Policy:Proposals/3
Proposal #3 - Operator privilege sets
Written by culex
Oper privilege sets
===================

Ops team gets no special mention -- they're just server admins.
"dev" means developer of the respective codebase; so "dev" in the section for evo only means "developers of evo". "All devs" is used instead to refer to all developers with an O:line.

IRCd
----

All-caps privileges are privs that have no configuration file option; they must be granted through services instead.

## oper
* local = no; implies:
** whox = yes [This is only about LOGGING /whox, which we should always do]
** display = yes
** chan_limit = yes
** mode_lchan = yes [We should disable local channels anyway, nobody cares]
** deop_lchan = yes [see above]
** show_invis = yes
** show_all_invis = yes
** local_kill = yes
** local_gline = no [local bans make everything a bigger pain]
** see_chan = yes [*override* to no]
** list_chan = yes [*override* to no]
** wide_gline = yes [*override* to no]
** see_opers = yes
** local_opmode = yes [*override* to no; local channels should be disabled]
** force_local_opmode = yes [*override* to no; see above]
** kill = yes [even though it's just a pretty useless toy]
** opmode = yes [Fixing opless channels, etc.]

## support (global oper + support, not support oper, which is a services thing)
These are privileges required to help without joining all the time (which, given some entry hazards, can be quite annoying). This also has the additional effect that all opers will strive to get into support team for the extra privs and thus everyone gets better support.
[inherits from oper]
* see_chan = yes
* list_chan = yes
* unlimit_query = yes [removes all brakes in /who with the other privs above]

## server admin
[inherits from oper]
* admin = yes [allows /shedding, /whois, see bind IP in /stats p]
* set = yes [to be used at request of EB and infra only]
* rehash = yes
* die = yes
* restart = yes

## all devs
[inherits from oper]

## infra
[inherits from oper]
* remoterehash = yes
* jupe = yes
* local_jupe = yes

## EB
[inherits from admin + infra]
(special abilities granted by umode +N: unkillable by non-services, /shedding if not +a already)

## unused
* hide_oper [given by infra or EB on request if they have a valid reason why they want to use +H]
* gline [use evo instead, it's easier to track]
* shun [see above]
* zline, wide_zline, local_zline [glines are good enough]
* XTRA_OPER [after setting +X, allows overriding JOIN, KICK, KILL (even against +k users!), MODE -o (+k user here), PRIVMSG/NOTICE despite modes against sending being present; way too dangerous for no use scenario]
* CHANSERV [can set +k on self; too dangerous for no use scenario]
* badchan, local_badchan [use evo]

evo
---

Curly braces mean that I'm requesting a level change via modcmd; the levels in the reference list are the defaults. ADD* commands have their respective DEL* command not listed unless the level differs.

1000 is the max level, given to the first account. Apparently we have some more opers with level 1000, though. 1000 SHOULD denote "do not use" and 999 means EB-only.

Command -> OpServ level reference:
ACCESS 0
ADDALERT 800
ADDALERT NOTICE 800
ADDALERT [ACTION] 900
ADDBAD 800 [channels matching *word* get forbidden]
ADDBADCHAN 600 {901}
ADDEXEMPT 800 [channels to never consider forbidden for C]
ADDTRUST 800 [irrelevant, we use newserv for that in dn2]
BAN 100 {600} [can be done with opmode and +b anyway]
BLOCK 100 {600} [equivalent of qakill with optional duration]
CHANINFO 0 {700}
CLEARBANS 300 {600} [can be done with opmode, etc.]
CLEARMODES 400 {600} [opmode etc.]
CLONE 999 {1000}
COLLIDE 800 {900}
CSEARCH 100 {700}
DEHOP 100 {600}
DEHOPALL 400 {600}
DEOP 100 {600}
DEOPALL 400 {600}
DEVOICE 300 {600} [wtf is up with that default being higher?]
DEVOICEALL 300 {600}
DIE 999
DUMP 999 {1000}
EDITTRUST 800 [irrelevant, see ADDTRUST]
GAG 600 [services ignore]
GLINE 600
GSYNC 600
GTRACE 100
HOP 100 {600}
HOPALL 100 {600}
INVITE 100 {700}
INVITEME 100 {999} [invites to the debug channel, not sure if used]
JOIN 601 {900}
JUMP 900
JUPE 900 {800}
KICK 100 {600} [could be done with opmode + /kick anyway]
FORCEKICK 900
KICKALL 400 {600}
KICKBAN 100 {600}
KICKBANALL 450 {600}
LOG 900 {400}
MODE 100 {600}
OP 100 {600}
OPALL 400 {600}
PART 601 {900}
QUERY 0 [gets config value] {100}
RAW 999 {1000}
RECONNECT 900
REFRESHG 600
REFRESHS 600
REHASH 900
REOPEN 900
RESERVE 800 {999}
RESTART 900
SBLOCK 100 [qakill/BLOCK with SHUN] {600}
SET 900
SETTIME 901 {999}
SHUN 600
SSYNC 600
STATS [STAT] 0
STRACE 100
SVSJOIN 999
SVSNICK 999
TRACE 100 {600}
TRACE GLINE 600
TRACE GAG 600
TRACE KILL 600
UNBAN 100 {600}
VOICE 300 {600}
VOICEALL 300 {600}
WARN 800 [adds join/part spam checker, I think] {600}
WHOIS 0 {700 due to showing +s channels}

C + OpServ levels:
CREATENOTE/REMOVENOTE 800 {600}

* oper, admin, all devs: 600
* support: 700
* infra: 800
* dev: 900
* EB: 999

Newserv NOperserv
-----------------

The flags on NOperserv are quite imprecise, lots of stuff assigned to +o. I'll probably need to sort this out and fix the distribution.
Flags:
s -> staff (< oper)
o -> oper
t -> access to trust modification functions
S -> security team (we have none though) +S affects
d -> newserv developer
Y -> relay bot
(O -> opered up)
(A -> has account on NOperserv, even if no flags)
(X -> anyone at all)

Command reference (only for modules I think MAY use):
s -> splitlist
o -> channel, lsmod, chanopstat, chanoplist, chanfix, showregs, chansearch, chanstats, channelhistogram, userhistogram, clonehistogram, chanhistogram, kill, kick, spewchan, spew, compare, broadcast, obroadcast, mbroadcast, sbroadcast, cbroadcast, deluser, fakeuser, fakelist, fakekill, nickwatch, listnumerics, patrol{join,part,list}, regexgline and related, serverlist, the trust stuff
t -> (empty, what the fuck)
S -> (empty)
d -> status, relink, die, insmod, rmmod, rehash, reload, cfdebug, cfhistogram, cfsample, cfexpire, cfsave, cfload, chanprofiles, expirecheck, inslua, rmlua, reloadlua, chanstatssave, lslua, forcegc, dumptree, usercount, settime
Y -> (empty, we use none of the modules that make use of it)
O -> whois, listusers, hello, splitdel
A -> showcommands, userflags, noticeflags
X -> help

* oper, admin, all devs: +ots
* dev: +otsd
* EB: +otsSd
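
The level scheme in the evo section can be checked mechanically. The following is an added example, not part of the original proposal or of evo's code: it parses rows in the page's `COMMAND default {requested} [note]` notation and lists which commands each role gains, assuming an account may run a command when its level is at least the command's level. The function names and the choice of sample rows are constructed for illustration.

```python
import re

# Constructed sample: rows copied from this page's evo reference list.
SAMPLE = """\
ADDALERT [ACTION] 900
ADDBADCHAN 600 {901}
BLOCK 100 {600} [equivalent of qakill with optional duration]
CLONE 999 {1000}
JUPE 900 {800}
QUERY 0 [gets config value] {100}
TRACE GLINE 600
WHOIS 0 {700 due to showing +s channels}
"""

# Role levels proposed on the page.
ROLE_LEVELS = {"oper": 600, "support": 700, "infra": 800, "dev": 900, "EB": 999}
# A command name may span several words and carry a bracketed sub-argument.
ROW = re.compile(r"^([A-Z]+(?: \[?[A-Z]+\]?)*) (\d+)(.*)$")
REQUESTED = re.compile(r"\{(\d+)")  # "{700 due to ...}" still yields 700

def parse_levels(text):
    """Return {command: (default, effective)}; a {requested} level wins."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank or free-text line
        default = int(m.group(2))
        req = REQUESTED.search(m.group(3))
        table[m.group(1)] = (default, int(req.group(1)) if req else default)
    return table

def gained(table):
    """Commands each role adds over the role below it."""
    # Assumption: a command is usable when account level >= command level.
    out, floor = {}, -1
    for role, level in sorted(ROLE_LEVELS.items(), key=lambda kv: kv[1]):
        out[role] = sorted(c for c, (_, e) in table.items() if floor < e <= level)
        floor = level
    out["unreachable"] = sorted(c for c, (_, e) in table.items() if e > floor)
    return out

def lowered(table):
    """Commands whose requested level is below the default."""
    return sorted(c for c, (d, e) in table.items() if e < d)

if __name__ == "__main__":
    for who, cmds in gained(parse_levels(SAMPLE)).items():
        print(f"{who:12}{', '.join(cmds)}")
```

Feeding it the full reference list shows at a glance which requested changes loosen a default (the `lowered` output) and which commands end up above every role's level.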