Xref: utzoo news.groups:6038 news.sysadmin:1138
Path: utzoo!utgpu!attcan!uunet!cos!asp
From: asp@cos.com (Andrew S. Partan)
Newsgroups: news.groups,news.sysadmin
Subject: Re: restrict access to a newsgroup (was Re: Proposal for comp.security)
Message-ID: <9818@cos.com>
Date: 4 Nov 88 14:39:35 GMT
References: <1005@cps3xx.UUCP>
Organization: Corporation for Open Systems, McLean, VA
Lines: 29

In article <1005@cps3xx.UUCP>, rang@cpsin3.cps.msu.edu (Anton Rang) writes:
>   Is it possible to restrict access to a newsgroup (on a particular
>   machine)?  For instance, by changing the mode of its spool dir?
>   If so, this would solve 99% of the problems with a security group,
>   at least here--just don't give ordinary users privs to see it!

It is possible to restrict a set of newsgroups to a group of readers -
just make the news dirs 750, uid news, gid restricted group.

Eg, in /usr/spool/news, we have (partial list):
	drwxr-xr-x 28 news     news          512 Oct 12 22:40 alt
	drwxr-xr-x 42 news     news         1024 Oct 25 21:42 comp
	drwxr-x---  7 news     tsd           512 Sep 27 14:05 cos
Where alt & comp are open for all to read, and the cos.* newsgroups can
only be read by people in the 'tsd' group (or by the uids news and
root).  This does not restrict *posting* - anyone can post to the cos.*
newsgroups, but it does restrict *reading* - by any newsreader.

Note that you can NOT turn this on & off (by time periods, i.e.: to
restrict newsreading of certain newsgroups during the working day)
because most newsreaders (at least vnews & readnews do) will assume
that there is NO news if they can not get access to the article (they
do not distinguish between no access & no such file, I would guess),
and then update the .newsrc marking ALL of the articles as read.

	--asp (Andrew Partan @ Corporation for Open Systems)
	-- asp@cos.com or asp%cos.com@uunet.uu.net
	-- {uunet, sundc, decuac, hqda-ai, hadron}!cos!asp
	ASN.1 Object Identifier: "{joint-iso-ccitt mhs(6) group(6) 157}"