From ebe5601796be4881523149bba1fced167fdf210e Mon Sep 17 00:00:00 2001
From: Jilles Tjoelker <jilles@stack.nl>
Date: Sat, 13 Sep 2008 00:32:22 +0200
Subject: [PATCH] Document privsets in the example confs.

---
 doc/example.conf   | 14 ++++-----
 doc/reference.conf | 71 +++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 68 insertions(+), 17 deletions(-)

diff --git a/doc/example.conf b/doc/example.conf
index 6b11a56..688c2de 100755
--- a/doc/example.conf
+++ b/doc/example.conf
@@ -186,7 +186,9 @@ auth {
 	class = "users";
 };
 
-/* privsets... XXX document me later */
+/* privset {} blocks MUST be specified before anything that uses them.  That
+ * means they must be defined before operator {}.
+ */
 privset "local_op" {
 	privs = oper:local_kill, oper:operwall;
 };
@@ -239,9 +241,8 @@ operator "god" {
 	 */
 	snomask = "+Zbfkrsuy";
 
-	/* privileges: controls the activities and commands an oper is
-	 * allowed to do on the server.  You may prefix an option with ~ to
-	 * disable it, ie ~encrypted.
+	/* flags: misc options for the operator.  You may prefix an option
+	 * with ~ to disable it, e.g. ~encrypted.
 	 *
 	 * Default flags are encrypted.
 	 *
@@ -250,10 +251,9 @@ operator "god" {
 	 * encrypted:    the password above is encrypted [DEFAULT]
 	 * need_ssl:     must be using SSL/TLS to oper up
          */
-	flags = global_kill, remote, kline, unkline,
-		die, rehash, admin, xline, operwall;
+	flags = encrypted;
 
-	/* privset: replaces flags */
+	/* privset: privileges set to grant */
 	privset = "admin";
 };
 
diff --git a/doc/reference.conf b/doc/reference.conf
index 0ddf1c7..5ff7fdc 100755
--- a/doc/reference.conf
+++ b/doc/reference.conf
@@ -18,6 +18,9 @@
  * that matches a user will be used.  So place spoofs first, then specials,
  * then general access, then restricted.
  *
+ * privset {} blocks MUST be specified before anything that uses them.  That
+ * means they must be defined before operator {}.
+ *
  * Both shell style (#) and C style comments are supported.
  *
  * Files may be included by either:
@@ -362,10 +365,57 @@ auth {
 	flags = need_ident;
 };
 
-/* operator {}: defines ircd operators. (OLD O:)
- * charybdis no longer supports local operators, privileges are
- * controlled via flags.
- */
+/* privset{}: defines operator privilege sets. */
+privset "local_op" {
+	/* privs: controls the activities and commands an oper is
+	 * allowed to do on the server
+	 *
+	 * Available options:
+	 *
+	 * oper:local_kill:      allows local users to be /KILL'd
+	 * oper:global_kill:     allows local and remote users to be /KILL'd
+	 * oper:remote:          allows remote SQUIT and CONNECT
+	 * oper:kline:           allows KLINE and DLINE
+	 * oper:unkline:         allows UNKLINE and UNDLINE
+	 * snomask:nick_changes: allows oper to see nickchanges via snomask +n
+	 * oper:rehash:          allows oper to REHASH config
+	 * oper:die:             allows DIE and RESTART
+	 * oper:admin:           gives admin privileges.  admins
+	 *                       may (un)load modules and see various
+	 *                       additional information.
+	 * oper:hidden_admin:    gives admin privileges except
+	 *		         will not have the admin lines in
+	 *		         whois.
+	 * oper:xline:	         allows use of /quote xline/unxline
+	 * oper:resv:	         allows /quote resv/unresv and cmode +LP
+	 * oper:operwall:        allows the oper to send/receive operwalls
+	 * oper:spy:	         allows 'operspy' features to see through +s
+	 * 		         channels etc. see /quote help operspy
+	 * oper:hidden:          hides the oper from /stats p
+	 * oper:remoteban:       allows remote kline etc
+	 * oper:mass_notice:     allows sending wallops and mass notices
+	 */
+	privs = oper:local_kill, oper:operwall;
+};
+
+privset "server_bot" {
+	/* extends: a privset to inherit in this privset */
+	extends = "local_op";
+	privs = oper:global_kill, oper:kline, oper:remoteban, snomask:nick_changes;
+};
+
+privset "global_op" {
+	extends = "local_op";
+	privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
+		oper:resv, oper:mass_notice, oper:remoteban;
+};
+
+privset "admin" {
+	extends = "global_op";
+	privs = oper:admin, oper:die, oper:rehash, oper:spy;
+};
+
+/* operator {}: defines ircd operators. (OLD O:) */
 operator "god" {
 	/* name: the name of the oper must go above */
 
@@ -399,19 +449,20 @@ operator "god" {
 	 */
 	snomask = "+Zbfkrsuy";
 
-	/* privileges: controls the activities and commands an oper is
-	 * allowed to do on the server.  You may prefix an option with ~ to
-	 * disable it, ie ~operwall
+	/* flags: misc options for the operator.  You may prefix an option
+	 * with ~ to disable it, e.g. ~encrypted.
 	 *
-	 * Default flags are operwall, remoteban and encrypted.
+	 * Default flags are encrypted.
 	 *
 	 * Available options:
 	 *
 	 * encrypted:    the password above is encrypted [DEFAULT]
 	 * need_ssl:     must be using SSL/TLS to oper up
          */
-	flags = global_kill, remote, kline, unkline,
-		die, rehash, admin, xline, operwall;
+	flags = encrypted;
+
+	/* privset: privileges set to grant */
+	privset = "admin";
 };
 
 /* connect {}: controls servers we connect to (OLD C:, N:, H:, L:) */