Access control for reading.

Russ Allbery rra at stanford.edu
Thu Feb 1 17:30:07 UTC 2001


Jeffrey M Vinocur <jeff at litech.org> writes:

> It's not clear, really, how to add support for checking users' unix
> group membership.  The entry in TODO mentions adding code to ckpasswd,
> but what about usernames being retrieved via ident queries?  It seems to
> me that in order to support groups properly (without using perlhooks)
> some nontrivial changes would have to be made to the readers.conf
> mechanism.  (Either to assign each incoming connection a username _and_
> a group, or to be able to check group membership in access blocks
> somehow.)

> Any thoughts about this?

Depends on which way you think about it.  The way I'd think about it is
that from the perspective of INN, if you're doing group-based access
restrictions, the group *is* the username.  "User" is just a token that
INN uses to decide what access rule to apply, after all.

Viewed from that perspective, all I think you need is an option to
ckpasswd to return the user's group instead of their username and an
option to the ident resolver that does the same.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the inn-workers mailing list