Operclass permissions


This page shows the permissions that can be used in the Operclass block (in operclass::permissions, the new name since UnrealIRCd 4.2.1). Refer to that article for more information.

Categories

Since UnrealIRCd 4.2.1 permissions are carefully grouped in the following categories:

| Permission category | Description | Example commands and actions that are affected |
|---|---|---|
| chat | IRCOp chatting functions (communication) | GLOBOPS, LOCOPS, WALLOPS, local and global notices |
| client | Commands that affect other clients | client:see: USERIP, TRACE; client:set: CHGIDENT, CHGHOST, CHGNAME |
| immune | Server settings that the IRCOp is immune to | Jointhrottle, flooding, banned nicks, spamfilter, .. |
| kill | The ability to kill users | KILL |
| channel | Channel information and settings that the IRCOp can view or override/bypass, including OperOverride. | channel:see: Seeing secret channels in /LIST and /WHOIS, allowing /WHO while not in channel, ..; channel:override: Kicking, mode changing etc. when not having chanops (+o) |
| route | Managing routing | SQUIT, CONNECT |
| sacmd | The SAxxxx commands. | SAJOIN, SAPART, SAMODE |
| self | Options that an IRCOp can set on itself | SETHOST, SETIDENT, receive bad DCCs, set special IRCOp user modes |
| server | Managing or viewing server settings | Rehash, restart, tsctl, .. |
| server-ban | Managing server bans (tkl) | KLINE, GLINE, ZLINE, SPAMFILTER |
| services | Services-specific restrictions to bypass | Currently only servicebots killing or deoping (eg: -o ChanServ) |

Detailed permissions

Below is the explanation of all the permissions that are available in UnrealIRCd.

In the table, to the left of each item, there are the letters L G A S N which show you whether the privilege is included in the operclass.default.conf operclasses: Locop, Globop, Admin, Services-admin and Netadmin.

chat

IRCOp chatting functions (communication)

L G A S N Name Description
L G A S N chat:globops Can use /GLOBOPS to chat with other IRCOps.
L G A S N chat:locops Can use /LOCOPS to chat with other IRCOps.
L G A S N chat:notice:global Can send notices to all global users, with /NOTICE $* Message
L G A S N chat:notice:local Can send notices to all local users, with /NOTICE $servername Message
L G A S N chat:wallops Can send notices to wallops, via /WALLOPS

client

Commands that affect other clients (see also banning and killing, which are separate categories).

L G A S N Name Description
L G A S N client:see:ip Can use the /USERIP command.
L G A S N client:see:trace Can use /TRACE.
L G A S N client:see:trace:global Can use /TRACE globally.
L G A S N client:see:trace:invisible-users Show invisible users in /TRACE.
L G A S N client:see:trace:local Can use /TRACE locally.
G A S N client:set:host Can use /CHGHOST to change the host of a user.
G A S N client:set:ident Can use /CHGIDENT to change the ident of a user.
G A S N client:set:reputation Can use /REPUTATION nick|ip value to change the reputation of a user or a user's IP.
G A S N client:set:name Can use /CHGNAME to change the realname (gecos) of a user.
G A S N client:override:message:regonlymsg Can bypass user mode +R (only receive messages from registered users)
G A S N client:override:message:secureonlymsg Can bypass user mode +Z (only receive messages from SSL/TLS users)

immune

Server settings and restrictions that the IRCOp is immune to (can bypass). Note that all channel policy settings are under channel instead.

L G A S N Name Description
L G A S N immune:anti-spam-quit-message-time Bypass set::anti-spam-quit-message-time.
L G A S N immune:away-flood Bypass set::anti-flood::away-flood.
L G A S N immune:join-flood Bypass set::anti-flood::join-flood.
L G A S N immune:lag Disable fake lag so the user can send commands (flood) at full speed.
L G A S N immune:max-concurrent-conversations Bypass set::anti-flood::max-concurrent-conversations.
L G A S N immune:maxchannelsperuser Bypass set::maxchannelsperuser.
L G A S N immune:nick-flood Bypass set::anti-flood::nick-flood.
L G A S N immune:restrict-extendedbans Bypass set::restrict-extendedbans.
L G A S N immune:restrict-usermodes Bypass set::restrict-usermodes
L G A S N immune:server-ban:ban-nick Bypass banned nicks (qlines).
L G A S N immune:server-ban:ban-realname Bypass realname bans
L G A S N immune:server-ban:deny-channel Bypass deny channel restrictions.
L G A S N immune:server-ban:shun /SHUN is not effective on this user.
L G A S N immune:server-ban:spamfilter Spamfilter will not affect this user.
L G A S N immune:server-ban:viruschan The 'viruschan' action restrictions are not imposed on this user.
L G A S N immune:target-flood set::anti-flood::everyone::target-flood limits do not apply to this user.

kill

This group grants the ability to kill users.

L G A S N Name Description
L G A S N kill:global Permits using /KILL on global users.
L G A S N kill:local Permits using /KILL on local users.

channel

Information and settings regarding channels that the IRCOp can bypass/override. There's also a specific sub-section channel:see that only affects bypassing "viewing restrictions" (such as seeing secret channels).

NOTE: Items in the LGASN rows marked with an asterisk (*) are granted only to globop-with-override, admin-with-override, etc. and not to the oper classes without the -with-override suffix. See OperOverride for more information.

L G A S N Name Description
G* A* S* N* channel:operonly:ban For +O (oper only) channels, if you are also banned (+b) then you need this privilege to bypass the ban.
G* A* S* N* channel:operonly:join Allows you to join channels that are +O (Oper only)
G* A* S* N* channel:operonly:set Allows you to set channel mode +O (Oper only)
G* A* S* N* channel:operonly:topic Allows you to modify the topic on a +O (Oper only) channel
G* A* S* N* channel:override:banpartmsg Show /PART message, even when banned in the channel.
L G A S N channel:override:flood Bypass channel mode +f flood protection.
G* A* S* N* channel:override:invite:self Allow the user to /INVITE him/herself to the channel. This is called OperOverride and will make it so the IRCOp can bypass any channel restrictions (eg: +k and +i).
G* A* S* N* channel:override:invite:invite-only Allow /INVITE if the channel is +i (invite only) and you are not a channel operator.
G* A* S* N* channel:override:invite:noinvite Allow /INVITE even if channel mode +V (no invite) is set.
G* A* S* N* channel:override:invite:notinchannel Allow /INVITE even if you're not in the channel.
G* A* S* N* channel:override:kick:nokick Allow /KICK to kick users, even if channel mode +Q (no kick allowed) is set.
G* A* S* N* channel:override:kick:no-ops Allow /KICK to kick users, even if not having channel operator privileges.
G* A* S* N* channel:override:kick:owner Allows using /KICK on users who have channel mode +q (channel owner) set.
G* A* S* N* channel:override:message:ban Allows talking in the channel, even if banned.
G* A* S* N* channel:override:message:moderated Allows talking in the channel, even if the channel is +m and you have no +vhoaq.
G* A* S* N* channel:override:message:prefix Allows sending messages to prefixes (eg: /NOTICE @#chan Hey ops!) even if you don't have channel operator privileges.
G* A* S* N* channel:override:message:regonlyspeak Allows talking in the channel, even if the channel is set to +M and you are not registered.
G* A* S* N* channel:override:mlock Allows you to bypass MLOCK mode restrictions when Services are down.
G* A* S* N* channel:override:mode Allows you to set channel modes using /MODE, even if you don't have channel operator privileges.
G* A* S* N* channel:override:mode:del Same, but you can only delete modes.
G* A* S* N* channel:override:mode:extban Allows you to bypass extended ban restrictions.
G* A* S* N* channel:override:privsecret A very odd feature. Don't ask.
G* A* S* N* channel:override:secureonly Allows you to join a +z channel (secure only), even if you are not connected through SSL/TLS.
G* A* S* N* channel:override:topic Allows you to set the topic using /TOPIC, even if you normally would have no permission to.
G A S N channel:see:list:secret Allows you to see secret channels in /LIST.
G A S N channel:see:names:invisible Allows you to see all users in /NAMES.
G A S N channel:see:names:secret Allows you to use /NAMES on secret channels (+s).
G A S N channel:see:mode:remote Allows you to view the full mode (with parameters) without being in the channel (/MODE #channel).
G A S N channel:see:mode:remotebanlist Allows you to view the banlist without being in the channel (/MODE #channel b).
G A S N channel:see:mode:remoteinvexlist Allows you to view the ban exception and the invite exception list without being in the channel (eg: /MODE #channel I).
G A S N channel:see:mode:remoteownerlist Allows you to view the list of channel owners/admins without being in the channel (eg: /MODE #channel q).
G A S N channel:see:topic Allows you to see the topic (via /TOPIC #chan) of a channel without being in the channel.
G A S N channel:see:whois Show information in /WHOIS that is normally hidden. Eg: secret channels.
G A S N channel:see:who:onchannel Show information in /WHO that is otherwise not shown (user in channel you are not a member of).
G A S N channel:see:who:secret Show information in /WHO that is otherwise not shown (user in +s channel).

route

Routing commands, to disconnect and connect servers (server linking).

L G A S N Name Description
G A S N route:global Can use /CONNECT and /SQUIT to route server links.
L G A S N route:local Can use /CONNECT and /SQUIT to route server links. Only on the locally connected server.

sacmd

These commands bypass channel restrictions. Also, 2 out of 3 force an action on a user.

L G A S N Name Description
L G A S N sacmd:sajoin Permits the use of the /SAJOIN command. This forces a user to join a channel, bypassing any channel restrictions.
L G A S N sacmd:samode Permits the use of the /SAMODE command to set any channel modes you desire. The MODE is shown as if it came from the server, instead of you.
L G A S N sacmd:sapart Permits the use of the /SAPART command. This forces a user to part from a channel, bypassing any channel restrictions.

self

Options that an IRCOp can set on itself.

NOTE: Items in the LGASN rows marked with an asterisk (*) are granted only to globop-with-override, admin-with-override, etc. and not to the oper classes without the -with-override suffix. See OperOverride for more information.

L G A S N Name Description
L G A S N self:getbaddcc Can receive(!) DCCs that are on the blacklist.
L G A S N self:opermodes May set "oper only" IRC modes
L* G* A* S* N* self:unkickablemode Can set the +q user mode (you cannot be kicked by others from channels)
L G A S N self:set:host May use /SETHOST to change own visible hostname.
L G A S N self:set:ident May use /SETIDENT to change own ident.

server

This category is for viewing and managing server settings.

L G A S N Name Description
A S N server:addmotd Allow /ADDMOTD to add a line to the Message of the Day file.
A S N server:addomotd Allow /ADDOMOTD to add a line to the IRCOP version of the Message of the Day file.
L G A S N server:close Allow the /CLOSE command, to close pending server connections.
A S N server:description Allow the /SDESC command, to set the server description.
server:die Allow the use of the /DIE command. This will terminate the IRC server. Granting this privilege is not recommended.

L G A S N server:dns Allow the /DNS command to view status and reinitialize the DNS Resolver.
L G A S N server:info:lag Permit the /LAG command, to see server to server link lag.
L G A S N server:info:lusers See some additional oper-only information in /LUSERS. Only relevant if set::options::flat-map is enabled.
L G A S N server:info:stats See oper only server statistics with /STATS
L G A S N server:info:map:real-map See the "real" server map. Only relevant if set::options::flat-map is enabled.
L G A S N server:info:map:ulines See u-lined servers. Only relevant if set::options::hide-ulines is enabled (this is usually the case).
L G A S N server:module Allows seeing additional oper-only module information in /MODULE.
L G A S N server:opermotd Can execute the /OPERMOTD command to see the IRCOp Message of the Day.
L G A S N server:rehash Can use /REHASH to rehash the IRCd.
G A S N server:remote Allows sending some commands to remote servers (not very useful): /INFO, /DALINFO, /LICENSE and /CREDITS.
server:restart Allow the use of the /RESTART command. This will restart the IRC server. Granting this privilege is not recommended. A restart may not succeed if there are problems with the configuration file or for other reasons. Such a failure will leave the server terminated.
G A S N server:tsctl:view Allows viewing server clocks.
N server:tsctl:set Allows changing the server clock offset. This command is VERY dangerous. If misused, it may freeze the server or cause major issues.
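
Added example (not part of the UnrealIRCd documentation): a small audit script that flattens the permissions of an operclass block and reports grants covering the three permissions this table flags (server:die, server:restart, server:tsctl:set). The sample block is constructed, and both the nested block syntax and the rule that granting a parent grants everything below it are assumptions based on the Operclass block article.

```python
import re

# Permissions this page marks "not recommended" or "VERY dangerous".
FLAGGED = {
    "server:die": "terminates the IRC server",
    "server:restart": "a failed restart leaves the server terminated",
    "server:tsctl:set": "misuse may freeze the server",
}

# Constructed sample; "night-shift" is a hypothetical operclass name.
SAMPLE = """
operclass night-shift {
    permissions {
        chat;
        kill { local; };
        server { rehash; restart; tsctl { view; set; }; };
    };
};
"""

def flatten(conf):
    """Return granted permission paths such as 'server:tsctl:set'."""
    conf = re.sub(r"/\*.*?\*/|(#|//)[^\n]*", "", conf, flags=re.S)  # drop comments
    start = re.search(r"\bpermissions\s*\{", conf)
    if not start:
        return []
    paths, stack, pending = [], [], None
    for tok in re.findall(r"[\w-]+|[{};]", conf[start.end() - 1:]):
        if tok == "{":
            stack.append(pending)      # enter a sub-group (None for the outer block)
            pending = None
        elif tok == "}":
            stack.pop()
            if not stack:              # closed the permissions block itself
                break
        elif tok == ";":
            if pending:                # a leaf, or a whole group granted at once
                paths.append(":".join([s for s in stack if s] + [pending]))
            pending = None
        else:
            pending = tok
    return paths

def audit(conf):
    """List (flagged permission, grant that covers it, reason), sorted."""
    return sorted((perm, path, why)
                  for path in flatten(conf)
                  for perm, why in FLAGGED.items()
                  if perm == path or perm.startswith(path + ":"))

if __name__ == "__main__":
    for perm, path, why in audit(SAMPLE):
        print(f"{perm} (granted via '{path}'): {why}")
```

The script reads a single operclass block and does not follow a parent directive, so an inherited class has to be audited separately.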

server-ban

Managing server bans (previously called: tkl).

L G A S N Name Description
G A S N server-ban:dccdeny Can use /DCCDENY to manage the list of denied DCC files.
G A S N server-ban:gline Can use /GLINE to manage the network-wide user bans (G-line).
L G A S N server-ban:kline:local:add Can use /KLINE to add a new local user ban (K-line).
L G A S N server-ban:kline:remove Can use /KLINE to remove a local user ban (unkline).
G A S N server-ban:shun Can use /SHUN to "shun" (shut up) a user.
G A S N server-ban:shun:temporary Can use /TEMPSHUN to temporarily "shun" (shut up) a user, for the session only.
A S N server-ban:spamfilter Can use /SPAMFILTER command to add spam filters.
A S N server-ban:spamreport Can use /SPAMREPORT to report spam to a blacklist.
G A S N server-ban:zline:global Can use /GZLINE to add a new global z-line.
L G A S N server-ban:zline:local:add Can use /ZLINE to add a new local z-line.

services

Services-specific restrictions to bypass

L G A S N Name Description
S N services:servicebot:deop Can deop a (services) user that has user mode +S. Eg: /MODE #chan -o ChanServ.
S N services:servicebot:kill Can kill a (services) user that has user mode +S. Eg: /KILL ChanServ.