Policy:Proposals/3
Proposal #3 - Operator privilege sets
Written by culex
Oper privilege sets
===================
Ops team gets no special mention -- they're just server admins.
"dev" means developer of the respective codebase; so "dev" in the section for
evo only means "developers of evo". "All devs" is used instead to refer to all
developers with an O:line.
IRCd
----
All-caps privileges are privs that have no configuration file option; they must
be granted through services instead.
## oper
* local = no; implies:
** whox = yes [This is only about LOGGING /whox, which we should always do]
** display = yes
** chan_limit = yes
** mode_lchan = yes [We should disable local channels anyway, nobody cares]
** deop_lchan = yes [see above]
** show_invis = yes
** show_all_invis = yes
** local_kill = yes
** local_gline = no [local bans make everything a bigger pain]
** see_chan = yes [*override* to no]
** list_chan = yes [*override* to no]
** wide_gline = yes [*override* to no]
** see_opers = yes
** local_opmode = yes [*override* to no; local channels should be disabled]
** force_local_opmode = yes [*override* to no; see above]
** kill = yes [even though it's just a pretty useless toy]
** opmode = yes [Fixing opless channels, etc.]
## support (global oper + support, not support oper, which is a services thing)
These are privileges required to help without joining all the time (which,
given some entry hazards, can be quite annoying). This also has the additional
effect that all opers will strive to get into the support team for the extra
privs, and thus everyone gets better support.
[inherits from oper]
* see_chan = yes
* list_chan = yes
* unlimit_query = yes [removes all brakes in /who with the other privs above]
## server admin
[inherits from oper]
* admin = yes [allows /shedding, /whois, see bind IP in /stats p]
* set = yes [to be used at request of EB and infra only]
* rehash = yes
* die = yes
* restart = yes
## all devs
[inherits from oper]
## infra
[inherits from oper]
* remoterehash = yes
* jupe = yes
* local_jupe = yes
## EB
[inherits from admin + infra]
(special abilities granted by umode +N: unkillable by non-services, /shedding
if not +a already)
## unused
* hide_oper [given by infra or EB on request if they have a valid reason why
they want to use +H]
* gline [use evo instead, it's easier to track]
* shun [see above]
* zline, wide_zline, local_zline [glines are good enough]
* XTRA_OPER [after setting +X, allows overriding JOIN, KICK, KILL (even against
+k users!), MODE -o (+k user here), PRIVMSG/NOTICE despite modes against
sending being present; way too dangerous, with no use scenario]
* CHANSERV [can set +k on self; too dangerous, with no use scenario]
* badchan, local_badchan [use evo]
evo
---
Curly braces mean that I'm requesting a level change via modcmd; the levels in
the reference list are the defaults.
ADD* commands do not have their respective DEL* command listed unless the level
differs.
1000 is the max level, given to the first account. Apparently we have some more
opers with level 1000, though. 1000 SHOULD denote "do not use" and 999 means
EB-only.
Command -> OpServ level reference:
ACCESS 0
ADDALERT 800
ADDALERT NOTICE 800
ADDALERT [ACTION] 900
ADDBAD 800 [channels matching *word* get forbidden]
ADDBADCHAN 600 {901}
ADDEXEMPT 800 [channels to never consider forbidden for C]
ADDTRUST 800 [irrelevant, we use newserv for that in dn2]
BAN 100 {600} [can be done with opmode and +b anyway]
BLOCK 100 {600} [equivalent of qakill with optional duration]
CHANINFO 0 {700}
CLEARBANS 300 {600} [can be done with opmode, etc.]
CLEARMODES 400 {600} [opmode etc.]
CLONE 999 {1000}
COLLIDE 800 {900}
CSEARCH 100 {700}
DEHOP 100 {600}
DEHOPALL 400 {600}
DEOP 100 {600}
DEOPALL 400 {600}
DEVOICE 300 {600} [wtf is up with that default being higher?]
DEVOICEALL 300 {600}
DIE 999
DUMP 999 {1000}
EDITTRUST 800 [irrelevant, see ADDTRUST]
GAG 600 [services ignore]
GLINE 600
GSYNC 600
GTRACE 100
HOP 100 {600}
HOPALL 100 {600}
INVITE 100 {700}
INVITEME 100 {999} [invites to the debug channel, not sure if used]
JOIN 601 {900}
JUMP 900
JUPE 900 {800}
KICK 100 {600} [could be done with opmode + /kick anyway]
FORCEKICK 900
KICKALL 400 {600}
KICKBAN 100 {600}
KICKBANALL 450 {600}
LOG 900 {400}
MODE 100 {600}
OP 100 {600}
OPALL 400 {600}
PART 601 {900}
QUERY 0 [gets config value] {100}
RAW 999 {1000}
RECONNECT 900
REFRESHG 600
REFRESHS 600
REHASH 900
REOPEN 900
RESERVE 800 {999}
RESTART 900
SBLOCK 100 [qakill/BLOCK with SHUN] {600}
SET 900
SETTIME 901 {999}
SHUN 600
SSYNC 600
STATS [STAT] 0
STRACE 100
SVSJOIN 999
SVSNICK 999
TRACE 100 {600}
TRACE GLINE 600
TRACE GAG 600
TRACE KILL 600
UNBAN 100 {600}
VOICE 300 {600}
VOICEALL 300 {600}
WARN 800 [adds join/part spam checker, I think] {600}
WHOIS 0 {700 due to showing +s channels}
C + OpServ levels:
CREATENOTE/REMOVENOTE 800 {600}
* oper, admin, all devs: 600
* support: 700
* infra: 800
* dev: 900
* EB: 999
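A least-privilege check over the reference list above, as an added example (not code from evo or from the proposal's author): it parses lines in the page's own notation, applies the `{requested}` level where one is given, and reports which commands each role level reaches and which requests lower a command's default. The function names, the choice of excerpt lines, and the rule that a role may run any command at or below its own level are assumptions of this example.

```python
import re

# Excerpt of the reference list above, selected for this example.
SAMPLE = """\
ADDALERT [ACTION] 900
BAN 100 {600} [can be done with opmode and +b anyway]
CHANINFO 0 {700}
CLONE 999 {1000}
JUPE 900 {800}
LOG 900 {400}
QUERY 0 [gets config value] {100}
TRACE GLINE 600
WARN 800 [adds join/part spam checker, I think] {600}
WHOIS 0 {700 due to showing +s channels}
"""
# Role levels proposed on the page.
ROLES = {"oper": 600, "support": 700, "infra": 800, "dev": 900, "EB": 999}
# COMMAND [SUBCOMMAND] [[VARIANT]] default-level, then free text.
LINE = re.compile(r"^(?P<name>[A-Z]+(?: [A-Z]+)*(?: \[[A-Z]+\])?) (?P<default>\d+)\b(?P<rest>.*)$")

def parse(text):
    """Return {command: (default_level, requested_level_or_None)}."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a "COMMAND level" line
        # The {level} request may come before or after a [comment].
        req = re.search(r"\{(\d+)", m["rest"])
        table[m["name"]] = (int(m["default"]), int(req.group(1)) if req else None)
    return table

def effective(table):
    """Level in force once every requested change is applied."""
    return {c: (r if r is not None else d) for c, (d, r) in table.items()}

def reachable(levels, role_level):
    """Assumption: a role may run a command when its level >= the command's."""
    return sorted(c for c, lvl in levels.items() if role_level >= lvl)

def loosened(table):
    """Requests that lower a level; these widen access and deserve review."""
    return {c: (d, r) for c, (d, r) in table.items() if r is not None and r < d}

if __name__ == "__main__":
    table = parse(SAMPLE)
    for role, lvl in ROLES.items():
        print(f"{role:8}{lvl:5} -> {', '.join(reachable(effective(table), lvl))}")
    print("lowered by request:", loosened(table))
```

Running it over the full reference list instead of the excerpt gives the complete per-role command set to review before the modcmd changes are applied.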
Newserv NOperserv
-----------------
The flags on NOperserv are quite imprecise, with lots of stuff assigned to +o.
I'll probably need to sort this out and fix the distribution.
Flags:
s -> staff (< oper)
o -> oper
t -> access to trust modification functions
S -> security team (we have none though)
+S affects
d -> newserv developer
Y -> relay bot
(O -> opered up)
(A -> has account on NOperserv, even if no flags)
(X -> anyone at all)
Command reference (only for modules I think MAY use):
s -> splitlist
o -> channel, lsmod, chanopstat, chanoplist, chanfix, showregs, chansearch,
chanstats, channelhistogram, userhistogram, clonehistogram, chanhistogram,
kill, kick, spewchan, spew, compare, broadcast, obroadcast, mbroadcast,
sbroadcast, cbroadcast, deluser, fakeuser, fakelist, fakekill, nickwatch,
listnumerics, patrol{join,part,list}, regexgline and related, serverlist,
the trust stuff
t -> (empty, what the fuck)
S -> (empty)
d -> status, relink, die, insmod, rmmod, rehash, reload, cfdebug, cfhistogram,
cfsample, cfexpire, cfsave, cfload, chanprofiles, expirecheck, inslua,
rmlua, reloadlua, chanstatssave, lslua, forcegc, dumptree, usercount,
settime
Y -> (empty, we use none of the modules that make use of it)
O -> whois, listusers, hello, splitdel
A -> showcommands, userflags, noticeflags
X -> help
* oper, admin, all devs: +ots
* dev: +otsd
* EB: +otsSd
