Duplicate matches in readers.conf, and limit binaries to only binary groups

Jeffrey M. Vinocur jeff at litech.org
Mon Sep 1 17:06:14 UTC 2003


On Mon, 1 Sep 2003, Travis Farmer wrote:

> will an authenticated user be able to match more than one auth/access pair
> and take the settings from each. now, first, perhaps my method of using an
> auth, and an access field for each match is "unclean" so to speak, but it
> seems to work, and does not pose a performance problem, as of yet.

There's absolutely no point to the three auth groups you have.  (I wonder 
sometimes if this would've been more clear if we put auth groups and 
access groups in two config files -- think of it that way if it helps 
you.)  

Only the first auth group with an appropriate hosts: line will be used.  
Similarly, only one access group will be used -- there's presently no
support in readers.conf for taking the "union" of all matching access
groups (but if you need this functionality, it's pretty easy to do with 
the Python hooks).


> access "public" {
>         users: "*"
>         newsgroups: "local.notices"
>         access: "R"
> }

Better to use "read: local.notices" and "post: !*" here and get rid of the 
access: line entirely.


> access "administrator" {
>         users: "admin"
>         newsgroups: "*"
>         access: "RPA"
> }

Do you have any internal moderated groups?  (The access: A parameter is 
only useful if so.)


> access "test" {
>         users: "test"
>         newsgroups: "test"
>         access: "RP"
> }

Here the access: line has no effect, since newsgroups: implies read/post 
access.  You can delete it.


> now, I assume that first there is a smoother way of doing the above,

Eliminate the extraneous auth groups and the nits I was picking above, and
your configuration will look like it should.  You assign identities based
on connection type (all connections are matched against a password file),
and then use those identities to grant access.


> the user "admin" needs P access, and is granted access to every single
> group. I assume admin has P access to local.notices due to the permissions
> in the administrator group. and that user "test" has RP access to the group
> test, but only R access to local.notices.

You're mostly correct here, except that test does not have any access to 
local.notices -- remember that only one access group applies to each user.  
You'll want to change the test access group to "read: local.notices,test" 
and "post: test".


> Second question, what is the best way to limit binary postings to just the
> binary groups? 

Install Cleanfeed.


-- 
Jeffrey M. Vinocur
jeff at litech.org
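
The access groups quoted above with the changes suggested in this reply applied, as an added example that is not part of the original message. The auth groups are not shown in the thread and are left out; the group order is kept as quoted, and the A flag is kept on the assumption that internal moderated groups exist.

```conf
# readers.conf access groups (added example, values taken from the quoted message)

# Everyone with an identity: read-only on local.notices.
# read:/post: replace the old access: "R" line.
access "public" {
        users: "*"
        read: "local.notices"
        post: "!*"
}

# Full access for the admin identity.
# The A flag only matters if there are internal moderated groups;
# if there are none, the access: line can be dropped.
access "administrator" {
        users: "admin"
        newsgroups: "*"
        access: "RPA"
}

# Only one access group applies to a user, so local.notices has to be
# listed here as well for "test" to read it. Posting stays limited to test.
access "test" {
        users: "test"
        read: "local.notices,test"
        post: "test"
}
```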


