[leafnode-list] group access control - take 2

Matthew Parry mettw at yahoo.com.au
Fri Jul 21 11:07:38 CEST 2006


--- leafnode-2.0.0.alpha20060711a/nntpd.c    2006-06-09 08:51:09.000000000 +1000
+++ nntpd.c    2006-07-21 19:05:26.022550760 +1000
@@ -82,6 +82,49 @@
 static int authflag = 0;    /* TRUE if authenticated */
 static char *peeraddr = NULL;    /* peer address, for X-NNTP-Posting header */
 
+/* 
+ * Determine if the env var LEAFNODE_GROUPS is set and if so then
+ * whether the group passed as an argument is in it.
+ *
+ * LEAFNODE_GROUPS is a space seperated list of newsgroups to
+ * allow access to.  Can use wildmat patterns.  
+ *
+ * On GROUP, NEWNEWS, ARTICLE and POST, if LEAFNODE_GROUPS is set and
+ * non-empty and the group is not listed in LEAFNODE_GROUPS then the 
+ * server sends a "484 access to the group xxx is restricted" error.
+ * 
+ * BUGS:
+ *
+ * No checks done on the format of LEAFNODE_GROUPS.
+ *
+ * Matthew Parry <mettw at yahoo.com.au>
+ */
+
+static int
+allow_access_to_group(char *name)
+{
+    static struct stringlisthead *allowed_groups = NULL;
+    static int allow_all_groups = FALSE;
+
+    if(allow_all_groups)
+        return TRUE;
+    else if(!allowed_groups){
+        char *leafnode_groups = getenv("LEAFNODE_GROUPS");
+
+        if(!leafnode_groups || strlen(leafnode_groups) == 0){
+            allow_all_groups = TRUE;
+            return TRUE;
+        } else 
+            allowed_groups = cmdlinetolist(leafnode_groups);
+        
+    } 
+    
+    if(matchlist(allowed_groups->head, name) == NULL)
+        return FALSE;
+    else 
+        return TRUE;
+}
+
 /*
  * this function avoids the continuous calls to both ln_log and printf
  * it also appends \r\n automagically
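Review bot: The result of `cmdlinetolist(leafnode_groups)` is dereferenced as `allowed_groups->head` without a check. If that helper can return NULL (for example for a value that is only whitespace; its behaviour is not visible here), a set-but-blank LEAFNODE_GROUPS would crash the server instead of restricting it. Failing closed is the safer choice for an access list: add `if (!allowed_groups) return FALSE;` right after the assignment. The function never writes through `name`, so `const char *name` would document that and let callers pass read-only strings. The header comment should also state outright that an unset or empty variable allows every group, since that default is the security-relevant part of the contract.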
@@ -564,6 +607,11 @@
 
     assert(what >= 0 && what <= 3);
 
+    if(!allow_access_to_group(group->name)){
+        nntpprintf("484 access to group %s is restricted",
+                group->name);
+        return;
+    }
     f = fopenart(group, arg, artno);
     if (!f) {
     if (arg && *arg != '<' && !group)
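Review bot: `group->name` is read in the added check before anything has tested `group`, yet the context line `if (arg && *arg != '<' && !group)` just below shows that `group` can be NULL at this point, so the check can dereference a null pointer. Guard it: `if (group && !allow_access_to_group(group->name)) {`. The check also looks at the currently selected group and not at the groups the requested article is filed in, so a fetch by Message-ID appears to go unchecked. If that matters for the deployment, the article's Newsgroups header would have to be checked once the article is opened. The enclosing function starts and ends outside the hunk.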
@@ -689,6 +737,12 @@
     rereadactive();
     g = findgroup(arg, active, -1);
     if (g) {
+        if(!allow_access_to_group(g->name)){
+        nntpprintf("484 access to the group %s is restricted",
+                g->name);
+        return group;
+    }
+
     opengroup(g);
 
     if (is_pseudogroup(g->name))
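Review bot: The distinct 484 reply tells a client that a restricted group exists, assuming an unknown group gets a different answer from the branch that handles a failed `findgroup` (outside the hunk). If the list is meant to hide groups as well as block them, send the same reply as for an unknown group and record the denial in the server log instead. The closing brace of the added `if` is indented one level less than its opening line, which makes the block look as if it closes `if (g) {`; re-indent the body and brace to match.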
@@ -1015,6 +1069,12 @@
     return;
     }
 
+    if(!allow_access_to_group(l->head->string)){
+            nntpprintf("484 acces to the group %s is restricted",
+                l->head->string);
+            freelist(l);
+            return;
+    }    
     nntpprintf_as("230 List of new articles since %ld in newsgroup %s",
             (long int)age, l->head->string);
     s = mastr_new(LN_PATH_MAX);
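Review bot: Only `l->head->string` is tested, so if `l` can hold more than one entry (NEWNEWS accepts a comma-separated list of groups, and `freelist(l)` suggests a list), everything after the first entry bypasses the restriction. The argument may itself be a wildmat, and matching that pattern text against the allowed patterns is not the same as checking each group it expands to. The check more likely belongs wherever the matched groups are visited one by one, which is outside this hunk. The reply text also has a typo and should match the other hunks: `nntpprintf("484 access to the group %s is restricted",`.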
@@ -1478,6 +1538,16 @@
         /* apply filter for all newsgroups found in turn */
         for (t = strtok(u, ", "); t; t = strtok(NULL, ", ")) {
         struct filterlist *fi = selectfilter(t);
+
+        /* Check first if access to group is permitted */
+        if(!allow_access_to_group(t)) {
+            nntpprintf("502 access to the group %s is restricted",
+                    t);
+            log_unlink(inname, 0);
+            free(u);
+            goto cleanup;
+        }
+
         if (killfilter(fi, l)) {
             nntpprintf("441 Article rejected by filter.");
             log_unlink(inname, 0);
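Review bot: The access check sits inside the loop commented `apply filter for all newsgroups found in turn`. If that loop runs only when filters are configured (the enclosing condition is outside the hunk), a server without filters would still accept posts to restricted groups. Giving the check its own pass over the Newsgroups list, one that always runs, would avoid that dependency. `selectfilter(t)` is called before the check although its result is unused on denial, so test access first and look up the filter afterwards. The reply code is 502 here but 484 in the other hunks, while the filter rejection just below uses 441 for a refused article; pick one code and use it consistently.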



