Practical UNIX & Internet Security

Chapter 15: UUCP

15.5 Security in BNU UUCP

In BNU, the Permissions file replaces both the Version 2 USERFILE and L.cmds files. Permissions provides additional protection and finer control over the UUCP system. A second file called remote.unknown controls whether or not an unknown system (that is, one not listed in your Systems file) can log in (assuming that the remote system knows a valid UUCP login name and password).

15.5.1 Permissions File

The Permissions file consists of commands, possibly multi-line, and often separated by blank lines, that are used to determine what users and remote machines can and cannot do with the UUCP system.

Here is a sample Permissions file. For now, don't worry about what all the commands mean: we'll explain them shortly.

LOGNAME=Ugarp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic
MACHINE=garp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic

15.5.1.1 Starting up

When uucico starts, it scans the Permissions file to determine which commands the remote machine can execute and which files can be accessed.

When uucico calls another system, it looks for a block of commands containing a MACHINE=system statement, where system is the name of the machine that it is calling. For example, if you are calling the machine idr, it looks for a line in the form:

MACHINE=idr

When uucico is started by another computer logging in to your local machine, uucico looks for a block of commands containing a LOGNAME=loginname, where loginname is the username with which the remote computer has logged in. For example, if the remote computer has logged in with the username Uidr, the uucico running on your computer looks for a block of commands with a line containing this statement:

LOGNAME=Uidr

Other commands in the command block specify what the remote machine can do.

15.5.1.2 Name-value pairs

In BNU terminology, the MACHINE=, LOGNAME=, READ=, and WRITE= statements are called "name-value pairs." This name comes from their format:

name=value

To specify a block of commands for use when calling the machine bread, you would use a command in the form:

MACHINE=bread

You can specify multiple values by separating them with colons (:). For example:

MACHINE=bread:butter:circus

15.5.1.3 A Sample Permissions file

Here is the sample Permissions file again:

LOGNAME=Ugarp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic
MACHINE=garp READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic

This Permissions file gives the machine garp permission to read and write files in the /usr/spool/uucppublic directory. It also allows any remote computer logging in with the UUCP login Ugarp to read and write files in that directory.

Here is another example:

# If garp calls us, only allow access to uucppublic
#
LOGNAME=Ugarp MACHINE=garp READ=/usr/spool/uucppublic \
WRITE=/usr/spool/uucppublic

This command allows the machine garp to read or write any file in /usr/spool/uucppublic, but only when the machine garp logs into your computer using the uucp login Ugarp. Notice in this example that the backslash (\) character is used to continue the entry on the following line. To include a comment, begin a line with a hash mark (#).

You can combine a LOGNAME= and a MACHINE= entry in a single line:

# Let garp have lots of access
#
LOGNAME=Ugarp MACHINE=garp READ=/ WRITE=/ REQUEST=yes SENDFILES=yes

The REQUEST=yes name-value pair allows garp to request files from your machine. The SENDFILES=yes pair allows you to send files to garp even when it initiates the call to you.

If you assign a unique login ID for each UUCP system with which you communicate, then LOGNAME= and MACHINE= can each be thought of as controlling one direction of the file transfer operation. But if the same login ID is shared by several UUCP systems, they will all be covered by the same LOGNAME= entry when they call you, even though they will each be covered by their own MACHINE= entry when you call them.

15.5.2 Permissions Commands

BNU UUCP has 13 different commands that can be included in the Permissions file. These commands help provide the flexibility that BNU allows over UUCP connections. These commands are placed in the same command block as the MACHINE= and LOGNAME= commands described above. You can specify as many commands in a block as you wish.

A MACHINE= entry in the Permissions file is used when a specific remote site is contacted by the local computer. Specify a MACHINE=OTHER entry to define a Permissions entry for any machine that is not explicitly referenced.

For example:

# Setup for when we call garp
MACHINE=garp

LOGNAME= is used when a remote site logs in with a specific login name. Each UUCP login name should appear in only one LOGNAME entry.

For example:

# Setup login for when garp calls
LOGNAME=Ugarp 

You can specify a LOGNAME=OTHER entry to define a Permissions entry for any machine that is not explicitly referenced.

For example:

# Setup login for everybody else
LOGNAME=OTHER

REQUEST= specifies whether the remote system can request file transfers with your computer. The default is "no," which means that files can be transferred only if the uucp command is issued on your computer.

For example:

# Let garp request files
MACHINE=garp LOGNAME=Ugarp REQUEST=YES

SENDFILES= specifies whether files that are queued on the local system should be sent to the calling system when it contacts the local system. The default is "call," which means "no, don't send any queued files when the other computer calls me; hold the files until I call the other computer." The reason for this option is that you are more sure of the identity of a remote computer when you call it than when it calls you. If you set this entry to "yes," all of the queued files will be sent whenever the remote system calls you, or when you call it, whichever happens first. This option makes sense only with the LOGNAME entries. If this option is used with a MACHINE entry, it is ignored.

For example:

# Send files to garp when it calls us
LOGNAME=Ugarp SENDFILES=YES

PUBDIR= allows you to specify directories for public access. The default is /usr/spool/uucppublic.

For example:

# Let garp use two public directories
MACHINE=garp LOGNAME=Ugarp READ=/ WRITE=/ \
PUBDIR=/usr/spool/uucppublic:/usr/spool/garp

READ= and WRITE= specify the directories that uucico can use to read from or write to. The default is the PUBDIR.

You can specify access to all of the temporary directories on your system with the following command:

# Let garp read lots
MACHINE=garp LOGNAME=Ugarp \
READ=/usr/spool/uucppublic:/tmp:/usr/tmp \
WRITE=/usr/spool/uucppublic:/tmp:/usr/tmp

You can let garp access every file on your system with the command:

# Let garp read even more
MACHINE=garp LOGNAME=Ugarp \
READ=/ WRITE=/

We don't recommend this!

NOREAD= and NOWRITE= specify directories that uucico may not read from or write to, even if those directories are included in a READ or a WRITE command. You might want to use the NOREAD and NOWRITE directives to exclude directories like /etc and /usr/lib/uucp, so that there is no way that people on machines connected to yours via UUCP can read files like /etc/passwd and /usr/lib/uucp/Systems.

For example:

MACHINE=garp LOGNAME=Ugarp \
READ=/ \
WRITE=/usr/spool/uucppublic:/tmp:/usr/tmp \
NOREAD=/etc:/usr/lib/uucp \
NOWRITE=/etc:/usr/lib/uucp

CALLBACK= specifies whether or not the local system must call back the calling system before file transfer can occur. The default is "no." CALLBACK enhances security in some environments. Normally, it is possible with UUCP for one machine to masquerade as another. If you call a remote machine, however, it is unlikely that such a masquerade is taking place. CALLBACK is also useful for situations where one computer is equipped with a low-cost, long-distance telephone line, so that the majority of the call will be billed at the lower rate. The CALLBACK command makes sense only for LOGNAME entries. If two sites have CALLBACK=yes specified for each other, the machines will continually call back and forth, but no data will be transferred.

For example:

# We'll call garp
LOGNAME=Ugarp CALLBACK=YES

For further information, see our comments on callback in Chapter 14.

COMMANDS= specifies commands that the remote system can execute on the local computer. When uuxqt executes a command, it searches the Permissions file for the MACHINE= entry associated with the particular system from which the commands were sent. The MACHINE= entry is the one that is used, even if the uucico connection was originated by the remote machine and a different LOGNAME= entry is being used.

The default value for COMMANDS is compiled into your version of uuxqt; if you have source code, it is defined in the file params.h. The COMMANDS= entry often has the single form:

COMMANDS=rmail

You can specify a full pathname:

COMMANDS=rmail:/usr/bin/rnews:/usr/ucb/lpr

You can specify the value ALL, which allows any command to be executed:

COMMANDS=ALL

You probably don't want to specify ALL unless you have complete control over all of the machines that you connect to with UUCP.

For example:

# Let garp send us mail, netnews, and print files
MACHINE=garp LOGNAME=Ugarp \
COMMANDS=rmail:rnews:lpr

VALIDATE= is used with a LOGNAME entry to provide a small additional degree of security. Specifying a machine name (or many machine names) in the VALIDATE= entry will allow that UUCP login to be used only by those machines.

For example:

# Let's be sure about garp
LOGNAME=Ugarp VALIDATE=garp 

This command prevents any UUCP computer other than garp from using the Ugarp login. Of course, anybody interested in using UUCP to break into your computer could as easily change their UUCP name to be garp, so this command really doesn't provide very much security.

MYNAME= can be used to change the UUCP name of your computer when it initiates a UUCP connection. This command is useful for testing. It is also helpful when you use a generic name for your site that is not the same as the name of your UUCP machine. For example:

# When we call garp, present ourselves as bigcorp
MACHINE=garp \
MYNAME=bigcorp

Got that? You can make your computer have any UUCP name that you want! Anybody else can do this as well, so be careful if you let any machine execute commands (specified in the COMMANDS= entry) that might be considered potentially unsafe (e.g., rm, shutdown).

NOTE: If you wish to run a secure system, the directory /usr/lib/uucp (or /etc/uucp) must not be in the WRITE directory list (or it must be in the NOWRITE list)! If users from the outside are allowed to transfer files into these directories, they can change the Permissions file to allow them to execute any command that they wish. Similarly, local users can use the uucp command to change these files, and then subvert UUCP. Giving access to everything under the / directory is also dangerous, because people outside your organization can then subvert your system easily. Furthermore, the home directory for the uucp user should not be in the /usr/spool/uucp/uucppublic directory, or in any other directory that can be written to by a uucp user. Doing so allows an outside user to subvert the system.
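The rules in this section can be checked mechanically. The following is an added example, not code from the book or from BNU UUCP: a small Python checker that parses Permissions entries (comments, backslash continuation, colon-separated values) and flags READ=/ or WRITE=/, COMMANDS=ALL, and write access to /usr/lib/uucp or /etc/uucp. The sample file is constructed, the function names are hypothetical, and the path-prefix matching is an assumption based on the descriptions above rather than on uucico's source.

```python
import posixpath
# Constructed sample in the page's Permissions syntax (not from a real host).
SAMPLE = """\
# Let garp read even more
MACHINE=garp LOGNAME=Ugarp \\
READ=/ WRITE=/ COMMANDS=ALL

MACHINE=idr LOGNAME=Uidr READ=/ WRITE=/usr/spool/uucppublic:/tmp \\
NOREAD=/etc:/usr/lib/uucp NOWRITE=/etc:/usr/lib/uucp
"""
PROTECTED = ("/usr/lib/uucp", "/etc/uucp")  # directories named in the NOTE

def parse_permissions(text):
    """Return one dict per entry: NAME -> list of colon-separated values."""
    entries, pending = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            continue
        if line.endswith("\\"):  # backslash continues the entry
            pending += line[:-1] + " "
            continue
        pairs = [t.split("=", 1) for t in (pending + line).split() if "=" in t]
        if pairs:
            entries.append({k.upper(): v.split(":") for k, v in pairs})
        pending = ""
    return entries

def under(path, dirs):
    """True if path equals or lies below any directory in dirs."""
    path = posixpath.normpath(path)
    dirs = [posixpath.normpath(d) for d in dirs]
    return any(d in ("/", path) or path.startswith(d + "/") for d in dirs)

def allowed(entry, mode, path):
    """READ/WRITE default to PUBDIR; NOREAD/NOWRITE always win."""
    pubdir = entry.get("PUBDIR", ["/usr/spool/uucppublic"])
    return (under(path, entry.get(mode, pubdir))
            and not under(path, entry.get("NO" + mode, [])))

def audit(entries):
    """Flag the settings the page warns about, per entry."""
    findings = []
    for e in entries:
        who = "/".join(e.get("MACHINE", []) + e.get("LOGNAME", []))
        findings += [(who, m + "=/") for m in ("READ", "WRITE") if "/" in e.get(m, [])]
        findings += [(who, "can write " + d) for d in PROTECTED
                     if allowed(e, "WRITE", d + "/Permissions")]
        if "ALL" in e.get("COMMANDS", []):
            findings.append((who, "COMMANDS=ALL"))
    return findings
```

Calling audit(parse_permissions(SAMPLE)) reports five findings for the garp entry and only READ=/ for the idr entry, whose NOREAD and NOWRITE lists keep /etc and /usr/lib/uucp out of reach.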

15.5.3 uucheck: Checking Your Permissions File

Verifying the Permissions file can be tricky. To help with this important task, BNU includes a program called uucheck that does it for you.

Normally, the uucheck program only reports security problems. However, it has a -v option which causes the program to produce a full report.

Below is a sample Permissions file that lets the computer garp (or anybody using the UUCP login Ugarp) access a variety of files and execute a number of commands:

# cat Permissions
MACHINE=garp LOGNAME=Ugarp \
COMMANDS=rmail:rnews:uucp \
READ=/usr/spool/uucppublic:/usr/tmp \
WRITE=/usr/spool/uucppublic:/usr/tmp \
SENDFILES=yes REQUEST=no

Here is the output from the uucheck program run with the above Permissions file:

Example 15.1: Verifying the Sample UUCP Permissions File

# /usr/lib/uucp/uucheck -v
*** uucheck:  Check Required Files and Directories
*** uucheck:  Directories Check Complete

*** uucheck:  Check /etc/uucp/Permissions file
** LOGNAME PHASE (when they call us) 

When a system logs in as: (Ugarp) 
        We DO NOT allow them to request files.
        We WILL send files queued for them on this call.
        They can send files to
            /usr/spool/uucppublic
            /usr/tmp
        Sent files will be created in /var/spool/uucp
         before they are copied to the target directory.
        Myname for the conversation will be sun.
        PUBDIR for the conversation will be /usr/spool/uucppublic.


** MACHINE PHASE (when we call or execute their uux requests) 

When we call system(s): (garp) 
        We DO NOT allow them to request files.
        They can send files to
            /usr/spool/uucppublic
            /usr/tmp
        Sent files will be created in /var/spool/uucp
         before they are copied to the target directory.
        Myname for the conversation will be sun.
        PUBDIR for the conversation will be /usr/spool/uucppublic.

Machine(s): (garp) 
CAN execute the following commands:
command (rmail), fullname (rmail)
command (rnews), fullname (rnews)
command (uucp), fullname (uucp)


*** uucheck:  /etc/uucp/Permissions Check Complete

#  
 

