View Issue Details

ID: 0005130
Project: unrealircd
Category:
View Status: public
Last Update: 2018-09-13 20:10
Reporter: capitaine
Assigned To: syzop
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version: 4.2.0
Summary: 0005130: Permissions issues
Description: We have bots with minimal ircop privileges, but they lose their o-line when setting modes on themselves.
Also when they /oper, they get numerics 381 and 481 at the same time.
Steps To Reproduce
oper bb :qwe123
:test MODE test :+ostqW
:Foo.chat 008 test :Server notice mask (+kcfFjveGnNqSso)
:Foo.chat 381 test :You are now an IRC Operator
:Foo.chat 481 test :Permission Denied- You do not have the correct IRC operator privileges
:Foo.services NOTICE test :from OperServ: USERS: test!test@localhost is now an IRC operator.

mode :test
:Foo.chat 221 test +owsxqpW
:Foo.chat 008 test :Server notice mask (+kcfFjveGnNqSso)

mode test :+B
:Foo.chat NOTICE test :- Foo.chat Bot Message of the Day -
:Foo.chat NOTICE test :- !
:Foo.chat NOTICE test :End of /BOTMOTD command.
:test MODE test :-oqW+B
:Foo.chat 008 test :Server notice mask (+k)

same with other ones like +i, +H
Additional Information: The configuration is the following:

operclass bobot
{
    privileges
    {
        immune;
        client:host;
    };
};

oper bb
{
    mask 127.0.0.1;
    password "qwe123";
    class clients;
    operclass bobot;
    maxlogins 1;
};

plaintext-policy
{
    oper allow;
};
Tags: No tags attached.
3rd party modules

Activities

syzop

2018-09-09 16:43

administrator   ~0020300

I don't get the (confusing) 481 numeric on OPER but I can reproduce the problem with MODE nick +B. Culprit is this code:

/* Don't let non-ircops set ircop-only modes or snomasks */
if (!ValidatePermissionsForPath("self:restrictedumodes",sptr,NULL,NULL,NULL))
{
        remove_oper_privileges(sptr, 0);
}

The idea of the code is good, but... yeah... I'll see what I can do :D

syzop

2018-09-09 17:03

administrator   ~0020301

Fixed in git. Fix will be in 4.0.19-rc2 / 4.0.19 final:

commit 681640024ad76c918e1177b10b7afab897da8997 (HEAD -> unreal40, origin/unreal40, origin/HEAD)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Sun Sep 9 17:01:35 2018 +0200

    Fix permission issues with minimal IRCOps.
    Reported by capitaine in https://bugs.unrealircd.org/view.php?id=5130


****

That leaves your strange 481 numeric error. Not sure where that is coming from.
Do you perhaps have additional settings that apply to all IRCOps that could cause this?

syzop

2018-09-09 17:04

administrator   ~0020302

Oh and by the way, the fix I added makes it so that ircops without self:restrictedumodes (such as a restricted oper you created) cannot add oper-only modes to themselves, they may only remove them. The same applies to snomasks.
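
The behaviour change described in notes 0020300 and 0020302, as an added C model that is not UnrealIRCd's code and not part of the tracker notes. The bitmask representation, the function names and the choice of o, q and W as the oper-only modes (the ones stripped in the reporter's log) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Model only: one bit per user-mode letter, letters taken from the log above. */
static const char LETTERS[] = "oqWBi";
static unsigned bits(const char *s) {
    unsigned m = 0;
    for (; *s; s++) {
        const char *p = strchr(LETTERS, *s);
        if (p) m |= 1u << (p - LETTERS);
    }
    return m;
}
/* Assumption: the oper-only set is what the server removed in "-oqW+B". */
#define OPER_ONLY bits("oqW")

/* Split a change such as "+B-q" into bits to add and bits to remove. */
static void parse(const char *change, unsigned *add, unsigned *del) {
    int adding = 1;
    *add = *del = 0;
    for (; *change; change++) {
        char one[2] = { *change, 0 };
        if (*change == '+') adding = 1;
        else if (*change == '-') adding = 0;
        else if (adding) *add |= bits(one);
        else *del |= bits(one);
    }
}
/* Reported behaviour: any self MODE by an oper lacking
 * self:restrictedumodes strips every oper-only mode. */
unsigned mode_before_fix(unsigned cur, const char *change, int has_perm) {
    unsigned add, del;
    parse(change, &add, &del);
    cur = (cur | add) & ~del;
    return has_perm ? cur : cur & ~OPER_ONLY;
}
/* Behaviour after the fix: without the permission, oper-only modes
 * may be removed but not added; modes already held are kept. */
unsigned mode_after_fix(unsigned cur, const char *change, int has_perm) {
    unsigned add, del;
    parse(change, &add, &del);
    if (!has_perm) add &= ~OPER_ONLY;
    return (cur | add) & ~del;
}
int main(void) {
    unsigned start = bits("oqW"); /* modes held after /OPER */
    printf("+B before fix: %#x, after fix: %#x\n",
           mode_before_fix(start, "+B", 0), mode_after_fix(start, "+B", 0));
    return 0;
}
```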

syzop

2018-09-13 20:10

administrator   ~0020324

Issue resolved. Feel free to elaborate / report / show debug info on the 481 message you were getting, I could not reproduce.

Issue History

Date Modified Username Field Change
2018-08-06 14:00 capitaine New Issue
2018-09-03 08:52 syzop Status new => acknowledged
2018-09-09 16:41 syzop Assigned To => syzop
2018-09-09 16:41 syzop Status acknowledged => assigned
2018-09-09 16:43 syzop Note Added: 0020300
2018-09-09 17:03 syzop Note Added: 0020301
2018-09-09 17:03 syzop Status assigned => feedback
2018-09-09 17:04 syzop Note Added: 0020302
2018-09-13 20:10 syzop Status feedback => resolved
2018-09-13 20:10 syzop Resolution open => fixed
2018-09-13 20:10 syzop Fixed in Version => 4.2.0
2018-09-13 20:10 syzop Note Added: 0020324