[leafnode-list] group access controll - take 3
Matthew Parry
mettw at yahoo.com.au
Fri Jul 21 11:34:14 CEST 2006
Sorry about this,
there was a bug in the last diff...
--- leafnode-2.0.0.alpha20060711a/nntpd.c 2006-06-09 08:51:09.000000000 +1000
+++ nntpd.c 2006-07-21 19:31:07.619192448 +1000
@@ -82,6 +82,49 @@
static int authflag = 0; /* TRUE if authenticated */
static char *peeraddr = NULL; /* peer address, for X-NNTP-Posting header */
+/*
+ * Determine if the env var LEAFNODE_GROUPS is set and if so then
+ * whether the group passed as an argument is in it.
+ *
+ * LEAFNODE_GROUPS is a space seperated list of newsgroups to
+ * allow access to. Can use wildmat patterns.
+ *
+ * On GROUP, NEWNEWS, ARTICLE and POST, if LEAFNODE_GROUPS is set and
+ * non-empty and the group is not listed in LEAFNODE_GROUPS then the
+ * server sends a "484 access to the group xxx is restricted" error.
+ *
+ * BUGS:
+ *
+ * No checks done on the format of LEAFNODE_GROUPS.
+ *
+ * Matthew Parry <mettw at yahoo.com.au>
+ */
+
+static int
+allow_access_to_group(char *name)
+{
+ static struct stringlisthead *allowed_groups = NULL;
+ static int allow_all_groups = FALSE;
+
+ if(allow_all_groups)
+ return TRUE;
+ else if(!allowed_groups){
+ char *leafnode_groups = getenv("LEAFNODE_GROUPS");
+
+ if(!leafnode_groups || strlen(leafnode_groups) == 0){
+ allow_all_groups = TRUE;
+ return TRUE;
+ } else
+ allowed_groups = cmdlinetolist(leafnode_groups);
+
+ }
+
+ if(matchlist(allowed_groups->head, name) == NULL)
+ return FALSE;
+ else
+ return TRUE;
+}
+
/*
* this function avoids the continuous calls to both ln_log and printf
* it also appends \r\n automagically
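Review bot: The result of `cmdlinetolist(leafnode_groups)` is stored without a check and `allowed_groups->head` is dereferenced immediately afterwards in the `matchlist` call. A NULL return would therefore crash the server process instead of denying access; that could follow from an allocation failure, or possibly from a value holding only spaces, since `cmdlinetolist` is not visible here. An access check should fail closed, so add `if (!allowed_groups) return FALSE;` before the `matchlist` call. `name` is only read, so the parameter could be declared `const char *name` if `matchlist` accepts that.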
@@ -564,6 +607,11 @@
assert(what >= 0 && what <= 3);
+ if(!allow_access_to_group(group->name)){
+ nntpprintf("484 access to group %s is restricted",
+ group->name);
+ return;
+ }
f = fopenart(group, arg, artno);
if (!f) {
if (arg && *arg != '<' && !group)
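Review bot: The added check dereferences `group->name` unconditionally, yet the existing test two lines further down (`&& !group`) shows that `group` can be NULL at this point, presumably when no group has been selected. Guard the call with `if (group && !allow_access_to_group(group->name))`. The `*arg != '<'` test also suggests articles can be requested by Message-ID, in which case the check covers the currently selected group rather than the groups the article was posted to. If so, a restricted article may still be retrievable by Message-ID, and that path deserves its own check. The enclosing function starts and ends outside the hunk.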
@@ -689,6 +737,12 @@
rereadactive();
g = findgroup(arg, active, -1);
if (g) {
+ if(!allow_access_to_group(g->name)){
+ nntpprintf("484 access to the group %s is restricted",
+ g->name);
+ return group;
+ }
+
opengroup(g);
if (is_pseudogroup(g->name))
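Review bot: The 484 reply is sent only after `findgroup` has succeeded, so a restricted client can tell an existing-but-restricted group from one that does not exist. If the group names themselves are meant to stay hidden, send the same reply this function gives for an unknown group (that branch is outside the hunk). The comment block on `allow_access_to_group` lists only GROUP, NEWNEWS, ARTICLE and POST; whether the listing commands also honour LEAFNODE_GROUPS cannot be seen from this patch and is worth confirming.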
@@ -1015,6 +1069,12 @@
return;
}
+ if(!allow_access_to_group(l->head->string)){
+ nntpprintf("484 acces to the group %s is restricted",
+ l->head->string);
+ freelist(l);
+ return;
+ }
nntpprintf_as("230 List of new articles since %ld in newsgroup %s",
(long int)age, l->head->string);
s = mastr_new(LN_PATH_MAX);
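Review bot: Only `l->head->string` is tested, so if `l` can hold more than one entry the remaining ones are never compared with LEAFNODE_GROUPS. The code that builds `l` is outside the hunk, so confirm it always holds a single literal group name. If the argument may be a wildmat, the pattern text itself is matched against the allowed patterns, which is not the same as checking every group it expands to. The reply text also has a typo (`acces`) and differs from the wording in the ARTICLE hunk (`access to group`); one shared format string would keep all the 484 replies identical.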
@@ -1478,6 +1538,16 @@
/* apply filter for all newsgroups found in turn */
for (t = strtok(u, ", "); t; t = strtok(NULL, ", ")) {
struct filterlist *fi = selectfilter(t);
+
+ /* Check first if access to group is permitted */
+ if(!allow_access_to_group(t)) {
+ nntpprintf("484 access to the group %s is restricted",
+ t);
+ log_unlink(inname, 0);
+ free(u);
+ goto cleanup;
+ }
+
if (killfilter(fi, l)) {
nntpprintf("441 Article rejected by filter.");
log_unlink(inname, 0);
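Review bot: The POST refusal answers with `484`, while the filter rejection just below uses `441`, the posting-failed reply that a client waiting on a submitted article expects. A client that handles only 240/441 at this stage may treat the unknown code as a protocol error and retry; `nntpprintf("441 access to the group %s is restricted", t);` keeps the refusal on the normal path. `t` is taken from the submitted article and echoed back, so it is worth confirming that the tokenised value cannot carry control characters into the reply line. The surrounding loop and the `cleanup` label are outside the hunk.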