



Linux Unleashed, Third Edition:UUCP
























UUCP Security
The permissions of the UUCP configuration files must be carefully set to allow UUCP to function properly, as well as to allow better security for the system. Simply stated, the files should all be owned by uucp, and the group should be uucp on most systems that have that group in the /etc/group file. The ownerships can be set either by making all the file changes while logged in as uucp or by making the changes as root, and then issuing the following commands when you are in the /usr/lib/uucp directory:


chown uucp *
chgrp uucp *


As a security precaution, you should set a strong password for the uucp login if there is one on your system. Some versions of Linux do not supply a password by default, leaving the system wide open for anyone who can type uucp at the login prompt!
The file permissions should be set very tightly, preferably to read-write (and execute for directories) only for the owner (uucp). The group and other permissions should be blanked because read access can give someone valuable login information, as well as passwords.
When UUCP logs in to a remote system, it requires a password and login. This information is contained in the /usr/lib/uucp/sys or /usr/lib/uucp/Systems files and should be protected to prevent unauthorized snooping by setting file ownerships and permissions as mentioned.
If you have several systems connecting into yours, they can all use the same uucp login and password, or you can assign new logins and passwords as you need them. All you need to do is create a new /etc/passwd entry for each login (with a different login name from uucp, such as uucp1, uucp_arthur, and so forth) and a unique password. The remote system can then use that login to access your system. When you create new UUCP users in /etc/passwd, force them to use uucico only to prevent access to other areas of your system. For example, the login uucp1, shown here, forces uucico as the startup command:


uucp1::123:52:UUCP Login for Arthur:/usr/spool/uucppublic:/usr/lib/uucp/uucico


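The home directory is set to the uucppublic directory, and uucico is the only startup program that can be run. Note that the password field (the second field) is empty in this example entry, so a password must still be set for the login, as recommended earlier. Using different logins for remote machines also allows you to grant different access permissions for each system, preventing unwanted access.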
You should also carefully control the commands that remote systems can execute on your local machine. This is done through the permissions fields of the local access file and should be monitored carefully to prevent abuse and unauthorized access. In a similar manner, if you are allowing forwarding of files through your system, you should control who is allowed to forward and where they are forwarded to.
Most important of all is to ensure that everyone who accesses your system on a regular basis is someone you want to have access. Don’t leave your system wide open for anyone to enter, because you are guaranteeing yourself disaster. Carefully watch logins and make sure file permissions and ownerships are properly set at all times.
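The ownership, permission, and login rules from this section can be checked with a short audit script. This is an added example, not code from the book; the function names, the uucp* login naming convention, and the uucp2 sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the book): audit the UUCP hardening rules above.

# List entries under DIR ($1) not owned by OWNER ($2), or with any group/other
# permission bit set. Empty output means owner-only access, as advised.
audit_uucp_perms() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -040 -o -perm -020 \
        -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Flag logins named uucp* in a passwd-format file ($1, or stdin if omitted)
# that have an empty password field or a startup program other than uucico.
# Assumption: remote-system logins follow the uucp* naming used on this page.
# A password field of "x" means the hash lives in /etc/shadow, which this
# check does not read.
audit_uucp_logins() {
    awk -F: '$1 ~ /^uucp/ {
        if ($2 == "") print $1 ": empty password field"
        if ($7 !~ /\/uucico$/)
            print $1 ": startup program is " ($7 == "" ? "(default shell)" : $7)
    }' "${1:--}"
}

# Constructed sample entries; uucp1 is the entry shown on this page,
# uucp2 is a made-up login with an ordinary shell.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
uucp1::123:52:UUCP Login for Arthur:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uucp2:x:124:52:UUCP Login for Warlock:/usr/spool/uucppublic:/bin/sh
EOF
}

# With three arguments, audit a real system, for example:
#   sh uucp_audit.sh /usr/lib/uucp uucp /etc/passwd
# Without arguments, run the login check on the constructed sample.
if [ $# -eq 3 ]; then
    audit_uucp_perms "$1" "$2"
    audit_uucp_logins "$3"
else
    sample_passwd | audit_uucp_logins
fi
```

Any line of output is a finding; a clean configuration prints nothing.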
Using UUCP
Once you have configured UUCP, you can use it to transfer files and email. In order to use UUCP, you have to know the addressing syntax, which is different from what you may know from the Internet. The UUCP address syntax is:



machine!target


machine is the remote machine name and target is the name of the user or file that you are trying to get to. For example, to send mail to the user yvonne on machine arthur, use the mail command with the following destination username:


mail arthur!yvonne


UUCP lets you move through several machines to get to a target. This can help save on telephone bills or make a much wider network available to you from a small number of connections. Suppose you want to send mail to a user called bill on a system called warlock, which isn’t in your configuration files but can be connected to through arthur. If you have permission to send mail through the system arthur (called a hop), you can send the mail with this command:


mail arthur!warlock!bill



















