older 2.3 INN ... bug in readers.conf/nnrp?
Russ Allbery
rra at stanford.edu
Tue Jun 6 17:23:18 UTC 2000
The Hermit Hacker <scrappy at hub.org> writes:
> Can anyone tell me if there was a security bug, maybe, in an older nnrpd
> along the 2.3 strain? Or, did I screw up this very simple looking
> readers.conf ... I *thought* I had it set so that anyone that had a
> userid/passwd *or* was on the local campus, could connect and everyone
> else was denied by default. Yet, I just found out, this has opened me
> up to anyone reading *and* posting news on our server :(
> ## $Revision: 1.1 $
> ## readers.conf -- access file for NNTP readers.
> auth "default" {
> # allow authenticated users to read/post everywhere
> hosts: "*"
> default: "local-user at acadiau.ca"
> auth: "radius -f /news/admin/etc/radius.conf"
> default-domain: "acadiau.ca"
> }
> auth "default" {
> hosts: "*.acadiau.ca,131.162.*"
> default: "local-user at acadiau.ca"
> }
You've got multiple auth groups with the same name, which I wouldn't
recommend. But I think your problem is due to the default that you're
assigning; if someone connects and doesn't authenticate, they get the
default user string. The default user string:
> # ordinary users
> access "default" {
> # users can read/post to all but our internal newsgroups.
> users: "*"
> newsgroups: "*"
> access: "Read Post"
> }
lets them read and post to all groups. You need to have the auth group
with a hosts setting of * default to a user identity that isn't allowed to
do anything, or even more easily, make sure it doesn't have a default at
all and then it shouldn't match any access group with a users key.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the inn-workers
mailing list