Access control for reading.

Jeffrey M. Vinocur jeff at litech.org
Thu Feb 1 17:07:50 UTC 2001


On Thu, 1 Feb 2001, Dave Tormey wrote:

>   I'm running innd-2.3 on Solaris 2.6.  What I want
> to do is restrict read/post access to certain newsgroups
> based on the unix group of the reader if possible,
> or just the username. I've had a read of the readers.conf
> man pages etc., but am still a bit lost.

readers.conf will certainly let you do username-based stuff.  It's not
clear if your users are local (or on trusted hosts), in which case you
can get their usernames using a "res: ident" parameter in an auth block,
or if you need to do password authentication, in which case you'll need
"auth: ckpasswd" (with appropriate flags depending on what exactly you
want).

Then you can create an access group listing the users you want to allow
and specify newsgroups there.

Access based on unix groups is something on the INN todo list, but it's
not here yet.

I've been meaning to write to the list about this (Dave, the stuff below
doesn't necessarily apply to you), for I would also like group support.

It's not clear, really, how to add support for checking users' unix group
membership.  The entry in TODO mentions adding code to ckpasswd, but what
about usernames being retrieved via ident queries?  It seems to me that in
order to support groups properly (without using perlhooks) some nontrivial
changes would have to be made to the readers.conf mechanism.  (Either to
assign each incoming connection a username _and_ a group, or to be able to
check group membership in access blocks somehow.)

Any thoughts about this?


Jeff

-- 
Jeffrey M. Vinocur
jeff at litech.org
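
Added example, not part of the original message and not taken from the INN distribution: a readers.conf sketch of the username-based setup described above, using the "res: ident" and "auth: ckpasswd" parameters the message names. Host names, user names, newsgroup names and the password-file path are placeholders, and the ckpasswd "-f" flag and the block ordering should be checked against the readers.conf and ckpasswd man pages for your INN version.

```conf
# Constructed example. All names and paths below are placeholders.

# General case: any host, user must supply a password checked by ckpasswd.
# "-f" (a file of user:encrypted-password lines) is an assumption here;
# pick the ckpasswd flags that match where your passwords live.
auth "password" {
    auth: "ckpasswd -f /PLACEHOLDER/path/to/newsusers"
}

# Trusted hosts only: take the username from an ident query.
# An ident answer is whatever the remote host chooses to report, so the
# hosts: pattern should cover only machines you administer.
# Placed after the general block so the more specific block comes later.
auth "trusted" {
    hosts: "*.internal.example.com"
    res: "ident"
}

# Baseline for every identified user: everything except the restricted
# hierarchy (the wildmat pattern excludes it with "!").
access "general" {
    users: "*"
    newsgroups: "*,!example.staff.*"
}

# Named users who may also use the restricted hierarchy.
# Listed last so that it is the block applied to alice and bob.
access "staff" {
    users: "alice,bob"
    newsgroups: "*"
}
```

This works per username only; as the message says, there is no way here to name a Unix group in place of the "alice,bob" list.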



More information about the inn-workers mailing list