Julien ÉLIE | 23 Sep 2010 21:02

[NNTP] Interoperability with 502 answer to GROUP command

Hi all,

We had a question on inn-workers about the response code a news server
should give to a GROUP command for an existing newsgroup to which the
client does not have access:
    https://lists.isc.org/pipermail/inn-workers/2010-September/017275.html

It appears that INN answers 480/502 (depending on the state of authentication)
but a few news clients (amongst them are tin and Thunderbird) immediately
close the connection.
As a matter of fact, according to RFC 3977:

   502:  It is necessary to terminate the connection and to start a new
                            ^^^^^^^^^^^^^^^^^^^^^^^^
         one with the appropriate authority before the command can be used.

So...  what are clients and servers expected to do?

Suppose we have three groups on a news server:
 * group.public, readable by everybody
 * group.auth1, readable by user1
 * group.auth2, readable by user2

Are the following answers the right ones?

200 Hello!

LIST ACTIVE
215 Newsgroups in form "group high low status"
group.public 0000000003 0000000001 y

Clive D.W. Feather | 15 May 2012 13:07

Re: [NNTP] Interoperability with 502 answer to GROUP command

Julien ÉLIE said:
> We had a question on inn-workers about the response code a news server
> should give to a GROUP command for an existing newsgroup to which the
> client does not have access:
>    https://lists.isc.org/pipermail/inn-workers/2010-September/017275.html

Hi,

Found this while looking into the errata.

> It appears that INN answers 480/502 (depending on the state of authentication)
> but a few news clients (amongst them are tin and Thunderbird) immediately
> close the connection.
> As a matter of fact, according to RFC 3977:
> 
>   502:  It is necessary to terminate the connection and to start a new
>                            ^^^^^^^^^^^^^^^^^^^^^^^^
>         one with the appropriate authority before the command can be used.

That's for a *command*, not for a specific set of parameters.

> Suppose we have three groups on a news server:
> * group.public, readable by everybody
> * group.auth1, readable by user1
> * group.auth2, readable by user2
> 
> Are the following answers the right ones?
> 
> 200 Hello!

Russ Allbery | 15 May 2012 19:00

Re: [NNTP] Interoperability with 502 answer to GROUP command

"Clive D.W. Feather" <clive <at> davros.org> writes:
> Julien ÉLIE said:

>> GROUP group.auth2
>> 502 Read access denied

> No, this should be another 480. After all, in principle you could
> reauthenticate as user2.

No, you can't; see RFC 4643:

   After a successful authentication, the client MUST NOT issue another
   AUTHINFO command in the same session.  A server MUST NOT return the
   AUTHINFO capability in response to a CAPABILITIES command, and a
   server MUST reject any subsequent AUTHINFO commands with a 502
   response.

After you've authenticated, if you still can't read the group but the
group is not hidden, "permission denied" is the correct error code so far
as I can see.

-- 
Russ Allbery (rra <at> stanford.edu)             <http://www.eyrie.org/~eagle/>

Julien ÉLIE | 15 May 2012 23:27

Re: [NNTP] Interoperability with 502 answer to GROUP command

Hi Clive,

> If you want to hide the presence of group.auth2 entirely from people who
> don't have access to it, you could use a 411. But then why did you return
> 480 to group.auth1?
>
> You need to decide one of:
> (1) People can know about groups they don't have access to. They appear
> in LIST ACTIVE. You return 480 to any attempt to get at the group with
> authority.
> (2) People can't know about groups they don't have access to. They don't
> appear in LIST ACTIVE and you return 411 to attempts to get them. The user
> has to know that she needs to authenticate and they will magically appear.
> (3) Any mix of the above.

Understood, and agreed.  Many thanks for your answer.
It is up to the implementation to decide how it wants to handle the case.

-- 
Julien ÉLIE

"Better to light a candle than to curse the darkness." (Lao Zi)
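
The response choices discussed in this thread, as an added example that is not part of any message above and is not INN's code: a minimal session model covering Clive's options (1) and (2), Russ's point that a second AUTHINFO gets 502, and the resulting 480/502/411 answers to GROUP. The `Session` class, its `hide_unreadable` flag and the password-less `authinfo()` are assumptions made for illustration; the ACL is constructed from the three groups in the original question.

```python
# Constructed ACL mirroring the thread: None means readable by everybody.
ACL = {
    "group.public": None,
    "group.auth1": {"user1"},
    "group.auth2": {"user2"},
}

class Session:
    """One NNTP session; hide_unreadable=False is option (1), True is option (2)."""

    def __init__(self, acl, hide_unreadable=False):
        self.acl = acl
        self.hide = hide_unreadable
        self.user = None  # None until AUTHINFO succeeds

    def _readable(self, group):
        readers = self.acl[group]
        return readers is None or self.user in readers

    def list_active(self):
        # Option (2): unreadable groups never appear in LIST ACTIVE.
        return [g for g in self.acl if self._readable(g) or not self.hide]

    def authinfo(self, user):
        # RFC 4643: after a successful authentication, any further
        # AUTHINFO in the same session is rejected with 502.
        if self.user is not None:
            return 502
        self.user = user  # assumption: credentials already verified
        return 281

    def group(self, name):
        if name not in self.acl:
            return 411  # no such newsgroup
        if self._readable(name):
            return 211
        if self.hide:
            # Same code as a nonexistent group, so the answer does not
            # reveal that a hidden group exists.
            return 411
        if self.user is None:
            return 480  # authenticating might grant access
        return 502      # authenticated, still denied, cannot re-authenticate
```

Under option (2) the same 411 is returned for hidden and nonexistent groups, so a client cannot use GROUP to enumerate groups it is not allowed to see.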