411 vs. 502 for permission denied reading groups

Russ Allbery rra at stanford.edu
Fri Oct 1 20:52:09 UTC 2004 

After a discussion with Mark Crispin where he pointed out that it was
nearly impossible to do reactive authentication properly against nnrpd,
I've committed the following patch to CURRENT.  I'm guessing that this may
be at least a little controversial, so I've not put it in STABLE yet; it
does fix a bug, but I want to talk about it first and see if we can reach
a good consensus.  It's in CURRENT so that people have something to look
at.

Here is my commit message:

    We had previously returned 411 (group doesn't exist) if the user
    didn't have permission to read the group for all cases other than
    Python dynamic authentication (where we returned 502 for permission
    denied).  I can sort of understand the dubious security mindset behind
    this choice, but at least when the user isn't already authenticated,
    this breaks reactive authentication.

    Instead, if the user is not authenticated, return 480, and if the user
    is authenticated, return 502.  This means that a user can determine
    that a group exists by probing for it and seeing if they get 411 or
    502, but the protocol is cleaner.

Here is the patch.  I think the 480 response if the user hasn't already
authenticated is mandatory if we want clients to be able to authenticate
in response to doing something that requires authentication, rather than
always authenticating at the beginning of the session.

Ideally, of course, we shouldn't return 480 if there's no possibility for
authentication to help, but we don't have a way of determining that
without a significant rewrite of the authentication code.

--- group.c	2003/02/10 03:28:25	1.62
+++ group.c	2004/10/01 20:49:19	1.63
@@ -1,4 +1,4 @@
-/*  $Id: group.c,v 1.62 2003/02/10 03:28:25 rra Exp $
+/*  $Id: group.c,v 1.63 2004/10/01 20:49:19 rra Exp $
 **
 **  Newsgroups and the active file.
 */
@@ -31,7 +31,10 @@ void CMDgroup(int ac, char *av[])
 #endif /* DO_PYTHON */
 
     if (!hookpresent && !PERMcanread) {
-	Reply("%s\r\n", NOACCESS);
+        if (PERMspecified)
+	    Reply("%d Permission denied\r\n", NNTP_ACCESS_VAL);
+        else
+            Reply("%d Authenticatino required\r\n", NNTP_AUTH_NEEDED_VAL);
 	return;
     }
 
@@ -72,18 +75,17 @@ void CMDgroup(int ac, char *av[])
     }
 #endif /* DO_PYTHON */
 
-    /* If permission is denied, pretend group doesn't exist. */
     if (!hookpresent) {
         if (PERMspecified) {
             grplist[0] = group;
             grplist[1] = NULL;
             if (!PERMmatch(PERMreadlist, grplist)) {
-	         Reply("%s %s\r\n", NOSUCHGROUP, group);
-                 free(group);
-                 return;
+                Reply("%d Permission denied\r\n", NNTP_ACCESS_VAL);
+                free(group);
+                return;
             }
         } else {
-            Reply("%s %s\r\n", NOSUCHGROUP, group);
+            Reply("%d Authentication required\r\n", NNTP_AUTH_NEEDED_VAL);
             free(group);
             return;
         }

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.

More information about the inn-workers mailing list