Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Minimum privs for uustat?

0 views
Skip to first unread message

Harold March

unread,
Sep 17, 1993, 4:37:38 PM9/17/93
to

I've figured out that world is required for uustat -p,
what are the minimum privileges needed to check the
status of queued jobs (uustat -a or -q)?

---------------------------------------------------------------------------
Harold March CMC DECnet: AV785A::MARCH
Canadian Marconi Company CMC internal net: march@av785a
MIS/IT Internet: ma...@av785a.marconi.ca
TEL: 514-340-3000 ext 4467 CompuServe: 76424,3451
FAX: 514-340-3100
---------------------------------------------------------------------------

Mark Pizzolato 510-837-5600

unread,
Sep 18, 1993, 12:13:44 PM9/18/93
to
In article <01H3288SG...@av785a.avionics.cmc.qc.ca>, Harold March <ma...@av785a.marconi.ca> writes:
>
> I've figured out that world is required for uustat -p,
> what are the minimum privileges needed to check the
> status of queued jobs (uustat -a or -q)?

The direct answer to this question is SYSPRV.

****************************************************************************
* Now I WARN you NOT to install the uustat program with this privilege!!!! *
****************************************************************************

The version of uustat that shipped with Version 2.0 was NOT "privilege aware".

What I mean by this, is that it does not expect to be installed with privilege.
It is only intended as a support tool for someone with the appropriate privs
(i.e. the system manager - or the uucp administrator).

A privilege aware program very carefully manages it's use of privilege, and
always runs with it's program specific privs disabled except for the brief
periods when it is performing operations that it was designed to have specific
privileges to perform. Other programs that are shipped as part of uucp very
carefully manage the use of their installed privileges.

The version of uustat that will ship with our forthcoming bugfix release will
automatically be installed with privilege (unless you explicitly configure a
parameter that disables this). This new version IS privilege aware, and hence
could not be used by an arbitrary user to affect uucp jobs of other users.

--
Mark Pizzolato - INFO COMM Computer Consulting, Danville, Ca
PHONE: (510)837-5600 UUCP: decwrl!infopiz!mark or uunet!lupine!infopiz!mark
DOMAIN: ma...@infocomm.com

Harold March

unread,
Sep 18, 1993, 3:57:43 PM9/18/93
to
>
>In article <01H3288SG...@av785a.avionics.cmc.qc.ca>, Harold March <ma...@av785a.marconi.ca> writes:
>>
>> I've figured out that world is required for uustat -p,
>> what are the minimum privileges needed to check the
>> status of queued jobs (uustat -a or -q)?
>
>The direct answer to this question is SYSPRV.

Odd, my personal account is SYSPRV'd and I don't get any info
listed at all with uustat -a.

>
>****************************************************************************
>* Now I WARN you NOT to install the uustat program with this privilege!!!! *
>****************************************************************************
>

Hey, I've been a sysadmin for 12 years: I don't like cleaning
up trashed systems ;-)

>The version of uustat that shipped with Version 2.0 was NOT "privilege aware".
>
>What I mean by this, is that it does not expect to be installed with privilege.
>It is only intended as a support tool for someone with the appropriate privs
>(i.e. the system manager - or the uucp administrator).

Point taken.

>
>A privilege aware program very carefully manages it's use of privilege, and
>always runs with it's program specific privs disabled except for the brief
>periods when it is performing operations that it was designed to have specific
>privileges to perform. Other programs that are shipped as part of uucp very
>carefully manage the use of their installed privileges.
>
>The version of uustat that will ship with our forthcoming bugfix release will
>automatically be installed with privilege (unless you explicitly configure a
>parameter that disables this). This new version IS privilege aware, and hence
>could not be used by an arbitrary user to affect uucp jobs of other users.
>

Good, does this mean that unprived users can uustat -a
to check on the status of their jobs in the next release?

Mark Pizzolato 510-837-5600

unread,
Sep 19, 1993, 5:12:44 AM9/19/93
to
In article <01H33KWOV...@av785a.avionics.cmc.qc.ca>, Harold March <ma...@av785a.marconi.ca> writes:
>>In article <01H3288SG...@av785a.avionics.cmc.qc.ca>, Harold March <ma...@av785a.marconi.ca> writes:
>>>
>>> I've figured out that world is required for uustat -p,
>>> what are the minimum privileges needed to check the
>>> status of queued jobs (uustat -a or -q)?
>>
>>The direct answer to this question is SYSPRV.
>
> Odd, my personal account is SYSPRV'd and I don't get any info
> listed at all with uustat -a.

I'm not in a position to analyze on the details of a program that I've already
redesigned. I suspect that something else is going on. If you have WORLD and
SYSPRV enabled, then you certainly should be able to access both the processes
and the files that are reported on. The program doesn't mess with privs at
all, and SYSPRV should be all you need turned on to look at anything in
UUCP_SPOOL (and the SYSTEMS file).

>>A privilege aware program very carefully manages it's use of privilege, and
>>always runs with it's program specific privs disabled except for the brief
>>periods when it is performing operations that it was designed to have specific
>>privileges to perform. Other programs that are shipped as part of uucp very
>>carefully manage the use of their installed privileges.
>>
>>The version of uustat that will ship with our forthcoming bugfix release will
>>automatically be installed with privilege (unless you explicitly configure a
>>parameter that disables this). This new version IS privilege aware, and hence
>>could not be used by an arbitrary user to affect uucp jobs of other users.
>>
>
> Good, does this mean that unprived users can uustat -a
> to check on the status of their jobs in the next release?

Yes. For Example:

$ uucp test.data "oms!~/"
$ uustat -q
oms: 1 jobs, 0 files in, 1 files out, 10168 bytesout

Total Callout: 1 jobs, 0 files in, 1 files out, 10168 bytesout

UUCP spool space (free/total): 12885/393476 Limit: 3000

$ uustat -a
Job: oms_g39h02 9/18-22:40:00
Send to oms, User: test...@infocomm.com, 10168 byte file: test.data
oms: 1 jobs, 0 files in, 1 files out, 10168 bytesout

Total Callout: 1 jobs, 0 files in, 1 files out, 10168 bytesout

UUCP spool space (free/total): 12885/393476 Limit: 3000

$ uustat -k oms_g39h02


In particular, the unprived user can observe the details of and manipulate ONLY
the jobs he is directly responsible for submitting.

0 new messages