Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!ukma!tut.cis.ohio-state.edu!triceratops.cis.ohio-state.edu!karl
From: karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste)
Newsgroups: news.misc
Subject: Re: Distributed Filesystems vs. NNTP at large sites.
Message-ID:
Date: 28 Sep 89 17:21:18 GMT
References: <509@medusa.informatik.uni-erlangen.de>
Sender: news@tut.cis.ohio-state.edu
Organization: OSU
Lines: 44

I wrote, in error:
> Our biggest problem with NNTP reading is
> that the granularity with which one can define limited-access
> newsgroups (by chmod'ing the spool directory) is only per-machine
> instead of per-newsgroup, as we have with NFS.

eckert@immd4.informatik.uni-erlangen.de writes:
   This is not true. You can define access to a newsgroup per-machine,
   and per-newsgroup.
   ...
   Which will restrict access to the secrat.all hierarchy to machines on
   the network (or machine trusted, whatever trusted is a name for).

What I had intended to say was that NNTP will allow me to restrict newsgroups on a per-machine basis, but we need to give users general access to machines with restricted access to newsgroups. NNTP can't do that, because it authenticates the machine instead of the user.

   What you cannot do with NNTP is restrict access per-user, but given
   that user mapping with NFS is usually consistent only over a small
   set of machines, and you want to use your server for a larger set of
   machines, this is really not a point for NFS (I am not talking about
   athena or the like).

We have a single news server providing NFS news access to ~300 machines, that is, our entire department. User access to all machines is consistent, at least to the point of usernames and numeric IDs. (We do have restrictions on who can get at what machines, e.g., undergrads do not in general have any access to the news server or its cousins. This is done by a somewhat baroque method involving fake shells for users who are not formally permitted on the system.)

   Also restricting access per user works correctly only with B-news 3.0.

We are running 2.11.17 and find that chgrp'ing and chmod'ing the spool directories works just fine as a restriction method. We define a new group, e.g., "faculty," which owns the spool directory for cis.faculty. All faculty are members of that group. The directory is then chmod'd 0750. Only faculty can get at the newsgroup; others are informed by rn that "this newsgroup is unavailable."

--Karl
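
Added example, not part of the original post: a Python audit of the chgrp/chmod 0750 restriction described in the message above, reporting any restricted newsgroup whose spool directory has drifted from it. It assumes the usual spool layout in which newsgroup cis.faculty lives in cis/faculty under the spool root; the function name, the sample tree and the gid mapping are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_restricted_groups(spool_root, restricted):
    """Check each restricted newsgroup's spool directory.

    restricted maps a newsgroup name to the numeric gid that should own it.
    Returns a list of (newsgroup, problem); an empty list means no drift.
    """
    findings = []
    for newsgroup, gid in sorted(restricted.items()):
        # Assumed layout: cis.faculty -> <spool_root>/cis/faculty
        path = os.path.join(spool_root, *newsgroup.split("."))
        try:
            st = os.lstat(path)  # lstat: a symlink must not pass as the directory
        except FileNotFoundError:
            findings.append((newsgroup, "spool directory missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((newsgroup, "not a real directory"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_gid != gid:
            findings.append((newsgroup, f"owned by gid {st.st_gid}, expected {gid}"))
        if mode & stat.S_IRWXO:
            findings.append((newsgroup, f"world access bits set (mode {mode:04o})"))
        if mode & stat.S_IWGRP:
            findings.append((newsgroup, f"group-writable (mode {mode:04o})"))
        if (mode & 0o050) != 0o050:
            findings.append((newsgroup, f"group cannot read/search (mode {mode:04o})"))
    return findings

if __name__ == "__main__":
    # Constructed sample tree; the gid is whatever the temp directory receives.
    with tempfile.TemporaryDirectory() as root:
        faculty = os.path.join(root, "cis", "faculty")
        os.makedirs(faculty)
        gid = os.stat(faculty).st_gid
        for mode in (0o750, 0o755):
            os.chmod(faculty, mode)
            print(f"{mode:04o}:", audit_restricted_groups(root, {"cis.faculty": gid}))
```

The check covers only the newsgroup's own directory; it does not examine the article files inside it or the permissions of parent directories.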