NNRP.ACCESS(5)
NAME
nnrp.access - access file for NNTP news readers.
DESCRIPTION
The file <pathetc in inn.conf>/nnrp.access specifies the
access control for those NNTP sites that are not handled
by the main InterNetNews daemon innd(8). The nnrpd(8)
server reads it when first spawned by innd.
Comments begin with a number sign (``#'') and continue
through the end of the line. Blank lines and comments are
ignored. All other lines should consist of two or five
fields separated by colons:
hosts:perms:username:password:patterns
hosts:/full/path/filename
The first field is a wildmat(3)-style pattern specifying
the names or Internet addresses of a set of hosts. An
Internet address can be given with a slash ``/'' followed
by a netmask (e.g. ``/25'' or ``255.255.255.128''). Before
a match is checked, the client's hostname (or its Internet
address if gethostbyaddr(3) fails) is converted to
lowercase. Each line is matched in turn, and the last
successful match is taken as the correct one.
The second field is either a full pathname (with leading
``/'') to a second access file (in the same format) to
scan for a specified first field pattern, or a set of
letters specifying the permissions granted to the client.
The perms should be chosen from the following set (case is
significant):
R The client can retrieve articles
P The client can post articles
N The client can use the NEWNEWS command, overriding the global setting
L The client can post to groups with local-posting prohibited
If the filename option is used, no checks are done for
recursion so loops can occur - be careful.
The third and fourth fields specify the username and
password that the client must use to authenticate themselves
before the server will accept any articles. Note that
authentication is required for newsreading, unless both
are empty. In this case, the connection is never closed
until it is timed out or the client explicitly issues
``QUIT''. If they are empty, then no password is
required. Whitespace in these fields will result in the
client being unable to properly authenticate themselves
and may be used to disable access. If the third field is
``+'', then nnrpd(8) uses crypt(3) to authenticate the
supplied username and password. This might not work on
systems that use a shadow password file, since nnrpd
normally doesn't have the permissions to read that file.
If nnrpd is started in standalone mode, it tries to adjust
its permissions so that it can read the shadow file. See
also the -g
option in the manual page for nnrpd(8).
The fifth field is a set of patterns identifying the
newsgroups that the client is allowed to access. The
patterns are interpreted in the same manner as the
newsfeeds(5) file except for ``@''. The default, however,
denies access to all groups.
There is another line format, which can be used to
predefine an access list.
%DEFINEn:pattern
The %DEFINE is literal and is followed by a number to
define that particular pattern. You can then use ``%n''
(replacing ``n'' with the number you used in the %DEFINE)
as a complete replacement for the ``pattern'' option in
subsequent lines (i.e., you cannot use it along with normal
patterns). This can be used to reduce the size of the
access file when large access patterns are used and hence
speed up scanning the file. By default, only 10 patterns
can be used.
The access file is normally used to provide host-level
access control for reading and posting articles. There
are times, however, when this is not sufficient and
user-level access control is needed. Whenever an NNTP
``authinfo'' command is used, the nnrpd server re-reads
this file and looks for a matching username and password.
If the local newsreaders are modified to send the
``authinfo'' command, then all host entries can have no
access and specific users can be granted the appropriate
read and post access.
For example:
## host:perm:user:pass:groups
## Default is no access.
*:: -no- : -no- :!*
## FOO hosts have no password, can read anything.
*.foo.com:Read Post:::*
## A related workstation can't access FOO newsgroups.
lenox.foo.net:RP:martha:hiatt:*,!foo.*
## Define a list to be used twice
%DEFINE0:!*,bar.*,foo.*,comp.*,news.*,rec.*,soc.*,alt.*,!alt.binaries.*
bar1.foo.net:RP:::%0
bar2.foo.net:R:::%0
If the file contains passwords, it should not be
world-readable.
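Because the last successful match wins, the order of lines decides
what a client actually gets. The following is an added example, not
part of INN or of the original manual page: a small auditing helper
that reports which entry takes effect for a given client. The names
host_matches and effective_entry are hypothetical; fnmatch is assumed
to stand in for wildmat(3), and two-field include lines are not followed.

```python
import fnmatch
import ipaddress

# Constructed sample: the example entries shown on this page.
SAMPLE = """\
## Default is no access.
*:: -no- : -no- :!*
*.foo.com:Read Post:::*
lenox.foo.net:RP:martha:hiatt:*,!foo.*
%DEFINE0:!*,bar.*,foo.*,comp.*,news.*,rec.*,soc.*,alt.*,!alt.binaries.*
bar1.foo.net:RP:::%0
bar2.foo.net:R:::%0
"""

def host_matches(pattern, client):
    """client is a lowercased hostname or IP address string."""
    if "/" in pattern:                       # address/netmask form
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(client) in net
        except ValueError:
            return False                     # client is a name, or bad pattern
    # Assumption: fnmatch approximates wildmat(3) for *, ? and [] patterns.
    return fnmatch.fnmatchcase(client, pattern)

def effective_entry(text, client):
    """Return the LAST entry whose host field matches client, or None."""
    client, defines, result = client.lower(), {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # comments run to end of line
        if not line.strip():
            continue
        if line.startswith("%DEFINE"):
            num, _, pat = line[len("%DEFINE"):].partition(":")
            defines[num] = pat
            continue
        fields = line.split(":")
        if len(fields) != 5:                 # two-field include lines are skipped
            continue
        host, perms, user, password, groups = fields
        if groups.startswith("%"):           # %n replaces the whole pattern field
            groups = defines.get(groups[1:], groups)
        if host_matches(host, client):       # no break: later lines override
            result = {"line": lineno, "perms": perms, "user": user,
                      "password": password, "groups": groups}
    return result
```

Running it over a real access file for a handful of representative
clients shows whether a broad pattern placed late in the file
overrides a more restrictive entry above it.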
HISTORY
Written by Rich $alz <rsalz@uunet.uu.net> for
InterNetNews. This is revision 1.1.2.1, dated 1999/06/12.
SEE ALSO
inn.conf(5), innd(8), newsfeeds(5), nnrpd(8), wildmat(3).