jxxl@cs.nps.navy.mil (vibo) (10/25/89)
Thanks to all who replied. The problem I presented was in having a private newsgroup where reading could be restricted to a particular user group. Following is a summation of the consensus reply.

The steps for restricting access to a newsgroup:

> The group must be specified in /etc/group
> Change the group of /usr/spool/news/newsgroupname with chgrp
> Change the permissions of same to 750 with chmod

This works like a charm on the news server. However, the catch is that access cannot be restricted by readers who use NNTP to come over the net. NNTP currently has no facility for identifying the user and the nntpd runs with root privileges, so file restrictions don't apply. NNTP will allow restrictions by host or by network, but in our case we cannot generalize about where the users will be.

My solution is to follow the above procedure for restricting the newsgroup on the server and then to deny any network access to the newsgroup by an appropriate entry in /usr/lib/news/nntp_access. Users are forced to rlogin to the server to read the restricted newsgroup. This is not the ideal distributed solution but seems to be the best we can do with the current software.

Other suggestions which bear on the problem:

Use the "notes" public domain software. Clunky user interface, but does the trick. I haven't investigated this myself.

Set the FASCIST option in B news to control posting.
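The three-step procedure above (group in /etc/group, chgrp, chmod 750), written out as a small POSIX shell script with a check that the "other" permission bits really are cleared. This is an added example, not code from the original thread; the function names, the temporary directory used as a stand-in for /usr/spool/news/newsgroupname, and the use of the caller's own primary group are all assumptions made so the script runs anywhere without root.

```sh
#!/bin/sh
# Added example: restrict a news spool directory to one Unix group.
# Assumes the group already exists (step 1 of the procedure: it must be
# listed in /etc/group); chgrp will fail otherwise, and we report that.

# restrict_newsgroup DIR GROUP
#   Sets the directory's group and mode 750 (owner rwx, group r-x, other ---).
#   Returns non-zero if the directory is missing or either command fails.
restrict_newsgroup() {
    dir=$1
    grp=$2
    if [ ! -d "$dir" ]; then
        echo "restrict_newsgroup: no such directory: $dir" >&2
        return 1
    fi
    # Does the group exist? getent is not universal, so fall back to /etc/group.
    if ! { getent group "$grp" >/dev/null 2>&1 || grep -q "^$grp:" /etc/group; }; then
        echo "restrict_newsgroup: group '$grp' is not in /etc/group" >&2
        return 1
    fi
    chgrp "$grp" "$dir" || return 1
    chmod 750 "$dir" || return 1
}

# perms_of DIR
#   Prints the 10-character symbolic mode from ls -ld, e.g. drwxr-x---
#   (extra ACL/SELinux markers such as '+' or '.' are trimmed off).
perms_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# world_denied DIR
#   Succeeds only when the "other" triplet is ---, i.e. users outside the
#   group (and not the owner) get nothing. This is the check that matters:
#   a reader on the server who is not in the group cannot enter the spool dir.
world_denied() {
    case "$(perms_of "$1")" in
        ???????---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration on a throwaway directory (constructed; not a real spool).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/private.group"
restrict_newsgroup "$demo_dir/private.group" "$(id -gn)"
echo "mode now: $(perms_of "$demo_dir/private.group")"
if world_denied "$demo_dir/private.group"; then
    echo "ok: non-members are locked out of the directory"
fi
rm -rf "$demo_dir"
```

Note what this does and does not buy you, exactly as the post says: the mode bits stop a local reader who is not in the group, but they do nothing against a reader arriving through nntpd, which opens the spool as root and so ignores them. The nntp_access entry has to carry that part of the policy.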
henry@utzoo.uucp (Henry Spencer) (10/25/89)
In article <352@cs.nps.navy.mil> jxxl@cs.nps.navy.mil (vibo) writes:
>This works like a charm on the news server. However, the catch is that
>access cannot be restricted by readers who use NNTP to come over the
>net. NNTP currently has no facility for identifying the user...

This is actually a generic problem: there is no reliable authentication over most current networks. (It's marginally feasible if you control all machines on the network *and* have your gateways to the outside world do fairly paranoid packet filtering, but that combination is rare.) NNTP per se is not to blame here.

-- 
A bit of tolerance is worth a     | Henry Spencer at U of Toronto Zoology
megabyte of flaming.              | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
ps@fps.com (Patricia Shanahan) (10/27/89)
In article <1989Oct25.162059.28776@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
>In article <352@cs.nps.navy.mil> jxxl@cs.nps.navy.mil (vibo) writes:
>>This works like a charm on the news server. However, the catch is that
>>access cannot be restricted by readers who use NNTP to come over the
>>net. NNTP currently has no facility for identifying the user...
>
>This is actually a generic problem: there is no reliable authentication
>over most current networks. (It's marginally feasible if you control all
>machines on the network *and* have your gateways to the outside world do
>fairly paranoid packet filtering, but that combination is rare.) NNTP
>per se is not to blame here.

I suspect that any attempt to introduce authentication may be counter-productive. With the current system, anyone forging messages to stuff a vote would not feel clever, because it would be so easy that anyone could do it. If it was not impossible to stuff the votes, but it took some significant amount of special knowledge and cleverness to do so, I think it would be much more likely to happen.

This is based on a theory that at least one motive for computer crime and cheating is a wish to feel clever. People who would not, for example, destroy books in a library to which they have access will destroy files in a computer to which they have access.

I do not think it can be made truly impossible to forge votes, especially if the network is to retain a reasonable degree of flexibility.

Patricia Shanahan
ps@fps.com
uucp : {decvax!ucbvax || ihnp4 || philabs}!sdcsvax!celerity!ps
phone: (619) 271-9940