Unfortunately, the USERFILE is unnecessarily complicated. The system administrator usually has to spend many hours debugging relatively simple problems. In many cases, the only clue that there is a problem is a loss of security, which usually isn’t visible until data has already been compromised on your system!

To maintain consistent security and avoid the headaches associated with debugging USERFILE, keep these suggestions in mind when using uucico:

•  Whenever uucp and uux are run by users, and when uucico runs in Master mode, only the username portion of the USERFILE entry is used.

•  When uucico runs in Slave mode, only the system name part of the entry is used. Remember that in the course of any conversation, uucico can switch between slave and master any number of times.

•  In the USERFILE file on systems that use any version other than BSD 4.2 and BSD 4.3, there must be an entry that has no system name, and an entry with no user name. In BSD 4.2 and 4.3, these entries can be combined into one entry. The non-system name entity is used when uucico is in Slave mode and has already searched the USERFILE and cannot find a matching entry. The non-username entry is used by uucp, uux, uuxqt, and uucico when in Master mode, only when it cannot find a matching username (in the directory /etc/passwd).

The exact operation and use of USERFILE can differ greatly depending on the implementation of Version 2 UUCP you receive. For this reason, make sure you check the documentation shipped with your operating system.

The following descriptions are for some special USERFILE entries. If no username is specified in the entry, as in the following, any user on the system can request outbound transfers of any file on your system.

,xray    /

If you don’t want to use an entry like this, you will need an entry for EVERY user on your system.

To allow uuxqt file access while uucico is in Slave mode, an entry with no system name must exist in the USERFILE:

nuucp,             /usr/spool/uucppublic

This entry is used even when uuxqt is started on your local system! Based on what has been presented thus far, you would think that this entry would mean that any system logging in with a username of nuucp will have access to ./usr/spool/uucppublic. Although this may seem intuitive, this isn’t exactly true. When the local uucico is in Slave mode, only the system name is used to validate file transfers that are requests.

You can also grant individual users special access permissions for certain systems, and then combine the system name and user name entry in the USERFILE file, but you should also have that system call in with its own login name and password. Here is one example:

uu101,thumper /usr/spool/uucppublic/ /usr/tmp /u/src

It is not uncommon to see people set up entries that look like this:

nuucp,             /usr/spool/uucppublic
nuucp,thumper        /usr/spool/uucppublic
nuucp,bugs        /usr/spool/uucppublic

There is a problem with this arrangement however. There is nothing to prevent someone from changing the name of his or her system and then calling your system. The reason why this is a problem is that uucico doesn’t use the login name when in Slave mode. The best way to limit this danger is to set up individual UUCP login names for each system that will be calling you.

L.cmds

The next component in the issue of security is that of remote command execution, which is defined in the L.cmds file. Typically, the administrator will restrict commands that can be run by a remote system. The L.cmds file is used to limit commands from the remote system. If the command in question is not listed in this file, execution of it via uux is denied. Usually, L.cmds contains one command: rmail.

The L.cmds on most systems contain the following entries:

rmail
/usr/lib/uucp/uucico

This setup indicates that both the rmail and uucico commands can be executed by uux. Be careful when adding commands to this file. Even innocuous commands such as cat can be dangerous to your system.

SQFILE

Finally, SQFILE is used to track conversations that have taken place between machines. This is an optional file, and if you want to use conversation counts, you must create it in /usr/lib/uucp. SQFILE must be owned by uucp, and have a file mode of 400. For this to work, SQFILE has an entry in it for each file that your system wants to have conversation checks with. The remote system must also be configured to use SQFILE.

When the file is created, edit it to include the names of the files you want to monitor, one system per line. After the first call, uucico adds the number of conversations, and the date and time of the last contact.

When one system calls another, uucico compares the SQFILE information on the two systems. If they don’t agree, the login fails. The log files on the calling system will then add a message indicating an SEQ number problem. To correct this, the two system administrators must get together and correct the files manually.