Secure admin access #534
Comments
That's why admins should have registered nicks.
I still think this needs a fix.
There has been some discussion on IRC, and we need to discuss solutions. We need to
<!-- How would awarding admin permissions based on SASL authentication work? As
I understand it's merely used to bypass the need to send NickServ the
password in plaintext, and doesn't change the fact that somebody could
still take control of the nick for half a minute. -->
I'd recommend only allowing admin if the person has been verified by
NickServ. This would require an additional command to NickServ.
(note from @scoopgracie: I removed a part referring to comments I made and deleted)
…On Thu, 23 Jan 2020, 00:08 scoopgracie, ***@***.***> wrote:
There has been some discussion on IRC, and we need to discuss solutions.
We need to
1. Do something with NickServ to add protection,
2. Create a dedicated admin nick and not use it in public channels to
keep it a secret, or
3. Use a different mechanism altogether.
I think NickServ verification is a good idea.
Another thought is to replace all admin commands with a Web panel.
Or, only let admin commands work in a special channel in which only admins are invited. This would have the added benefit of letting admins other than those with server access grant/revoke adminship.
This is a pretty major security bug. Anyone can become admin if one of the admins is offline.
Suppose firespeaker (@jonorthwash), who is an admin, is offline. Anyone (literally ANYONE) can take over admin access:
NickServ enforce mode is not effective, because you can do damage in under 30 seconds, especially with an attack bot. Simply putting the following text into netcat connected to freenode port 6667 is an exploit (using the example of shutting down the git server and giving me a greeting):
We should ask NickServ if the person is identified before allowing admin access. The "Last seen" field says "now" if the person is online and identified.
I also suggest that we create a new method, `phenny.is_admin(nick)`, to check if `nick` is an admin. This would replace modules checking the admin list. Modules using a method would allow us to replace the admin-rights system quite easily.
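The mitigation proposed above (gate admin rights on NickServ reporting the nick as identified, and route every module through one `is_admin(nick)` check) can be sketched as a small Python component. This is an added illustration, not code from the phenny project: it assumes an Atheme-style NickServ that answers `ACC <nick>` with a NOTICE of the form `<nick> ACC <level>` where level 3 means "identified to its account" (other services packages use different replies, such as `STATUS`), and the admin list and notices below are constructed for the example. The bot is assumed to send `ACC` itself and feed the reply into `on_nickserv_notice`; identification is forgotten on nick change or quit, since a nick that leaves the network can be taken by someone else.

```python
import re

# Constructed admin list; in the real bot this comes from the config file.
ADMINS = {"firespeaker", "scoopgracie"}

# Assumed Atheme-style reply to "ACC <nick>": "<nick> ACC <level>" with an
# optional trailing account name. Level 3 = identified to the account.
_ACC_RE = re.compile(r"^(?P<nick>\S+) ACC (?P<level>[0-3])(?: (?P<account>\S+))?$")
IDENTIFIED = 3


def parse_acc_reply(notice):
    """Return (nick, level) from a NickServ ACC notice, or None if it does not match."""
    m = _ACC_RE.match(notice.strip())
    if not m:
        return None
    return m.group("nick").lower(), int(m.group("level"))


class AdminGate:
    """Default-deny admin check: nick must be listed AND currently identified."""

    def __init__(self, admins=ADMINS):
        self.admins = {a.lower() for a in admins}
        self.identified = {}  # nick -> bool, only ever set from a services reply

    def on_nickserv_notice(self, notice):
        """Record the identification state reported by NickServ."""
        parsed = parse_acc_reply(notice)
        if parsed is None:
            return
        nick, level = parsed
        self.identified[nick] = (level == IDENTIFIED)

    def on_nick_change_or_quit(self, nick):
        """A session ended or the nick was released: drop the cached proof."""
        self.identified.pop(nick.lower(), None)

    def is_admin(self, nick):
        """The single check modules should call instead of reading the admin list."""
        n = nick.lower()
        return n in self.admins and self.identified.get(n, False)


def handle_admin_command(gate, nick, command):
    """How a module would use the gate: refuse unless is_admin says yes."""
    if not gate.is_admin(nick):
        return "denied"
    return "ran " + command


if __name__ == "__main__":
    gate = AdminGate()
    print(handle_admin_command(gate, "firespeaker", "restart"))   # denied: no proof yet
    gate.on_nickserv_notice("firespeaker ACC 3")                  # constructed reply
    print(handle_admin_command(gate, "firespeaker", "restart"))   # ran restart
```

The important property is the default: with no reply cached, or with a reply of level 0 to 2 (the nick is registered but the current session is not identified, which is exactly the state an impostor is in during the enforce-mode grace period), `is_admin` returns `False`.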