using readers.conf to force nnrpd to send 480
rra at stanford.edu
Tue Jun 7 05:51:06 UTC 2005
Todd Olson <tco2 at cornell.edu> writes:
> At 14:56 -0800 2005-03-08, Russ Allbery wrote:
>> Todd Olson <tco2 at cornell.edu> writes:
>>> - assume a client has successfully obtained readonly permissions
>>> to my news server
>>> - Now they try to post
>>> QUESTION: Is there a way to make nnrpd return 480 rather than 440 ??
>> It should (which doesn't mean it *does*) do this if the user has not
>> already authenticated. If the user has already authenticated, then the
>> regular failure codes are returned. Alas, a quick perusal of the code
>> reveals that it doesn't do this properly in 2.4 or CURRENT. I'll fix
>> this in CVS (it's a straightforward fix), so at least it will be in the
>> next release.
> Thanks for the fix.
> Out of curiosity ...
> If I pull CURRENT today would this 'fix' be in ... or should I wait.
I studied this some more, and I was wrong. The existing code should have
already done this; if the user has not authenticated, they should get a
480 response to POST (and many other commands) until they do.

If, however, you've assigned an identity to the user, nnrpd thinks they've
already authenticated and therefore returns 440.

What nnrpd currently does not understand is the idea of being assigned a
low-privilege identity and being able to get more privileges after
authenticating. What it needs is some notion of "you can't do that but
you *could* if you authenticate" and then prompt for authentication, but
it doesn't have that and doing that would be quite a bit of work.

Instead, either you have an identity or not, and if you already have one,
it assumes that's the most privileges you'll ever get.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.