About HyperNews

Source: Installation: HyperNews Security

This forum is for all aspects of HyperNews security including installation, authentication, access control, security holes, and email attacks.

Installation

There are several aspects of security to be concerned with when installing HyperNews. The installation instructions give the details that are important there, but here we give some more background.

There are two levels of permissions to be concerned with: Unix filesystem permissions and web server permissions. In the filesystem, you only need to be concerned with use of chmod (and maybe chown and chgrp).

Authentication

First we consider authentication, which is ensuring that the user is someone that HyperNews knows about. HyperNews only knows about members who have previously joined the site. There are several ways that authentication might be done, several of which are supported in HyperNews. In the current state of the web, generally we must check that a password supplied by the user each time matches one that the server associates with the user. Notice that it is not sufficient to trust that the user is authenticated just because they have been authenticated previously in some sequence of URLs. Since each URL request is independent from the others (there are no HTTP "sessions" yet) each script must reauthenticate.

By the way, HyperNews does not store passwords of users in unencrypted form, to reduce risk of exposure. Instead, it only stores the encrypted form, and it checks a supplied password by encrypting it the same way and comparing to the stored encrypted password.

The need for public/private keys

HyperNews, along with several other WWW servers, allows users to authenticate themselves by providing a password. But the major flaw with these systems is that they store a separate password at each site, or worse, for each realm at the site. Even if I always use the same password everywhere so I can remember it (which is unsafe because if it is discovered anywhere, it is known everywhere), if I want to change the password, I have to change it everywhere or risk forgetting which old password applies where.

But there are ways to authenticate users while not requiring them to send any private information out to servers, such as a public/private key mechanism. We can't use such mechanisms yet because software is not widely available to users; the web is still growing support for doing security in these more reasonable ways.

Instead, we have four principal ways to authenticate in HyperNews: form-based, server-based, cookie-based, and external.

Form-based, "manual security"

The user enters a userid and password in a form that is submitted. The userid and password might be hidden in a form generated after a previous authentication (to avoid reauthenticating on every request), so this is not particularly secure since the document might be cached somewhere and snooped or reused (intentionally or unintentionally).

If you want to change the configuration of HyperNews from internal security to manual security, you need to run setup.pl from the command line at least once. The reason is that the .htaccess file is still present.

Server-based, "internal security"

The server must be configured to know about the authentication requirement. This means HyperNews must set up an ".htaccess" file, or equivalent. When a user makes a URL request to a restricted area, the server responds with a code that means the browser must supply a userid and password. If it doesn't know the userid and password associated with this area (or "realm") the browser will typically pop up a dialog box to ask the user. Thereafter, until the user quits the browser, the browser will send the same userid and password for requests to the same realm.

On the server, directories are typically restricted with a ".htaccess" file. HyperNews creates a single .htaccess file stored in the hnpeople directory, called .htgroupaccess. A symbolic link is made to this file from the SECURED, Admin, and .scripts directories, and from the HyperNews directory if all reading is restricted. For external security or manual security, the links to the .htaccess file are removed.

The .htaccess file references a password file, called .htpasswd, stored in the hnpeople directory, containing a list of userids paired with encrypted passwords. Other .htaccess files may reference the same .htpasswd file, but HyperNews wants to manage the contents of this file. The .htaccess file may also be used to perform access control, by referencing a file that associates group names with group members, but HyperNews no longer uses that mechanism (because servers tend to have bugs and large variance in this feature), and we were only checking membership in the group of all members or all administrators).

Notice that server-based authentication overrides form-based and cookie-based authentication in the sense that the server will request a userid and password from the browser regardless of their presense in forms or cookies. But once the server gets what it wants, HyperNews allows a separate userid and password to be provided in a form.

Cookie-based, optional authentication

Once a user has authenticated by some other mechanism, the server can send a cookie back to the browser (using a Set-Cookie header) which the browser will send back to the server (using a Cookie header) each time it makes a request in the same area. HyperNews uses cookies, if configured to allow it, and if the user requests it, to hold an encrypted form of the password. These cookies are made to expire at the end of the browser session.

Cookies provide optional authentication because if they are sent by the browser, they can be used, but if not sent, form-based authentication can still be used if necessary. The userid and password provided by a Cookie is used with the lowest priority, since a browser will keep sending cookies even if a different user is using the browser.

External Security

For some installations of HyperNews, it is appropriate to use a security mechanism established outside of HyperNews. There are two ways this can be done, one using server-based security and the other using cookies. In both cases, HyperNews won't know any more about the user than the userid given to it, unless there is some other mechanism added to HyperNews to look up such information.

Notice that external security is not the same as "internal" server-based authentication. If you want to make use of the server-based authentication mechanism that HyperNews sets up and manages, then don't use "external" security.

Access Control

Access control is distinguished from authentication, which merely checks that the user is someone we know. After we know who the user is, we can impose access control which restricts who can do what actions. Some actions may be permitted by anyone, others only by administrators.

The .htaccess file, supported by several servers, can reference a list of groups of users who have access to particular operations, but this list of groups or the list of members in the group files might be long enough to overflow buffers in some servers. Furthermore, we only distinguish three kinds of users, non-members, members, and members who are also administrators. It is easy enough to have HyperNews check which kind of user we have, so that is what we do now. But when we support more groups of users, such as editors or moderators of particular forums, we will still probably do our own access control rather than relying on server mechanisms.

HyperNews identifies several kinds of actions and for each action, a different level of access control may be applied. These actions are things like Reading forums and messages, Writing messages, Creating or Editing forums. For each action, the HyperNews configuration specifies whether it may be performed by no one, anyone, members-only, or administrators-only. Administrators can generally do anything, even actions permitted by "no one", but the difference is whether there is any visible interface to access these actions.

Regardless of the configuration, HyperNews performs another kind of access control based on the URL used to access a script. If the URL contains '/SECURED/', then the user must be a member, and if it contains '/Admin/' or /.scripts/, the user must be an administrator. With that restriction, HyperNews sometimes changes the interface displyed to the user to enable some addition actions or display more information.

Some actions have data that will be affected and an owner of that data. For example, if the action is "delete a message", the author of a message is the owner, or the user who will be affected by the action. For each action, there is a hard-coded parameter used to specify what kind of user can be affected. For the example of deleting a message, the member doing the deletion must be the same member who owns the message. See access1 in member-lib.pl for the details.

Unix Filesystem Security

HyperNews uses the Unix filesystem to store its forums, messages, and member information. See more about this in the installation instructions.
Daniel LaLiberte (liberte@hypernews.org)
Last modified: Thu Feb 25 23:30:45 EST 1999

Next-in-Thread Next Message
Inline: 1 All Outline: 1 2 All

1 Warning: HyperNews fails with server authentication enabled by Chris Nims, 1995, Jun 27
1 Question: Browser Question? by @void.ncsa.uiuc.edu, 1995, Jun 28
1 Server Authentication Different? by liberte@hypernews.org, 1995, Jun 29
...
2 Definitely not browser by nims@cstar.ac.com, 1995, Jun 29
...
2 Question: simmilar problem using apache by dfi@software-ag.de, 1995, Oct 10
1 Question: Apache access authorization by eric@aloha.net, 1995, Oct 12
...
3 Question: Authentication Fails here, too. by kevin_austin@merck.com, 1995, Dec 18
1 Docs referenced by HyperNews must be accessible by liberte@hypernews.org, 1995, Dec 19
...
4 Angry: MEMBERSHIP DELITED by RENO.F@USA.NET, 1997, Oct 09
5 None: Netscape Enterprise 3.0 , 1998, Jun 22
2 Question: Problem with Authentication on Netcsape Communications server by John Graham, 1995, Jun 30
1 Note: Problems with Authentication on Netscape Communications server by melo@ncsa.uiuc.edu, 1995, Jun 30
2 Warning: if you cannot see security forum try this .... , 1999, Mar 01
3 Disagree: Not so sure... by Matt Westby, 1995, Jul 14
1 Untrusted users are untrusted by liberte@hypernews.org, 1995, Jul 14
(_ Setting the uid for CGI-scripts by matthew.westby@wadham.ox.ac.uk, 1995, Jul 15
4 Question: Email security hole? by Robin Burke, 1995, Jul 25
1 Feedback: Email is a security hole by itself by liberte@hypernews.org, 1995, Jul 25
1 More: email & security by burke@cs.uchicago.edu, 1995, Jul 25
...
2 Question: hoax email by @lcz050.ust.hk, 1995, Aug 22
...
3 More: Give more information in email body, and no fake From-line by boldt@emile.math.ucsb.edu, 1995, Sep 12
...
5 Question: Differential security provisions by Robin Burke, 1995, Jul 25
1 On its way by liberte@hypernews.org, 1995, Jul 25
1 Agree: Great. Security is needed everywhere by mnguyen@pcug.org.au, 1995, Aug 13
...
2 Idea: Setup security so that one group can not read other group news by mnguyen@pcug.org.au, 1995, Aug 30
1 Sad: Giving user specific rights? by jonathan@asterix.environ.se, 1996, Nov 29
...
6 Question: Client permissions by Chris Osborn, 1995, Jul 31
1 Problem Solved by liberte@hypernews.org, 1995, Aug 01
7 Question: setuid bit and HyperNews by Graham Bignell, 1995, Aug 12
1 More: Still Looking by bignell@io.org, 1995, Aug 28
2 Warning: It's not so simple; cf perlsec by vladimir@cs.ualberta.ca, 1997, Sep 05
8 Authenticating Users (including code) by Elliotte Rusty Harold, 1995, May 08
1 Thanks - security plans in the works by liberte@hypernews.org, 1995, May 23
1 Security options in current version by athey@key.ctron.com, 1995, Jun 09
...
2 Idea: Cookie-based authentication? by caffeine@toodarkpark.org, 1997, Jan 29
...
9 User Authentication by Alessio Radaelli, 1995, May 11
1 Verify email address by elliotte@blackstar.com, 1995, May 15
1 Sad: Good luck...it won't work by dittrich@cac.washington.edu, 1995, Aug 31
... 4 Message(s)
2 None: Untitled , 1998, Apr 11
10 Who can change passwords and other personal information? by Paul G. Smith, 1995, Jul 17
1 Should be fixed in 1.9 by liberte@hypernews.org, 1995, Aug 29
(_ Sad: Unfortunately, can't get passwords for administrators by ndavis@intellicorp.com, 1995, Aug 31
11 Neat, but no security? by ton, 1995, Feb 25
3 Security? In a WWW context? surely you jest! by ab006@cfn.cs.dal.ca, 1995, Mar 13
(_ Not getting mail is not a disincentive by elliotte@blackstar.com, 1995, Apr 17
12 Method of verifing email accounts names... by Craig Goranson, 1995, Sep 03
1 Agree: Sounds good by liberte@hypernews.org, 1995, Sep 03
13 Idea: HyperNews ip Lockouts needed by Gary Schmidt, 1995, Aug 09
1 Agree: Great Idea! by mshopper@iag.net, 1995, Sep 02
1 Password Reset Option by liberte@hypernews.org, 1995, Sep 02
...
2 None: domain checking..... by marc@interak.com, 1996, Apr 20
14 Warning: Beware of server side includes/ Too much stuff visible by Axel Boldt, 1995, Sep 12
1 Potential Dangers are Real by liberte@hypernews.org, 1995, Sep 15
2 Warning: The Grinch cometh to server-side includes by dunlop@eol.ists.ca, 1995, Sep 29
15 Problems with first installation of 1.9B by De Clarke, 1995, Sep 12
1 Perhaps these are pre 1.9B3.1 bugs by liberte@hypernews.org, 1995, Sep 14
(_ Found another password bug by liberte@hypernews.org, 1995, Sep 14
16 Question: Problem with initial Passwords by George Gal, 1995, Sep 19
1 Note: Use the New Password fields for new passwords by liberte@hypernews.org, 1995, Sep 19
17 Question: HyperNews as a security hole by Torre Wenaus, 1995, Oct 06
1 Feedback: Holes or shadows by liberte@hypernews.org, 1995, Oct 07
18 Level 2 security by roy@cs.uiuc.edu, 1995, Oct 11
19 I cannot login in as the Hypernews Admin by Chris Christian, 1995, Oct 13
20 Question: How do I use an existing password file for membership? by Dwayne Jacques Fontenot, 1995, Oct 13
1 Feedback: Probably can't by Daniel LaLiberte, 1995, Oct 13
(_ Question: Will it be possible ? Maybe TODO ???? by Marcin.Klimowski@pk.edu.pl, 1996, Sep 05
(_ None: Almost there now by liberte@hypernews.org, 1996, Sep 05
(_ None: User data management by liberte@hypernews.org, 1996, Sep 05
(_ Question: Has there been any progress in this area? by xkahn@cybersites.com, 1997, Jun 11
(_ None: Question: Has there been any progress in this area? by liberte@hypernews.org, 1997, Jun 12
21 Warning: DUDE COOL by @lpcdept176.lib.depaul.edu, 1995, Oct 14
1 Open and Anonymous forums by Daniel LaLiberte, 1995, Oct 15
(_ None: ImGlobal by Harry, 2005, Feb 06
22 None: Securing get by Jon Tara, 1996, Feb 17
1 None: get is secured by liberte@hypernews.org, 1996, Feb 18
(_ Feedback: Here's how to do it for Netscape by jtara@stockclub.com, 1996, Feb 18
23 Idea: Groups and user permissions by joe@mit.edu, 1995, Jul 19
1 Feedback: Feature Coming very Soon by melo@cs.uiuc.edu, 1995, Jul 19
(_ I am posting a note here to put me on your list--is there a better way? by john.wells@bea.doc.gov, 1995, Jul 22
(_ Already done or in the works by liberte@hypernews.org, 1995, Jul 22
(_ more info needed on this by @198.76.170.19, 1995, Jul 22
1 a small question for later--the system does not pick up my email address by john.wells@bea.doc.gov, 1995, Jul 22
...
2 Oops, you have to be a member first by liberte@hypernews.org, 1995, Jul 22
...
24 Question: Why using .htaccess groups? by Ben Y. Yoshino, 1996, Jan 23
1 Feedback: Planning for the Future by liberte@hypernews.org, 1996, Jan 24
25 Support of Protected html files by Rob Lanzone, 1995, Jan 20
1 Probably not by liberte@hypernews.org, 1995, Jan 23
27 Question: Authentication of body text by Larry Mills-Gahl, 1995, Oct 28
28 Idea: HTTPD access design problem and possible workarounds by Ulrich Kroener - EIBA, 1996, Feb 26
1 Feedback: Authentication Tricks by liberte@hypernews.org, 1996, Feb 26
(_ Idea: Authentication via scripts only (?) by ulrich@eiba.com, 1996, Feb 27
(_ None: Script Directories to Parallel Document Directories by liberte@hypernews.org, 1996, Feb 27
2 Feedback: Script directory(s) to any document directory by ulrich@eiba.com, 1996, Feb 28
...
3 More: Approaches are not exclusive by ulrich@eiba.com, 1996, Feb 28
...
29 Question: How to log in as such & such user ? / interaction with netscape httpd by Guillaume Mallet, 1996, Feb 27
1 None: Rassling with Bugs by liberte@hypernews.org, 1996, Feb 27
(_ Ok: Thank you by guillaum@asap.unimelb.edu.au, 1996, Feb 27
30 Question: Per-Page Security Idea by Jeff Heinen, 1996, Mar 18
1 Agree: Good idea by liberte@hypernews.org, 1996, Mar 19
31 Warning: Is hnrc file visible as a document? by Daniel LaLiberte, 1996, Mar 21
32 Idea: Current per-page security plan by Daniel LaLiberte, 1996, Mar 21
33 None: ID security? by Russ Hunt, 1996, Mar 24
1 None: ID stays by liberte@hypernews.org, 1996, Mar 24
(_ None: Stopping the problem early by allenjk@frontiernet.net, 1996, Apr 15
(_ Feedback: No problem with non-unique userids by liberte@hypernews.org, 1996, Apr 15
(_ More: userids, mail addresses, and real people by hunt@StThomasU.ca, 1996, Apr 15
34 None: Distributed accounts? by Jay Allen, 1996, Apr 10
1 Idea: Or account servers? by liberte@hypernews.org, 1996, Apr 10
35 Question: Access control on a per-discussion basis? by penev@panarea.usc.edu, 1995, Aug 23
1 More: I would need it too... by alessio@lysator.liu.se, 1995, Sep 26
36 Question: base articles with different access rights by Marc Goossens, 1995, Oct 18
1 Feedback: this is in 1.9B4 - I want it too!! by fontenot@argiope.com, 1995, Oct 18
(_ 1.9b4 will not include per-article access by liberte@hypernews.org, 1995, Oct 18
1 Sad: when approximately? by marc@eiba.com, 1995, Oct 19
...
3 Closer? by joe@smartlink.net, 1995, Oct 31
...
37 Question: How do I configure HN such that I have base articles anyone can access by ulrich@eiba.com, 1995, Nov 16
1 Feedback: Not configurable yet by liberte@hypernews.org, 1995, Nov 16
38 Question: HyperNews over SSL Anyone?? by Randy Cosby, 1995, Dec 30
39 Question: Members Only Page ( and a few other things) by Jeff Heinen, 1996, Feb 14
1 Members-only should work now by liberte@hypernews.org, 1996, Feb 14
(_ Note: Let Me Clarify Myself by jeffh@ee.pdx.edu, 1996, Feb 14
1 Feedback: More to chew on by liberte@hypernews.org, 1996, Feb 15
...
2 .htgroupmembers bug by liberte@hypernews.org, 1996, Feb 15
...
3 Question: It works, but... by jeffh@ee.pdx.edu, 1996, Feb 15
...
40 Question: Authentication Question by tvd@ctron.com, 1996, May 15
1 Feedback: Authentic Answer by liberte@hypernews.org, 1996, May 24
41 Idea: Suggestion: FirsaAccess: and Lastaccess: in hnpeople by jtara@stockclub.com, 1996, May 13
1 Feedback: Possible but expensive by liberte@hypernews.org, 1996, May 30
(_ None: More on authenticating from hnpeople by jtara@stockclub.com, 1996, May 31
(_ None: Searching for people by liberte@hypernews.org, 1996, May 31
42 Idea: The need for simple authentification by Jean-Claude Wippler, 1996, Jun 23
1 None: Is it much simpler? by liberte@hypernews.org, 1996, Jul 01
43 Question: How to set up a secure HyperNews site? by Richard Nagel, 1995, Aug 01
1 Me too! by joeespo@ix.netcom.com, 1995, Aug 12
2 Feedback: I don't know , 1996, Jul 02
44 Question: Hypernews on server already using authentication by tvd@ctron.com, 1996, May 16
1 Feedback: Thats an interesting question.. by jeffh@ee.pdx.edu, 1996, May 20
45 Disagree: Testing (carefully) the security :-) by Ira Abramov, 1996, Aug 10
1 Warning: Per-forum security not available yet by liberte@hypernews.org, 1996, Aug 20
46 Question: Using our own user authentication and user IDs with HN by Eric Holstege, 1996, Aug 12
1 Feedback: Use external security by liberte@hypernews.org, 1996, Aug 20
47 Sad: secure READ messages (how to make?) by Carlos A. F. Brefe, 1996, Jul 22
48 Question: HyperNews 1.9.2 and Multiple Installations by Philipp Bachmann, 1996, Oct 25
1 None: Good question by liberte@hypernews.org, 1996, Oct 25
(_ Idea: Answer (for administrators of CERN / W3C httpd 3.0) by bachlipp@ruf.uni-freiburg.de, 1996, Oct 30
(_ None: Idea: Answer (for administrators of CERN / W3C httpd 3.0) by liberte@hypernews.org, 1996, Oct 30
49 Question: Apache server with Postgres95 authentication? by James Hughes, 1996, Nov 21
1 Idea: PostgreSQL authent ... even content by bgingery@gtcs.com, 1997, Apr 15
(_ More: Where to get it by Bruce Gingery, 1997, Apr 17
(_ None: pgPerl & friends by jamesh@interpath.com, 1997, Apr 17
50 Question: Limits to posting excessively *large* responses? by Leo Ramos, 1996, Dec 04
51 Question: Adding authname config option by Martin Huntley, 1996, Dec 27
1 Question: Good idea by liberte@hypernews.org, 1996, Dec 31
(_ None: Re: Question: Good idea by mhuntley@bbn.com, 1997, Jan 02
52 Question: Members can't post messages by Jay Littman, 1997, Jan 17
53 None: Duplicate authentication by Daniel LaLiberte , 1997, Feb 03
54 Question: Authorisation problems when using MS Internet Explorer 3.01 by Marcel Verrijdt, 1997, Feb 12
55 None: "Only members may read" in HyperNews 1.92 does not work by Daniel LaLiberte , 1997, Feb 14
56 Question: Subject: Sad: Problems with add message & Security Password by JOEYJOHNSTON@worldnet.att.net, 1997, May 03
57 Question: Two times of Authentification Required ? by Jo, 1997, May 21
1 Question: Similiar Problem. by widjaja@hso.astra.co.id, 1997, Oct 21
58 Question: Source Code/Pics by Trey, 1997, Oct 17
59 Question: Problem authenticating on admin functions by Rob Reuss, 1997, Nov 07
1 None: I have a similar problem but it occurs with Password Reset by hjessup@iname.com, 1998, Jun 22
60 Question: Limiting access to a directory? by Morten J., 1998, Jan 13
1 Feedback: RE: limiting access to a dir by taugi1@aol.com, 1998, Jul 16
61 Question: Using the UIUC CCSO NameServer with HyperNews by Jim Smith, 1998, Mar 17
62 Question: Easy way to prevent "open membership" ? by ITS Systems Group, 1998, Apr 13
1 None: External Security and turning off Members button by liberte@emancholl.pair.com, 1998, Apr 13
63 None: setup security group by pele@cereq.fr, 1998, Apr 29
64 None: Problems with $0 when setuid bit is set by Ryan Rempel, 1998, Jun 07
1 None: SCRIPT_FILENAME saves the day by liberte@emancholl.pair.com, 1998, Jun 07
65 Question: SSL and HyperNews by Raymond Beaupre, 1998, Jun 11
1 None: SSL should be transparent by liberte@emancholl.pair.com, 1998, Jun 11
2 None: Hmm...no but it can easily transformed to run in SSL mode , 1998, Jun 26
1 Feedback: Use of "https" should be transparent too by liberte@hypernews.org, 1998, Jun 26
66 Question: HyperNews Files by Raymond Beaupre, 1998, Jun 24
1 Feedback: html-auth.cgi won't help with HyperNews by liberte@hypernews.org, 1998, Jun 24
67 None: lock problems by jstudy@purdue.edu, 1998, Jul 30
1 None: workaround by jstudy@purdue.edu, 1998, Jul 30
68 None: setuid, Solaris, cgiwrap by Daniel LaLiberte, 1998, Jul 30
1 Idea: Another solution by rgrempel@magi.com, 1998, Sep 06
69 Question: Excluding an Email address from Membership by Don, 1998, Aug 15
70 Question: Creating groups and users by Ersin Basaran, 1998, Sep 23
1 None: Groups only supported via multiple installations by liberte@emancholl.pair.com, 1998, Sep 23
71 Question: Having problem with membership & groups by Shash Chatterjee, 1998, Sep 29
1 None: Bug in getMember - doesn't get from $hnGroup by liberte@emancholl.pair.com, 1998, Sep 30
72 Question: How do I give access to different memebers to different Forums by Kalpit Jain, 1998, Oct 06
1 None: All forums in one installation/configuration have same access by liberte@emancholl.pair.com, 1998, Oct 09
73 Question: Authorization problems using Internet Explorer by Monique de Moree, 1998, Nov 13
1 None: Authentication problem with redirects maybe? by liberte@emancholl.pair.com, 1998, Nov 15
74 Question: How is the cookie value generated? by John Paul Lorenti, 1998, Nov 18
1 Feedback: Relevant lines of source code by johnpaul@prometheus.barnard.columbia.edu, 1998, Nov 20
75 Question: Manual Security not working right for version 1.9.8.1 by Mark Ohrenschall, 1998, Nov 23
1 None: Adding message by non-admin broken by liberte@emancholl.pair.com, 1998, Nov 23
76 Question: Built-in Security Problem with Apache 1.3.1? by Mark Ohrenschall, 1998, Nov 24
1 None: No known problems with Apache 1.3.1 by liberte@emancholl.pair.com, 1998, Nov 24
77 Question: Two HyperNews Server authentication , 1998, Dec 09
1 None: No sharing across servers allowed by liberte@emancholl.pair.com, 1998, Dec 10
(_ Idea: public and private keys , 1998, Dec 17
78 Question: Why it doesn't generate a password? by Angie, 1999, Jan 13
79 Feedback: directories, authentication by D Robinson, 1999, Feb 03
80 Question: Anyone may register new members - no they can't! by Peter Westley, 1999, Mar 03
1 None: Problem: current members registering new members by liberte@hypernews.org, 1999, Mar 04
(_ More: Is there a patch for this? by peter_westley@hp.com, 1999, Mar 04
(_ None: No patch this time by liberte@hypernews.org, 1999, Mar 04
81 Question: Can't Inquire About Users and Can't Subscribe! by Mark MacGregor, 1999, Mar 09
1 None: Confusing instructions by liberte@hypernews.org, 1999, Mar 09
1 Question: How is "Inquire" Useful, Then? , 1999, Mar 10
... 1 Message(s)
2 Warning: My Head is About to Explode! , 1999, Mar 10
1 None: Software release value needed by liberte@hypernews.org, 1999, Mar 11
... 4 Message(s)
83 Warning: Only "Memebers may read" Option not Working by Chris Brougham, 1999, Mar 25
1 None: Is your HyperNews configured right? by liberte@hypernews.org, 1999, Mar 26
2 Sad: Doesn't work for me either by acraig@liv.ac.uk, 2000, Aug 18
84 Question: Integrating Hypernews in a system with its own security by Alejandro Escalante Medina, 1999, Apr 08
1 None: Some support exists for integration with external security mechanisms by liberte@hypernews.org, 1999, Apr 08
(_ Idea: Perhaps using multiple installations... by adinamo@df1.telmex.net.mx_, 1999, Apr 09
(_ None: Multiple installations + cookie translation by liberte@hypernews.org, 1999, Apr 11
(_ More: What I think I could do by adinamo@df1.telmex.net.mx, 1999, Apr 12
(_ None: What does Auth::Cookie provide? by liberte@hypernews.org, 1999, Apr 12
85 Sad: I can make ANYTHING!!!!! by Javier Alexandro Del Pino Coronel, 1999, Apr 10
1 None: Figure out who is causing the error and why by liberte@hypernews.org, 1999, Apr 11
86 None: Access control; HN future, etc. by Daniel LaLiberte, 1999, Apr 26
87 None: Re: Access control; HN future, etc. by Daniel LaLiberte, 1999, May 03
1 Feedback: Justifications for a wrapper script by magog@the-wire.com, 1999, May 03
(_ None: A wrapper sounds good by liberte@hypernews.org, 1999, May 04
88 Question: Hypernews Installation - Password is blank for HNMail by Steve Goldsby, 1999, May 07
1 Feedback: HNMail mixed up with your admin userid? by liberte@hypernews.org, 1999, May 07
89 Question: Why when I run setup-form.pl, the result of password is blank by juniar, 1999, Jun 04
90 Question: .htaccess and .htpasswd by JavierAlexandro Del Pino Coronel, 1999, Jun 07
92 Question: Two tier security by Jon, 1999, Jun 11
1 None: How about 1.5 tiers? by liberte@hypernews.org, 1999, Jun 11
93 Question: SECURED.... by Javier Alexandro Del Pino Coronel, 1999, Jul 01
1 None: Permission denied? by liberte@hypernews.org, 1999, Jul 01
94 Question: external auth. failure running edit-article,pl by Greg Kresko, 1999, Sep 08
1 None: external security needs default case by liberte@hypernews.org, 1999, Sep 10
95 Question: Problem with Netscape Enterprise Server and HyperNews security by Rafael Valcarcel, 1999, Sep 17
1 None: Netscape Enterprise Server may not be fully supported by liberte@hypernews.org, 1999, Sep 17
(_ None: Re: Netscape Enterprise Server may not be fully supported by valcarcel@caracas.geoquest.slb.com, 1999, Sep 20
96 Sad: Admin edit-member problem in multi-user installation by Jonathan Hartzog, 1999, Sep 21
1 More: oops ... account = group by jth@csun.edu, 1999, Sep 21
(_ Feedback: Group names live with User IDs by liberte@hypernews.org, 1999, Sep 21
97 Question: Can't add users by Dan Meigs, 1999, Nov 08
1 More: Tried change-member.pl by dmeigs@tlinenm.com, 1999, Nov 08
(_ None: Avoiding access control with edit-member.pl by liberte@hypernews.org, 1999, Nov 13
(_ Question: Thanks, but... by dmeigs@tlinenm.com, 1999, Nov 15
98 None: passwords - delete members by Giulio, 1999, Nov 19
1 None: Use the source by liberte@hypernews.org, 1999, Nov 23
99 Question: LDAP authentication and access control by Thibaut de Chauny, 2000, Jan 06
1 None: LDAP member info at least by liberte@hypernews.org, 2000, Jan 10
(_ Ok: Thanks, it does help by mcy@eurocontrol.fr, 2000, Jan 10
101 Question: Admin Pages show for members by John Constant, 2000, Jan 17
1 None: Pages are identical for all users, if possible by liberte@hypernews.org, 2000, Jan 17
1 Question: access control by certweb@us.ibm.com, 2000, Jan 19
2 More: more on access control by certweb@us.ibm.com, 2000, Jan 19
102 None: batch-add-member.pl by John Constant, 2000, Jan 19
1 None: batch-add-member.pl - works so far by liberte@hypernews.org, 2000, Jan 21
2 Question: doesn't work... by head_shok@yahoo.com, 2000, Feb 07
1 Sad: Same Problem by John Constant, 2000, Feb 07
... 1 Message(s)
2 None: i can't seem to figure out by adam, 2001, Sep 17
103 Question: How to decouple sever/HyperNews security? by Peter Soderquist, 2000, Feb 03
1 Feedback: New option needed to ignore REMOTE_USER by liberte@hypernews.org, 2000, Feb 04
(_ Sad: HyperNews now tries to authenticate multiple times by pgs@segsrv.hlo.dec.com, 2000, Feb 04
(_ None: Sounds like icons are authenticated by liberte@hypernews.org, 2000, Feb 21
104 Warning: Malicious scripting and HyperNews by Daniel LaLiberte, 2000, Feb 08
1 None: Some Thoughts on HTML Filtering by jhartzog@w00f.com, 2000, Feb 21
106 Question: Apache user authentication by iz@earthling.net, 2000, Apr 20
1 Note: "Logout" with server authentication by liberte@hypernews.org, 2000, Apr 20
107 Idea: userid of one character length by Kees Couprie, 2000, May 16
1 None: Only 62 single char IDs allowed by liberte@hypernews.org, 2000, May 16
(_ Ok: I meant single digit numbers. by K.Couprie@GenD.nl, 2000, May 17
108 Question: Security - passwords are send back to the user in plaintext by joe, 2000, Sep 19
1 None: plaintext passwords in email - it's a feature by Daniel LaLiberte, 2000, Sep 20
(_ Question: So... now that crypt operation is out ofthe way how do you add base articles? by E, 2000, Nov 30
109 Question: HyperNews Forum Access Control , 2000, Sep 28
1 None: Simple structured dialogs: Q&A by Daniel LaLiberte, 2000, Sep 28
110 Question: password problem by echarters@primus.ca, 2000, Nov 23
111 Question: Apache Problem. But Revelant. by E. Charters, 2000, Nov 22
1 Note: Ambiguities in Apache Bug Revisited by echarters@primus.ca, 2000, Nov 22
2 Feedback: Secretary of the Uninformed by E., 2000, Nov 26
112 None: forbidded error when making a topic by earnest, 2001, Nov 28
113 None: Hyper News Security download net HyperNews by warner, 2003, Sep 04
114 Sad: Apache-1.3.6 & Apache-1.3.9 with HyperNews-1.10 (HELP WANTED!!! URGENT!!!!!!!!) by Javier Alexandro Del Pino Coronel, 2000, Feb 29

Add to: "HyperNews Security"

Members Subscribe Admin Mode
Show Frames Help

Installation Topics:
  • Creating Base Articles, also called Forums.
  • Security Issues regarding HyperNews
  • Bidirectional E-mail gateway
    Google
     
    Web www.HyperNews.org