Difference between revisions of "IRC Advanced Privilege Control Model"

From IRC Wiki
Revision as of 19:40, 18 September 2012

The IRC Advanced Privilege Control Model is the permissions control model created by members of the IRCv3 working group for IRCv3 IRC daemons. It replaces the permissions model used by traditional IRCds.

Overview

A few IRCd projects involved in the IRCv3 working group decided that a new permissions model was needed. This permissions model was implemented in Charybdis 3.0 and InspIRCd 1.2. The full permissions model is still a work in progress, but covers:

  • Privilege set declaration
  • Privilege set transition (such as from 'user' role to 'ircop' role or 'admin' role) via:
    • /OPER command
    • /CHALLENGE command (charybdis extension)
    • Connection class
  • Naming suggestions for common permissions and namespaces

Additional privilege set transition methods are planned, such as:

  • Targeted SASL authentication result (IRCv3.2 proposal)
  • CERTFP (planned inspircd extension)

Other eventual goals include describing RFC1459 user permissions and state/role transitions as a function of IAPCM configuration.

Additionally both Atheme 6 and Anope 1.9 implement the basis of the IAPCM standard with the following role transitions (but with different permissions schemes):

  • NickServ IDENTIFY command
  • IRC role transitions with fallback to usermode +o/+a detection
  • OperServ IDENTIFY command
  • X.509 fingerprint verification (CERTFP) result
  • SASL authentication result (Atheme only)

Example

This example assumes Charybdis-style config syntax; InspIRCd config syntax will be different but similar (mainly XML-like).

privset "ircop" {
    flags = oper:kill, oper:local_kill, oper:rehash, oper:override;
};
   
privset "admin" {
    inherits = "ircop";
    flags = oper:die, oper:restart;
};

If a user transitions into the admin role, she will also receive the permissions of the ircop role because of `privset::inherits`.
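
The inheritance rule above can be checked mechanically when auditing which roles end up holding a sensitive permission. The following is an added example, not code from Charybdis or from this wiki: it parses only the privset syntax shown in the example (no comments or other block types) and the function names are hypothetical.

```python
import re

# Constructed sample: the two privsets from the example above.
SAMPLE_CONF = '''
privset "ircop" {
    flags = oper:kill, oper:local_kill, oper:rehash, oper:override;
};
privset "admin" {
    inherits = "ircop";
    flags = oper:die, oper:restart;
};
'''

BLOCK_RE = re.compile(r'privset\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
ITEM_RE = re.compile(r'(\w+)\s*=\s*([^;]*);')

def parse_privsets(text):
    """Return {name: {"inherits": parent or None, "flags": set}}."""
    privsets = {}
    for name, body in BLOCK_RE.findall(text):
        entry = {"inherits": None, "flags": set()}
        for key, value in ITEM_RE.findall(body):
            if key == "inherits":
                entry["inherits"] = value.strip().strip('"')
            elif key == "flags":
                entry["flags"] = {f.strip() for f in value.split(",") if f.strip()}
        privsets[name] = entry
    return privsets

def effective_flags(privsets, name):
    """Union of a privset's own flags and everything it inherits."""
    flags, seen = set(), []
    while name is not None:
        if name in seen:  # a loop in inherits would never terminate
            raise ValueError("inheritance cycle: " + " -> ".join(seen + [name]))
        if name not in privsets:  # parent named but never declared
            raise KeyError("undefined privset: " + name)
        seen.append(name)
        flags |= privsets[name]["flags"]
        name = privsets[name]["inherits"]
    return flags

def roles_granting(privsets, flag):
    """Audit helper: every role that ends up holding `flag`."""
    return sorted(n for n in privsets if flag in effective_flags(privsets, n))

if __name__ == "__main__":
    print(roles_granting(parse_privsets(SAMPLE_CONF), "oper:override"))
```

Rejecting cycles and undeclared parents makes a misconfigured inherits chain fail loudly instead of silently granting or dropping permissions.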

See Also

  • IRCd Comparison (including a list of IRCds implementing the IRC Advanced Privilege Control Model).