perl_access, 502 errors, and gracefully removing permissions

David E Mussulman mussulma at illinois.edu
Wed Sep 22 17:31:43 UTC 2010


Hi gang,

Running INN 2.5.2 as an intranet newsgroup server.  We're using
perl_access to restrict access for users to read/post to various
newsgroups, and it's been working okay.

This week, I was asked to restrict read access to a newsgroup that had
been available to a larger audience.  I updated my perl authz stuff and
excluded that newsgroup from the read and post hashes; that part's
working fine.

However, now, when newsgroup readers who were previously subscribed to
that newsgroup try to connect, they're having problems when the GROUP
(or some other newsgroup access) command returns a "502 Read access
denied" error.

tin 1.8.3 dies after connecting (after auth but before showing its
newsgroup index).  It reports "read access denied".  news.notice says
(after a bunch of group commands):

Sep 22 12:07:02 dcs-news1 nnrpd[20859]: columbia.cs.uiuc.edu can't read: Connection reset by peer
Sep 22 12:07:02 dcs-news1 nnrpd[20859]: columbia.cs.uiuc.edu timeout

Thunderbird 3.1.2 Windows gives a popup: "A News (NNTP) error occurred:
Read access denied" and it seems inconsistent when it is able to pull
down other newsgroups versus that connection timing out.

I tested telnetting into the news server on port 119.  A 502 error on
the GROUP command does not terminate the connection (which seems to
follow the RFC), but it looks like some readers just can't handle that
code in that place.

The obvious solution is to remove the restricted newsgroup from the
reader's newsrc.  That works well enough.  But the errors aren't obvious
(even on which newsgroup is causing the problem), and that means helping
a lot of people update their news config.  I also see this as a
potential future repeating event (this semester we have this newsgroup,
next semester its access goes away, etc.), so I'm looking for a
scalable/supportable solution.

Any suggestions for a server-based way to restrict access to this group
without causing problems with previously subscribed newsreaders?  I
wonder if the scenario would be different if the GROUP command returned
a "411 No such group" to newsgroups not listed in the read part of
perl_access?

What's the "normal way" to handle newsgroups that go away?  

Thanks for any help,
Dave
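
The client-side cleanup mentioned in the message (removing restricted groups from a reader's newsrc) can be scripted. The following is an added example, not part of the original post and not INN code; it assumes the classic newsrc line format ("group:" subscribed, "group!" unsubscribed), uses Python fnmatch patterns rather than INN wildmat, and all group names are constructed.

```python
import fnmatch

# Constructed sample newsrc: "group:" = subscribed, "group!" = unsubscribed,
# followed by the ranges of article numbers already read.
SAMPLE_NEWSRC = """\
class.cs101: 1-240
class.cs225.staff: 1-57,60
class.cs225! 1-12
announce: 1-9
"""


def split_newsrc_line(line):
    """Return (group, marker, rest), or None if the line is not a group entry."""
    for i, ch in enumerate(line):
        if ch in ":!":
            return line[:i], ch, line[i + 1:]
    return None


def prune_newsrc(text, restricted_patterns):
    """Drop every entry whose group matches a restricted pattern.

    Returns (kept_text, removed_lines). The removed lines are handed back so
    they can be saved and restored if read access is granted again later.
    """
    kept, removed = [], []
    for line in text.splitlines():
        parsed = split_newsrc_line(line)
        if parsed is None:
            kept.append(line)  # blank or non-entry lines pass through untouched
            continue
        group = parsed[0].strip()
        if any(fnmatch.fnmatchcase(group, p) for p in restricted_patterns):
            removed.append(line)
        else:
            kept.append(line)
    return "".join(l + "\n" for l in kept), removed


if __name__ == "__main__":
    new_text, dropped = prune_newsrc(SAMPLE_NEWSRC, ["class.cs225.*"])
    print(new_text, end="")
    print("removed entries:", dropped)
```

The pattern list would be the same set of groups that was taken out of the read hash on the server side.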


