View Issue Details

IDProjectCategoryView StatusLast Update
0006096unrealircdpublic2022-05-13 11:42
ReporterJobe Assigned Tosyzop  
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status resolvedResolutionfixed 
Fixed in Version6.0.4 
Summary0006096: Security Groups options modification
DescriptionSo, as I understand it, when configuring a security group, the options identified, tls and webirc only currently have yes/no options where yes means "match only if this condition is true" and no means don't care, match both. So what I am proposing is an extra "exclude" option, where by if any of those 3 are set to "exclude" then the security group only matches a user if they do NOT match those types.

For example it appears you can have a security group for webirc users, and a security group for webirc and non-webirc users, but you cant have a security group that doesn't include webirc users.

At least that's based on my understanding and a discussion with PeGaSuS on #unreal-support. Either way, "yes" and "no" seem insufficient to choose from all 3 of "match only if", match only if not" and "match both", where "no" would apparently be the current "match both" and "yes" is currently "match only if".

We also did discuss nesting security groups using extended server bans, however whilst that would allow you to use a "not webirc" security group extended ban as an include-mask (if its possible) that wouldn't then allow you to match non-webirc users from a list of specified host masks.
TagsNo tags attached.
3rd party modules

Activities

syzop

2022-05-13 11:42

administrator   ~0022482

I knew when writing the security groups code there will be a request for this sooner or later... :D

I have now done this, see the updated documentation at https://www.unrealircd.org/docs/Security-group_block

I did not go for a VALUE of "exclude" but went for new NAMES exclude-xxx. The reason for that is that while a value works OK for things like "webirc" and "tls", they do not work for like "include-mask" which would then be "exclude-mask". That would still be OK, but then you have other things like "reputation-score" and later too with more items.

Still the same idea, of course!

https://github.com/unrealircd/unrealircd/commit/788c230bdc405a1777bd3b37be15d942eb598158

commit 788c230bdc405a1777bd3b37be15d942eb598158 (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Fri May 13 11:33:57 2022 +0200

    Support exclusion criteria in security groups.
    Suggested by Jobe in https://bugs.unrealircd.org/view.php?id=6096
    
    Also add support for matching a reputation below a value ("<10").
    
    See https://www.unrealircd.org/docs/Security-group_block for info
    on all of these.

Issue History

Date Modified Username Field Change
2022-05-05 21:42 Jobe New Issue
2022-05-13 11:42 syzop Note Added: 0022482
2022-05-13 11:42 syzop Assigned To => syzop
2022-05-13 11:42 syzop Status new => resolved
2022-05-13 11:42 syzop Resolution open => fixed
2022-05-13 11:42 syzop Fixed in Version => 6.0.4