General problems revolving around perl_access

[Jeffrey M. Vinocur]

On Wed, 28 Aug 2002, Russ Allbery wrote:

> Matt 'Goo Goo Dolls' Melton <matt_08-02 at my-security.net> writes:
> 
> > In demonstration, $return_hash{"post"} = "alt.not.exist";, does not
> > cause nnrpd to die, however, $return_hash{"post"} = "alt.not.*"; does.
> 
> Where does it die?  This isn't intentional, so there's a bug somewhere.
> Does it log anything?  Does it segfault?  Is there a core dump somewhere?

Much agreed.  Perhaps Erik can have a look as he's surely the most
familiar with the code.


> > $return_hash{"post"} = "*, !*.private"; the server will die at
> > access - why is this, is "*, !*.private" the wrong kind of string
> > to return?
> 
> This is likely the same problem.

Yeah.  (Hmm.  If you remove the space, does it work?)


> You can't send a password without a username using the AUTHINFO NNTP
> protocol.  

I'm actually not sure whether this is "right" (whatever that means).  In 
principle it's not required for the model.

Anyway, it's definitely common existing practice.


> You can't do this with SASL either so far as I know.  

Well, as far as I recall offhand there's nothing in the SASL spec that
says there has to be a username and password.  From our point of view,
there isn't, it's just opaque conversation between client and server.  I
don't know if there are any existing SASL methods that don't have a
"username" concept underlying them, but there's no reason why there 
couldn't be.


> You'll probably have to use a dummy username.

As things stand now, yes. 

Or, if you're not using the standard authenticators, you could write your 
authentication code to ignore the username entirely, and then the client 
could use anything he likes.



-- 
Jeffrey M. Vinocur
jeff at litech.org