New sample readers.conf file

Thu Apr 13 05:38:19 UTC 2000

Here's a new cut at a sample readers.conf file.  There are two major
changes; first, the only uncommented stanzas in the default file are the
ones giving full access to the local system, and second the example is one
of host-based access control (which I think is the majority of INN sites
out there at present).  The comments refer people to the man page for more
details, including examples of password-controlled access.

##  $Id$
##
##  readers.conf - Access control and configuration for nnrpd
##
##  Format:
##      auth "<name>" {
##          hosts: "<hostlist>"
##          auth: "<authprog>"
##          res: "<resprog>"
##          default: "<identity>"
##          default-domain: "<email-domain>"
##      }
##      access "<name>" {
##          users: "<userlist>"
##          newsgroups: "<newsgroups>"
##          read: "<read>"
##          post: "<post>"
##          access: "<perm>"
##      }
##
##  Other parameters are possible.  See readers.conf(5) for all the
##  details.  Only one of newsgroups or read/post may be used in a single
##  access group.
##
##  If the connecting host is not matched by any hosts: parameter of any
##  auth group, it will be denied access.  auth groups assign an identity
##  string to connections, access groups grant privileges to identity
##  strings matched by their users: parameters.
##
##  In all cases, the last match found is used, so put defaults first.
##
##  For a news server that allows connections from anyone within a
##  particular domain or IP address range, just uncomment the "local" auth
##  group and the "local" access group below and adjust the hosts: and
##  default: parameters of the auth group and the users: parameter of the
##  access group for your local network and domain name.  That's all there
##  is to it.
##
##  For more complicated configurations, read the comments on the examples
##  and also see the examples and explanations in readers.conf(5).  The
##  examples in readers.conf(5) include setups that require the user to
##  log in with a username and password (the example in this file only
##  uses simple host-based authentication).

# The only groups enabled by default (the rest of this file is
# commented-out examples).  This assigns the identity of <localhost> to
# the local machine

auth "localhost" {
    hosts: "localhost, 127.0.0.1, stdin"
    default: "<localhost>"
}

# Grant that specific identity access to read and post to any newsgroup.

access "localhost" {
    users: "<localhost>"
    newsgroups: "*"
}

# This auth group matches all connections from example.com or machines in
# the example.com domain and gives them the identity <local>@example.com.
# Instead of using wildmat patterns to match machine names, you could also
# put a wildmat pattern matching IP addresses or an IP range specified
# using CIDR notation (like 10.10.10.0/24) here.

#auth "local" {
#    hosts: "*.example.com, example.com"
#    default: "<local>@example.com"
#}

# This auth group matches a subset of machines and assigns connections
# from there an identity of "<read>@example.com"; these systems should
# only have read access, no posting privileges.

#auth "read-only" {
#    hosts: "*.newuser.example.com"
#    default: "<read>@example.com"
#}

# This auth group matches the systems at a guest institution that should
# be allowed to read the example.events.* hierarchy but nothing else.

#auth "events-only" {
#    hosts: "*.example.org"
#    default: "<events-only>@example.org"
#}

# Finally, this auth group matches some particular systems which have been
# abusing the server.  Note that it doesn't assign them an identity at
# all; the "empty" identity created in this fashion won't match any users:
# parameters.  Note also that it's last, so anything matching this entry
# will take precedent over everything above it.

#auth "abusers" {
#    hosts: "badguy-dsl.example.com, kiosk.public-access.example.com"
#}

# Now for the access groups.  All of our access groups should have users:
# parameters so there are no access groups that match connections without
# an identity (such as are generated by the "abusers" entry above).
# First, the default case of local users, who get to read and post to
# everything.

#access "local" {
#    users: "<local>@example.com"
#    newsgroups: "*"
#}

# Now, the read-only folks, who only get to read everything.

#access "read-only" {
#    users: "<read>@example.com"
#    read: "*"
#}

# Finally, the events-only people who get to read and post but only to a
# specific hierarchy.

#access "events-only" {
#    users: "<events-only>@example.org"
#    newsgroups: "example.events.*"
#}

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>