New sample readers.conf file
Russ Allbery
rra at stanford.edu
Thu Apr 13 05:38:19 UTC 2000
Here's a new cut at a sample readers.conf file. There are two major
changes; first, the only uncommented stanzas in the default file are the
ones giving full access to the local system, and second the example is one
of host-based access control (which I think is the majority of INN sites
out there at present). The comments refer people to the man page for more
details, including examples of password-controlled access.

## $Id$
##
## readers.conf - Access control and configuration for nnrpd
##
## Format:
##     auth "<name>" {
##         hosts: "<hostlist>"
##         auth: "<authprog>"
##         res: "<resprog>"
##         default: "<identity>"
##         default-domain: "<email-domain>"
##     }
##     access "<name>" {
##         users: "<userlist>"
##         newsgroups: "<newsgroups>"
##         read: "<read>"
##         post: "<post>"
##         access: "<perm>"
##     }
##
## Other parameters are possible. See readers.conf(5) for all the
## details. Only one of newsgroups or read/post may be used in a single
## access group.
##
## If the connecting host is not matched by any hosts: parameter of any
## auth group, it will be denied access. auth groups assign an identity
## string to connections, access groups grant privileges to identity
## strings matched by their users: parameters.
##
## In all cases, the last match found is used, so put defaults first.
##
## For a news server that allows connections from anyone within a
## particular domain or IP address range, just uncomment the "local" auth
## group and the "local" access group below and adjust the hosts: and
## default: parameters of the auth group and the users: parameter of the
## access group for your local network and domain name. That's all there
## is to it.
##
## For more complicated configurations, read the comments on the examples
## and also see the examples and explanations in readers.conf(5). The
## examples in readers.conf(5) include setups that require the user to
## log in with a username and password (the example in this file only
## uses simple host-based authentication).
# The only groups enabled by default (the rest of this file is
# commented-out examples). This assigns the identity of <localhost> to
# the local machine.
auth "localhost" {
    hosts: "localhost, 127.0.0.1, stdin"
    default: "<localhost>"
}
# Grant that specific identity access to read and post to any newsgroup.
access "localhost" {
    users: "<localhost>"
    newsgroups: "*"
}
# This auth group matches all connections from example.com or machines in
# the example.com domain and gives them the identity <local>@example.com.
# Instead of using wildmat patterns to match machine names, you could also
# put a wildmat pattern matching IP addresses or an IP range specified
# using CIDR notation (like 10.10.10.0/24) here.
#auth "local" {
#    hosts: "*.example.com, example.com"
#    default: "<local>@example.com"
#}
# This auth group matches a subset of machines and assigns connections
# from there an identity of "<read>@example.com"; these systems should
# only have read access, no posting privileges.
#auth "read-only" {
#    hosts: "*.newuser.example.com"
#    default: "<read>@example.com"
#}
# This auth group matches the systems at a guest institution that should
# be allowed to read the example.events.* hierarchy but nothing else.
#auth "events-only" {
#    hosts: "*.example.org"
#    default: "<events-only>@example.org"
#}
# Finally, this auth group matches some particular systems which have been
# abusing the server. Note that it doesn't assign them an identity at
# all; the "empty" identity created in this fashion won't match any users:
# parameters. Note also that it's last, so anything matching this entry
# will take precedence over everything above it.
#auth "abusers" {
#    hosts: "badguy-dsl.example.com, kiosk.public-access.example.com"
#}
# Now for the access groups. All of our access groups should have users:
# parameters so there are no access groups that match connections without
# an identity (such as are generated by the "abusers" entry above).
# First, the default case of local users, who get to read and post to
# everything.
#access "local" {
#    users: "<local>@example.com"
#    newsgroups: "*"
#}
# Now, the read-only folks, who only get to read everything.
#access "read-only" {
#    users: "<read>@example.com"
#    read: "*"
#}
# Finally, the events-only people who get to read and post but only to a
# specific hierarchy.
#access "events-only" {
#    users: "<events-only>@example.org"
#    newsgroups: "example.events.*"
#}
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
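
The matching rules stated in the sample file's comments (the last matching auth group assigns the identity, the last access group whose users: matches that identity grants privileges), as an added example that is not part of the original message and is not INN code. It is a simplified Python model, not nnrpd's parser: fnmatch stands in for wildmat, CIDR ranges are not handled, and the names parse, matches and resolve are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed input: three of the commented-out examples from the sample, enabled.
SAMPLE = '''
auth "local" {
    hosts: "*.example.com, example.com"
    default: "<local>@example.com"
}
auth "read-only" {
    hosts: "*.newuser.example.com"
    default: "<read>@example.com"
}
auth "abusers" {
    hosts: "badguy-dsl.example.com, kiosk.public-access.example.com"
}
access "local" {
    users: "<local>@example.com"
    newsgroups: "*"
}
access "read-only" {
    users: "<read>@example.com"
    read: "*"
}
'''

def parse(text):
    # Skip '#' comment lines, then collect (kind, params) per stanza in file order.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [(kind, dict(re.findall(r'([\w-]+):\s*"([^"]*)"', body)))
            for kind, _name, body in re.findall(r'(auth|access)\s+"([^"]*)"\s*\{(.*?)\}', text, re.S)]

def matches(value, patterns):
    # Assumption: fnmatchcase approximates wildmat; no "!"/"@" negation, no CIDR.
    return any(fnmatchcase(value, p.strip()) for p in patterns.split(","))

def resolve(groups, host):
    # identity None: no auth group matched the host, so the connection is denied.
    identity = None
    for kind, p in groups:
        if kind == "auth" and matches(host.lower(), p.get("hosts", "")):
            identity = p.get("default", "")   # a later match overrides an earlier one
    rights = None                             # None: no access group applies
    for kind, p in groups:
        if kind == "access" and identity and matches(identity, p.get("users", "")):
            both = p.get("newsgroups")        # newsgroups: covers read and post
            rights = {"read": both or p.get("read", ""), "post": both or p.get("post", "")}
    return identity, rights
```

Calling `resolve(parse(SAMPLE), "badguy-dsl.example.com")` returns an empty identity and no rights because "abusers" is the last auth group; if that stanza is moved above "local", the same host resolves to `<local>@example.com` with full access, which is why stanza order matters when reviewing this file.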