| 1 |
=head1 Fine grained operator privileges |
| 2 |
|
| 3 |
Terminology: |
| 4 |
|
| 5 |
=over |
| 6 |
|
| 7 |
=item IRCop |
| 8 |
|
| 9 |
user with user mode +o, usually obtained with /oper |
| 10 |
users whose operator status is indicated by a different user mode |
| 11 |
than +o, or whose user mode +o is not propagated to other servers, |
| 12 |
are not IRCops from ermyth's point of view |
| 13 |
|
| 14 |
=item operclass |
| 15 |
|
| 16 |
group of privileges defined in an operclass{} block in ermyth.conf |
| 17 |
|
| 18 |
=item config services operator |
| 19 |
|
| 20 |
user logged into an account named in an operator{} block in |
| 21 |
ermyth.conf |
| 22 |
|
| 23 |
=item services operator |
| 24 |
|
| 25 |
user logged into an account named in an operator{} block in |
| 26 |
ermyth.conf or an account granted privileges with /os soper |
| 27 |
|
| 28 |
=back |
| 29 |
|
| 30 |
Note that an account cannot have both an operator{} block and privileges |
| 31 |
granted with /os soper. If this happens, the privileges from /os soper |
| 32 |
will be discarded. |
| 33 |
|
| 34 |
A few privileges are granted independently of operclasses: |
| 35 |
|
| 36 |
=over |
| 37 |
|
| 38 |
=item To all IRCops and services operators (has_any_priv()): |
| 39 |
|
| 40 |
more detailed "not authorized" messages telling which priv they are |
| 41 |
missing, ability to use /os help |
| 42 |
|
| 43 |
=item To all config services operators: |
| 44 |
|
| 45 |
account does not expire (unlike HOLD, registered channels do); |
| 46 |
this is to avoid someone else registering the account and taking |
| 47 |
the privs |
| 48 |
|
| 49 |
=item To all services operators: |
| 50 |
|
| 51 |
operations like drop, sendpass and return are restricted |
| 52 |
|
| 53 |
=back |
| 54 |
|
| 55 |
All IRCops get the privileges in the "ircop" operclass. Services operators |
| 56 |
get the privileges in the operclass in their operator{} block or the |
| 57 |
operclass set with /os soper. However, if the operclass has the needoper |
| 58 |
flag set, privileges are only granted to IRC users if they are IRCops. If |
| 59 |
both conditions apply, the union of the privileges is granted. |
| 60 |
|
| 61 |
The OperServ SPECS command shows the privileges granted to an online user |
| 62 |
or operclass, in a somewhat wordy format. /stats o and SOPER LIST show all |
| 63 |
services operators. SOPER LISTCLASS shows all operclasses. |
| 64 |
|
| 65 |
Description of the privileges in operclasses: |
| 66 |
|
| 67 |
=over |
| 68 |
|
| 69 |
=item special:ircop |
| 70 |
|
| 71 |
bound to AC_IRCOP, if you still have modules using that |
| 72 |
|
| 73 |
=item user:auspex |
| 74 |
|
| 75 |
see the invisible about user registrations, |
| 76 |
ns/us info/list mainly |
| 77 |
also allows searching information about online users, |
| 78 |
os rnc/rmatch/rwatch |
| 79 |
|
| 80 |
=item user:admin |
| 81 |
|
| 82 |
administer users |
| 83 |
|
| 84 |
=item user:sendpass |
| 85 |
|
| 86 |
send user passwords to their email addresses |
| 87 |
|
| 88 |
=item user:vhost |
| 89 |
|
| 90 |
set vhosts |
| 91 |
|
| 92 |
=item user:fregister |
| 93 |
|
| 94 |
use /ns fregister (contrib module) to register accounts on behalf of |
| 95 |
someone else |
| 96 |
|
| 97 |
=item chan:auspex |
| 98 |
|
| 99 |
see the invisible about channels and channel registrations, |
| 100 |
cs info/list/flags, ns/us listchans, os compare mainly |
| 101 |
|
| 102 |
=item chan:admin |
| 103 |
|
| 104 |
administer channels |
| 105 |
|
| 106 |
=item chan:cmodes |
| 107 |
|
| 108 |
change oper-only cmodes in mode locks (but only on own channels) |
| 109 |
|
| 110 |
=item chan:joinstaffonly |
| 111 |
|
| 112 |
join channels set staffonly |
| 113 |
|
| 114 |
=item user:mark |
| 115 |
|
| 116 |
use ns/us/cs mark and override marks |
| 117 |
|
| 118 |
=item user:hold |
| 119 |
|
| 120 |
use ns/us/cs hold to prevent things from expiring |
| 121 |
|
| 122 |
=item user:regnolimit |
| 123 |
|
| 124 |
exempt from limits on numbers of registrations (does not work |
| 125 |
fully if set on the ircop operclass) |
| 126 |
|
| 127 |
=item general:auspex |
| 128 |
|
| 129 |
see general information about services: most privileged /stats, |
| 130 |
/trace, /os modinspect, /os modlist, /os uptime |
| 131 |
the idea is that this does not violate user privacy |
| 132 |
|
| 133 |
=item general:viewprivs |
| 134 |
|
| 135 |
see all operator{} blocks, see the privs users and operclasses have: |
| 136 |
/stats o, /os specs |
| 137 |
|
| 138 |
=item general:flood |
| 139 |
|
| 140 |
exempt from services flood control (general::flood* in ermyth.conf) |
| 141 |
|
| 142 |
=item general:metadata |
| 143 |
|
| 144 |
mess with private metadata (but only on own accounts and channels) |
| 145 |
|
| 146 |
=item general:admin |
| 147 |
|
| 148 |
restart/shutdown/rehash services, load modules, use raw/inject (if |
| 149 |
globally allowed in ermyth.conf), resetpass/sendpass on accounts |
| 150 |
with operator{} blocks |
| 151 |
|
| 152 |
|
| 153 |
=item operserv:omode |
| 154 |
|
| 155 |
use /os mode |
| 156 |
|
| 157 |
=item operserv:akill |
| 158 |
|
| 159 |
use /os akill and /stats k |
| 160 |
|
| 161 |
=item operserv:massakill |
| 162 |
|
| 163 |
do mass kills and akills on channels and regular expressions |
| 164 |
os clearchan/rakill/rwatch |
| 165 |
this also needs chan:admin or user:auspex depending on the command |
| 166 |
|
| 167 |
=item operserv:jupe |
| 168 |
|
| 169 |
use /os jupe |
| 170 |
|
| 171 |
=item operserv:noop |
| 172 |
|
| 173 |
use /os noop |
| 174 |
|
| 175 |
=item operserv:global |
| 176 |
|
| 177 |
send global notices |
| 178 |
|
| 179 |
=item operserv:grant |
| 180 |
|
| 181 |
use /os soper add/del |
