angiosperm/modules/m_oper.c
Ed Kellett ed3ca2ff16
Propagate OPER
Move opername and privset storage to struct User, so it can exist for
remote opers.

On /oper and when bursting opers, send:

    :foo OPER opername privset

which sets foo's opername and privset. The contents of the privset on
remote servers come from the remote server's config, so the potential
for confusion exists if these do not match.

If an oper's privset does not exist on a server that sees it, it will
complain, but create a placeholder privset. If the privset is created by
a rehash, this will be reflected properly.

/privs is updated to take an optional argument, the server to query, and
is now local by default:

    /privs [[nick_or_server] nick]
2019-09-13 10:08:27 +01:00


/*
* ircd-ratbox: A slightly useful ircd.
* m_oper.c: Makes a user an IRC Operator.
*
* Copyright (C) 1990 Jarkko Oikarinen and University of Oulu, Co Center
* Copyright (C) 1996-2002 Hybrid Development Team
* Copyright (C) 2002-2005 ircd-ratbox development team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
* USA
*/
#include "stdinc.h"
#include "client.h"
#include "match.h"
#include "ircd.h"
#include "numeric.h"
#include "s_conf.h"
#include "s_newconf.h"
#include "logger.h"
#include "s_user.h"
#include "s_serv.h"
#include "send.h"
#include "msg.h"
#include "parse.h"
#include "modules.h"
#include "packet.h"
#include "cache.h"
/* Module description string; passed to DECLARE_MODULE_AV2 at the end of this run. */
static const char oper_desc[] = "Provides the OPER command to become an IRC operator";
/* Forward declarations: both handlers are referenced by oper_msgtab before they are defined. */
static void m_oper(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
static void mc_oper(struct MsgBuf *, struct Client *, struct Client *, int, const char **);
/* Password check called from m_oper. */
static bool match_oper_password(const char *password, struct oper_conf *oper_p);
/*
 * Command table entry for "OPER".
 *
 * The handler array is positional: mg_unreg, m_oper, mc_oper, mg_ignore,
 * mg_ignore, m_oper.  NOTE(review): presumably the slots are, in order,
 * unregistered / local client / remote client / server / encap / oper --
 * confirm against struct Message in msg.h.
 *
 * NOTE(review): the 3 paired with m_oper and mc_oper is presumably the
 * minimum parameter count the parser enforces before dispatch.  Both
 * handlers read parv[1] and parv[2] without looking at parc, so they depend
 * on that guarantee; lowering it here would let them read missing
 * parameters.
 */
struct Message oper_msgtab = {
"OPER", 0, 0, 0, 0,
{mg_unreg, {m_oper, 3}, {mc_oper, 3}, mg_ignore, mg_ignore, {m_oper, 3}}
};
/* NULL-terminated list of the commands this module provides. */
mapi_clist_av1 oper_clist[] = { &oper_msgtab, NULL };
DECLARE_MODULE_AV2(oper, NULL, NULL, oper_clist, NULL, NULL, NULL, NULL, oper_desc);
/*
 * m_oper - handle an OPER request
 *	parv[1] = oper name
 *	parv[2] = oper password
 *
 * Checks run in a fixed order and the first failure ends the attempt:
 * oper block lookup (username, orighost, sockhost, name), TLS requirement,
 * client certificate fingerprint, then password.  The first three failures
 * answer ERR_NOOPERHOST; a wrong password answers ERR_PASSWDMISMATCH.
 * Every failure is written to the L_FOPER log and, when
 * ConfigFileEntry.failed_oper_notice is set, announced to opers.  The
 * password supplied by the client is never passed to a log or notice call.
 *
 * NOTE(review): parc is not examined; parv[1] and parv[2] are used as given,
 * so this relies on the dispatcher only calling it with both present --
 * confirm against the {m_oper, 3} entries in oper_msgtab.
 */
static void
m_oper(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
{
	const char *oper_name = parv[1];
	const char *given_pass = parv[2];
	struct oper_conf *conf;

	/* already an oper: repeat the confirmation and the oper MOTD, nothing else */
	if(IsOper(source_p))
	{
		sendto_one(source_p, form_str(RPL_YOUREOPER), me.name, source_p->name);
		send_oper_motd(source_p);
		return;
	}

	/* end the grace period */
	if(!IsFloodDone(source_p))
		flood_endgrace(source_p);

	conf = find_oper_conf(source_p->username, source_p->orighost,
			      source_p->sockhost, oper_name);

	/* no oper block matches this user/host/name combination */
	if(conf == NULL)
	{
		sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
		ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
		     oper_name, source_p->name,
		     source_p->username, source_p->host, source_p->sockhost);

		if(ConfigFileEntry.failed_oper_notice)
			sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
					       "Failed OPER attempt - host mismatch by %s (%s@%s)",
					       source_p->name, source_p->username, source_p->host);
		return;
	}

	/* the oper block demands TLS and this connection is not using it */
	if(IsOperConfNeedSSL(conf) && !IsSSLClient(source_p))
	{
		sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
		ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- requires SSL/TLS",
		     oper_name, source_p->name,
		     source_p->username, source_p->host, source_p->sockhost);

		if(ConfigFileEntry.failed_oper_notice)
			sendto_realops_snomask(SNO_GENERAL, L_ALL,
					       "Failed OPER attempt - missing SSL/TLS by %s (%s@%s)",
					       source_p->name, source_p->username, source_p->host);
		return;
	}

	/* a configured fingerprint must be presented and must match (compared
	 * with rb_strcasecmp); a client with no certificate fails here too */
	if(conf->certfp != NULL &&
	   (source_p->certfp == NULL || rb_strcasecmp(source_p->certfp, conf->certfp) != 0))
	{
		sendto_one_numeric(source_p, ERR_NOOPERHOST, form_str(ERR_NOOPERHOST));
		ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s) -- client certificate fingerprint mismatch",
		     oper_name, source_p->name,
		     source_p->username, source_p->host, source_p->sockhost);

		if(ConfigFileEntry.failed_oper_notice)
			sendto_realops_snomask(SNO_GENERAL, L_ALL,
					       "Failed OPER attempt - client certificate fingerprint mismatch by %s (%s@%s)",
					       source_p->name, source_p->username, source_p->host);
		return;
	}

	/* password is the last gate */
	if(!match_oper_password(given_pass, conf))
	{
		sendto_one(source_p, form_str(ERR_PASSWDMISMATCH),
			   me.name, source_p->name);
		ilog(L_FOPER, "FAILED OPER (%s) by (%s!%s@%s) (%s)",
		     oper_name, source_p->name, source_p->username, source_p->host,
		     source_p->sockhost);

		if(ConfigFileEntry.failed_oper_notice)
			sendto_realops_snomask(SNO_GENERAL, L_NETWIDE,
					       "Failed OPER attempt by %s (%s@%s)",
					       source_p->name, source_p->username, source_p->host);
		return;
	}

	/* every check passed: grant oper status and record it in the L_OPERED log */
	oper_up(source_p, conf);
	ilog(L_OPERED, "OPER %s by %s!%s@%s (%s)",
	     oper_name, source_p->name, source_p->username, source_p->host,
	     source_p->sockhost);
}
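/*
 * mc_oper - server-to-server OPER propagation
 *	parv[1] = opername
 *	parv[2] = privset
 *
 * Passes the message on with sendto_server(), then records the opername and
 * privilege set on the source user.  The privset is looked up by name in
 * this server's own table, so the sender chooses only the name; what that
 * name grants here comes from local configuration.  A name with no local
 * privset gets an empty placeholder marked CONF_ILLEGAL and a notice to
 * opers.
 *
 * NOTE(review): parv[1], parv[2] and source_p->user are used without checks;
 * presumably the {mc_oper, 3} entry in oper_msgtab and the handler slot it
 * sits in guarantee all three -- confirm.
 */
static void
mc_oper(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
{
	struct PrivilegeSet *privset;

	sendto_server(client_p, NULL, CAP_TS6, NOCAPS, ":%s OPER %s %s", use_id(source_p), parv[1], parv[2]);

	privset = privilegeset_get(parv[2]);
	if(privset == NULL)
	{
		/* if we don't have a matching privset, we'll create an empty one and
		 * mark it illegal, so it gets picked up on a rehash later */
		sendto_realops_snomask(SNO_GENERAL, L_NETWIDE, "Received OPER for %s with unknown privset %s", source_p->name, parv[2]);
		privset = privilegeset_set_new(parv[2], "", 0);
		privset->status |= CONF_ILLEGAL;
	}

	/* Reference the new set before releasing the old one; presumably this
	 * keeps the set alive when a repeated OPER names the privset that is
	 * already attached. */
	privset = privilegeset_ref(privset);
	if(source_p->user->privset != NULL)
		privilegeset_unref(source_p->user->privset);
	source_p->user->privset = privset;

	/* The privset handling above allows for this user already having been
	 * through OPER; in that case the earlier rb_strdup() copy of the
	 * opername must be released or every repeated OPER from a peer leaks
	 * it.  Assumes opername is only ever set from rb_strdup() -- confirm
	 * against the other writers of user->opername. */
	rb_free(source_p->user->opername);
	source_p->user->opername = rb_strdup(parv[1]);
}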
/*
 * match_oper_password
 *
 * inputs	- password supplied by the client (may be NULL or empty)
 *		- oper block holding the configured password
 * output	- true if the supplied password matches, false otherwise
 * side effects	- none
 *
 * An oper block with no password never matches.  For an encrypted block the
 * supplied password is run through rb_crypt() with the stored value as the
 * second argument (presumably the crypt(3)-style setting, so the salt comes
 * from the stored hash, not from the client) and the result is compared
 * with the stored value.  For a plaintext block the supplied password is
 * compared directly.
 *
 * NOTE(review): strcmp() stops at the first differing byte, so the
 * comparison is not constant-time.  This matters most for blocks that store
 * the password unencrypted, where the stored value is the secret itself;
 * prefer encrypted oper passwords in configuration.
 */
static bool
match_oper_password(const char *password, struct oper_conf *oper_p)
{
	/* plaintext blocks compare the client's input as-is */
	const char *candidate = password;

	/* passwd may be a NULL pointer or empty: such a block can never match */
	if(EmptyString(oper_p->passwd))
		return false;

	if(IsOperConfEncrypted(oper_p))
	{
		/* an empty input is not hashed; "" cannot equal the non-empty
		 * stored value, so it simply fails the comparison below */
		if(EmptyString(password))
			candidate = "";
		else
			candidate = rb_crypt(password, oper_p->passwd);
	}

	/* candidate is NULL when rb_crypt() returned NULL or a plaintext
	 * block was given a NULL password */
	return candidate != NULL && strcmp(candidate, oper_p->passwd) == 0;
}