katsklaw Guru

Joined: 28 Jun 2004 Posts: 1022
|
Posted: Dec 13, 2007 7:33pm Post subject: removing an oper from network access |
|
|
| How would one remove an unauthorized oper that did not have permission to add themselves to SIRC's Control Panel without wiping the whole list? |
 |
PingBad Guru

Joined: 05 Feb 2005 Posts: 1941 Location: New Zealand
|
Posted: Dec 13, 2007 7:34pm Post subject: |
|
|
| I don't believe searchirc has some sort of access system within the network pages (as far as who is higher than who on the information ranks) - so it'd be a difficult task for Jason to implement some sort of system where one of the opers listed on the network has the ability to remove others from the same list. |
 |
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1022
|
Posted: Dec 13, 2007 7:41pm Post subject: |
|
|
I believe that something should be done other than allow every single oper that wishes to have access to edit the network's presence on SearchIRC the ability to do so.
I don't see it as difficult to allow the admin that submitted the network in the first place the privilege you say is a difficult task. This admin has already submitted information, and if said admin emails for an oper to be removed from the list, I can't see that as an overwhelming task.
Additionally a simple check box that disallows any further additions that can be toggled by admins already having access as a large task either.
Neither of which requires any form of access levels.
Just my opinion though. |
 |
PingBad Guru

Joined: 05 Feb 2005 Posts: 1941 Location: New Zealand
|
Posted: Dec 13, 2007 7:46pm Post subject: |
|
|
| katsklaw wrote: | I believe that something should be done other than allow every single oper that wishes to have access to edit the network's presence on SearchIRC the ability to do so.
I don't see it as difficult to allow the admin that submitted the network in the first place the privilege you say is a difficult task. This admin has already submitted information, and if said admin emails for an oper to be removed from the list, I can't see that as an overwhelming task.
Additionally a simple check box that disallows any further additions that can be toggled by admins already having access as a large task either.
Neither of which requires any form of access levels.
Just my opinion though. |
But who's to say that the person who submitted the network's original information is indeed the founder/responsible for the PR of the network? Then there's the possibility that that person may (for one reason or another) be no longer part of the network's staff, so how about handling handover of control of network information (esp if the person left in bad blood)? |
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 681
|
Posted: Dec 13, 2007 8:52pm Post subject: |
|
|
Login to your control panel, go to MyNetworks, select your network and you will be brought to the edit page. The very LAST item says:
Wipe out network access: [checkbox]
This option will remove access to your network information from all users. This is useful to "start over" with a clean slate and remove users who shouldn't have access.
You'll have to revalidate to gain access again.
Click the checkbox. This wipes out YOU and EVERYONE ELSE who has access. Then revalidate, so you gain access again. No one else will be able to edit your SIRC info. |
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 681
|
Posted: Dec 13, 2007 9:02pm Post subject: |
|
|
| Quote: | | But who's to say that the person who submitted the network's original information is indeed the founder/responsible for the PR of the network? Then there's the possibility that that person may (for one reason or another) be no longer part of the network's staff, so how about handling handover of control of network information (esp if the person left in bad blood)? |
We have had situations where opers tell us the network has disbanded, the admin left, etc. We wised up to that a long time ago. lol They'd get access and wipe everything out... and usually leave a neener neener message too.
There is no way to determine identity online. Someone else can be sitting at your computer. We don't know you so we wouldn't know if someone was pretending to be you. Short of having admins drive down to Tampa and show us their ID, we have a validation process in the submission of new networks. The person sending in the request for submission MUST email us from the same domain as the network. It's not foolproof, but it's either the admin or someone the admin gave access to.
Networks DO sometimes change hands, they merge and unmerge, etc. It's best to get the parting admin to remove himself and all others from access, and then the new admin can sign in. But if the old admin is gone forever, and you need access, just use the contact form http://searchirc.com/contact and we'll help you out. |
 |
PingBad Guru

Joined: 05 Feb 2005 Posts: 1941 Location: New Zealand
|
Posted: Dec 13, 2007 9:50pm Post subject: |
|
|
| Mary wrote: | | Short of having admins drive down to Tampa and show us their ID |
Or flying up to Tampa, in my case - notwithstanding the fact that my driver's license lacks a "PingBad" written on it  |
 |
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1022
|
Posted: Dec 14, 2007 5:23am Post subject: |
|
|
| Mary wrote: | | They'd get access and wipe everything out... and usually leave a neener neener message too. |
The current set-up allows disgruntled "rogue opers" to already do just this very thing! That's the problem. They add themselves via your current automated process and *poof* there goes all the hard work the REAL admins did.
The submitting admin has to have an account to submit their network anyway, why can't you simply grant them access when the network is approved and let them add from the control panel? |
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 681
|
Posted: Dec 14, 2007 6:23am Post subject: |
|
|
| I hear you, katsklaw... paging Jason.... |
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 681
|
Posted: Dec 14, 2007 6:28am Post subject: |
|
|
| PingBad wrote: | | Mary wrote: | | Short of having admins drive down to Tampa and show us their ID | Or flying up to Tampa, in my case - notwithstanding the fact that my driver's license lacks a "PingBad" written on it :P |
Oh yes, you'd have a long ways to go. About as far as it's Possible to go. However, in your case I would be willing to travel to the city of the Elves and meet in Arwen's castle to verify your ID. Perhaps you have an identifying mark... a tattoo or such, saying PingBad, Admin of Mordor (or whatever) ? |
 |
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1124 Location: Tampa, FL
|
Posted: Dec 14, 2007 7:04am Post subject: |
|
|
| katsklaw wrote: | | Mary wrote: | | They'd get access and wipe everything out... and usually leave a neener neener message too. |
The current set-up allows disgruntled "rogue opers" to already do just this very thing! That's the problem. They add themselves via your current automated process and *poof* there goes all the hard work the REAL admins did.
The submitting admin has to have an account to submit their network anyway, why can't you simply grant them access when the network is approved and let them add from the control panel? |
To submit a network to SearchIRC, you just head to the submit network screen and fill out a network's RR and your email address. If the email address matches the RR, then a validation email is sent. If validated, the network is allowed to enter the review process where we manually look at it then OK or deny it.
We can't count on any mechanisms from the network submission process because:
1. Most of our networks are preexisting. Adding a feature now in the addition process wouldn't help most networks.
2. You can't make any claims that someone submitting the network is any more desirable than a current oper on the network. We used to allow ANYONE to submit a network. That stopped when people started to complain about not wanting to be listed and demanding to know who submitted it!
3. Even if someone was responsible and the owner of a network at submission time, we cannot lock down network modification to that person because seldom does ownership reside in one person forever.
4. Some networks give out email addresses @ircdomain. So giving more access than just the ability to submit a network isn't wise.
The goal of the process in place currently is to AUTOMATE. We used to do this manually, and people got pissed off when we slept or didn't respond immediately. The current system is automated, and works right away.
I figure that if someone has oper access, you trust them enough to link and split servers, kill users, etc. That is good enough for me to also allow access to modify network information.
If someone gets access and screws up the posted info on SearchIRC, it's well within your control to reprimand the oper. If they continue, well, it's still within your control to remove their oper access.
The reason why the purge access list purges everyone is so that an ex-oper can't sit in the access list hitting purge non-stop. Everyone is gone, now everyone who wants access has to revalidate. In this situation, the ex-oper can no longer mess with it since he's gone. If we put in a flag to lock down the access list so that no new user accounts can be added, then we end up with a situation where an ex-oper can lock it down and prevent you from getting access and purging him.
If you guys can come up with a better automated method that doesn't eventually require human intervention, I'm all ears, but I haven't heard of a better solution yet. |
 |
Jobe Idler

Joined: 30 Jul 2006 Posts: 330 Location: Lurking in the shadows of some random channel!
|
Posted: Dec 14, 2007 8:43am Post subject: |
|
|
You could use a method of verifying control over the network's domain name by having them add a record of a specific type, say TXT, with a value that's generated by SearchIRC.
For example (in the ZONE file):
| Code: | | irc TXT "2jNAFskri1B9a4zZa81OB0I1B7h718DyuMYWtg6z0j47CQ677b" |
would be a TXT record for irc.domain.tld, which you could then do an automated lookup on after say 48 hours (to give it time to propagate) and if the value matches gives them elevated access to the network's details (such as managing access).
Add to that the same or similar method to reset who has network access administration access so if the current admin for the network becomes an ex-admin, the old TXT record can be removed and replaced by a new one with a new value.
The only downside to this idea is it only proves control over the domain, nothing more. If you combined that with say an email check to an email address you specify (possibly) and the IRC-based is-oper test you start to get a lil more secure. Maybe even add an HTTP-hosted flag file the network has to add (a file of a random name with .html extension which an automated test can easily check for).
And yes there are downsides and possibilities for loss of control either way. But whatever happens there will ALWAYS be those possibilities. |
 |
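The DNS TXT challenge proposed in the post above, as an added example (not from the thread and not SearchIRC's code): the token is random, compared in constant time, and replaced on handover so a stale record stops counting. `lookup_txt`, the 14-day expiry and the status names are assumptions, and the zone is a constructed in-memory stand-in for DNS.

```python
import hmac
import secrets
import time

PROPAGATION_WAIT = 48 * 3600      # the post suggests looking up after ~48 hours
CHALLENGE_TTL = 14 * 24 * 3600    # assumption: unanswered challenges expire


def issue_challenge(host, now=None):
    """Create a challenge whose token must appear in a TXT record at host."""
    return {"host": host.lower().rstrip("."),
            "token": secrets.token_urlsafe(32),
            "issued": time.time() if now is None else now}


def check_challenge(challenge, lookup_txt, now=None):
    """Return 'verified', 'pending', 'mismatch' or 'expired'.

    lookup_txt(host) -> list of TXT strings at host (hypothetical resolver hook).
    """
    age = (time.time() if now is None else now) - challenge["issued"]
    if age > CHALLENGE_TTL:
        return "expired"
    expected = challenge["token"].encode()
    for value in lookup_txt(challenge["host"]):
        # Hosts often carry other TXT records (SPF etc.); test each one,
        # in constant time so the comparison leaks nothing about the token.
        if hmac.compare_digest(value.strip().strip('"').encode(), expected):
            return "verified"
    return "pending" if age < PROPAGATION_WAIT else "mismatch"


def demo():
    zone = {}                                  # constructed stand-in for DNS
    lookup = lambda host: zone.get(host, [])
    t0 = 1_000_000
    first = issue_challenge("irc.domain.tld", now=t0)
    seen = [check_challenge(first, lookup, now=t0 + 3600)]   # nothing published
    zone["irc.domain.tld"] = ["v=spf1 -all", first["token"]]
    seen.append(check_challenge(first, lookup, now=t0 + PROPAGATION_WAIT))
    # Handover: a fresh challenge supersedes the old one, so the record the
    # departed admin published no longer grants anything.
    second = issue_challenge("irc.domain.tld", now=t0 + PROPAGATION_WAIT)
    seen.append(check_challenge(second, lookup, now=t0 + 3 * PROPAGATION_WAIT))
    return seen


if __name__ == "__main__":
    print(demo())
```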
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1124 Location: Tampa, FL
|
Posted: Dec 14, 2007 9:01am Post subject: |
|
|
| heh. We already have people complain about not having email for the domain, or ircds with odd numerics that don't match up with the IRC RFC for isAnOper. Having them change DNS records is going to be too far out there. |
 |
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1022
|
Posted: Dec 14, 2007 2:49pm Post subject: |
|
|
I hear ya Jason. I know this isn't the easiest of conversations. If for no other reason than there are several types of people and not all ircds act the same so it's hard to create a solution that could be usable by most everyone.
If I think of a plausible solution I'll be sure to mention it. |
 |
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1124 Location: Tampa, FL
|
Posted: Dec 16, 2007 6:56pm Post subject: |
|
|
| I've found checking for isAnOper numeric to work pretty well. I've only had one server be unable to validate, and that's because they changed oper to network administrator or something, and also changed the numeric for it too. |
 |
|
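The oper check mentioned in the last post, sketched as an added example (not SearchIRC's code): it assumes the RFC 1459 WHOIS numerics 313 (RPL_WHOISOPERATOR), 318 and 401, and the sample replies are constructed. It shows why a server that only rewords the oper line still validates, while one that also changes the numeric does not.

```python
RPL_WHOISOPERATOR = "313"   # RFC 1459: "<nick> :is an IRC operator"
RPL_ENDOFWHOIS = "318"
ERR_NOSUCHNICK = "401"


def parse_numeric(line):
    """Split ':server NNN target args :trailing' into (numeric, params)."""
    if not line.startswith(":"):
        return None, []
    head, _, trailing = line[1:].partition(" :")
    parts = head.split()
    if len(parts) < 2 or len(parts[1]) != 3 or not parts[1].isdigit():
        return None, []
    return parts[1], parts[2:] + ([trailing] if trailing else [])


def whois_is_oper(lines, nick):
    """True/False once the WHOIS reply for nick is complete, None if it never is."""
    oper = False
    for line in lines:
        numeric, params = parse_numeric(line.rstrip("\r\n"))
        # params[0] is the requester, params[1] the nick the reply is about.
        if numeric is None or len(params) < 2 or params[1].lower() != nick.lower():
            continue
        if numeric == RPL_WHOISOPERATOR:
            oper = True        # decide on the numeric, not the free-text trailer
        elif numeric == ERR_NOSUCHNICK:
            return False
        elif numeric == RPL_ENDOFWHOIS:
            return oper
    return None                # reply cut short: treat as "could not validate"


# Constructed WHOIS replies (server and nick names are made up).
STANDARD = [
    ":irc.domain.tld 311 checker alice ~a host.example * :Alice",
    ":irc.domain.tld 313 checker alice :is an IRC operator",
    ":irc.domain.tld 318 checker alice :End of /WHOIS list.",
]
RELABELLED = [STANDARD[0],     # wording changed, numeric kept
              ":irc.domain.tld 313 checker alice :is a Network Administrator",
              STANDARD[2]]
RENUMBERED = [STANDARD[0],     # numeric changed too (399 is a placeholder)
              ":irc.domain.tld 399 checker alice :is a Network Administrator",
              STANDARD[2]]

if __name__ == "__main__":
    for name in ("STANDARD", "RELABELLED", "RENUMBERED"):
        print(name, whois_is_oper(globals()[name], "alice"))
```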