Customizing nnrpd permission denied messages
Jeffrey M. Vinocur
jeff at litech.org
Fri Apr 20 21:51:06 UTC 2001
As per some discussion on inn-workers, here's a patch (against
CURRENT-20010420) that adds a parameter to readers.conf access stanzas for
denying a connection and giving a specified error message to the client.
E.g.,

    access "foo" {
        ...
        reject_with: "Connections require SSL"
    }

It compiles and has received some rudimentary testing (i.e., I can reject
with a message, and everything else seems to still work).

I updated the .pod for readers.conf and remade the manpage, but my
versions seem to differ slightly so I'd recommend remaking the manpage
"officially" (I included it in the diff anyway for people who might apply
it themselves).
--
Jeffrey M. Vinocur
jeff at litech.org
-- Attached file included as plaintext by Listar --
-- File: nnrpd-rejectwith
diff -u -r inn-CURRENT-20010420/doc/man/readers.conf.5 inn-CURRENT-20010420-modified/doc/man/readers.conf.5
--- inn-CURRENT-20010420/doc/man/readers.conf.5 Fri Apr 20 17:32:38 2001
+++ inn-CURRENT-20010420-modified/doc/man/readers.conf.5 Fri Apr 20 17:28:31 2001
@@ -457,6 +457,12 @@
If this parameter is present, this access group is only considered when
finding privileges for users matching auth groups with this same key:
parameter.
+.Ip "\fBreject_with:\fR" 4
+.IX Item "reject_with:"
+If this parameter is present, a client matching this block will be
+disconnected with a \*(L"Permission denied\*(R" message containing the contents
+(a \*(L"reason\*(R") of this parameter. Some newsreaders will then display the
+reason to the user.
.Ip "\fBlocaltime:\fR" 4
.IX Item "localtime:"
If a Date: header is not included in a posted article, \fInnrpd\fR\|(8) normally
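Review bot: The added .Ip/.IX lines in readers.conf.5 are generated output that repeats the readers.conf.pod text word for word, so this hunk should be left out of the patch and the man page regenerated from the pod when the change is committed. Any wording change requested for the reject_with: item needs to be made in the pod only, otherwise the two files drift apart.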
diff -u -r inn-CURRENT-20010420/doc/pod/readers.conf.pod inn-CURRENT-20010420-modified/doc/pod/readers.conf.pod
--- inn-CURRENT-20010420/doc/pod/readers.conf.pod Fri Apr 20 05:00:46 2001
+++ inn-CURRENT-20010420-modified/doc/pod/readers.conf.pod Fri Apr 20 17:27:56 2001
@@ -335,6 +335,13 @@
finding privileges for users matching auth groups with this same key:
parameter.
+=item B<reject_with:>
+
+If this parameter is present, a client matching this block will be
+disconnected with a "Permission denied" message containing the contents
+(a "reason") of this parameter. Some newsreaders will then display the
+reason to the user.
+
=item B<localtime:>
If a Date: header is not included in a posted article, nnrpd(8) normally
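Review bot: The new reject_with: item does not tell the administrator how the value is used or what limits apply to it. It should state that the text is sent to the client on a single response line after "Permission denied:", so it must be short and free of line breaks, that the same text is written to syslog together with the client host, and that the connection is closed as soon as the block matches, so the block's read: and later settings have no effect.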
diff -u -r inn-CURRENT-20010420/nnrpd/nnrpd.h inn-CURRENT-20010420-modified/nnrpd/nnrpd.h
--- inn-CURRENT-20010420/nnrpd/nnrpd.h Fri Apr 20 05:01:22 2001
+++ inn-CURRENT-20010420-modified/nnrpd/nnrpd.h Fri Apr 20 15:13:41 2001
@@ -53,6 +53,7 @@
char *read;
char *post;
char *users;
+ char *rejectwith;
int allownewnews;
int locpost;
int allowapproved;
diff -u -r inn-CURRENT-20010420/nnrpd/perm.c inn-CURRENT-20010420-modified/nnrpd/perm.c
--- inn-CURRENT-20010420/nnrpd/perm.c Fri Apr 20 05:01:22 2001
+++ inn-CURRENT-20010420-modified/nnrpd/perm.c Fri Apr 20 17:17:36 2001
@@ -141,11 +141,12 @@
#define PERMvirtualhost 51
#define PERMnewsmaster 52
#define PERMlocaladdress 53
+#define PERMrejectwith 54
#ifdef HAVE_SSL
-#define PERMrequire_ssl 54
-#define PERMMAX 55
+#define PERMrequire_ssl 55
+#define PERMMAX 56
#else
-#define PERMMAX 54
+#define PERMMAX 55
#endif
#define TEST_CONFIG(a, b) \
@@ -224,6 +225,7 @@
{ PERMvirtualhost, "virtualhost:" },
{ PERMnewsmaster, "newsmaster:" },
{ PERMlocaladdress, "localaddress:" },
+ { PERMrejectwith, "reject_with:" },
#ifdef HAVE_SSL
{ PERMrequire_ssl, "require_ssl:" },
#endif
@@ -383,6 +385,8 @@
ret->post = COPY(orig->post);
if (orig->users)
ret->users = COPY(orig->users);
+ if (orig->rejectwith)
+ ret->users = COPY(orig->rejectwith);
if (orig->fromhost)
ret->fromhost = COPY(orig->fromhost);
if (orig->pathhost)
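Review bot: The second added line assigns to the wrong field: `ret->users = COPY(orig->rejectwith);` should be `ret->rejectwith = COPY(orig->rejectwith);`. As written, the copy of users made two lines earlier is overwritten and leaked, the copied group's user list becomes the rejection text, and rejectwith is not set on the copy by these lines. A group produced through this copy would therefore not carry the rejection configured on the original, and a client meant to be refused could be matched against a users: value that was never configured.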
@@ -497,6 +501,8 @@
DISPOSE(del->post);
if (del->users)
DISPOSE(del->users);
+ if (del->rejectwith)
+ DISPOSE(del->rejectwith);
if (del->fromhost)
DISPOSE(del->fromhost);
if (del->pathhost)
@@ -728,6 +734,10 @@
CompressList(curaccess->users);
SET_CONFIG(oldtype);
break;
+ case PERMrejectwith:
+ curaccess->rejectwith = COPY(tok->name);
+ SET_CONFIG(oldtype);
+ break;
case PERMnewsgroups:
TEST_CONFIG(PERMread, bit);
if (bit) {
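Review bot: In the new case PERMrejectwith, `curaccess->rejectwith = COPY(tok->name);` replaces the pointer without freeing a value that may already be there, for example when reject_with: appears twice in one block, so the earlier string is leaked. Dispose of any existing value before the assignment. Because this string later goes into a one-line reply and a syslog entry, this is also the place to refuse a value containing CR or LF, and to decide whether an empty string should count as a rejection, since the later check only tests the pointer for non-NULL.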
@@ -1114,6 +1124,7 @@
/* stuff that belongs in an accessgroup */
case PERMusers:
+ case PERMrejectwith:
case PERMnewsgroups:
case PERMread:
case PERMpost:
@@ -1425,6 +1436,13 @@
}
if (i >= 0) {
/* found the right access group */
+ if (access_realms[i]->rejectwith) {
+ syslog(L_ERROR, "%s rejected by rule (%s)",
+ ClientHost, access_realms[i]->rejectwith);
+ Reply("%d Permission denied: %s\r\n",
+ NNTP_ACCESS_VAL, access_realms[i]->rejectwith);
+ ExitWithStats(1, TRUE);
+ }
if (access_realms[i]->read) {
cp = COPY(access_realms[i]->read);
PERMspecified = NGgetlist(&PERMreadlist, cp);
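Review bot: The syslog call in the new block records only ClientHost and the reason text, and does so at L_ERROR. A rejection the administrator configured is expected behaviour, so a notice-level priority fits better, and the entry should also identify which access group matched so that a refusal can be traced to its readers.conf stanza when several blocks share the same message. Passing the configured text as a %s argument to syslog and Reply, never as the format string itself, is correct and should be kept that way if these calls are reworked.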