Controlling access to your channel

Version 1.3.0


Last revised by h () and Fredfred () on 2019-01-10

Originally written by quen () on 1997-06-20

Please direct any comments or feedback about this document (only! no help requests!) to docs@dal.net. If you need help on issues not covered in this document, please see the information at http://help.dal.net.

Introduction

This guide explains how to control who has access to certain privileges on your registered channel. These privileges are used to help maintain the channel's normal operation, so that other people (whom you trust) can keep order in the channel when you're not there.

This guide also explains how to ban people from the channel permanently using ChanServ. Bans that you set in the normal way will disappear if the channel becomes empty of people at any point.

If you haven't already registered your channel with ChanServ, you should first do that - read question 1.8 "How do I register my channel?" of the Services FAQ before continuing with this.

Finally, some brief notes - whenever I give a command to type such as

/chanserv identify #channel password

The command should be typed as it is shown, except that you should replace required parameters (here '#channel' and 'password') with the appropriate piece of information. For instance, in the above example, if your password was 'apple' and your channel was '#mychannel', you would actually type

/chanserv identify #mychannel apple

When commands begin with /chanserv (or /nickserv , /memoserv ), that is an alias used to message the service securely. If your client does not understand the command, you can either begin the commands with /quote chanserv , or with /msg chanserv@services.dal.net .

Contents

1 · Why you need to know this information

DALnet encourages you to read this guide because:

  • If your channel encounters problems such as abusive behaviour or a takeover, and you are not there, you will need HOPs, AOps and possibly SOps/Managers so that the problem can be solved.

  • We have added a Manager access in Channels oplist, to know more about how to add Managers please visit http://docs.dal.net/docs/chanserv.html#5.

  • If your channel becomes large, you may need Managers to help manage it.

  • Adding the wrong people as HOPs/AOps/SOps/Managers, or adding HOPs/AOps/SOps/Managers in the wrong way, can cause security loopholes that might let unfriendly users cause problems in the channel, so you should be fully informed about using these features.

  • If you need permanent bans on users, you'll need to know how to set AKICKs.

A summary can be found in section 9 , which briefly explains who you should add as SOps, AOps or HOPs and how to add them.

2 · What HOPs/AOps/SOps and Managers are

HOPs / AOps / SOps and Managers people whom you trust enough to allow them certain powers on your channel.

Managers are the "highest" level of channel ops (@). They have *almost* full control over the channel with the exception of changing the channel's foundership. Please visit http://docs.dal.net/docs/chanserv.html#5 for more instructions.

SOps are a "higher" level than AOps and have all the AOp privileges in addition to some extra powers. As the founder, you are at a higher level still and you have all the SOp and AOp privileges, plus some founder-only powers. There is no need to add yourself to the SOp or AOp lists. HOPs have the lowest access level in the channel.

It's beyond the scope of this guide to give help on how to use all the ChanServ powers that are granted to AOps and SOps. However, by each ability the appropriate help command is given; typing this while on IRC will provide more information.

HOPs have the following powers:

  • They are given ops (%) when they enter the channel; if for some reason they are in the channel without ops, they can get ChanServ to give them ops at any time. ( /chanserv help op )

  • They can kick other users who aren't opped (+o) or voiced (+v).

  • They can change the topic of the channel even if +t is set.

  • They can unban themselves from the channel if they are banned. ( /chanserv help unban )

  • They receive memos that are sent to the whole 'channel'. They may also be able to send memos to the whole channel; there is a channel setting that determines whether HOPs, AOps, SOps, or just the founder can send memos to the channel. ( /chanserv help set memo , /memoserv help send )

  • They can invite themselves to the channel (useful if it is invite-only) unless it has been set "private". ( /chanserv help invite )

  • They can view the channel HOp, AOp, SOp, and AKICK lists. (see section 4 )

AOps have the following powers:

  • They are given ops (@) when they enter the channel; if for some reason they are in the channel without ops, they can get ChanServ to give them ops at any time. ( /chanserv help op )

  • They can use ChanServ to give/remove ops to/from other members of the channel (if they do this, a notice will be sent to the channel alerting others on the channel of the action, so it is not anonymous). ( /chanserv help op )

  • They can unban themselves from the channel if they are banned. ( /chanserv help unban )

  • They receive memos that are sent to the whole 'channel'. They may also be able to send memos to the whole channel; there is a channel setting that determines whether HOps, AOps, SOps, or just the founder can send memos to the channel. ( /chanserv help set memo , /memoserv help send )

  • It is possible to set channels so that only ops can change the topic. (However it's also possible to set them so that only Managers/SOps or only the founder can change the topic.) ( /chanserv help set topiclock )

  • They can use the MDEOP commands to solve channel takeover problems, but this will not work if SOps or the founder are on the channel. ( /chanserv help mdeop )

  • They can invite themselves to the channel (useful if it is invite-only) unless it has been set "private". ( /chanserv help invite )

  • They can view the channel HOp, AOp, SOp, and AKICK lists. (see section 4 )

SOps have the following powers:

  • They can use the MKICK command to solve channel takeover problems, but this will not work if the founder is on the channel. ( /chanserv help mkick ) (see section 4 )

  • They can give, and take away, AOp privileges from people. (see section 4 )

  • They can set or remove AKICKs (permanent bans) for the channel. (see section 7 and section 8 )

  • They can remove all bans from the channel using ChanServ. ( /chanserv help unban )

  • They receive memos sent to channel SOps. ( /memoserv help sendSOp )

Managers have the following additional powers:

Channel Managers can:
- Manage the SOp list (add/remove SOps)
- Change WEBPASSWD                
- Wipe HOp/VOp/AOp/SOp lists
- Change channel description
- Masskick and massdeop a channel up to and including the access level of AOp
- Set/unset OPGUARD
- Set/unset VOICEGUARD
- Set/unset HOPGUARD
- Set/unset MLOCK
- Set/unset IDENT
- Set/unset KEEPTOPIC
- Set/unset RESTRICT
- Set/unset URL
- Set/unset VERBOSE
- Set/unset TOPICLOCK (unless it's locked to the founder)
- Set/unset LEAVEOPS
- Set/unset PRIVATE
- Set/unset MEMO level (unless it's locked to the founder)
- See successor's nick with ChanServ INFO

Channel Managers can *NOT*:
- Change channel password
- Change founder
- Set/unset successor
- Set/unset mailblock
- Add/remove other Managers
- Set/unset UNSECURE (currently broken and doesn't do anything)
- Use sendpass

3 · Things to consider when giving op (@, %) access privileges

HOPs/AOps/SOps and Managers are the people who can handle channel problems such as flooding and takeovers when you are not there. If you intend to run a successful channel, it is your reponsibility to ensure there are sufficient HOPs, AOps (especially) and SOps so that order in the channel can be maintained. If the channel is being used with no HOPs/AOps present, then it is an easy target for flooding and abuse.

When you give people op (@, %) access privileges, you give them some control over the channel, but they are still answerable to you - you could remove their access privileges at any time.

However, you should still make sure only to give op (@, %) access to people that you trust as they can cause problems. Although they cannot do any permanent damage - the founder can undo any changes they make - they can certainly cause serious problems especially when you're not there. You should keep this in mind when giving op (@, %) access privileges.

On a similar note: never give out the password to the channel to anyone. This is the same as handing over the channel to them - co-founderships are not supported by DALnet and in a dispute, anybody with the password is considered the sole owner of the channel. If you want to share power on your channel with others who you trust, make them Managers.

If a different arrangement is desirable, you can use socially agreed restrictions (for example, the founder might agree never to add Managers without consulting the existing Managers). However DALnet's software and staff will always consider the founder of a channel to be the only person finally responsible for how that channel is run. And please note that DALnet will never help anyone who loses a channel because they shared a password; passwords should always be kept secure.

4 · How to add or remove Managers/SOps/AOps and HOPs

The channel founder or Manager are the only ones who can give or take away SOp privileges. However, the founder is the only one who can give or take away Manager privileges. Managers/SOps and the founder can give or take away HOp/AOp privileges. The list commands are available to AOps/SOps or Managers and the founder, but not to ordinary users.

4.1 Listing current channel access

/chanserv Manager #channel list
/chanserv SOp #channel list
/chanserv AOp #channel list
/chanserv HOp #channel list

These commands list all the Managers/SOps/AOps/HOPs (respectively) on the channel.

If you have a large channel, you may find it useful to list only selected Managers/SOps/AOps/HOPs based on their nicknames or masks:

/chanserv Manager #channel list wildcard
/chanserv SOp #channel list wildcard
/chanserv AOp #channel list wildcard
/chanserv HOp #channel list wildcard

(For example, /chanserv AOp #mychannel list g* would list all AOps on #mychannel whose nicknames began with g.)

Whichever list command you use, each AOp or SOp or Manager is listed with a number which makes it easier to remove them if necessary (see below).

4.2 Xlisting channel staff

/chanserv Manager #channel xlist
/chanserv SOp #channel xlist
/chanserv AOp #channel xlist
/chanserv HOp #channel xlist
/chanserv VOp #channel xlist

This command shows an extended information of your channel staff, and who they were added by and when. Also, you can see the reason why they're added to the channel.

NOTE: Only AOp and above can check the Xlist command

Example of issuing the command:

/msg ChanServ@services.dal.net VOp #Docsteam XLIST

-ChanServ- VOp list for #docsteam
1) h (h@2607:f8f8:790:5::1234)
Added by Fredfred!fredfred@dalnet on Mon 26-Nov-2018 09:38:15 GMT
Last Op Time: Mon 26-Nov-2018 10:21:26 GMT
Reason: Documentation Team Arabic Translator
End of list.

For more information about VOps please visit http://docs.dal.net/docs/chanserv.html.

4.3 Adding channel access

/chanserv Manager #channel add nick only!! [reason]
/chanserv SOp #channel add nick or mask [reason]
/chanserv AOp #channel add nick or mask [reason]
/chanserv HOp #channel add nick or mask [reason]

These commands add people to the Manager/SOp/AOp/HOp lists. This is equivalent to giving people Manager/SOp or AOp privileges.

Note: Founders can no longer be added to HOp/AOp/SOp/Manager/AKICK lists.

Generally you should add HOPs, AOps, SOps or Managers using their nick (which should be registered) but you can also do so with a mask if necessary. Masks work in the same way as channel ban masks - though of course here they have the effect of granting HOp, AOp, SOp or Managers privileges to the target, not banning them - and are not explained in this guide; for more information see the Ban Guide.

If you want to make somebody an SOp who is currently an AOp (or vice versa), you don't need to remove them from the AOp list, because Services will automatically remove them for you at the same time as adding them to the SOp list.

You should check somebody has a registered nick before you give them op (@, %) access by typing

/nickserv info nick

and ask them to register if their nick isn't registered. If you try to add AOps for somebody whose nick isn't registered, it will add them using a mask, which isn't really a good idea (see section 5 ).

Each channel is limited to a maximum of 300 HOps, 300 AOps , 100 SOps and 5 Managers. ChanServ will warn you if you attempt to add more than this.

Note: Users can set a nickname mode NOOP which will mean they can't be added to any channel HOp, AOp or SOp lists. See /nickserv help set noop for more information.

4.4 Removing channel access

/chanserv Manager #channel del number or entry in list
/chanserv SOp #channel del number or entry in list
/chanserv AOp #channel del number or entry in list
/chanserv HOp #channel del number or entry in list

These commands are used to remove people from the Manager/SOp/AOp or HOp lists. Managers/SOps/AOps may be removed for misconduct or for whatever the reason may be.

You can use these commands in several ways; the easiest is to first use the appropriate list command, and then give the number of the entry you want deleted. Alternatively, you can give the nick or the access mask you want deleted; if you use this method you must specify the nick or mask exactly as it is given in the list.

If you are deleting entries based on their numbers in the list, you should only delete a single entry at a time. The numbers may change after each deletion, so you will need to repeat the list command to check what the correct number is.

4.5 VERBOSE mode

If the VERBOSE mode is turned on for a channel, then whenever there is a change to certain aspects of the channel (in particularly, when somebody adds or removes AOp/SOps/Managers or AKICKs), all ops currently on the channel will be informed with a notice.

To enable this feature:

/chanserv set #channel verbose on

5 · Advice on using address masks in your access list

It's generally best to use nicknames, rather than address masks, in op(@, %) access lists. You can only add a channel manager using a nickname and not a hostmask. There are several reasons for this:

  • You can always tell exactly who has HOP/AOp/SOp access.

  • It's not really possible to make a mistake and give lots more people AOps than were intended (for example if you put a * in the wrong place in a mask.)

  • If you encounter problems with somebody using the same server as an AOp and getting ops meant for the AOp, these can be solved without removing AOps from the genuine person.

There is one advantage to using address masks:

  • You can always tell exactly what address masks will get ops automatically.

If you do decide to use address masks to give AOps, see the Ban Guide which explains address masks.

Note that although that guide explains how to use them to ban people, when you use them on the AOp list they are not banned but given AOps.

6 · Problems with the wrong people getting access

(Note: This section is written about AOps, but all of it applies to SOps as well.)

There are times you may find someone you did not add to the access list(s) gain access to the channel. The reason why this happens is because of the ops (@) hostmask matches the one listed in the Op's NickServ's access list.

People can get ops in the channel (but not access to any of the ChanServ AOp commands) if ChanServ is down and your channel is empty when they enter it. Unfortunately, there's nothing you can do about this, but ChanServ rarely stays down for more than a few minutes.

People can also get ops if they are given them by somebody who already has ops (e.g. an AOp/SOp or Managers). If you do not want to allow this, you can use a feature called OPGUARD which is explained at the end of this section.

6.1 Finding out why somebody has privileges

To discover why somebody has HOp/AOp/SOp or Manager privileges in a channel, you can use the ChanServ why command:

/chanserv why #channel nickname

This will explain the op (@, %) list entry (if any) that is responsible for granting that person privileges, so it can be temporarily removed if there is a problem.

6.2 Access list problems

When you have people added to your AOp list by nickname, this means that anybody matching the 'access list' of any of your AOps will get AOp privileges in the channel.

If people who aren't AOps get opped by ChanServ on the channel, there may well be a problem with access lists - you can normally tell which AOp's list is the problem because the non-AOp who got opped will come from the same service provider (eg aol.com, netcom.com, iquest.net, etc.) as one of your AOps. You can confirm this with the why command given above.

You should contact the AOp (by memo if they are not online) suggesting that they improve their access list or remove it entirely, identifying to NickServ with their password when they log on to DALnet. In the meantime, if the person who has ops is causing trouble you may want to temporarily remove the relevant AOp privileges.

If you or they don't fully understand the concept of NickServ access lists - which allow you to use your nickname on DALnet without giving the password every time, but introduce security weaknesses if you use a major Internet service provider - then the NickServ Access Guide contains the explanation you need.

You've probably realised by now that a malicious AOp could intentionally set their access list to, for instance, allow everybody ops on the channel. This is another reason for making sure you trust people before you give them AOps.

As a temporary solution if there is a problem with access masks, or if security needs to be high, you can set IDENT mode on for the channel. This means that ChanServ will only allow those AOps who've also identified to NickServ (with the password for their nick) access to their privileges on the channel, including ops.

The founder and Manager can set IDENT mode for a channel using

/chanserv set #channel ident on

Note that if you do this, any entries using masks rather than nicknames will not have any effect. For more information:

/chanserv help set ident

6.3 Unwanted ops

Even when ChanServ manages a channel, it is possible that some people who are not HOPs, AOps or SOps might get ops (@,%) in that channel. The main way this can happen is if an AOp gives them ops.

If you as channel founder or Manager and you do not want this to happen, you can enable the OPGUARD feature. When this feature is turned on, ChanServ will not allow people to have ops (@,%) on a channel (even temporarily) unless they are on the HOp/AOp/SOp/Manager list or are the founder. If somebody else is given ops, ChanServ will remove their ops immediately.

To enable this feature:

/chanserv set #channel opguard on

7 · What AKICKs are

AKICKs are the ChanServ equivalent of a ban from the channel and are used to remove offending users from your channel. They do not disappear if the channel becomes empty; they stay until the channel founder or Manager or SOp removes them.

The key problem with standard channel bans (the sort you get when you click the 'Ban' option on popup menus, or type /ban or /mode #channel +b mask commands) is that these are temporary; if everybody leaves the channel so that it's empty, the system 'forgets' all the normal bans that were set.

Normally bans are set to deal with temporary nuisances so this is not a problem. However, sometimes you can encounter problems with a user who continually comes to the channel to cause problems - in this case, you need to ban them permanently.

In this situation you use AKICKs, which work similarly to bans but are handled by Services - when a user on the AKICK list enters a channel, they are automatically banned and kicked out by ChanServ. As mentioned above, AKICKs don't disappear until they are removed, even if the channel becomes empty.

8 · How to add or remove AKICKs

Only channel founders/Managers and SOps have the power to add or remove AKICKs.

8.1 Listing current AKICKs

/chanserv akick #channel list

This command, which can be used by channel AOps/SOps as well as Managers and the founder, lists all of the AKICKs currently in place on the channel.

Each AKICK is listed together with a number which you can use to remove it more easily.

8.2 Adding an AKICK by mask

/chanserv akick #channel add mask [reason]

This command adds an AKICK to the channel. You must specify the user's mask in the same way as for a ban - nickname ! username @ hostname .

If the address in /whois of a user you were trying to ban was user@dialup22-81.provider.com and your channel was called #frogs, you would typically use /chanserv akick #frogs add *!user@*.provider.com ('AKICK people with any nickname, if they have the username "user", and are coming from provider.com')

For more guidance on address masks for bans, which work the same way in AKICKs as in channel, please see the Ban Guide.

NOTE: It's your choice to add a reason for your akick.

This is what Peanutbutter will get when you add a reason for his akick:

* PeanutButter was kicked by ChanServ (User has been autokicked from the channel (You're NOT welcome here anymore))

You can add a maximum of 200 AKICKs for a single channel.

8.3 Adding an AKICK by nickname

/chanserv akick #channel add nickname [reason]

If the person has a registered nickname, you can add an AKICK using their nick. This may or may not be useful because in some cases they can simply connect with a different nickname to evade the ban.

So if you don't understand address masks for bans, you can use this method instead, but it is more reliable to do it by manually specifying the mask.

NOTE: It's your choice to add a reason for your akick.

This is what Peanutbutter will get when you add a reason for his akick:

* PeanutButter was kicked by ChanServ (User has been autokicked from the channel (You're NOT welcome here anymore))

Note: Founders can no longer be added to AOp/SOp/AKICK lists.

8.4 Removing an AKICK

/chanserv akick #channel del number or mask

You can use this commands in two ways; the easiest is to first use the list command (given above), and then give the number of the entry you want deleted. Alternatively, you can give the mask you want deleted; if you use this method you must specify the mask exactly as it is given in the list.

If you are deleting entries based on their numbers in the list, you should only delete a single entry at a time. The numbers may change after each deletion, so you will need to repeat the list command to check what the correct number is.

9 · Summary

Managers/SOps, AOps and HOps are people you trust enough to give them some power on your channel. Among other things, this means that they will automatically be given ops (@,%) when they enter. Managers can change some of the channel's settings, can add or remove SOps/AOps/HOps and AKICKs (only trusted users can gain this access). SOps also have the ability to add and remove AOps, hOps and AKICKs (permanent bans from the channel), so you should be especially careful when making people SOps.

If there is somebody you trust whom you think should have AOps on your channel

Type /nickserv info nick to check their nick is registered - if it is not, ask them to register it and repeat the above when they've done so. Once you're sure the nickname is registered, type /chanserv AOp #channel add nick .

If your channel needs a Manager or SOp for some reason - for instance if it is a large channel and you need help with channel management such as choosing AOps

Be certain you can trust the person you'd like to make an Manager or SOp, and check their nick is registered as above. Then type /chanserv Manager #channel add nick . /chanserv SOp #channel add nick .

If at a later date you need to remove an HOp, AOp, SOp or Manager from the channel list because they have proven untrustworthy, left IRC, or similar

Type /chanserv HOp or AOp or SOp or Manager #channel list . When you find the entry for that person, you should note the number and type /chanserv HOp or AOp or SOp or Manager #channel del number .

If you need to ban somebody permanently

You (or an Manager or SOp on the channel; not AOps) can add them to the AKICK list by using /chanserv akick #channel add mask , where mask is a standard ban mask for the troublemaker. You can remove AKICKs at a later date in a similar way to removing AOps or SOps or Managers. (See section 8 .)