older 2.3 INN ... bug in readers.conf/nnrp?
The Hermit Hacker
scrappy at hub.org
Wed Jun 7 13:45:58 UTC 2000
On 6 Jun 2000, Russ Allbery wrote:
> The Hermit Hacker <scrappy at hub.org> writes:
>
> > Can anyone tell me if there was a security bug, maybe, in an older nnrpd
> > along the 2.3 strain? Or, did I screw up this very simple looking
> > readers.conf ... I *thought* I had it set so that anyone that had a
> > userid/passwd *or* was on the local campus, could connect and everyone
> > else was denied by default. Yet, I just found out, this has opened me
> > up to anyone reading *and* posting news on our server :(
>
> > ## $Revision: 1.1 $
> > ## readers.conf -- access file for NNTP readers.
>
> > auth "default" {
> > # allow authenticated users to read/post everywhere
> > hosts: "*"
> > default: "local-user at acadiau.ca"
> > auth: "radius -f /news/admin/etc/radius.conf"
> > default-domain: "acadiau.ca"
> > }
> > auth "default" {
> > hosts: "*.acadiau.ca,131.162.*"
> > default: "local-user at acadiau.ca"
> > }
>
> You've got multiple auth groups with the same name, which I wouldn't
> recommend. But I think your problem is due to the default that you're
> assigning; if someone connects and doesn't authenticate, they get the
> default user string. The default user string:
>
> > # ordinary users
> > access "default" {
> > # users can read/post to all but our internal newsgroups.
> > users: "*"
> > newsgroups: "*"
> > access: "Read Post"
> > }
>
> lets them read and post to all groups. You need to have the auth group
> with a hosts setting of * default to a user identity that isn't allowed to
> do anything, or even more easily, make sure it doesn't have a default at
> all and then it shouldn't match any access group with a users key.
Ohhhhhhhhh ... okay. Now I think it's finally hit me like a ton of bricks
... but, shouldn't the above 'auth:' at least try for a userid/passwd
first? I think this is where I was getting all screwed up ... I had made
the assumption that 'default:' was set *after* auth was completed ...
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
>
Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy at hub.org secondary: scrappy@{freebsd|postgresql}.org
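
A small audit for the misconfiguration discussed in this thread, as an added example (not part of the original messages and not INN code): it flags any auth group with `hosts: "*"` that assigns a `default:` identity matched by an access group's `users:` pattern. Assumptions: the parser handles only simple quoted `key: "value"` lines, Python's `fnmatch` stands in for INN's wildmat matching, and the sample is reconstructed from the quoted config with "@" restored in the identity.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the auth and access groups quoted in the thread.
SAMPLE = '''
auth "default" {
    hosts: "*"
    default: "local-user@acadiau.ca"
    auth: "radius -f /news/admin/etc/radius.conf"
    default-domain: "acadiau.ca"
}
auth "default" {
    hosts: "*.acadiau.ca,131.162.*"
    default: "local-user@acadiau.ca"
}
access "default" {
    users: "*"
    newsgroups: "*"
    access: "Read Post"
}
'''

BLOCK = re.compile(r'^\s*(auth|access)\s+"([^"]*)"\s*\{(.*?)^\s*\}', re.S | re.M)
KEYVAL = re.compile(r'^\s*([\w-]+):\s*"?(.*?)"?\s*$', re.M)

def parse(text):
    """Return [(kind, name, {key: value})] for each auth/access block."""
    return [(k, n, dict(KEYVAL.findall(body))) for k, n, body in BLOCK.findall(text)]

def open_defaults(text):
    """Find hosts "*" auth groups whose default identity an access group accepts."""
    groups = parse(text)
    access = [(n, g) for k, n, g in groups if k == "access"]
    findings = []
    for kind, name, g in groups:
        if kind != "auth" or "default" not in g:
            continue
        if "*" not in [h.strip() for h in g.get("hosts", "").split(",")]:
            continue  # host-restricted group: a default identity is intended here
        for aname, a in access:
            users = [p.strip() for p in a.get("users", "").split(",")]
            if any(fnmatchcase(g["default"], p) for p in users):
                findings.append((name, g["default"], aname, a.get("access", "")))
    return findings

if __name__ == "__main__":
    for f in open_defaults(SAMPLE):
        print('auth "%s" gives unauthenticated clients "%s" -> access "%s" (%s)' % f)
```

Removing the `default:` line from the `hosts: "*"` group, as suggested in the quoted reply, clears the finding while the campus-only group keeps its default.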