<chapter id="oprivs">
    <title>Oper privileges</title>
    <sect1 id="oprivlist">
      <title>Meanings of oper privileges</title>
      <para>
        These are specified in privset{}.
      </para>
      <sect2>
	<title>oper:admin, server administrator</title>
	<para>
	  Various privileges intended for server administrators.
	  Among other things, this automatically sets umode +a and allows
	  loading modules.
	</para>
      </sect2>
      <sect2>
	<title>oper:die, die and restart</title>
	<para>
	  This grants permission to use DIE and RESTART, shutting down
	  or restarting the server.
	</para>
      </sect2>
      <sect2>
	<title>oper:global_kill, global kill</title>
	<para>
	  Allows using KILL on users on any server.
	</para>
      </sect2>
      <sect2>
	<title>oper:hidden, hide from /stats p</title>
	<para>
	  This privilege currently does nothing, but was designed
	  to hide bots from /stats p so users will not message them
	  for help.
	</para>
      </sect2>
      <sect2>
	<title>oper:hidden_admin, hidden administrator</title>
	<para>
	  This grants everything granted to the oper:admin privilege,
	  except the ability to set umode +a. If both oper:admin and oper:hidden_admin
	  are possessed, umode +a can still not be used.
	</para>
      </sect2>
      <sect2>
	<title>oper:kline, kline and dline</title>
	<para>
	  Allows using KLINE and DLINE, to ban users by user@host mask
	  or IP address.
	</para>
      </sect2>
      <sect2>
	<title>oper:local_kill, kill local users</title>
	<para>
	  This grants permission to use KILL on users on the same server,
	  disconnecting them from the network.
	</para>
      </sect2>
      <sect2>
	<title>oper:mass_notice, global notices and wallops</title>
	<para>
	  Allows using server name ($$mask) and hostname ($#mask) masks in
	  NOTICE and PRIVMSG to send a message to all matching users, and
	  allows using the WALLOPS command to send a message to all users
	  with umode +w set.
	</para>
      </sect2>
      <sect2>
	<title>oper:operwall, send/receive operwall</title>
	<para>
	  Allows using the OPERWALL command and umode +z to send and
	  receive operwalls.
	</para>
      </sect2>
      <sect2>
	<title>oper:rehash, rehash</title>
	<para>
	  Allows using the REHASH command, to rehash various configuration
	  files or clear certain lists.
	</para>
      </sect2>
      <sect2>
	<title>oper:remoteban, set remote bans</title>
	<para>
	  This grants the ability to use the ON argument on
	  DLINE/KLINE/XLINE/RESV and UNDLINE/UNKLINE/UNXLINE/UNRESV to set
	  and unset bans on other servers, and the server argument on REHASH.
	  This is only allowed if the oper may perform the action locally,
	  and if the remote server has a shared{} block.
	</para>
	<note><para>
	  If a cluster{} block is present, bans are sent remotely even
	  if the oper does not have oper:remoteban privilege.
	</para></note>
      </sect2>
      <sect2>
	<title>oper:resv, channel control</title>
	<para>
	  This allows using /resv, /unresv and changing the channel
	  modes +L and +P.
	</para>
      </sect2>
      <sect2>
	<title>oper:routing, remote routing</title>
	<para>
	  This allows using the third argument of the CONNECT command, to
	  instruct another server to connect somewhere, and using SQUIT
	  with an argument that is not locally connected.
	  (In both cases all opers with +w set will be notified.)
	</para>
      </sect2>
	  <sect2>
	<title>oper:override, operator access in all channels</title>
	<para>
	  This allows the operator to have implicit operator access
	  in all channels. It is enabled by setting user mode +p which
	  will automatically expire after a period of time set in the
	  configuration file.
	</para>
      <sect2>
	<title>oper:spy, use operspy</title>
	<para>
	  This allows using /mode !#channel, /whois !nick, /who !#channel,
	  /chantrace !#channel, /topic !#channel, /who !mask,
	  /masktrace !user@host :gecos and /scan umodes +modes-modes global list
	  to see through secret channels, invisible users, etc.
	</para>
	<para>
	  All operspy usage is broadcasted to opers with snomask +Z set
	  (on the entire network) and optionally logged.
	  If you grant this to anyone, it is a good idea to establish 
	  concrete policies describing what it is to be used for, and
	  what not.
	</para>
	<para>
	  If operspy_dont_care_user_info is enabled, /who mask is operspy
	  also, and /who !mask, /who mask, /masktrace !user@host :gecos
	  and /scan umodes +modes-modes global list do not generate +Z notices
	  or logs.
	</para>
      </sect2>
      <sect2>
	<title>oper:unkline, unkline and undline</title>
	<para>
	  Allows using UNKLINE and UNDLINE.
	</para>
      </sect2>
      <sect2>
	<title>oper:xline, xline and unxline</title>
	<para>
	  Allows using XLINE and UNXLINE, to ban/unban users by realname.
	</para>
      </sect2>
      <sect2>
	<title>snomask:nick_changes, see nick changes</title>
	<para>
	  Allows using snomask +n to see local client nick changes.
	  This is designed for monitor bots.
	</para>
      </sect2>
    </sect1>
  </chapter>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-namecase-general:t
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document: ("charybdis-oper-guide.sgml" "book")
sgml-exposed-tags:nil
fill-column: 105
sgml-validate-command: "nsgmls -e -g -s -u charybdis-oper-guide.sgml"
End:
-->