older 2.3 INN ... bug in readers.conf/nnrp?

Russ Allbery rra at stanford.edu
Tue Jun 6 17:23:18 UTC 2000

The Hermit Hacker <scrappy at hub.org> writes:

> Can anyone tell me if there was a security bug, maybe, in an older nnrpd
> along the 2.3 strain?  Or, did I screw up this very simple looking
> readers.conf ... I *thought* I had it set so that anyone that had a
> userid/passwd *or* was on the local campus, could connect and everyone
> else was denied by default.  Yet, I just found out, this has opened me
> up to anyone reading *and* posting news on our server :(

> ##  $Revision: 1.1 $
> ##  readers.conf -- access file for NNTP readers.

> auth "default" {
>         # allow authenticated users to read/post everywhere
>         hosts: "*"
>         default: "local-user@acadiau.ca"
>         auth: "radius -f /news/admin/etc/radius.conf"
>         default-domain: "acadiau.ca"
> }
> auth "default" {
>         hosts: "*.acadiau.ca,131.162.*"
>         default: "local-user@acadiau.ca"
> }

You've got multiple auth groups with the same name, which I wouldn't
recommend.  But I think your problem is due to the default that you're
assigning; if someone connects and doesn't authenticate, they get the
default user string.  The default user string:

> # ordinary users
> access "default" {
>         # users can read/post to all but our internal newsgroups.
>         users: "*"
>         newsgroups: "*"
>         access: "Read Post"
> }

lets them read and post to all groups.  You need to have the auth group
with a hosts setting of * default to a user identity that isn't allowed to
do anything, or even more easily, make sure it doesn't have a default at
all and then it shouldn't match any access group with a users key.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
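Russ's diagnosis, as an added Python model that is not part of the thread or of INN: it parses readers.conf-style groups and reports what an unauthenticated client from a given host ends up with, under the simplified rule that the last matching auth group (and the last matching access group) wins; INN's real matching is more involved, and the hosts and domains below are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase

# Constructed readers.conf in the shape posted in the thread (placeholder domains).
ORIGINAL = '''auth "default" {
    hosts: "*"
    default: "local-user@example.org"
    auth: "radius -f /news/admin/etc/radius.conf"
}
auth "default" {
    hosts: "*.example.org,192.0.2.*"
    default: "local-user@example.org"
}
access "default" {
    users: "*"
    newsgroups: "*"
    access: "Read Post"
}
'''
# Russ's fix: the catch-all auth group gets no default identity at all.
FIXED = ORIGINAL.replace('    hosts: "*"\n    default: "local-user@example.org"\n',
                         '    hosts: "*"\n', 1)

def parse(text):
    """Return [(kind, {key: value})] for every auth/access group, in file order."""
    groups = []
    for kind, body in re.findall(r'(auth|access)\s+"[^"]*"\s*\{([^}]*)\}', text):
        groups.append((kind, dict(re.findall(r'(\S+):\s*"([^"]*)"', body))))
    return groups

def matches(patterns, value):
    """Comma-separated wildcard list, as used by the hosts: and users: keys."""
    return any(fnmatchcase(value, p.strip()) for p in patterns.split(','))

def identity_for(groups, host):
    """Identity of a client that never authenticates: the default: of the last
    auth group whose hosts: matches (None when that group has no default)."""
    ident = None
    for kind, keys in groups:
        if kind == 'auth' and matches(keys.get('hosts', ''), host):
            ident = keys.get('default')
    return ident

def access_for(groups, host):
    """Rights for an unauthenticated client: '' without an identity, otherwise
    the access: of the last access group whose users: matches the identity."""
    ident = identity_for(groups, host)
    rights = ''
    if ident is not None:
        for kind, keys in groups:
            if kind == 'access' and 'users' in keys and matches(keys['users'], ident):
                rights = keys.get('access', '')
    return rights
```

With ORIGINAL every host, on campus or not, is handed the default identity and so matches `users: "*"`; with FIXED an off-campus client has no identity and no access group with a users key can match it.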

