=head1 Fine grained operator privileges

Terminology:

=over

=item IRCop

user with user mode +o, usually obtained with /oper.
Users whose operator status is indicated by a different user mode
than +o, or whose user mode +o is not propagated to other servers,
are not IRCops from ermyth's point of view.

=item operclass

group of privileges defined in an operclass{} block in ermyth.conf

=item config services operator

user logged into an account named in an operator{} block in
ermyth.conf

=item services operator

user logged into an account named in an operator{} block in
ermyth.conf or an account granted privileges with /os soper

=back

Note that an account cannot have both an operator{} block and privileges
granted with /os soper. If this happens, the privileges from /os soper
will be discarded.

A few privileges are granted independently of operclasses:

=over

=item To all IRCops and services operators (has_any_priv()):

more detailed "not authorized" messages telling which priv they are
missing, ability to use /os help

=item To all config services operators:

account does not expire (unlike with HOLD, registered channels still do);
this is to avoid someone else registering the account and taking
the privs

=item To all services operators:

operations like drop, sendpass and return are restricted

=back

All IRCops get the privileges in the "ircop" operclass. Services operators
get the privileges in the operclass in their operator{} block or the
operclass set with /os soper. However, if the operclass has the needoper
flag set, privileges are only granted to IRC users if they are IRCops. If
a user is both an IRCop and a services operator, the union of the
privileges is granted.

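The resolution rule in the paragraph above, modelled as an added example (not ermyth's own code). The bit flags, struct layouts, function names and the "helper" and "root" classes are hypothetical; only the "ircop" class name, the needoper flag and the privilege names come from this page.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical bit flags standing in for a few privilege names from this page. */
enum {
    PRIV_SPECIAL_IRCOP  = 1u << 0, /* special:ircop */
    PRIV_USER_AUSPEX    = 1u << 1, /* user:auspex */
    PRIV_USER_ADMIN     = 1u << 2, /* user:admin */
    PRIV_OPERSERV_AKILL = 1u << 3, /* operserv:akill */
    PRIV_GENERAL_ADMIN  = 1u << 4  /* general:admin */
};

struct operclass { const char *name; unsigned privs; bool needoper; };
struct user {
    bool is_ircop;                 /* propagated user mode +o */
    const struct operclass *soper; /* class from operator{} or /os soper, NULL if none */
};

/* Constructed sample classes; only the name "ircop" comes from the page. */
static const struct operclass CLASS_IRCOP  = { "ircop",  PRIV_SPECIAL_IRCOP | PRIV_USER_AUSPEX, false };
static const struct operclass CLASS_HELPER = { "helper", PRIV_USER_ADMIN, false };
static const struct operclass CLASS_ROOT   = { "root",   PRIV_GENERAL_ADMIN | PRIV_OPERSERV_AKILL, true };

/* IRCops get the "ircop" class; services operators get their own class, but a
 * needoper class counts only while the user is also an IRCop. Both: union. */
unsigned effective_privs(const struct user *u)
{
    unsigned privs = 0;
    if (u->is_ircop)
        privs |= CLASS_IRCOP.privs;
    if (u->soper != NULL && (!u->soper->needoper || u->is_ircop))
        privs |= u->soper->privs;
    return privs;
}

unsigned privs_for(bool is_ircop, const struct operclass *soper)
{
    struct user u = { is_ircop, soper };
    return effective_privs(&u);
}

int main(void)
{
    printf("ircop only:    0x%02x\n", privs_for(true, NULL));
    printf("helper, no +o: 0x%02x\n", privs_for(false, &CLASS_HELPER));
    printf("root, no +o:   0x%02x\n", privs_for(false, &CLASS_ROOT));
    printf("root, with +o: 0x%02x\n", privs_for(true, &CLASS_ROOT));
    return 0;
}
```

The third case is the one needoper exists for: a services account with a needoper class yields no class privileges when its holder is not an IRCop on the network.
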
The OperServ SPECS command shows the privileges granted to an online user
or operclass, in a somewhat wordy format. /stats o and SOPER LIST show all
services operators. SOPER LISTCLASS shows all operclasses.

Description of the privileges in operclasses:

=over

=item special:ircop

bound to AC_IRCOP, if you still have modules using that

=item user:auspex

see the invisible about user registrations,
mainly ns/us info/list;
also allows searching information about online users:
os rnc/rmatch/rwatch

=item user:admin

administer users

=item user:sendpass

send user passwords to their email addresses

=item user:vhost

set vhosts

=item user:fregister

use /ns fregister (contrib module) to register accounts on behalf of
someone else

=item chan:auspex

see the invisible about channels and channel registrations,
mainly cs info/list/flags, ns/us listchans, os compare

=item chan:admin

administer channels

=item chan:cmodes

change oper-only cmodes in mode locks (but only on own channels)

=item chan:joinstaffonly

join channels set staffonly

=item user:mark

use ns/us/cs mark and override marks

=item user:hold

use ns/us/cs hold to prevent things from expiring

=item user:regnolimit

exempt from limits on numbers of registrations (does not work
fully if set on the ircop operclass)

=item general:auspex

see general information about services: most privileged /stats,
/trace, /os modinspect, /os modlist, /os uptime;
the idea is that this does not violate user privacy

=item general:viewprivs

see all operator{} blocks, see the privs users and operclasses have:
/stats o, /os specs

=item general:flood

exempt from services flood control (general::flood* in ermyth.conf)

=item general:metadata

mess with private metadata (but only on own accounts and channels)

=item general:admin

restart/shutdown/rehash services, load modules, use raw/inject (if
globally allowed in ermyth.conf), resetpass/sendpass on accounts
with operator{} blocks

=item operserv:omode

use /os mode

=item operserv:akill

use /os akill and /stats k

=item operserv:massakill

do mass kills and akills on channels and regular expressions:
os clearchan/rakill/rwatch;
this also needs chan:admin or user:auspex depending on the command

=item operserv:jupe

use /os jupe

=item operserv:noop

use /os noop

=item operserv:global

send global notices

=item operserv:grant

use /os soper add/del