Be sure to read the "RKT couplings" below for additional information and updates to this entry.
Subject: (6.19) How do I restrict access on certain newsgroups (like alt.sex)
>If I were running a news server, and some of my users complained that they
>didn't want their kids being able to access some of the newsgroups, would it
>be possible to block access to specific newsgroups on a per-user basis?
>I'm not asking if it's easy, just _possible_.

If they are not using NNTP for reading (i.e. they read the spool directly on the news host), you can make an /etc/group entry for a group with a special name, like "horny", and give only users in group horny access to read that directory:

    chown news /var/spool/news/alt/sex
    chgrp horny /var/spool/news/alt/sex
    chmod 750 /var/spool/news/alt/sex
    chgrp horny /var/spool/news/over.view/alt/sex   # your NOV data: same group, or 750 locks readers out
    chmod 750 /var/spool/news/over.view/alt/sex
    chmod 770 /var/spool/news/in.coming
    chmod 770 /var/spool/news/out.going

Now only people in the group "horny" can read that newsgroup. Everyone can subscribe to it, but only horny people can read it. innd (which runs as "news") will still be able to do its business. Note that this only protects readers who open the spool directly; nnrpd also runs as "news", so the group is still served to anyone who may read it over NNTP.

INN has an authentication scheme called authinfo for use with NNTP. The user must supply a name and a password. If they match an entry in nnrp.access, then the user may read the groups specified in that entry. The fields of an nnrp.access entry are, separated by colons: host pattern, permissions (R for read, P for post), user, password, and newsgroup pattern list. An example nnrp.access:
----------
*.pilhuhn.de:R P:::*,!pilhuhn.foo
:R P:hwr:XXX:*
----------
Here users from hosts *.pilhuhn.de may read and post in all groups except pilhuhn.foo. If a user authenticates as user hwr with password XXX, then he or she may also read pilhuhn.foo. In order to be able to authenticate as user ``hwr'' in the above example, the host that this ``hwr'' connects from must also have read rights. So this
---------
:R P:hwr:XXX:*
---------
as the only entry in nnrp.access won't work, but the following will work:
---------
*:R:::*,!pilhuhn.foo
:R P:hwr:XXX:*
---------
Note that those 'password entries' need to be last in nnrp.access. Note also that the passwords in nnrp.access are stored in clear text (and sent in clear text by authinfo), so the file must not be readable by ordinary users. There is a bug in inn1.4 which allows users to post to such a protected group if they know the name of the group, even if they can't read it. nnrp.access-auth.patch (on the usual patch site) cures this.
If the newsreader software doesn't support authinfo, then you can still restrict access on a per-host basis. To read a specific group you then need to be on a specific machine (but then everybody on that machine can read the group).

In 1.5 there is a better protocol (authinfo generic) for doing this and it should gain better acceptance than the current protocol. Also in 1.5 you can use entries from the password database if you use the following entries:
---------
*:R:::*,!pilhuhn.foo
:R P:+::*
---------
In order to get authentication with Netscape to work, you need a slightly different way of authentication: Netscape (and other newsreaders) don't send authentication info on startup ("active authentication"), but only when the server requests it by sending a "480 Authentication required for command" reply ("passive authentication"). An entry like the following will do this:
---------
:R P:user1:pass1:*,!pilhuhn.foo
:R P:test:test:pilhuhn.foo
snert.pilhuhn.de:R P:user2:pass2:*
tritta.pilhuhn.de:R P:user3:pass3:*,!ka.test
---------
Here all users (in this case only snert.pilhuhn.de and tritta.pilhuhn.de are allowed to connect at all) have to authenticate. If they do so as ``user2'' then they can read and post in all groups. If they do so as user ``test'' then they can only read pilhuhn.foo, and if they do so as ``user1'' then they will be able to read all groups except pilhuhn.foo. Note that in the above example a user who comes from e.g. snert.pilhuhn.de will nevertheless be able to authenticate as ``user3'', even though that entry is marked as host tritta. That means that at the stage where an ``authinfo {user|pass}'' command is sent to the server, the host is no longer checked and every valid combination of user and pass will authenticate; so password security is here as important as in the normal password database. Note that passive authentication will only take place if there is a hostname match with the user and password fields filled in.
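To make the matching rules above concrete, here is an added toy model of the nnrp.access semantics exactly as this entry describes them (last matching host entry wins, an empty host field matches no host, a host entry with user/password filled in forces the 480 passive handshake, and authinfo does not re-check the host). It is example code written for this FAQ entry, not INN's nnrpd. The three configuration files are copied from the entries above; the 200/502/281/211/411 reply texts, the `passwd_db` dictionary standing in for the system password database, and the group names pilhuhn.bar and alt.sex are assumptions.

```python
"""Toy model of INN 1.x nnrp.access as described in this FAQ entry (added example)."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional

# nnrp.access files taken from the FAQ text above.
CONF_HOST_PLUS_PASSWORD = "*.pilhuhn.de:R P:::*,!pilhuhn.foo\n:R P:hwr:XXX:*\n"
CONF_PASSWORD_ONLY = ":R P:hwr:XXX:*\n"                 # the "won't work" case
CONF_PASSWD_DB = "*:R:::*,!pilhuhn.foo\n:R P:+::*\n"    # INN 1.5 '+' entry
CONF_PASSIVE = """\
:R P:user1:pass1:*,!pilhuhn.foo
:R P:test:test:pilhuhn.foo
snert.pilhuhn.de:R P:user2:pass2:*
tritta.pilhuhn.de:R P:user3:pass3:*,!ka.test
"""


@dataclass
class Entry:
    hosts: str      # comma-separated host wildcards; an empty field matches no host
    perms: str      # "R" (read) and/or "P" (post)
    user: str       # non-empty user/password => "password entry"; "+" => password database
    password: str
    groups: str     # wildmat list: comma-separated patterns, "!" prefix excludes

    @property
    def needs_auth(self) -> bool:
        return bool(self.user or self.password)


def parse_nnrp_access(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"nnrp.access line needs 5 colon-separated fields: {raw!r}")
        entries.append(Entry(*fields))
    return entries


def wildmat(patterns: str, name: str) -> bool:
    """Last matching pattern decides; a matching '!' pattern excludes.
    So '*,!pilhuhn.foo' allows everything except pilhuhn.foo."""
    result = False
    for pat in patterns.split(","):
        pat = pat.strip()
        if pat and fnmatch.fnmatchcase(name, pat.lstrip("!")):
            result = not pat.startswith("!")
    return result


def match_host(entries: List[Entry], host: str) -> Optional[Entry]:
    """Last entry whose host field matches wins (hence password entries go last)."""
    found = None
    for e in entries:
        if e.hosts and wildmat(e.hosts, host):
            found = e
    return found


class Session:
    """One reader connection; every method returns the server's reply line."""

    REFUSED = "502 You have no permission to talk.  Goodbye."  # assumed wording
    NEED_AUTH = "480 Authentication required for command"      # quoted on the page

    def __init__(self, entries: List[Entry], client_host: str,
                 passwd_db: Optional[Dict[str, str]] = None):
        self.entries = entries
        self.passwd_db = passwd_db or {}   # stand-in for the system password database
        self.host_entry = match_host(entries, client_host)
        # A plain host entry grants rights at once; one with user/password filled in
        # grants nothing until AUTHINFO succeeds (passive authentication).
        self.active: Optional[Entry] = None
        if self.host_entry is not None and not self.host_entry.needs_auth:
            self.active = self.host_entry

    def connect(self) -> str:
        return self.REFUSED if self.host_entry is None else "200 ready"

    def authinfo(self, user: str, password: str) -> str:
        if self.host_entry is None:
            return self.REFUSED
        granted = None
        # The host is NOT re-checked here: any password entry whose user/pass match
        # grants its rights, whatever host field it carries (last match wins).
        for e in self.entries:
            if e.user == "+" and self.passwd_db.get(user) == password:
                granted = e
            elif e.user and e.user == user and e.password == password:
                granted = e
        if granted is None:
            return "502 Authentication error"
        self.active = granted
        return "281 Ok"

    def group(self, name: str) -> str:
        if self.host_entry is None:
            return self.REFUSED
        if self.active is None:
            return self.NEED_AUTH
        if "R" in self.active.perms and wildmat(self.active.groups, name):
            return f"211 0 0 0 {name}"
        return "411 No such group"   # assumption: hidden groups look nonexistent

    def may_post(self, name: str) -> bool:
        return (self.active is not None and "P" in self.active.perms
                and wildmat(self.active.groups, name))
```

Running `Session(parse_nnrp_access(CONF_PASSIVE), "snert.pilhuhn.de")` shows the passive flow: the first `group()` call answers 480, `authinfo("user3", "pass3")` is accepted even though that entry names tritta, and pilhuhn.foo then opens while ka.test stays hidden; `CONF_PASSWORD_ONLY` refuses every connection because no host entry matches.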
If authentication is needed for a protected/secure newsgroup in an environment where no authentication is required for all other newsgroups, and users access the news server from many different hosts (i.e. dial-up), then there must be a hostname entry to force passive news agents/clients to authenticate. This may, however, result in every user having to authenticate for ALL newsgroups, even when they don't attempt to access the secured newsgroup. In most cases this will be accomplished by using a wildcard hostname entry.

For those who now ask how they can go directly to a newsgroup that needs authentication: use <news://user:pass@server/some.group> (be aware that the password then sits in clear text in the bookmark or history).

Many thanks to Jim Dutton <jimd@dutton2.it.siu.edu> for his valuable comments.
------------------------------
[Last Changed: $Date: 1997/07/01 01:25:41 $ $Revision: 2.21 $]
[Copyright: 1997 Heiko Rupp, portions by Tom Limoncelli, Rich Salz, et al.]