nnrp conf

Russ Allbery eagle at eyrie.org
Wed Dec 3 06:19:05 UTC 2014


Edwardo Garcia <wdgarc88 at gmail.com> writes:

> before I put back server on, is possible to have multi auth refer to one
> access?  or require matching pair?

Yes.

The idea behind readers.conf is that the auth blocks assign an identity to
the user, and then the access blocks map identities to permissions.  So,
if you have multiple auth blocks that map different incoming connections
to the same identity, they'll all have exactly the same access.

If you want to have all rules come in pairs, so that one auth block always
maps uniquely to one access block, there are two ways to do it.  The
easiest is to always use the default: key in the auth block to assign a
unique identity that shows up only in that auth block, and then have all
your access blocks assign permissions based on those unique identities,
matching only one such identity in each block.

(You can also use key:, but that's a bit more complicated.)

> example:

> auth "localhost" {
>     hosts: "localhost, 127.0.0.1, ::1, stdin, 200.x.x.x.x/24"
>     default: "<localhost>"
> }

> access "localhost" {
>     users: "<localhost>"
>     newsgroups: "*"
>     access: RPA
> }

This access block matches only that auth block.

> auth  name1 {
>     hosts: " foo/16, bah/19, somefoo/19"
>     default: "<parent>"     <--------------------------------
> }

> auth name2 {
>     hosts: "x.x.x/17, x.x.x.x/16, ..."
>     default: "<parent>"     <--------------------------------
> }

> access subsids {
>     users: "<parent>"   <-----------------
>     newsgroups: "*"
> }

This access block goes with any auth block that assigns an identity of
<parent>.  So it gives the same access to connections that match either of
those auth blocks.

> is this right?  each subsidiary business we let access to, has many many
> IP range, I see 8k limit per host line still, and we keep this clean in
> case company sell off one company we just delete block, hope have syntax
> right and won't be open server again?

That should not open the news server to the world.  I think you've got the
right configuration for what you're trying to do.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
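
The identity mapping described in the reply above can be checked mechanically before a server goes back online. The following is an added example, not part of the original message and not INN code: a simplified Python parser (the function names, regexes and sample addresses are assumptions) that reports which auth blocks each access block matches through default: and users:. It approximates wildmat with fnmatch, assumes a file without comments, and ignores key:, negated patterns and block ordering.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the shape discussed above (documentation address ranges).
SAMPLE = '''
auth "localhost" {
    hosts: "localhost, 127.0.0.1, ::1, stdin"
    default: "<localhost>"
}
access "localhost" {
    users: "<localhost>"
    access: RPA
}
auth name1 {
    hosts: "192.0.2.0/24"
    default: "<parent>"
}
auth name2 {
    hosts: "198.51.100.0/24"
    default: "<parent>"
}
access subsids {
    users: "<parent>"
}
'''

BLOCK = re.compile(r'^\s*(auth|access)\s+"?([^"\s{]+)"?\s*\{(.*?)^\s*\}', re.S | re.M)
PARAM = re.compile(r'^\s*([\w-]+):\s*"?([^"\n]*?)"?\s*$', re.M)

def parse(text):
    """Return [(kind, name, {param: value})] for each auth/access block."""
    return [(k, n, dict(PARAM.findall(body))) for k, n, body in BLOCK.findall(text)]

def audit(text):
    """Map each access block to the auth blocks whose default: identity it matches."""
    blocks = parse(text)
    auths = [(n, p['default']) for k, n, p in blocks if k == 'auth' and 'default' in p]
    report = {}
    for name, params in ((n, p) for k, n, p in blocks if k == 'access'):
        # An access block with no users: key applies to every identity.
        pats = [u.strip() for u in params.get('users', '*').split(',')]
        report[name] = [a for a, ident in auths
                        if any(fnmatchcase(ident, pat) for pat in pats)]
    return report

def unrestricted_auth(text):
    """Auth blocks with no hosts: key, which therefore match any client address."""
    return [n for k, n, p in parse(text) if k == 'auth' and 'hosts' not in p]
```

An access block that lists more auth blocks than intended, or any name returned by unrestricted_auth, is worth reviewing before the server is exposed again.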

