[news.sysadmin] Limiting access to a certain group

roger@binky.Binky.COM (Roger Taranto) (10/17/90)

We have an internal group that may potentially contain sensitive
articles, and, therefore, would like to limit access to the newsgroup
to only certain individuals.  We set the permissions on the directory
to be 640 so that only people in a specific group can access the articles
(the directory is owned by news).  That works if people read news
on that machine.  However, if they read news via nntp, the nntpd is
owned by news, making the newsgroup readable by anyone.

Is it possible to limit access to a certain newsgroup via nntp?

Thanks,
-Roger
roger@binky.Binky.COM	...!{pacbell,ucbcad,rtech}!binky!roger

jxxl@huxley.cs.nps.navy.mil (John Locke) (10/17/90)

In article <> roger@binky.Binky.COM (Roger Taranto) writes:
 
> We have an internal group that may potentially contain sensitive
> articles, and, therefore, would like to limit access to the newsgroup
> to only certain individuals.  We set the permissions on the directory
> to be 640 so that only people in a specific group can access the articles
> (the directory is owned by news).  That works if people read news
> on that machine.  However, if they read news via nntp, the nntpd is
> owned by news, making the newsgroup readable by anyone.
 
> Is it possible to limit access to a certain newsgroup via nntp?

I posed this same question a year ago here and the responses were very
helpful. To sum up the situation: nntp does not include read/write permissions
but may be expanded to do so in the future. However, using the nntp_access
file, you can block the group from being read remotely. The privileged users
must log in to the server to read the protected group. Since they don't like
logging into another machine just to perform one function (if that is the
situation), this solution doesn't work well.

If you have NFS on your machines, you can solve the problem in a better, more
distributed, fashion by getting rid of nntp except for news transfer between
your news server and remote sites. Then you cross-mount the news spool and lib
directory to your local machines that make news available. On those machines,
replace rrn with rn. User and group ids will have to be consistent across all
machines for the protected group to be available to the right accounts. A good
minimal configuration is for each client to have rn, inews, Pnews, and Rnmail.
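
The NFS approach in the last post only protects the group if the numeric user and group IDs agree on every machine that mounts the spool. As an added example (not code from either poster), the following compares passwd and group data from the news server and one client and reports accounts that would gain or lose access to the protected group. It assumes the usual AUTH_UNIX NFS setup, where the server trusts the numeric IDs the client supplies; the group name `secret` and all accounts and IDs are constructed.

```python
# NFS with AUTH_UNIX grants access by numeric ID, not by name, so compare
# which accounts carry the protected group's GID on the server and a client.

def parse(text):
    """Split passwd/group style text into lists of colon-separated fields."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]

def holders(passwd_text, group_text, gid):
    """Map account name -> UID for every account that carries numeric gid."""
    users = {f[0]: (int(f[2]), int(f[3])) for f in parse(passwd_text)}
    names = {n for n, (_, primary) in users.items() if primary == gid}
    for f in parse(group_text):
        if int(f[2]) == gid:
            names |= {m for m in f[3].split(",") if m}
    return {n: users[n][0] for n in names if n in users}

def audit(group, srv_passwd, srv_group, cli_passwd, cli_group):
    """Return findings for one client checked against the news server."""
    gid = next(int(f[2]) for f in parse(srv_group) if f[0] == group)
    srv = holders(srv_passwd, srv_group, gid)
    cli = holders(cli_passwd, cli_group, gid)
    out = [f"extra access on client: {n}" for n in sorted(cli.keys() - srv.keys())]
    out += [f"locked out on client: {n}" for n in sorted(srv.keys() - cli.keys())]
    out += [f"uid mismatch: {n} server={srv[n]} client={cli[n]}"
            for n in sorted(srv.keys() & cli.keys()) if srv[n] != cli[n]]
    return out

# Constructed sample data; account names, group names and IDs are hypothetical.
SRV_PASSWD = ("alice:*:201:20::/home/alice:/bin/csh\n"
              "bob:*:202:20::/home/bob:/bin/csh\n"
              "dave:*:203:20::/home/dave:/bin/csh\n")
SRV_GROUP = "staff:*:20:\nsecret:*:50:alice,bob,dave\n"
CLI_PASSWD = ("alice:*:201:20::/home/alice:/bin/csh\n"
              "bob:*:305:20::/home/bob:/bin/csh\n"       # UID differs from server
              "carol:*:202:50::/home/carol:/bin/csh\n"   # primary GID is 50
              "dave:*:203:20::/home/dave:/bin/csh\n")
CLI_GROUP = "staff:*:20:\nsecret:*:50:alice,bob\n"       # dave missing here

if __name__ == "__main__":
    for line in audit("secret", SRV_PASSWD, SRV_GROUP, CLI_PASSWD, CLI_GROUP):
        print(line)
```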