##  $Id: readers.conf 4371 2001-01-16 15:35:38Z rra $
##
##  readers.conf - Access control and configuration for nnrpd
##
##  Format:
##      auth "<name>" {
##              hosts: "<hostlist>"
##              auth: "<authprog>"
##              res: "<resprog>"
##              default: "<identity>"
##              default-domain: "<email-domain>"
##      }
##      access "<name>" {
##              users: "<userlist>"
##              newsgroups: "<newsgroups>"
##              read: "<read>"
##              post: "<post>"
##              access: "<perm>"
##      }
##
##  Other parameters are possible.  See readers.conf(5) for all the
##  details.  Only one of newsgroups or read/post may be used in a single
##  access group.
##
##  If the connecting host is not matched by any hosts: parameter of any
##  auth group, it will be denied access.  auth groups assign an identity
##  string to connections, access groups grant privileges to identity
##  strings matched by their users: parameters.
##
##  In all cases, the last match found is used, so put defaults first.
##
##  For a news server that allows connections from anyone within a
##  particular domain or IP address range, just uncomment the "local" auth
##  group and the "local" access group below and adjust the hosts: and
##  default: parameters of the auth group and the users: parameter of the
##  access group for your local network and domain name.  That's all there
##  is to it.
##
##  For more complicated configurations, read the comments on the examples
##  and also see the examples and explanations in readers.conf(5).  The
##  examples in readers.conf(5) include setups that require the user to
##  log in with a username and password (the example in this file only
##  uses simple host-based authentication).
##
##  NOTE: Unlike in previous versions of INN, nnrpd will now refuse any
##  post from anyone to a moderated newsgroup that contains an Approved:
##  header unless their access block has an access: key containing the
##  "A" flag.  This is to prevent abuse of moderated groups, but it means
##  that if you support any newsgroup moderators, you need to make sure
##  to add such a line to the access group that affects them.  See the
##  access group for localhost below for an example.
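# The only groups enabled by default (the rest of this file is
# commented-out examples).  This assigns the identity of <localhost> to
# the local machine.
#
# NOTE(review): identity tokens written in angle brackets appear to have
# been stripped from this copy (it read default: "" and users: "").  The
# <localhost>, <LOCAL> and <READ> tokens below follow the stock INN sample;
# confirm them against the readers.conf shipped with your INN.  An identity
# left empty presumably behaves like the "abusers" case further down and
# matches no users: parameter, so the access group would never apply.
auth "localhost" {
    hosts: "localhost, 127.0.0.1, stdin"
    default: "<localhost>"
}

# Grant that specific identity access to read and post to any newsgroup
# and allow it to post articles with Approved: headers to moderated
# groups.
#
# The "A" flag applies to every connection that receives this identity,
# i.e. anything on this machine that reaches nnrpd over loopback or stdin.
# On a multi-user host where local accounts are not all trusted to approve
# posts to moderated groups, use "access: RP" here instead.
access "localhost" {
    users: "<localhost>"
    newsgroups: "*"
    access: RPA
}

# This auth group matches all connections from example.com or machines in
# the example.com domain and gives them the identity <LOCAL>@example.com.
# Instead of using wildmat patterns to match machine names, you could also
# put a wildmat pattern matching IP addresses or an IP range specified
# using CIDR notation (like 10.10.10.0/24) here.
#
# Hostname patterns are only as trustworthy as the DNS data the server
# resolves for the client address.  Where the network range is known, a
# CIDR range does not depend on DNS and is the safer choice.

#auth "local" {
#    hosts: "*.example.com, example.com"
#    default: "<LOCAL>@example.com"
#}

# This auth group matches a subset of machines and assigns connections
# from there an identity of "<READ>@example.com"; these systems should
# only have read access, no posting privileges.  It has to come after
# "local": these hosts also match *.example.com, and the last matching
# auth group is the one used.

#auth "read-only" {
#    hosts: "*.newuser.example.com"
#    default: "<READ>@example.com"
#}

# This auth group matches the systems at a guest institution that should
# be allowed to read the example.events.* hierarchy but nothing else.

#auth "events-only" {
#    hosts: "*.example.org"
#    default: "<LOCAL>@example.org"
#}

# Finally, this auth group matches some particular systems which have been
# abusing the server.  Note that it doesn't assign them an identity at
# all; the "empty" identity created in this fashion won't match any users:
# parameters.  Note also that it's last, so anything matching this entry
# will take precedence over everything above it.  Keep it last when adding
# new auth groups, or a later match will hand these hosts an identity again.

#auth "abusers" {
#    hosts: "badguy-dsl.example.com, kiosk.public-access.example.com"
#}

# Now for the access groups.  All of our access groups should have users:
# parameters so there are no access groups that match connections without
# an identity (such as are generated by the "abusers" entry above).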
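# NOTE(review): in this copy the "local" and "read-only" access groups both
# read users: "@example.com".  Since the last match found is used, the later
# read-only group would then apply to every example.com identity.  The
# <LOCAL> and <READ> prefixes below keep the identities distinct, following
# the stock INN sample; confirm them against the readers.conf shipped with
# your INN.  Each users: value must match the default: value of the
# corresponding auth group.

# First, the default case of local users, who get to read and post to
# everything.

#access "local" {
#    users: "<LOCAL>@example.com"
#    newsgroups: "*"
#}

# Now, the read-only folks, who only get to read everything.

#access "read-only" {
#    users: "<READ>@example.com"
#    read: "*"
#}

# Finally, the events-only people who get to read and post but only to a
# specific hierarchy.

#access "events-only" {
#    users: "<LOCAL>@example.org"
#    newsgroups: "example.events.*"
#}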