older 2.3 INN ... bug in readers.conf/nnrp?

The Hermit Hacker scrappy at hub.org
Wed Jun 7 13:45:58 UTC 2000 

On 6 Jun 2000, Russ Allbery wrote:

> The Hermit Hacker <scrappy at hub.org> writes:
> 
> > Can anyone tell me if there was a security bug, maybe, in an older nnrpd
> > along the 2.3 strain?  Or, did I screw up this very simple looking
> > readers.conf ... I *thought* I had it set so that anyone that had a
> > userid/passwd *or* was on the local campus, could connect and everyone
> > else was denied by default.  Yet, I just found out, this has opened me
> > up to anyone reading *and* posting news on our server :(
> 
> > ##  $Revision: 1.1 $
> > ##  readers.conf -- access file for NNTP readers.
> 
> > auth "default" {
> >         # allow authenticated users to read/post everywhere
> >         hosts: "*"
> >         default: "local-user at acadiau.ca"
> >         auth: "radius -f /news/admin/etc/radius.conf"
> >         default-domain: "acadiau.ca"
> > }
> > auth "default" {
> >         hosts: "*.acadiau.ca,131.162.*"
> >         default: "local-user at acadiau.ca"
> > }
> 
> You've got multiple auth groups with the same name, which I wouldn't
> recommend.  But I think your problem is due to the default that you're
> assigning; if someone connects and doesn't authenticate, they get the
> default user string.  The default user string:
> 
> > # ordinary users
> > access "default" {
> >         # users can read/post to all but our internal newsgroups.
> >         users: "*"
> >         newsgroups: "*"
> >         access: "Read Post"
> > }
> 
> lets them read and post to all groups.  You need to have the auth group
> with a hosts setting of * default to a user identity that isn't allowed to
> do anything, or even more easily, make sure it doesn't have a default at
> all and then it shouldn't match any access group with a users key.

Ohhhhhhhhh ... okay.  Now I think its finally hit me like a ton of bricks
... but, shouldn't the above 'auth:' at least try for a userid/passwd
first?  I think this is where I was getting all screwed up ... I had made
the assumption that 'default:' was set *after* auth was completed ...



 > 
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> 
> 

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org 
primary: scrappy at hub.org           secondary: scrappy@{freebsd|postgresql}.org

More information about the inn-workers mailing list