Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!ukma!tut.cis.ohio-state.edu!triceratops.cis.ohio-state.edu!karl
From: karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste)
Newsgroups: news.misc
Subject: Re: Distributed Filesystems vs. NNTP at large sites.
Message-ID: 
Date: 28 Sep 89 17:21:18 GMT
References: <509@medusa.informatik.uni-erlangen.de>
Sender: news@tut.cis.ohio-state.edu
Organization: OSU
Lines: 44

I wrote, in error:
   > Our biggest problem with NNTP reading is
   > that the granularity with which one can define limited-access
   > newsgroups (by chmod'ing the spool directory) is only per-machine
   > instead of per-newsgroup, as we have with NFS.

eckert@immd4.informatik.uni-erlangen.de writes:
   This is not true. You can define access to a newsgroup 
   per-machine, and per-newsgroup.
   ...
   Which will restrict access to the secrat.all hierarchy to machines
   on the network (or machine trusted, whatever trusted is a
   name for).

What I had intended to say was that NNTP will allow me to restrict
newsgroups on a per-machine basis, but we need to give users general
access to machines with restricted access to newsgroups.  NNTP can't
do that, because it authenticates the machine instead of the user.

   What you cannot do with NNTP is restrict access per-user, but given
   that user mapping with NFS is usually consistent only over a small set of
   machines, and you want to use your server for a larger set of machines,
   this is really not a point for NFS (I am not talking about athena
   or the like).

We have a single news server providing NFS news access to ~300
machines, that is, our entire department.  User access to all machines
is consistent, at least to the point of usernames and numeric IDs.
(We do have restrictions on who can get at what machines, e.g.,
undergrads do not in general have any access to the news server or its
cousins.  This is done by a somewhat baroque method involving fake
shells for users who are not formally permitted on the system.)

   Also restricting access per user works correctly
   only with B-news 3.0.

We are running 2.11.17 and find that chgrp'ing and chmod'ing the spool
directories works just fine as a restriction method.  We define a new
group, e.g., "faculty," which owns the spool directory for
cis.faculty.  All faculty are members of that group.  The directory is
then chmod'd 0750.  Only faculty can get at the newsgroup; others are
informed by rn that "this newsgroup is unavailable."
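As an added illustration (not code from Karl's post or from B News), the following POSIX shell script models the group-based restriction described above: the newsgroup name is mapped to its spool directory, the directory is chgrp'd to the owning group and chmod'd 0750, and a check reports whether a given user would be able to read it. The spool root, group and newsgroup names are arguments; the functions use `ls -ld` rather than `stat` so they work on both GNU and BSD userlands.

```shell
#!/bin/sh
# Hypothetical helper for restricting a news spool directory to one Unix
# group, as described in the post: chgrp + chmod 0750. Example code only.

# Map a newsgroup name such as cis.faculty to its spool path cis/faculty.
group_dir() {
    # $1 = spool root, $2 = newsgroup name
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Restrict a newsgroup's spool directory to the members of a Unix group.
# Owner keeps rwx (news can still file articles), group gets r-x, others nothing.
restrict_newsgroup() {
    # $1 = spool root, $2 = newsgroup name, $3 = Unix group
    dir=$(group_dir "$1" "$2")
    mkdir -p "$dir" || return 1
    chgrp "$3" "$dir" || return 1
    chmod 0750 "$dir" || return 1
}

# Print the permission string of a directory, e.g. drwxr-x---
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the directory is readable by owner and group alone.
is_restricted() {
    [ "$(dir_mode "$1")" = "drwxr-x---" ]
}

# Succeed if user $1 may read newsgroup directory $2, i.e. the user owns it
# or is a member of its group. Mirrors the kernel's mode check for 0750.
user_may_read() {
    user=$1
    dir=$2
    owner=$(ls -ld "$dir" | awk '{print $3}')
    grp=$(ls -ld "$dir" | awk '{print $4}')
    [ "$user" = "$owner" ] && return 0
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$grp" ] && return 0
    done
    return 1
}

# Demonstration on a temporary spool root, using the caller's primary group
# in place of the "faculty" group from the post (constructed sample setup).
demo_spool=$(mktemp -d)
restrict_newsgroup "$demo_spool" cis.faculty "$(id -gn)"
demo_dir=$(group_dir "$demo_spool" cis.faculty)
if is_restricted "$demo_dir"; then
    echo "$demo_dir is restricted to group $(id -gn)"
fi
if user_may_read "$(id -un)" "$demo_dir"; then
    echo "$(id -un) may read cis.faculty"
fi
rm -rf "$demo_spool"
```

Note that, exactly as the post says, this only works when every reader goes through the filesystem (NFS in Karl's setup); an NNTP server running as the news user would pass the check for everyone, since it is the server process, not the reader, whose credentials the kernel examines.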

--Karl