INN commit: trunk/nnrpd (7 files)
INN Commit
Russ_Allbery at isc.org
Sat Sep 27 10:04:47 UTC 2008
Date: Saturday, September 27, 2008 @ 03:04:47
Author: iulius
Revision: 8061
After a successful AUTHINFO USER/PASS in an already selected newsgroup,
make sure the client still has read access to that newsgroup.
Modified:
trunk/nnrpd/article.c
trunk/nnrpd/commands.c
trunk/nnrpd/group.c
trunk/nnrpd/misc.c
trunk/nnrpd/nnrpd.h
trunk/nnrpd/perm.c
trunk/nnrpd/sasl.c
------------+
article.c | 8 ++++----
commands.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
group.c | 2 ++
misc.c | 1 +
nnrpd.h | 1 +
perm.c | 1 +
sasl.c | 1 +
7 files changed, 63 insertions(+), 5 deletions(-)
Modified: article.c
===================================================================
--- article.c 2008-09-27 08:51:07 UTC (rev 8060)
+++ article.c 2008-09-27 10:04:47 UTC (rev 8061)
@@ -632,7 +632,7 @@
}
/* Check authorizations. */
- if (!ok) {
+ if (!ok || PERMgroupmadeinvalid) {
Reply("%d Read access denied\r\n",
PERMcanauthenticate ? NNTP_FAIL_AUTH_NEEDED : NNTP_ERR_ACCESS);
return;
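Review bot: The read-access test is now the same two-term condition in four places in article.c (this hunk and the ones at -712, -909 and -1134), so any read command that still tests only `PERMcanread` would silently skip the post-authentication group check. A single predicate declared next to the flag, for example `#define PERMreaddenied() (!PERMcanread || PERMgroupmadeinvalid)`, would keep every caller in step. In this first hunk `ok` is computed above the visible lines; if it can be true for a fetch by message-ID, it is worth confirming that a stale current group is meant to block that request as well. The enclosing functions start and end outside the hunks.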
@@ -712,7 +712,7 @@
const char *message;
/* No syntax to check. Only check authorizations. */
- if (!PERMcanread) {
+ if (!PERMcanread || PERMgroupmadeinvalid) {
Reply("%d Read access denied\r\n",
PERMcanauthenticate ? NNTP_FAIL_AUTH_NEEDED : NNTP_ERR_ACCESS);
return;
@@ -909,7 +909,7 @@
}
/* Check authorizations. */
- if (!PERMcanread) {
+ if (!PERMcanread || PERMgroupmadeinvalid) {
Reply("%d Read access denied\r\n",
PERMcanauthenticate ? NNTP_FAIL_AUTH_NEEDED : NNTP_ERR_ACCESS);
return;
@@ -1134,7 +1134,7 @@
}
/* Check authorizations. */
- if (!PERMcanread) {
+ if (!PERMcanread || PERMgroupmadeinvalid) {
Reply("%d Read access denied\r\n",
PERMcanauthenticate ? NNTP_FAIL_AUTH_NEEDED : NNTP_ERR_ACCESS);
return;
Modified: commands.c
===================================================================
--- commands.c 2008-09-27 08:51:07 UTC (rev 8060)
+++ commands.c 2008-09-27 10:04:47 UTC (rev 8061)
@@ -27,12 +27,62 @@
extern const char *NNRPinstance;
+
+
+/*
+** Check after a successful authentication if the currently selected
+** newsgroup is still readable. AUTHINFO SASL does not need it because
+** the NNTP protocol is reset after it.
+*/
+static bool
+makeGroupInvalid(void) {
+ bool hookpresent = false;
+ char *grplist[2];
+
+#ifdef DO_PYTHON
+ hookpresent = PY_use_dynamic;
+ if (hookpresent) {
+ char *reply;
+
+ /* Authorize user using Python module method dynamic. */
+ if (PY_dynamic(PERMuser, GRPcur, false, &reply) < 0) {
+ syslog(L_NOTICE, "PY_dynamic(): authorization skipped due to no Python dynamic method defined");
+ } else {
+ if (reply != NULL) {
+ syslog(L_TRACE, "PY_dynamic() returned a refuse string for user %s at %s who wants to read %s: %s",
+ PERMuser, Client.host, GRPcur, reply);
+ free(reply);
+ return true;
+ }
+ }
+ }
+#endif /* DO_PYTHON */
+
+ if (!hookpresent) {
+ if (PERMspecified) {
+ grplist[0] = GRPcur;
+ grplist[1] = NULL;
+ if (!PERMmatch(PERMreadlist, grplist)) {
+ return true;
+ }
+ } else {
+ return true;
+ }
+ }
+
+ if (!hookpresent && !PERMcanread) {
+ return true;
+ }
+
+ return false;
+}
+
+
/* Returns:
** -1 for problem (such as no such authenticator, etc.).
** 0 for authentication succeeded.
** 1 for authentication failed.
*/
-
static char *PERMauthstring;
static int
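Review bot: `makeGroupInvalid()` uses `GRPcur` without a NULL check: it is passed to `PY_dynamic()`, printed with `%s` in `syslog()`, and stored in `grplist[0]`. If AUTHINFO USER/PASS can succeed before any group has been selected (not visible on this page), the `PERMmatch()` branch would presumably find nothing to match and flag a group that does not exist, which then denies reads through the new checks in article.c. An early `if (GRPcur == NULL) return false;` would make that case explicit. Separately, when `PY_dynamic()` returns a negative value the function only logs and falls through to `return false` with `hookpresent` still true, so neither `PERMreadlist` nor `PERMcanread` is consulted and the group stays readable. If that fail-open path is intended, a comment such as `/* No dynamic method: keep the group valid, as the GROUP command does. */` should say so, once the behaviour is confirmed against group.c.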
@@ -206,6 +256,7 @@
PERMneedauth = false;
PERMauthorized = true;
PERMcanauthenticate = false;
+ PERMgroupmadeinvalid = makeGroupInvalid();
free(logrec);
return;
case 0:
@@ -313,6 +364,7 @@
PERMneedauth = false;
PERMauthorized = true;
PERMcanauthenticate = false;
+ PERMgroupmadeinvalid = makeGroupInvalid();
return;
}
Modified: group.c
===================================================================
--- group.c 2008-09-27 08:51:07 UTC (rev 8060)
+++ group.c 2008-09-27 10:04:47 UTC (rev 8061)
@@ -168,6 +168,7 @@
}
} else
GRPcur = xstrdup(group);
+ PERMgroupmadeinvalid = false;
} else {
/* Must be doing a LISTGROUP command. We used to just return
something bland here ("Article list follows"), but reference NNTP
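Review bot: The added `PERMgroupmadeinvalid = false;` directly follows a braceless `else` whose only statement is `GRPcur = xstrdup(group);`, so it runs on both branches of the preceding `if` but is easy to read as part of the `else` (indentation is lost in this rendering). Bracing the branch, `} else { GRPcur = xstrdup(group); }`, would make it unambiguous that the flag is cleared on every successful group selection, which is the property the access checks rely on. The same applies to the hunk at -224. The enclosing function starts and ends outside both hunks.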
@@ -224,6 +225,7 @@
}
} else
GRPcur = xstrdup(group);
+ PERMgroupmadeinvalid = false;
}
free(group);
}
Modified: misc.c
===================================================================
--- misc.c 2008-09-27 08:51:07 UTC (rev 8060)
+++ misc.c 2008-09-27 10:04:47 UTC (rev 8061)
@@ -576,6 +576,7 @@
syslog(L_NOTICE, "%s exit for STARTTLS articles %ld groups %ld",
Client.host, ARTcount, GRPcount);
GRPcount = 0;
+ PERMgroupmadeinvalid = false;
}
}
#endif /* HAVE_SSL */
Modified: nnrpd.h
===================================================================
--- nnrpd.h 2008-09-27 08:51:07 UTC (rev 8060)
+++ nnrpd.h 2008-09-27 10:04:47 UTC (rev 8061)
@@ -159,6 +159,7 @@
EXTERN bool PERMcanread;
EXTERN bool PERMneedauth;
EXTERN bool PERMspecified;
+EXTERN bool PERMgroupmadeinvalid;
EXTERN ACCESSGROUP *PERMaccessconf;
EXTERN bool Tracing;
EXTERN bool Offlinepost;
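Review bot: `PERMgroupmadeinvalid` is access-control state that is written in six files but declared here without a comment saying who sets and who clears it. From the visible hunks, a comment like `/* True when AUTHINFO USER/PASS succeeded but the selected group is no longer readable; cleared on group selection and session reset. */` would document the invariant that read commands must test it alongside `PERMcanread`.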
Modified: perm.c
===================================================================
--- perm.c 2008-09-27 08:51:07 UTC (rev 8060)
+++ perm.c 2008-09-27 10:04:47 UTC (rev 8061)
@@ -1382,6 +1382,7 @@
success_auth = NULL;
PERMcanauthenticate = false;
+ PERMgroupmadeinvalid = false;
#ifdef HAVE_SSL
PERMcanauthenticatewithoutSSL = false;
#endif
Modified: sasl.c
===================================================================
--- sasl.c 2008-09-27 08:51:07 UTC (rev 8060)
+++ sasl.c 2008-09-27 10:04:47 UTC (rev 8061)
@@ -316,6 +316,7 @@
syslog(L_NOTICE, "%s exit for AUTHINFO SASL articles %ld groups %ld",
Client.host, ARTcount, GRPcount);
GRPcount = 0;
+ PERMgroupmadeinvalid = false;
}
}
} else {