GODS only modules can be triggered by a non-identified user on a GODS nick #20
Comments
We could check and store hostnames, i.e. pass the hostname to authorize.isAuthorized(nickname, hostname) and then just register the hostname as well in the GODS list; the admin module would add/remove users' nick/host as well. Both nick/host or just host would be needed for True.
Hostmasks aren't permanent (unless you use a virtual host, but those can be changed too). Most servers send a message like this upon
It would be much better to search for
The issue with checking the identified part is, do we really want to send /whois every time someone spams an admin command (even if we had a register for "seen" nicks, it would do it for anyone else)? It seems pretty inefficient. Also, a related issue is that bhottu was designed with Rizon as the use scenario, but we should go in the direction of catering to networks that don't have registration services as well. I see hostname & nick checking as a way to not do password authentication (which is an option, btw). So the problem in my case is that the user has no way to identify himself with the bot if he uses a network which does not do registrations and the user's host is not registered with the bot, or someone else could use the same host and nick to represent another user (i.e. schools).
Abuse is a very valid point that I didn't consider. I'd much prefer a password to hostmask-based identification, though (which I thought was ruled out). With hostmasks the bot owner would have to keep changing the (Also, just another comment, when I first started working on the bot it didn't work anywhere but Rizon as it scanned for a Rizon-only code to identify with. I fixed that in this commit. So the bot should really move in a more interoperable direction.)
Alright, let's discuss the pwd option, since it brings trouble as well. If we have only one root pwd, this will cause issues in a social sense (we are talking about IRC): if one root user gets denied access, how would we deal with that? At a quick glance it seems that we need 1 root pwd and the rest should be custom, based on creation and stored in a DB which only the root can control. So only root can add/remove admins, and upon addition a pwd will be sent to the user who is "promoted". The problem here is that this is getting more and more complex, but this would solve most of the security issues regarding this.
I think that's way too complex. There is no need for an IRC-accessible root password at all. The root user is already in control of the machine and can edit the DB as they choose with SQL or with the MySQL command line tool. My proposal is:
You can do a WHO query to check the flags the user has.

```python
import re

# RPL_WHOREPLY (352) layout:
# :server 352 <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
# The "~" prefix on <user> is only present when the client has no identd, so it is optional here.
WHO_REPLY = re.compile(r':\S+ 352 \S+ \S+ ~?(\S+) (\S+) \S+ (\S+) (\S+) :\d+ (\S+)')

def who(self, who):
    self._lsend('WHO %s' % (who.split()[0]))
    while True:
        resp = self._lrecv()
        parts = resp.split()
        # Test the numeric token, not a substring, so a chat line containing "352" cannot match.
        if len(parts) > 1 and parts[1] == '315':
            return None  # RPL_ENDOFWHO arrived without a 352: no such nick
        if len(parts) > 1 and parts[1] == '352':
            break
    match = WHO_REPLY.match(resp)
    if match is None:
        return None  # reply did not have the expected layout
    return {
        "user": match.group(1),
        "host": match.group(2),
        "nick": match.group(3),
        "mode": match.group(4),   # status flags, e.g. H/G, r, *, @, +
        "name": match.group(5),   # first word of the real name only
    }
```
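How the WHO flags could back the GODS check discussed in this issue, as an added example that is not bhottu's code or the commenter's: it parses constructed RPL_WHOREPLY lines and authorizes only when the nick is in GODS, services reports it as identified (the `r` status flag, assumed here to be what the network emits for registered nicks), and the host matches the one registered for that nick.

```python
import re

# Constructed RPL_WHOREPLY lines (not captured from a real network), RFC 1459 layout:
# :server 352 <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
SAMPLE_REPLIES = [
    ":irc.example.net 352 bhottu * ~alice host-1.example.net irc.example.net alice Hr :0 Alice",
    ":irc.example.net 352 bhottu * ~mallory host-2.example.net irc.example.net alice H :0 Not Alice",
    ":irc.example.net 352 bhottu * bob shell.example.org irc.example.net bob Gr*@ :0 Bob",
]

# "~" on <user> only appears without identd; the server field is matched loosely.
WHO_REPLY = re.compile(r'^:\S+ 352 \S+ \S+ ~?(\S+) (\S+) \S+ (\S+) (\S+) :\d+ (.*)$')

# Assumed GODS store: nick -> hosts that nick may connect from (hypothetical layout).
GODS = {"alice": {"host-1.example.net"}, "bob": {"shell.example.org"}}


def parse_who_reply(line):
    """Return the WHO reply fields as a dict, or None if the line is not a 352 reply."""
    m = WHO_REPLY.match(line)
    if m is None:
        return None
    user, host, nick, flags, name = m.groups()
    return {"user": user, "host": host, "nick": nick, "flags": flags, "name": name}


def is_authorized(line, gods=GODS):
    """True only if nick is a GOD, the 'r' (identified) flag is set, and the host matches."""
    info = parse_who_reply(line)
    if info is None:
        return False
    nick = info["nick"].lower()
    if nick not in gods:
        return False
    if "r" not in info["flags"]:   # not identified with services: a nick alone proves nothing
        return False
    return info["host"] in gods[nick]
```

The second sample shows the case from the issue title: the GODS nick in use, but not identified and from an unregistered host, so it is refused.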
Fixed it: 1ac0830