dcox@ssd.kodak.com (Don Cox (253-7121)) (12/13/90)
System: Sun4/260, SunOS4.0.3
Cnews with nntp

I have installed Cnews with nntp on our news-server. I have in the
nntp_access file the following:

    default xmit no

This tells me that unless a machine is defined in the nntp_access file,
they can only transfer files and can not post. This is true ONLY IF the
machine is in the /etc/hosts file on the YP master. For example,
my machine, tweety, is in the /etc/hosts of the YP master, and another
machine, granny, is not. Neither machine is in the nntp_access file.

When I execute the following command from tweety:

    telnet news-server 119

I am told that posting on the nntp port IS NOT permitted. When I
try the same command from granny (NOT in the /etc/hosts file):

    telnet news-server 119

I am told that posting IS permitted. Why didn't the default of no
posting tell granny the same as it did tweety? If I put granny into
the /etc/hosts file, then it is restricted from posting also.

We have limited machinenames in our /etc/hosts file on the YP (NIS)
master; we are trying to have our nameserver resolve the IP addresses
and machine-names. Is this a problem with the nameserver on Sun? Or a
problem with nntp? Or what? I definitely don't want every machine in
the world able to post from my news-server (or read from it either),
and I sure can't put every machine in the world in my /etc/hosts file.

One of my colleagues seems to remember hearing about a bug in the way
the nameserver resolves addresses in SunOS4.0.3, but I couldn't verify
this. I don't even know if this could be causing the problem if such a
bug did exist.

Sorry for another posting similar to one I posted yesterday, but I
never got a reply, and I consider this somewhat of a serious security
problem.

Thanks very much.

--
Don Cox
Phone (716) 253-7121
KMX (716) 253-7998
INTERNET dcox@ssd.kodak.com
When an eel bites your leg, and the pain makes you beg, that's a moray!

dcox@ssd.kodak.com (Don Cox (253-7121)) (12/16/90)
<I have installed Cnews with nntp on our news-server. I have in the
<nntp_access file the following:
<default xmit no
<
<This tells me that unless a machine is defined in the nntp_access file,
<they can only transfer files and can not post. This is true ONLY IF the
<machine is in the /etc/hosts file on the YP master. For example,
<my machine, tweety, is in the /etc/hosts of the YP master, and another
<machine, granny, is not. Neither machine is in the nntp_access file.
<
<When I execute the following command from tweety:
<telnet news-server 119
<I am told that posting on the nntp port IS NOT permitted. When I
<try the same command from granny (NOT in the /etc/hosts file):
<telnet news-server 119
<I am told that posting IS permitted. Why didn't the default of no
<posting tell granny the same as it did tweety?

Nothing like replying to your own original message :=).

The problem was in my nntp_access file. As stated in
/nntp/services/README:

"The file "access_file" is the file which tells the news server
which hosts can read, which can post, and which can transfer.
...
Further, remember that the entry "default" must be first in the table."

My nntp_access file looked like:

    #
    # format host/net/*domain.suffix read/xfer/no post/no newsgroups
    #
    # nntpd access file
    #

    default xfer no
    ..

The blank line (between the pound sign and the default statement) was
causing all of the problems. Once I removed the blank line, the nntp
port (119) on my news-server was secure again. I also changed the
line to:

    default no no

and then gave xfer permissions to the sites that I feed news to. Now,
unless a machine is defined in my nntp_access file, they will get a
"connection refused" when trying to access port 119.

Sorry for the confusion, and I hope that this will be the solution for
those who e-mailed me with the same concern. Thanks.

--
Don Cox
Phone (716) 253-7121
KMX (716) 253-7998
INTERNET dcox@ssd.kodak.com
When an eel bites your leg, and the pain makes you beg, that's a moray!
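
Added example, not part of either post and not nntpd's own code: a small linter that catches the layout mistake described above before the access file is installed. The field layout comes from the comment header quoted in the post; treating a blank line ahead of "default" as an error is an assumption based on the post, and the function name and sample host are made up.

```python
# Added example: lint an nntp_access file for the mistake described above.
# Field layout is taken from the comment header quoted in the post:
#   host/net/*domain.suffix  read/xfer/no  post/no  newsgroups
# Flagging any blank line ahead of "default" is an assumption drawn from
# the post, not from the nntpd source.

ACCESS = {"read", "xfer", "no"}
POSTING = {"post", "no"}


def lint_nntp_access(text):
    """Return a list of (line_number, message) findings."""
    findings = []
    seen_entry = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            if not seen_entry:
                findings.append((lineno, "blank line before the default entry"))
            continue
        if line.startswith("#"):
            continue
        fields = line.split()
        if not seen_entry:
            seen_entry = True
            if fields[0] != "default":
                findings.append((lineno, "first entry is not 'default'"))
        elif fields[0] == "default":
            findings.append((lineno, "'default' is not the first entry"))
        if len(fields) < 3:
            findings.append((lineno, "expected host, access and posting fields"))
            continue
        if fields[1] not in ACCESS:
            findings.append((lineno, "unknown access value %r" % fields[1]))
        if fields[2] not in POSTING:
            findings.append((lineno, "unknown posting value %r" % fields[2]))
        if fields[0] == "default" and fields[1:3] != ["no", "no"]:
            findings.append((lineno, "default grants access to unlisted hosts"))
    return findings


# Constructed samples: the layout from the post, then the corrected form.
BROKEN = "#\n# nntpd access file\n#\n\ndefault xfer no\n"
FIXED = "#\n# nntpd access file\n#\ndefault no no\nfeed.example.com xfer no\n"

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_nntp_access(sample))
```

A static check like this does not replace the test used in the thread: connect to port 119 from a host that is not listed and confirm what the server actually grants.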