
INN FAQ Part 6


Subject: (6.19) How do I restrict access on certain newsgroups (like alt.sex)?


>If I were running a news server, and some of my users complained that they
>didn't want their kids being able to access some of the newsgroups, would it
>be possible to block access to specific newsgroups on a per-user basis?

>I'm not asking if it's easy, just _possible_.

If your readers are not using NNTP (they read the spool directly), you can
make an /etc/group entry for a group called something special, like "horny",
and give only users in group horny access to read that directory:

	chown news /var/spool/news/alt/sex
	chgrp horny /var/spool/news/alt/sex
	chmod 750 /var/spool/news/alt/sex
	chmod 750 /var/spool/news/over.view/alt/sex	# your NOV data
	chmod 770 /var/spool/news/in.coming
	chmod 770 /var/spool/news/out.going

Now only people in the group "horny" can read that newsgroup. Everyone
can subscribe to it, but only horny people can read it. innd (which
runs as "news") will still be able to do its business.

INN has an authentication scheme called authinfo for use with NNTP.
The user must supply a name and a password. If they match an entry in
nnrp.access, then the user may read the groups listed in that entry.
An example entry for nnrp.access:

----------
*.pilhuhn.de:R P:::*,!pilhuhn.foo
:R P:hwr:XXX:*
----------

Here users from hosts *.pilhuhn.de may read and post in all groups
except pilhuhn.foo. If a user authenticates as user hwr with password
XXX, then he or she may also read pilhuhn.foo.
In order to be able to authenticate as user ``hwr'' in the above
example, the host that this ``hwr'' connects from must also have read
rights. So this

---------
:R P:hwr:XXX:*
---------

as the only entry in nnrp.access won't work, but the following will work:

---------
*:R:::*,!pilhuhn.foo
:R P:hwr:XXX:*
---------

Note that those 'password entries' need to be last in nnrp.access.
There is a bug in inn1.4 which allows users to post to such a protected
group if they know the name of the group, even if they can't read it.
nnrp.access-auth.patch (on the usual patch site) cures this.

If the newsreader software doesn't support this, then you can still restrict
access on a per-host basis: to read a specific group you then need to be
on a specific machine (but then everybody on that machine can read the group).

In 1.5 there is a better protocol (authinfo generic) for doing this, and
it should gain better acceptance than the current protocol.
Also in 1.5 you can use entries from the system password database if you use
entries like the following:

---------
*:R:::*,!pilhuhn.foo
:R P:+::*
---------

To get authentication with Netscape to work, you need a slightly
different way of authenticating: Netscape (and other newsreaders) don't
send authentication info on startup ("active authentication"), but only
when the server requests it by sending a "480 Authentication required
for command" reply ("passive authentication"). An entry like the
following will do this:

---------
:R P:user1:pass1:*,!pilhuhn.foo
:R P:test:test:pilhuhn.foo
snert.pilhuhn.de:R P:user2:pass2:*
tritta.pilhuhn.de:R P:user3:pass3:*,!ka.test
---------

Here all users (in this case only those coming from the hosts
snert.pilhuhn.de and tritta.pilhuhn.de are allowed) have to
authenticate. If they authenticate as ``user2'' then they can read and
post in all groups. If they authenticate as user ``test'' then they can
only read pilhuhn.foo, and if they authenticate as ``user1'' then they
will be able to read all groups except pilhuhn.foo. Note that in the
above example, if the user comes from e.g. snert.pilhuhn.de, he or she
will nevertheless be able to authenticate as ``user3'' even though that
entry is marked for host tritta. That means that at the stage where an
``authinfo {user|pass}'' command is sent to the server, the host is no
longer checked and every valid combination of user and pass will
authenticate; so password security is as important here as in the
normal password database.
Note that passive authentication will only take place if there is a
hostname match on an entry with the security fields filled in.

If authentication is needed for a protected/secure newsgroup in an
environment where no authentication is required for all other newsgroups,
and users access the news server from many different hosts (i.e. dial-up),
then there must be a hostname entry to force passive news agents/clients
to authenticate; this may result, however, in every user having to
authenticate for ALL newsgroups, even when they don't attempt to access
the secured newsgroup. In most cases this will be accomplished by using
a wildcard hostname entry.
For those who now ask how they can go directly to a newsgroup that
needs authentication: use <news://user:pass@server/some.group>
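As an added example (not INN's own code and not part of the FAQ), the following Python model applies the nnrp.access rules described above: hosts are matched at connect time, an entry whose user/password fields are filled in triggers the 480 passive-authentication reply, and once authinfo is sent every valid user/password pair authenticates regardless of host. The parser, the wildmat matching and the "last matching host entry wins" rule are simplifying assumptions of this model, not a statement of nnrpd's exact algorithm.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Entry:                 # one host:perm:user:pass:groups line
    hosts: str               # wildmat list of hosts; empty is never matched at connect time
    perms: str               # "R", "P" or "R P"
    user: str                # empty unless this is a password entry
    password: str            # plaintext; the 1.5 "+" (system password database) is not modelled
    groups: str              # wildmat list of newsgroups, e.g. "*,!pilhuhn.foo"

def parse_nnrp_access(text):
    """Parse nnrp.access lines; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split(":")
            if len(fields) != 5:
                raise ValueError(f"expected 5 colon-separated fields: {raw!r}")
            entries.append(Entry(*fields))
    return entries

def wildmat(patterns, name):
    """Comma-separated wildmat list: '!' negates a pattern, the last match wins."""
    result = False
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(name, pat.lstrip("!")):
            result = not pat.startswith("!")
    return result

def connect(entries, client_host):
    """Connect-time check (last matching host entry wins): (perms, groups, auth_required), or None if refused."""
    matches = [e for e in entries if wildmat(e.hosts, client_host)]
    if not matches:
        return None
    match = matches[-1]
    if match.user or match.password:   # security fields filled in: reply 480, passive auth
        return ("", "", True)
    return (match.perms, match.groups, False)

def authinfo(entries, user, password):
    """After AUTHINFO the host is no longer checked: any entry with this user/pass pair wins."""
    for e in entries:
        if e.user and (e.user, e.password) == (user, password):
            return (e.perms, e.groups)
    return None

def can_read(perms, groups, newsgroup):
    return "R" in perms and wildmat(groups, newsgroup)
```

Feeding it the two-line file from above shows why the lone ``:R P:hwr:XXX:*`` entry refuses every connection: no host entry matches, so the client never gets the chance to send authinfo.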


Many thanks to Jim Dutton <jimd@dutton2.it.siu.edu> for his valuable
comments.

------------------------------

[Source: INN FAQ Part 6 Archive-name: usenet/software/inn-faq/part6]
[Last Changed: $Date: 1997/07/01 01:25:41 $ $Revision: 2.21 $]
[Copyright: 1997 Heiko Rupp, portions by Tom Limoncelli, Rich Salz, et al.]









You are reading from the Usenet RKT
Copyright 1997-1999, Forrest J. Cavalier III, Mib Software