[packages/inn.git] / inn-etc-readers.conf

##  $Id$
##
##  readers.conf - Access control and configuration for nnrpd
##
##  Format:
##	auth "<name>" {
##		hosts: "<hostlist>"
##		auth: "<authprog>"
##		res: "<resprog>"
##		default: "<identity>"
##		default-domain: "<email-domain>"
##	}
##	access "<name>" {
##		users: "<userlist>"
##		newsgroups: "<newsgroups>"
##		read: "<read>"
##		post: "<post>"
##		access: "<perm>"
##	}
##
##  Other parameters are possible.  See readers.conf(5) for all the
##  details.  Only one of newsgroups or read/post may be used in a single
##  access group.
##
##  If the connecting host is not matched by any hosts: parameter of any
##  auth group, it will be denied access.  auth groups assign an identity
##  string to connections, access groups grant privileges to identity
##  strings matched by their users: parameters.
##
##  In all cases, the last match found is used, so put defaults first.
##
##  For a news server that allows connections from anyone within a
##  particular domain or IP address range, just uncomment the "local" auth
##  group and the "local" access group below and adjust the hosts: and
##  default: parameters of the auth group and the users: parameter of the
##  access group for your local network and domain name.  That's all there
##  is to it.
##
##  For more complicated configurations, read the comments on the examples
##  and also see the examples and explanations in readers.conf(5).  The
##  examples in readers.conf(5) include setups that require the user to
##  log in with a username and password (the example in this file only
##  uses simple host-based authentication).

# The only groups enabled by default (the rest of this file is
# commented-out examples).  This assigns the identity of <localhost> to
# the local machine

auth "localhost" {
    hosts: "localhost, 127.0.0.1, ipv6-localhost, ::1, stdin"
    default: "<localhost>"
}

# Grant that specific identity access to read and post to any newsgroup.

access "localhost" {
    users: "<localhost>"
    newsgroups: "*"
}


# This auth group matches all connections from example.com or machines in
# the example.com domain and gives them the identity <local>@example.com.
# Instead of using wildmat patterns to match machine names, you could also
# put a wildmat pattern matching IP addresses or an IP range specified
# using CIDR notation (like 10.10.10.0/24) here.

#auth "local" {
#    hosts: "*.example.com, example.com"
#    default: "<local>@example.com"
#}

# This auth group matches a subset of machines and assigns connections
# from there an identity of "<read>@example.com"; these systems should
# only have read access, no posting privileges.

#auth "read-only" {
#    hosts: "*.newuser.example.com"
#    default: "<read>@example.com"
#}

# This auth group matches the systems at a guest institution that should
# be allowed to read the example.events.* hierarchy but nothing else.

#auth "events-only" {
#    hosts: "*.example.org"
#    default: "<events-only>@example.org"
#}

# Finally, this auth group matches some particular systems which have been
# abusing the server.  Note that it doesn't assign them an identity at
# all; the "empty" identity created in this fashion won't match any users:
# parameters.  Note also that it's last, so anything matching this entry
# will take precedent over everything above it.

#auth "abusers" {
#    hosts: "badguy-dsl.example.com, kiosk.public-access.example.com"
#}


# Now for the access groups.  All of our access groups should have users:
# parameters so there are no access groups that match connections without
# an identity (such as are generated by the "abusers" entry above).
# First, the default case of local users, who get to read and post to
# everything.

#access "local" {
#    users: "<local>@example.com"
#    newsgroups: "*"
#}

# Now, the read-only folks, who only get to read everything.

#access "read-only" {
#    users: "<read>@example.com"
#    read: "*"
#}

# Finally, the events-only people who get to read and post but only to a
# specific hierarchy.

#access "events-only" {
#    users: "<events-only>@example.org"
#    newsgroups: "example.events.*"
#}
Commit	Line	Data
18239b2b JR	1	## $Id$
	2	##
	3	## readers.conf - Access control and configuration for nnrpd
	4	##
	5	## Format:
	6	## auth "<name>" {
	7	## hosts: "<hostlist>"
	8	## auth: "<authprog>"
	9	## res: "<resprog>"
	10	## default: "<identity>"
	11	## default-domain: "<email-domain>"
	12	## }
	13	## access "<name>" {
	14	## users: "<userlist>"
	15	## newsgroups: "<newsgroups>"
	16	## read: "<read>"
	17	## post: "<post>"
	18	## access: "<perm>"
	19	## }
	20	##
	21	## Other parameters are possible. See readers.conf(5) for all the
	22	## details. Only one of newsgroups or read/post may be used in a single
	23	## access group.
	24	##
	25	## If the connecting host is not matched by any hosts: parameter of any
	26	## auth group, it will be denied access. auth groups assign an identity
	27	## string to connections, access groups grant privileges to identity
	28	## strings matched by their users: parameters.
	29	##
	30	## In all cases, the last match found is used, so put defaults first.
	31	##
	32	## For a news server that allows connections from anyone within a
	33	## particular domain or IP address range, just uncomment the "local" auth
	34	## group and the "local" access group below and adjust the hosts: and
	35	## default: parameters of the auth group and the users: parameter of the
	36	## access group for your local network and domain name. That's all there
	37	## is to it.
	38	##
	39	## For more complicated configurations, read the comments on the examples
	40	## and also see the examples and explanations in readers.conf(5). The
	41	## examples in readers.conf(5) include setups that require the user to
	42	## log in with a username and password (the example in this file only
	43	## uses simple host-based authentication).
	44
	45	# The only groups enabled by default (the rest of this file is
	46	# commented-out examples). This assigns the identity of <localhost> to
	47	# the local machine
	48
	49	auth "localhost" {
	50	hosts: "localhost, 127.0.0.1, ipv6-localhost, ::1, stdin"
	51	default: "<localhost>"
	52	}
	53
	54	# Grant that specific identity access to read and post to any newsgroup.
	55
	56	access "localhost" {
	57	users: "<localhost>"
	58	newsgroups: "*"
	59	}
	60
	61
	62	# This auth group matches all connections from example.com or machines in
	63	# the example.com domain and gives them the identity <local>@example.com.
	64	# Instead of using wildmat patterns to match machine names, you could also
65	# put a wildmat pattern matching IP addresses or an IP range specified
66	# using CIDR notation (like 10.10.10.0/24) here.
67
68	#auth "local" {
69	# hosts: "*.example.com, example.com"
70	# default: "<local>@example.com"
71	#}
72
73	# This auth group matches a subset of machines and assigns connections
74	# from there an identity of "<read>@example.com"; these systems should
75	# only have read access, no posting privileges.
76
77	#auth "read-only" {
78	# hosts: "*.newuser.example.com"
79	# default: "<read>@example.com"
80	#}
81
82	# This auth group matches the systems at a guest institution that should
83	# be allowed to read the example.events.* hierarchy but nothing else.
84
85	#auth "events-only" {
86	# hosts: "*.example.org"
87	# default: "<events-only>@example.org"
88	#}
89
90	# Finally, this auth group matches some particular systems which have been
91	# abusing the server. Note that it doesn't assign them an identity at
92	# all; the "empty" identity created in this fashion won't match any users:
93	# parameters. Note also that it's last, so anything matching this entry
94	# will take precedent over everything above it.
95
96	#auth "abusers" {
97	# hosts: "badguy-dsl.example.com, kiosk.public-access.example.com"
98	#}
99
100
101	# Now for the access groups. All of our access groups should have users:
102	# parameters so there are no access groups that match connections without
103	# an identity (such as are generated by the "abusers" entry above).
104	# First, the default case of local users, who get to read and post to
105	# everything.
106
107	#access "local" {
108	# users: "<local>@example.com"
109	# newsgroups: "*"
110	#}
111
112	# Now, the read-only folks, who only get to read everything.
113
114	#access "read-only" {
115	# users: "<read>@example.com"
116	# read: "*"
117	#}
118
119	# Finally, the events-only people who get to read and post but only to a
120	# specific hierarchy.
121
122	#access "events-only" {
123	# users: "<events-only>@example.org"
124	# newsgroups: "example.events.*"
125	#}