Fine grained operator privileges
--------------------------------

Terminology:

IRCop
	user with user mode +o, usually obtained with /oper
	users whose operator status is indicated by a different user mode
	than +o, or whose user mode +o is not propagated to other servers,
	are not IRCops from atheme's point of view
operclass
	group of privileges defined in an operclass{} block in atheme.conf
services operator
	user logged into an account named in an operator{} block in
	atheme.conf

A few privileges are granted independently of operclasses:

To all IRCops and services operators (has_any_priv()):
	more detailed "not authorized" messages telling which priv they are
	missing, ability to use /os help

To all services operators:
	account does not expire (unlike HOLD, registered channels do);
	this is to avoid someone else registering the account and taking
	the privs

All IRCops get the privileges in the "ircop" operclass. Services operators
get the privileges in the operclass in their operator{} block. If both
conditions apply, the union of the privileges is granted.

The OperServ SPECS command shows the privileges granted to an online user
or operclass, in a somewhat wordy format.

Description of the privileges in operclasses:

special:ircop
	bound to AC_IRCOP, if you still have modules using that

user:auspex
	see the invisible about user registrations,
	ns/us info/list/listchans mainly
user:admin
	administer users
user:vhost
	set vhosts

chan:auspex
	see the invisible about channel registrations,
	cs info/list/flags mainly
chan:admin
	administer channels
chan:cmodes
	change oper-only cmodes in mode locks (but only on own channels)
chan:joinstaffonly
	join channels set staffonly

user:mark
	use ns/us/cs mark and override marks
user:hold
	use ns/us/cs hold to prevent things from expiring
user:regnolimit
	exempt from limits on numbers of registrations (does not work
	fully if set on the ircop operclass)

general:auspex
	see general information about services: most privileged /stats,
	/trace, /os modinspect, /os modlist, /os uptime
general:viewprivs
	see all operator{} blocks, see the privs users and operclasses have:
	/stats o, /os specs
general:flood
	exempt from services flood control (general::flood* in atheme.conf)
general:metadata
	mess with private metadata (but only on own accounts and channels)
general:admin
	restart/shutdown/rehash services, load modules, use raw/inject (if
	globally allowed in atheme.conf), resetpass/sendpass on accounts
	with operator{} blocks

operserv:omode
	use /os mode
operserv:akill
	use /os akill and /stats k
operserv:jupe
	use /os jupe
operserv:noop
	use /os noop
operserv:global
	send global notices

$Id: PRIVILEGES 5394 2006-06-17 12:56:36Z jilles $
