[NNTP] Interoperability with 502 answer to GROUP command

Clive D.W. Feather clive at davros.org
Tue May 15 04:07:42 PDT 2012


Julien LIE said:
> We had a question on inn-workers about the response code a news server
> should give to a GROUP command for an existing newsgroup to which the
> client does not have access:
>    https://lists.isc.org/pipermail/inn-workers/2010-September/017275.html

Hi,

Found this while looking into the errata.

> It appears that INN answers 480/502 (depending on the state of 
> authentication)
> but a few news clients (amongst them are tin and Thunderbird) immediately
> close the connection.
> As a matter of fact, according to RFC 3977:
> 
>   502:  It is necessary to terminate the connection and to start a new
>                            ^^^^^^^^^^^^^^^^^^^^^^^^
>         one with the appropriate authority before the command can be used.

That's for a *command*, not for a specific set of parameters.

> Suppose we have three groups on a news server :
> * group.public, readable by everybody
> * group.auth1, readable by user1
> * group.auth2, readable by user2
> 
> Are the following answers the right ones?
> 
> 200 Hello!
> 
> LIST ACTIVE
> 215 Newsgroups in form "group high low status"
> group.public 0000000003 0000000001 y
> .

Whether you list group.auth[12] depends on whether you want to publish the
fact of existence to people who don't have authority to read it. There
isn't a "right" answer.

> GROUP group.auth2
> 480 Read access denied

Correct.

> AUTHINFO USER user1
> 381 Enter password
> AUTHINFO PASS pass1
> 281 Authentication succeeded
> 
> LIST ACTIVE
> 215 Newsgroups in form "group high low status"
> group.public 0000000003 0000000001 y
> group.auth1 0000000003 0000000001 y
> .

Fine.

> GROUP group.auth2
> 502 Read access denied

No, this should be another 480. After all, in principle you could
reauthenticate as user2.

>  Another possibility would be 411 but it would mean that the
>  newsgroup is unknown (and therefore does not exist).  It is not
>  the case.

If you want to hide the presence of group.auth2 entirely from people who
don't have access to it, you could use a 411. But then why did you return
480 to group.auth1?

You need to decide one of:
(1) People can know about groups they don't have access to. They appear
in LIST ACTIVE. You return 480 to any attempt to get at the group with
authority.
(2) People can't know about groups they don't have access to. They don't
appear in LIST ACTIVE and you return 411 to attempts to get them. The user
has to know that she needs to authenticate and they will magically appear.
(3) Any mix of the above.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org     | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646
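The two consistent policies sketched at the end of the reply, as an added worked example rather than code from the thread or from INN: a toy NNTP session object that answers LIST ACTIVE, AUTHINFO and GROUP either by admitting that inaccessible groups exist (480 on GROUP, listed in LIST ACTIVE) or by hiding them (411 on GROUP, omitted from LIST ACTIVE), and that never answers 502 to a GROUP on an existing group, since the client could still re-authenticate on the same connection. The group names, users, passwords and article counts are constructed sample data; `Session`, `list_active`, `authinfo` and `group` are names chosen here.

```python
"""Added example: policy-driven NNTP responses for GROUP / LIST ACTIVE.

Illustrates the two policies from the reply above. Not INN's code; all
groups, users, passwords and counts are constructed sample data.
"""
from typing import Dict, List, Optional, Set

# Constructed sample groups: name -> readers (None = readable by everybody).
GROUPS: Dict[str, Optional[Set[str]]] = {
    "group.public": None,
    "group.auth1": {"user1"},
    "group.auth2": {"user2"},
}

# Constructed (count, low, high) article numbers for each group.
COUNTS = {name: (3, 1, 3) for name in GROUPS}

# Constructed credentials for the toy AUTHINFO exchange only.
USERS = {"user1": "pass1", "user2": "pass2"}


def can_read(name: str, user: Optional[str]) -> bool:
    readers = GROUPS[name]
    return readers is None or user in readers


class Session:
    """One client connection; hide_inaccessible selects policy (2) vs (1)."""

    def __init__(self, hide_inaccessible: bool) -> None:
        self.hide_inaccessible = hide_inaccessible
        self.user: Optional[str] = None
        self._pending: Optional[str] = None

    def list_active(self) -> List[str]:
        lines = ['215 Newsgroups in form "group high low status"']
        for name in GROUPS:
            # Policy (2): groups the client may not read are not listed at all.
            if self.hide_inaccessible and not can_read(name, self.user):
                continue
            count, low, high = COUNTS[name]
            lines.append(f"{name} {high:010d} {low:010d} y")
        lines.append(".")
        return lines

    def authinfo(self, keyword: str, value: str) -> str:
        if keyword == "USER":
            self._pending = value
            return "381 Enter password"
        if keyword == "PASS" and self._pending is not None:
            if USERS.get(self._pending) == value:
                # Authority changes mid-connection, so a later GROUP may
                # succeed where an earlier one got 480.
                self.user = self._pending
                self._pending = None
                return "281 Authentication succeeded"
            self._pending = None
            return "481 Authentication failed"
        return "482 Authentication commands issued out of sequence"

    def group(self, name: str) -> str:
        if name not in GROUPS:
            return "411 No such newsgroup"
        if not can_read(name, self.user):
            if self.hide_inaccessible:
                # Policy (2): indistinguishable from a nonexistent group.
                return "411 No such newsgroup"
            # Policy (1): 480 both before and after authentication. 502 would
            # tell the client to drop the connection, which is wrong here
            # because it could still AUTHINFO as a user who may read it.
            return "480 Read access denied"
        count, low, high = COUNTS[name]
        return f"211 {count} {low} {high} {name}"
```

Under policy (1) the response to `GROUP group.auth2` is 480 whether the client is anonymous or authenticated as user1; under policy (2) both `LIST ACTIVE` and `GROUP` behave as if the group did not exist until the client authenticates as someone allowed to read it.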

