucico utility. Because REQUEST=yes and SENDFILES=yes, either system can request or send working files.

The second entry specifies the options in effect when a remote system logs in with the NUUCP user ID. Because MACHINE=OTHER, these options will also apply when North has called any remote system except west (which has its own entry) and control has been transferred to North's uucico. Files can only be read from or written to the /usr/spool/uucppublic directory (no READ or WRITE options to change the default). Either system can request files from the other, but working files are only transferred from north when it calls the remote system.
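The following Python model is an added example; it is not IBM code and not the uucico implementation. It parses a Permissions file as described above (backslash continuation lines, blank lines, # comments, colon-separated values), selects the entry in force by LOGNAME or MACHINE with MACHINE=OTHER as the fallback, and evaluates READ/WRITE against NOREAD/NOWRITE with the public-directory exception, COMMANDS against the MACHINE entry, and VALIDATE against the calling system. It is run against a constructed copy of North's file. Comparing normalized POSIX paths in _under is an assumption about how directory containment should be decided; the page does not describe uucico's own matching.

```python
"""Model of z/OS UUCP Permissions-file rules (added example, not IBM code)."""
import posixpath

# Constructed copy of North's Permissions file from the text above.
NORTH_PERMISSIONS = """\
# Permissions file for North (constructed sample)
LOGNAME=uwest  MACHINE=west  READ=/  WRITE=/       \\
  COMMANDS=uucp:mail  NOREAD=/usr/private   \\
  NOWRITE=/usr/private  SENDFILES=yes  REQUEST=yes \\
  VALIDATE=west

LOGNAME=nuucp  MACHINE=OTHER  REQUEST=yes  \\
  SENDFILES=call
"""

PUBDIR_DEFAULT = "/usr/spool/uucppublic"
# Options that take one or more colon-separated values.
MULTI_VALUED = {"LOGNAME", "MACHINE", "READ", "WRITE", "NOREAD", "NOWRITE",
                "COMMANDS", "VALIDATE"}


def parse_permissions(text):
    """Return a list of entries (dict option -> value). Handles backslash
    continuation, blank lines and '#' comments; nothing is case-folded."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # continued on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = " ".join(pending).strip()
        pending = []
        if not logical or logical.startswith("#"):
            continue
        entry = {}
        for token in logical.split():
            if "=" not in token:
                raise ValueError("malformed token %r" % token)
            opt, val = token.split("=", 1)
            entry[opt] = val.split(":") if opt in MULTI_VALUED else val
        if "LOGNAME" not in entry and "MACHINE" not in entry:
            raise ValueError("entry needs LOGNAME or MACHINE: %r" % logical)
        entries.append(entry)
    if pending:
        raise ValueError("file ends inside a continuation")
    return entries


def find_entry(entries, logname=None, machine=None):
    """LOGNAME selects when the remote system called us, MACHINE when we
    called it. MACHINE=OTHER is the fallback for systems with no MACHINE
    entry of their own; there is no such fallback for LOGNAME."""
    fallback = None
    for entry in entries:
        if logname is not None and logname in entry.get("LOGNAME", []):
            return entry
        if machine is not None:
            machines = entry.get("MACHINE", [])
            if machine in machines:
                return entry
            if "OTHER" in machines:
                fallback = entry
    return fallback


def _under(path, directory):
    """True when path is directory or lies beneath it. Assumption: compare
    normalized POSIX paths, so '..' segments cannot step out of a NOREAD tree."""
    path, directory = posixpath.normpath(path), posixpath.normpath(directory)
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def can_access(entry, path, mode):
    """mode is 'read' or 'write'. The public directory is always allowed;
    NOREAD/NOWRITE override READ/WRITE; READ/WRITE default to PUBDIR."""
    pubdir = entry.get("PUBDIR", PUBDIR_DEFAULT)
    if _under(path, pubdir):
        return True
    allowed = entry.get(mode.upper(), [pubdir])
    denied = entry.get("NO" + mode.upper(), [])
    if any(_under(path, d) for d in denied):
        return False
    return any(_under(path, d) for d in allowed)


def can_run(entries, system, command):
    """uux commands are judged by the MACHINE entry regardless of who called.
    No COMMANDS option means no commands at all; ALL permits everything."""
    entry = find_entry(entries, machine=system)
    allowed = entry.get("COMMANDS", []) if entry else []
    return "ALL" in allowed or command in allowed


def login_allowed(entry, system):
    """VALIDATE limits which remote systems may use this entry's LOGNAME IDs."""
    validate = entry.get("VALIDATE")
    return validate is None or system in validate
```

With North's file loaded, find_entry(north, logname="uwest") returns the first entry, so login_allowed(..., "west") is true and login_allowed(..., "south") is false; can_access on that entry allows /usr/data/report.txt but refuses /usr/private/secret and also /usr/data/../private/secret after normalization; any system other than west falls through to the MACHINE=OTHER entry, which grants no commands and only the public directory.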

Tip: When a z/OS system or uucp login is specified, the name must be specified in uppercase.

Copyright IBM Corporation 1990, 2014