NAME
USERFILE - UUCP pathname permissions file

DESCRIPTION
The USERFILE file specifies the file system directory trees that
are accessible to local users and to remote systems via UUCP.

Each line in USERFILE is of the form:

[loginname],[system] [ c ] pathname [pathname] [pathname]

The first two items are separated by a comma; any number of spaces
or tabs may separate the remaining items. Lines beginning with a
‘#’ character are comments. A trailing ‘´ indicates that the next
line is a continuation of the current line.

Loginname is a login (from /etc/passwd) on the local machine.

System is the name of a remote machine, the same name used in
L.sys(5).

c denotes the optional callback field. If a c appears here, a
remote machine that calls in will be told that callback is
requested, and the conversation will be terminated. The local
system will then immediately call the remote host back.

Pathname is a pathname prefix that is permissible for this login
and/or system.

When uucico(8) runs in master role or uucp(1) or uux(1) are run by
local users, the permitted pathnames are those on the first line
with a loginname that matches the name of the user who executed the
command. If no such line exists, then the first line with a null
(missing) loginname field is used. (Beware: uucico(8) is often run
by the superuser or the UUCP administrator through cron(8).)

When uucico(8) runs in slave role, the permitted pathnames are
those on the first line with a system field that matches the
hostname of the remote machine. If no such line exists, then the
first line with a null (missing) system field is used.

Uuxqt(8) works differently; it knows neither a login name nor a
hostname. It accepts the pathnames on the first line that has a
null system field. (This is the same line that is used by
uucico(8) when it cannot match the remote machine’s hostname.)

A line with both loginname and system null, for example

, /usr/spool/uucppublic

can be used to conveniently specify the paths for both "no match"
cases if lines earlier in USERFILE did not define them. (This
differs from older Berkeley and all USG versions, where each case
must be individually specified. If neither case is defined
earlier, a "null" line only defines the "unknown login" case.)

To correctly process loginname on systems that assign several
logins per UID, the following strategy is used to determine the
current loginname:

1) If the process is attached to a terminal, a login entry exists
in /etc/utmp, and the UID for the utmp(5) name matches the
current real UID, then loginname is set to the utmp(5) name.

2) If the USER environment variable is defined and the UID for
this name matches the current real UID, then loginname is set
to the name in USER.

3) If both of the above fail, call getpwuid(3) to fetch the first
name in /etc/passwd that matches the real UID.

4) If all of the above fail, the utility aborts.

FILES
/usr/lib/uucp/USERFILE

SEE ALSO
uucp(1), uux(1), L.cmds(5), L.sys(5), uucico(8), uuxqt(8)

NOTES
The UUCP utilities (uucico(8), uucp(1), uux(1), and uuxqt(8))
always have access to the UUCP spool files in /usr/spool/uucp,
regardless of pathnames in USERFILE.

If uucp(1) is listed in L.cmds(5), then a remote system will
execute uucp(1) on the local system with the USERFILE privileges
for its login, not its hostname.

Uucico(8) freely switches between master and slave roles during the
course of a conversation, regardless of the role it was started
with. This affects how USERFILE is interpreted.

WARNING
USERFILE restricts access only on strings that the UUCP utilities
identify as being pathnames. If the wrong holes are left in other
UUCP control files (notably L.cmds(5)), it can be easy for an
intruder to open files anywhere in the file system. Arguments to
uucp(1) are safe, since it assumes all of its non-option arguments
are files. Uux(1) cannot make such assumptions; hence, it is more
dangerous.