Parametring cancel processing (Cancel-Lock vs unauthenticated cancels)

Julien ÉLIE julien at trigofacile.com
Sun Jan 23 21:09:39 UTC 2022


Hi Grant,

>> That sounds great for a soft transition period.  I'll put a warning in 
>> 2.7.0 and really remove it in 2.8.0.
> 
> <ASCII thumbs up>
> 
> The only other thing that I might ask is that you include the exact 
> error message(s) in release notes / FAQ / what have you.  That way if 
> (read: when) people hit the error and search for it (a la. fgrep -ir 
> "...") they will have a nugget of information to find.

Just done.
The release notes will contain what you asked for:

     * A new *docancels* parameter has been added in inn.conf to define which
       types of cancels innd should process.  The -C flag given to innd is
       deprecated in favour of that new parameter (you'll see in your logs
       the message "innd -C flag has been deprecated and has no effect; use
       docancels in inn.conf" in case you're passing that flag to innd).



For the ones using CURRENT snapshots, you'll see that warning starting from
tomorrow's snapshots.  Have a look at inn.conf(5) to see how to parameter
"docancels":

        docancels
            This parameter is intended for sites concerned about abuse of
            cancels, or that wish to enforce a mechanism to authenticate
            cancels.  Unless rejected by the use of a filter hook, innd always
            accepts and propagates cancel articles and supersede requests.
            However, actually processing such articles on the local news server
            depends on this parameter which can take the following values:

            "require-auth"
                Only articles originally protected by the Cancel-Lock
                authentication mechanism can be withdrawn by a valid
                authenticated cancel article or a valid authenticated supersede
                request.  Withdrawals of articles not originally protected by
                Cancel-Lock will not be executed.

                This is the default value if innd knows how to authenticate
                cancels (that is to say if INN was built with Cancel-Lock
                support).  Otherwise, the behaviour will be the same as "none".

            "auth"
                Withdrawals of articles not originally protected by the Cancel-
                Lock authentication mechanism will always be executed.
                However, if the original article is protected, only a valid
                authenticated cancel article or a valid authenticated supersede
                request will permit withdrawing it.  (If INN was not built with
                Cancel-Lock support, such protected articles won't be
                withdrawn.)

            "none"
                Neither cancel articles nor supersede requests will be
                processed; no articles will be withdrawn.

                This is the default value if innd does not know how to
                authenticate cancels (that is to say if INN was not built with
                Cancel-Lock support) as it has no means to ensure that these
                withdrawal requests are legitimate.

            "all"
                innd will process all cancel articles and supersede requests,
                even if unauthenticated, forged or with bad authentication.
                You should be sure of what you are doing if you choose that
                value as any article can be withdrawn (even by someone who is
                not the author of the article).



> Aside:  Is doing the same in the source going too far?  As in "Use the 
> Source Luke!".  ;-)

The exact message is naturally present in the source.

-- 
Julien ÉLIE

« – Prends un peu de potion magique, Jolitorax ?
   – Mais ça va être l'heure de l'eau chaude ! » (Astérix)


More information about the inn-workers mailing list