From 0212da7205e6be14e61d06cec670a8f2bcc65ca8 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sat, 5 Oct 2013 23:56:31 +0200 Subject: [PATCH] ngIRCd Release 21~rc1 --- common/download.inc | 22 ++ doc/AUTHORS | 44 ++-- doc/ChangeLog | 147 ++++++++++- doc/Commands.txt | 553 +++++++++++++++++++++++++++++++++-------- doc/INSTALL | 9 +- doc/NEWS | 88 ++++++- doc/PAM.txt | 15 +- doc/Platforms.txt | 8 +- doc/Protocol.txt | 4 +- doc/Services.txt | 8 +- doc/sample-ngircd.conf | 50 +++- news.php.de | 1 + news.php.en | 3 +- 13 files changed, 810 insertions(+), 142 deletions(-) diff --git a/common/download.inc b/common/download.inc index 43a965e..577c9a8 100644 --- a/common/download.inc +++ b/common/download.inc @@ -21,4 +21,26 @@ (Sig) +
+ ngIRCd Release 20~rc1 (2013-10-05): +
+
+

Server: ftp.berlios.de + (ftp): + ngircd-21~rc1.tar.gz + (Sig), + tar.xz + (Sig), + tar.Z + (Sig) +
Server: ngircd.barton.de + (http): + ngircd-21~rc1.tar.gz + (Sig), + tar.xz + (Sig), + tar.Z + (Sig) + +

diff --git a/doc/AUTHORS b/doc/AUTHORS index 1d061a6..605df2d 100644 --- a/doc/AUTHORS +++ b/doc/AUTHORS @@ -18,29 +18,41 @@ Don't mail the people listed here directly, if possible! Main Authors ~~~~~~~~~~~~ -Alexander Barton, (alex) -Florian Westphal, +Alexander Barton +Florian Westphal Contributors ~~~~~~~~~~~~ -Ali Shemiran, -Ask Bjørn Hansen, -Benjamin Pineau, -Brandon Beresini, -Bryan Caldwell, -Dana Dahlstrom, -Eric Grunow, -Goetz Hoffart, -Ilja Osthoff, -Jari Aalto, -Rolf Eike Beer, -Scott Perry, -Sean Reifschneider, +Ali Shemiran +Ask Bjørn Hansen +Benjamin Pineau +Brandon Beresini +Brett Smith +Brian Collins +Bryan Caldwell +Christoph Biedl +DNS +Dana Dahlstrom +David Kingston +Eric Grunow +Federico G. Schwindt +Gabor Adam Toth +Goetz Hoffart +Ilja Osthoff +Jari Aalto +Neale Pickett +Rolf Eike Beer +Scott Perry +Sean Reifschneider +Sebastian Köhler +Tassilo Schweyer +William Pitcock +xor Code snippets ~~~~~~~~~~~~~ J. Kercheval: pattern matching functions -Patrick Powell, : snprintf()-function +Patrick Powell : snprintf()-function Andrew Tridgell & Martin Pool: strl{cpy|cat}()-functions diff --git a/doc/ChangeLog b/doc/ChangeLog index 08d337f..cbf5d2c 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -9,10 +9,151 @@ -- ChangeLog -- +ngIRCd 21~rc1 (2013-10-05) + + - Actually KILL clients on GLINE/KLINE. (Closes bug #156) + - Adjust log messages for invalid and spoofed prefixes, which cleans up + logging of commands related to already KILL'ed clients. And don't + forward KILL commands for (already) unknown clients any more to prevent + unnecessary duplicates. + - Add support to show all user links using the "STATS L" (uppercase) + command (restricted to IRC Operators). + - Fixed blocking of server reconnects in some error confitions. + - Don't ignore SSL-related errors during startup any more: abort startup + when SSL is requested by the configuration but can't be initialized and + don't continue only listening on plain text communicaiton ports. + (Closes bug #163) + - Implement configurable SSL cipher list selection for GnuTLS and OpenSSL + using the new configuration option "CipherList". In addition, this + changes the defaults to more secure values: "HIGH:!aNULL:@STRENGTH" for + OpenSSL, and "SECURE128" for GnuTLS. + - Fix "TRACE": Correctly return ERR_NEEDMOREPARAMS(461) (which basically + is "syntax error") when there are too many parameters. + - Clean up lots of permission and parameter checks in functions handling + IRC commands; and more consistently add penalty times on errors. + - Fix error numeric of WHOIS when no nick namename has been provided: + as per RFC it shoud be ERR_NONICKNAMEGIVEN(431). + - Only log "IDENT ... no result" messages when an IDENT looked took place + and didn't return any data, not when IDENT has been disabled. + - Show connection flag "s" (SSL) in RPL_TRACE{LINK|SERVER} messages: now + you can check if a server-to-server link is SSL-encrypted or not using + the IRC "TRACE" command. + - Correctly discard supplementary groups on server startup. + - Save client IP address text for "WebIRC" users and correctly display + it on WHOIS, for example. 
(Closes bug #159) + - Implement the new configuration option "DefaultUserModes" which lists + user modes that become automatically set on new local clients right + after login. Please note that only modes can be set that the client + could set on itself, so you can't set "a" (away) or "o" (IRC Op), + for example! User modes "i" (invisible) or "x" (cloaked) etc. are + "interesting", though. (Closes bug #160) + - Add support for the new METADATA "account" property, which allows + services to automatically identify users after netsplits and across + service restarts. + - Enforce "penalty times" on error conditions more consistently and in + more places. Now most error codes sent back from the IRC server to the + client should result in a 2 second "penalty". + - Implement a new configuration option "AllowedChannelTypes" that lists + all allowed channel types (channel prefixes) for newly created channels + on the local server. By default, all supported channel types are allowed. + If set to the empty string, local clients can't create new channels at + all, which equals the old "PredefChannelsOnly = yes" setting. + This change deprecates the "PredefChannelsOnly" variable, too, but it is + still supported and translated to the apropriate "AllowedChannelTypes" + setting. When the old "PredefChannelsOnly" variable is processed, a + warning message is logged. (Closes bug #152) + - Add support for "client certificate fingerprinting". When a client + passes an SSL certificate to the server, the "fingerprint" will be + forwarded in the network which enables IRC services to identify the + user using this certificate and not using passwords. + - IRC Operator names, as defined in ngircd.conf, are logged now when + handling successful OPER commands. + - Some error conditions while handling IRC commands, like "permission + denied" or "need more parameters", result in more penalty times. 
+ - The numeric replies of some commands became split too early which + resulted in more numeric reply lines than necessary. + - Implement a new configuration option "IncludeDir" in the "[Options]" + section that can be used to specify a directory which can contain + further configuration files and configuration file snippets matching + the pattern "*.conf". These files are read in after the main server + configuration file ("ngircd.conf" by default) has been read in and + parsed. The default is "$SYSCONFDIR/ngircd.conf.d", so that it is + possible to adjust the configuration only by placing additional files + into this directory. (Closes bug #157) + - Fix use-after-free in the Lists_CheckReason() function, which is used + to check if a client is a member of a particular ban/invite/... list. + - Xcode: fix detection of host OS, vendor, and CPU type, and update + project settings for Xcode 5. + - OS X PackageMaker: use relative path names in project files and package + with correct file permissions (requires root privileges on "make"). + - Add Travis-CI configuration file (".travis.yml") to project. + - Look for possible cloaked Masks in Lists. Users with +x usermode can + be banned with their cloaked hostname now. + - Don't read SSL client data before DNS resolver is finished which could + have resulted in discarding the resolved client hostname and IDENT + reply afterwards, because in some situations (timing dependent) the + NICK and USER commands could have already been read in from the client, + stored in the buffer, and been processed. + Thanks to Julian Brost for reporting the issue and testing, and to + Federico G. Schwindt for helping to debug it! + - Increase password length limit to 64 characters. (Closes bug #154) + - doc/Services.txt: Update Anope status and URL. + - Clean up Xcode project file, remove outdated files, add missing ones. + - Update Doxygen configuration file. 
+ - configure: search for iconv_open as well as libiconv_open, because + on some installations iconv_open() is actually libiconv_open(). + iconv_open() is the glibc version while libiconv_open() is the + libiconv version, now both variants are supported. (Closes bug #151) + - ngIRCd now accepts user names including "@" characters, saves the + unmodified name for authentication but stores only the part in front + of the "@" character as "IRC user name". And the latter is how + ircd2.11, Bahamut, and irc-seven behave as well. (Closes bug #155) + - Lots of IRC "information functions" like ADMIN, INFO, ... now accept + server masks and names of connected users (in addition to server names) + for specifying the target server of the command. (Closes bug #153) + - Implement a new configuration option "IdleTimeout" in the "[Limits]" + section of the configuration file which can be used to set a timeout + in seconds after which the whole daemon will shutdown when no more + connections are left active after handling at least one client. + The default is 0, "never". + This can be useful for testing or when ngIRCd is started using "socket + activation" with systemd(8), for example. + - Implement support for systemd(8) "socket activation". + - contrib/README: add description for more files. + - Enable WHOIS to display information about IRC Services using the new + numeric 310(RPL_WHOISSERVICE) This numeric is used for this purpose by + InspIRCd, for example -- but as usual, other numerics are in use, too, + like 613 in UltimateIRCd ... + Please note that neither the Operator (+o) not the "bot status" (+B) + of an IRC service id displayed in the output. + - Exit message: use singular & plural :-) + - autogen.sh: Check for autoconf/automake wrapper scripts + - Add missing punctuation marks in log messages, adjust some severity + levels, and make SSL-related messages more readable. + - AUTHORS file: Update list of contributors. 
+ - Update systemd(8) example configuration files in ./contrib/ directory: + the "ngircd.service" file now uses the "forking" service type which + enhances the log messages shown by "systemctl status ngircd.service", + and the new "ngircd.socket" file configures a systemd socket that + configures a socket for ngIRCd and launches the daemon on demand. + - Enhance help system and the HELP command: now a "help text file" can be + set using the new configuration option "HelpFile" ("global" section), + which is read in and parsed on server startup and configuration reload, + and then is used to output individual help texts to specific topics. + Please see the file ./doc/Commands.txt for details. + +ngIRCd 20.3 (2013-08-23) + + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + ngIRCd 20.2 (2013-02-15) - Security: Fix a denial of service bug in the function handling KICK - commands that could be used by arbitrary users to to crash the daemon. + commands that could be used by arbitrary users to to crash the daemon + (CVE-2013-1747). - WHO command: Use the currently "displayed hostname" (which can be cloaked!) for hostname matching, not the real one. In other words: don't display all the cloaked users on a specific real hostname! @@ -35,7 +176,7 @@ ngIRCd 20.2 (2013-02-15) - autogen.sh: Enforce serial test harness on GNU automake >=1.13. The new parallel test harness which is enabled by default starting with automake 1.13 isn't compatible with our test suite. - And don't use "egrep -o", insetead use "sed", because it isn't portable + And don't use "egrep -o", instead use "sed", because it isn't portable and not available on OpenBSD, for example. ngIRCd 20.1 (2013-01-02) 
@@ -56,7 +197,7 @@ ngIRCd 20 (2012-12-17) - Allow user names ("INDENT") up to 20 characters when ngIRCd has not been configured for "strict RFC mode". This is useful if you are using - external (PAM) authenticaion mechanisms that require longer user names. + external (PAM) authentication mechanisms that require longer user names. Patch suggested by Brett Smith , see . diff --git a/doc/Commands.txt b/doc/Commands.txt index 2d3cab2..e4f0090 100644 --- a/doc/Commands.txt +++ b/doc/Commands.txt 
@@ -97,53 +97,123 @@ Connection Handling Commands clients using UTF-8, which should be the default today. References: - - - - doc/Protocol.txt + - IRC+, + - IRC+, doc/Protocol.txt - NICK - NICK + NICK + NICK [] + NICK . - Change your nickname to . + Set or change the of a client (first form) and register + remote clients (second and third form; servers only). + + References: + - RFC 1459, 4.1.2 "Nick message" (old client and server protocol) + - RFC 2812, 3.1.2 "Nick message" (client protocol) + - RFC 2813, 4.1.3 "Nick" (server protocol) - PASS + PASS PASS [] . - Set a connection . This command must be sent before the - NICK/USER registration combination. + Set a connection . This command must be the first command + sent to the server, even before the NICK/USER or SERVER commands. . - See doc/Protocol.txt for more info. + The first form is used by user sessions or (old) RFC 1459 servers, + the second form is used by RFC 2812 or IRC+ compliant servers and + enables the server to indicate its version and supported protocol + features. + + References: + - RFC 1459, 4.1.1 "Password message" (old client and server protocol) + - RFC 2812, 3.1.1 "Password message" (client protocol) + - RFC 2813, 4.1.1 "Password message" (server protocol) + - IRC+, + - IRC+, doc/Protocol.txt - PING - PING [] + PING [] + . + Tests the presence of a connection to a client or server. . - Tests the presence of a connection. A PING message results in a PONG - reply. If is specified, the message gets passed on to it. + If no has been given, the local server is used. User clients + can only use other servers as , no user clients. + . + A PING message results in a PONG reply containing the , which + can be arbitrary text. 
+ + Please note: + The RFCs state that the parameter is used to specify the + origin of the PING command when forwarded in the network, but this + is not the case: the sender is specified using the prefix as usual, + and the parameter is used to identify the PONG reply in practice. + + References: + - RFC 2812, 3.7.2 "Ping message" - PONG - PONG [] + PONG [] . - This command is a reply to the PING command and works in much the - same way. + Reply to a "PING" command, indicate that the connection is alive. + . + The is the arbitrary text received in the "PING" command and + can be used to identify the correct PONG sent as answer. + . + When the "PONG" command is received from a user session, the + parameter is ignored; otherwise the PONG is forwarded to this client. + + References: + - RFC 2812, 3.7.3 "Pong message" - QUIT QUIT [] . - End IRC session and disconnect from the server. + Terminate a user session. + . + When received from a user, the server acknowledges this by sending + an "ERROR" message back to the client and terminates the connection. . - If a has been given, it is displayed to all the - channels that you are a member of when leaving. + When a has been given, it is sent to all the channels + that the client is a member of when leaving. + + References: + - RFC 2812, 3.1.7 "Quit" + - RFC 2813, 4.1.5 "Quit" - USER - USER + USER . - This command is used at the beginning of a connection to specify the - name, hostname, and initial user of the - connecting client. + Register (and authenticate) a new user session with a short + and a human-readable . . - may contain spaces, and thus must be prefixed with a colon. + The parameter is only used when received by an other server + and ignored otherwise; and the parameter is always ignored. + But both parameters are required on each invocation by the protocol + and can be set to arbitrary characters/text when not used. + . 
+ If contains an "@" character, the full is used + for authentication, but only the first part up to this character is + set as "user name" for this session. + + References: + - RFC 2812, 3.1.3 "User message" - WEBIRC - See doc/Protocol.txt + WEBIRC + . + Allow Web-to-IRC gateway software (for example) to set the correct + user name and host name of users instead of their own. + . + It must be the very first command sent to the server, even before + USER and NICK commands! + . + The must be set in the server configuration file to prevent + unauthorized clients to fake their identity; it is an arbitrary string. + + References: + - IRC+, + - IRC+, doc/Protocol.txt General Commands @@ -157,6 +227,9 @@ General Commands . If is omitted, the away status is removed. + References: + - RFC 2812, 4.1 "Away" + - HELP HELP [] . 
@@ -173,32 +246,102 @@ General Commands ngIRCd replies using "NOTICE" commands like ircd 2.10/2.11; other implementations are using numerics 704, 705, and 706. - - MODE - MODE (user) - MODE [] + MODE [{+|-}[] [{+|-}[] [...]]] + MODE [{+|-}[] [ [ [...]]] [{+|-}[] [ [ [...]]] [...]]] . - The MODE command is dual-purpose. It can be used to set both (user) and - modes. + Set and get user and channel modes. . - See doc/Modes.txt for more information. + When no mode parameters are given, the currently set user or channel + modes are returned. Otherwise the modes are adjusted accordingly + and the changes will be reported back to the client. + . + All user and channel "modes" are indicated by single case-sensitive + characters. + . + Please note that a user can only get and set his own modes, and not + all user "levels" are allowed to change all channel modes ... + . + The mode parameters can become quite complex, especially when dealing + with channel modes that require additional arguments: + . + {+|-} -- set or unset one or more modes. + + - -- set some modes and unset others. + + -- set (at least) two modes with arguments. + . + Some examples: + . + MODE nick +i -- set user to "invisible". + MODE #chan +tn -- set "topic lock" and "no external messages". + MODE #chan -t +l 50 -- remove "topic lock", set "user limit" to 50. + MODE #chan +ov nick1 nick2 -- set "channel op" and "voice" mode + to nick1 and nick2 in channel #chan. + . + A complete list of all modes supported by ngIRCd can be found online + here: . + + References: + - RFC 2811, 4. "Channel Modes" + - RFC 2812, 3.1.5 "User mode message" + - RFC 2812, 3.2.3 "Channel mode message" + - + - doc/Modes.txt - NOTICE - NOTICE + NOTICE [,[,...]] . - Send to (nick or channel). + Send a to a given , which can be a user or a + channel, but DON'T report any error. . - This command works similarly to PRIVMSG, except automatic replies must - never be sent in reply to NOTICE messages. 
+ The "NOTICE" command exactly behaves like the "PRIVMSG" command, but + doesn't report any errors it encounters (like an unknown ). + Please see the help text of the "PRIVMSG" command for a detailed + description of the parameters! + + References: + - RFC 2812, 2.3.1 "Message format in Augmented BNF" + - RFC 2812, 3.3 "Sending messages" + - RFC 2812, 3.3.2 "Notice" - PRIVMSG - PRIVMSG + PRIVMSG [,[,...]] + . + Send a to a given , which can be a user or a + channel, and report all errors. + . + The must follow one of these syntax variants: + . + - + - + - [%]@ + - % + - !@ + . + If the is a user, a private message is sent directly to this + user; if it resolves to a channel name, a public message is sent + to all the members of that channel. + . + In addition, IRC Ops can use these two forms to specify the : + . + - # + - # + . + The can contain the wildcard characters "*" and "?", but must + contain at least one dot (".") and no wildcard after the last one. + Then, the is sent to all users matching this . . - Send to (nick or channel). + All warnings and errors are reported back to the initiator using + numeric status codes, which is the only difference to the "NOTICE" + command, which doesn't report back any errors or warnings at all. . - Common IRC clients use MSG as PRIVMSG alias. - (Some clients use "QUERY []" to open a private chat.) + Please note that clients often use "MSG" as an alias to PRIVMSG, and + a command "QUERY []" to initiate private chats. Both + are command extensions of the client and never sent to the server. + References: + - RFC 2812, 2.3.1 "Message format in Augmented BNF" + - RFC 2812, 3.3 "Sending messages" + - RFC 2812, 3.3.1 "Private messages" Status and Informational Commands ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -308,17 +451,21 @@ Status and Informational Commands Show statistics and other information of type of a particular IRC server in the network. . - The following types are supported (case-insensitive): + The following types are supported (case-insensitive where + applicable): . - g Network-wide bans ("G-Lines"). - k Server-local bans ("K-Lines"). - - l Link status (parent server and own link only). + - L Link status (servers and user links). + - l Link status (servers and own link). - m Command usage count. - u Server uptime. . can be a server name, the nickname of a client connected to a specific server, or a mask matching a server name in the network. The server of the current connection is used when is omitted. + . + To use "STATS L" the user must be an IRC Operator. References: - RFC 2812, 3.4.4 "Stats message" @@ -336,10 +483,19 @@ Status and Informational Commands - RFC 2812, 3.4.6 "Time message" - TRACE - TRACE [] + TRACE [] + . + Find the route to a specific server and send information about its + peers. Each server that processes this command reports back to the + sender about it: the replies from pass-through servers form a chain + which shows the route to the destination. . - Trace a path across the IRC network of the current server, or if given - of a specific , in a similar method to traceroute. + can be a server name, the nickname of a client connected to + a specific server, or a mask matching a server name in the network. + The server of the current connection is used when is omitted. + + References: + - RFC 2812, 3.4.8 "Trace message" - USERHOST USERHOST [ [...]] 
@@ -419,129 +575,244 @@ Channel Commands ~~~~~~~~~~~~~~~~ - INVITE - INVITE + INVITE . - Invites to . - does not have to exist, but if it does, only members of the - channel are allowed to invite other clients. + Invite to join channel . . - If the mode "+i" is set, only operators may invite - other clients. + does not have to exist, but if it does, only members of the + channel are allowed to invite other users. If the channel mode "+i" + is set, only channel "half-ops" (and above) may invite other clients, + and if channel mode "+V" is set, nobody can invite other users. + + References: + - RFC 2812, 3.2.7 "Invite message" - JOIN - JOIN [] + JOIN {[,[,...]] [[,[,...]]] | 0} . - Makes the client join the (comma-separated list), specifying - the passwords, if needed, in the comma-separated list. - A is only needed, if the mode "+k" is set. + Makes the client join the (comma-separated list), specifying + the channel keys ("passwords"). A is only needed if the + has the mode "+k" set. . If the channel(s) do not exist, then they will be created. + . + Using "JOIN 0" parts all channels at once. + + References: + - RFC 2812, 3.2.1 "Join message" (client protocol) + - RFC 2813, 4.2.1 "Join message" (server protocol) - KICK - KICK [] + KICK [,[,...]] [,[,...]] [] . - Remove from , optional with a . + Remove users(s) with (s) from (s). . - Only operators are able to KICK. + There must be either exactly one parameter and multiple + parameters, or as many parameters as there are + parameters. The is shown to the users being + kicked, and the nickname of the current user is used when + is omitted. + + References: + - RFC 2812, 3.2.8 "Kick command" - LIST - LIST [ []] + LIST [[,[,...]] []] + . + List all visible (comma-separated list). . - List all visible (comma-seperated list) on the current - server. If is given, the command will be forwarded to for evaluation. + References: + - RFC 2812, 3.2.6 "List message" + - PART - PART [] + PART [,[,...]] [] . 
- Leave (comma-separated list), optional with a - . + Leave (comma-separated list), optionally with sending a + to all the other channel members. + + References: + - RFC 2812, 3.2.2 "Part message" - TOPIC - TOPIC + TOPIC [] . - Set a for . + Change or view the topic of a channel. . - Only operators are able to set a . + The topic for channel is returned if there is no + given. If the parameter is present, the topic for that + channel will be changed, if this action is allowed for the user + requesting it. If the parameter is an empty string, the + topic for that channel will be removed. + + References: + - RFC 2812, 3.2.4 "Topic message" Administrative Commands ~~~~~~~~~~~~~~~~~~~~~~~ - CONNECT - CONNECT [ [ [ ]]] + CONNECT [ [ [ ]]] + . + Instructs the current server, or if specified, + to connect to the server named , which must be configured + in the server configuration file. . - Instructs the current server, or if specified, - to connect to . + To use this command, the user must be an IRC Operator. To establish + a connection on a , you must have remote IRC operator + privileges. . - To connect you need to have remote oper status. - If is omitted, it uses the server port of the configuration. - If and is given, it uses those passwords instead - of the ones in the configuration. + If , and are given, these values override + the ones specified in the server configuration file. + + References: + - RFC 2812, 3.4.7 "Connect message" - DIE - DIE + DIE [] . Instructs the server to shut down. + . + The optional (and non-standard) text is sent to each client + connected to this server before all connections are closed. + . + To use this command, the user must be an IRC Operator. + + References: + - RFC 2812, 4.3 "Die message" - DISCONNECT - DISCONNECT [] + DISCONNECT + . + Disconnect and disable a locally linked server. . - Disconnects the current server, or if specified. - To disconnect a you need to have remote oper status. 
+ To use this command, the user must be an IRC Operator. + + References: + - This command is not specified in the IRC RFCs, it is an extension + of ngIRCd. - GLINE - GLINE : + GLINE [ :] + . + This command provides timed G-Lines (network-wide bans). . - This command provides timed G-Lines (Network-wide bans). If a client matches a G-Line, it cannot connect to any server on - the IRC network. If you put 0 as , it makes the G-Line - permanent. + the IRC network for seconds. When is 0, it make + the G-Line permanent. + . + If no and no is given, the G-Line is removed. . - To remove a G-Line, type "GLINE ". - To list the G-Lines, type "STATS g". + To use this command, the user must be an IRC Operator. + . + "STATS g" can be used to list all currently active G-Lines. + + References: + - This command is not specified in the IRC RFCs, it is an extension + of ngIRCd. - KILL - KILL + KILL + . + Forcibly remove all users with a given from the IRC + network and display the given to them. + . + This command is used internally between servers, too, for example + to disconnect duplicate 's after a "net split". . - Forcibly removes from the IRC network with a . + To use this command, the user must be an IRC Operator. + + References: + - RFC 2812, 3.7.1 "Kill message" - KLINE - KLINE : + KLINE [ :] + . + This command provides timed K-Lines (server-local bans). + . + If a client matches a K-Line, it cannot connect to this server for + seconds. When is 0, it makes the K-Line permanent. . - This command provides timed K-Lines (Server-local bans). - If a client matches a K-Line, it cannot connect to the issued server. - If you put 0 as , it makes the K-Line permanent. + If no and no is given, the K-Line is removed. . - To remove a K-Line, type "KLINE ". - To list the K-Lines, type "STATS k". + To use this command, the user must be an IRC Operator. + . + "STATS k" can be used to list all currently active K-Lines. 
+ + References: + - This command is not specified in the IRC RFCs, it is an extension + of ngIRCd. - OPER - OPER + OPER + . + Authenticates a user named as an IRC operator on the current + server/network. + . + This operator must be configured in the server configuration. . - Authenticates as an IRC operator on the current server/network. + Please note that is NOT related to a nickname at all! + + References: + - RFC 2812, 3.1.4 "Oper message" - REHASH REHASH . Causes the server to re-read and re-process its configuration file(s). + . + While rehashing, no new connections are accepted, but all already + established connections stay connected. + . + To use this command, the user must be an IRC Operator. + + References: + - RFC 2812, 4.2 "Rehash message" - RESTART RESTART . Restart the server. + . + While restarting, all connections are reset and no new connections + are accepted. + . + To use this command, the user must be an IRC Operator. + + References: + - RFC 2812, 4.4 "Restart message" - WALLOPS WALLOPS . Sends to all users with user mode "+w". + . + To use this command, the user must be an IRC Operator. + References: + - RFC 2812, 4.7 "Operwall message" IRC Service Commands ~~~~~~~~~~~~~~~~~~~~ - SERVICE + SERVICE + SERVICE {|+} + . + Register a new service in the network. + . + The first form is used by directly linked services and isn't supported + by ngIRCd at the moment. The second form announces services connected + to remote "pseudo-servers" ("services hubs"). + . + The and parameters are ignored by ngIRCd. + + References: + - RFC 2812, 3.1.6 "Service message" + - RFC 2813, 4.1.4 "Service message" - SERVLIST SERVLIST [ []] 
@@ -558,8 +829,39 @@ IRC Service Commands - RFC 2812, 3.5.1 "Servlist message" - SQUERY + SQUERY [,[,...]] + . + Send a to a given IRC service, and report all + errors. + . + The "SQUERY" command exactly behaves like the "PRIVMSG" command, but + enforces that the of the is an IRC service. + Please see the help text of the "PRIVMSG" command for a detailed + description of the parameters! + . + If a user wants to interact with IRC services, he should use "SQUERY" + instead of "PRIVMSG" or "NOTICE": only "SQUERY makes sure that no + regular user, which uses the nickname of an IRC service, receives + the command in error, for example during a "net split"! + + References: + - RFC 2812, 2.3.1 "Message format in Augmented BNF" + - RFC 2812, 3.3 "Sending messages" + - RFC 2812, 3.3.2 "Notice" - SVSNICK + SVSNICK + . + Forcefully change foreign user nicknames. This command is allowed + for servers only. + . + The "SVSNICK" command is forwarded to the server to which the user + with nickname is connected to, which in turn generates a + regular "NICK" command that then is sent to the client, so no special + support in the client software is required. + + References: + - ngIRCd GIT commit e3f300d3231f Server Protocol Commands 
@@ -571,16 +873,27 @@ Server Protocol Commands CHANINFO is used by servers to inform each other about a channel: its modes, channel key, user limits and its topic. . - See doc/Protocol.txt for more information. + The CHANINFO command is allowed on server-links only. + + References: + - IRC+, + - IRC+, doc/Protocol.txt - ERROR ERROR [ [<> [...]]] . - Return an error message to the server. The first parameter, if given, - will be logged by the server, all further parameters are silently - ignored. + Inform a client or a server about an error condition. The first + parameter, if given, is logged by the server receiving the message, + all other parameters are silently ignored. + . + This command is silently ignored on non-server and non-service links + and shouldn't be used by regular IRC clients. . - This command is silently ignored on non-server and non-service links. + The ERROR message is also sent before terminating a regular client + connection. + + References: + - RFC 2812, 3.7.4 "Error message" - METADATA METADATA 
@@ -589,17 +902,49 @@ Server Protocol Commands information of clients, like the hostname, the info text ("real name"), or the user name. . - See doc/Protocol.txt for more information. + The METADATA command is allowed on server-links only. + + References: + - IRC+, + - IRC+, doc/Protocol.txt - NJOIN + NJOIN [][,[][,...]] + . + The NJOIN command is used on server-links to add users with + and to a while peering. + . + The NJOIN command is allowed on server-links only. + + References: + - RFC 2813, 4.2.2 "Njoin message" - SERVER + SERVER + SERVER + SERVER + . + The first form registers the local connection as a new server in the + network, the second (RFC 1459) and third (RFC 2812) form announce a + new remote server in the network. + . + The SERVER command is allowed on unregistered or server-links only. + + References: + - RFC 1459, 4.1.4 "Server message" + - RFC 2813, 4.1.2 "Server message" - SQUIT - SQUIT + SQUIT . Disconnects an IRC Server from the network. + . + This command is used on server-links, but can be used by IRC Operators + to forcefully disconnect servers from the network, too. + References: + - RFC 2812, 3.1.8 "Squit" + - RFC 2813, 4.1.6 "Server quit message" Dummy Commands ~~~~~~~~~~~~~~ @@ -628,5 +973,19 @@ Dummy Commands - RFC 2812, 4.6 "Users" - GET + GET [...] + . + Fake HTTP GET command. When received, the connection is shut down + immediately again to protect against crazy web browsers ... + + References: + - ngIRCd GIT commit 33e8c2480649 - POST + POST [...] + . + Fake HTTP POST command. When received, the connection is shut down + immediately again to protect against crazy web browsers ... + + References: + - ngIRCd GIT commit 33e8c2480649 diff --git a/doc/INSTALL b/doc/INSTALL index de60feb..eec2b37 100644 --- a/doc/INSTALL +++ b/doc/INSTALL 
@@ -12,11 +12,18 @@ I. Upgrade Information ~~~~~~~~~~~~~~~~~~~~~~ +Differences to previous version + +- Starting with ngIRCd 21, the ciphers used by SSL are configurable and + default to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). + Previous version were using the OpenSSL or GnuTLS defaults, DEFAULT + and NORMAL respectively. + Differences to version 19.x - Starting with ngIRCd 20, users can "cloak" their hostname only when the configuration variable "CloakHostModeX" (introduced in 19.2) is set. - Otherwise, only IRC opertators, other servers, and services are allowed to + Otherwise, only IRC operators, other servers, and services are allowed to set mode +x. This prevents regular users from changing their hostmask to the name of the IRC server itself, which confused quite a few people ;-) diff --git a/doc/NEWS b/doc/NEWS index 38f6029..e8f898a 100644 --- a/doc/NEWS +++ b/doc/NEWS 
@@ -9,11 +9,95 @@ -- NEWS -- +ngIRCd 21~rc1 (2013-10-05) + + - Actually KILL clients on GLINE/KLINE. (Closes bug #156) + - Add support to show all user links using the "STATS L" (uppercase) + command (restricted to IRC Operators). + - Implement configurable SSL cipher list selection for GnuTLS and OpenSSL + using the new configuration option "CipherList". In addition, this + changes the defaults to more secure values: "HIGH:!aNULL:@STRENGTH" for + OpenSSL, and "SECURE128" for GnuTLS. + - Show connection flag "s" (SSL) in RPL_TRACE{LINK|SERVER} messages: now + you can check if a server-to-server link is SSL-encrypted or not using + the IRC "TRACE" command. + - Implement the new configuration option "DefaultUserModes" which lists + user modes that become automatically set on new local clients right + after login. Please note that only modes can be set that the client + could set on itself, so you can't set "a" (away) or "o" (IRC Op), + for example! User modes "i" (invisible) or "x" (cloaked) etc. are + "interesting", though. (Closes bug #160) + - Add support for the new METADATA "account" property, which allows + services to automatically identify users after netsplits and across + service restarts. + - Implement a new configuration option "AllowedChannelTypes" that lists + all allowed channel types (channel prefixes) for newly created channels + on the local server. By default, all supported channel types are allowed. + If set to the empty string, local clients can't create new channels at + all, which equals the old "PredefChannelsOnly = yes" setting. + This change deprecates the "PredefChannelsOnly" variable, too, but it is + still supported and translated to the apropriate "AllowedChannelTypes" + setting. When the old "PredefChannelsOnly" variable is processed, a + warning message is logged. (Closes bug #152) + - Add support for "client certificate fingerprinting". 
When a client + passes an SSL certificate to the server, the "fingerprint" will be + forwarded in the network which enables IRC services to identify the + user using this certificate and not using passwords. + - Implement a new configuration option "IncludeDir" in the "[Options]" + section that can be used to specify a directory which can contain + further configuration files and configuration file snippets matching + the pattern "*.conf". These files are read in after the main server + configuration file ("ngircd.conf" by default) has been read in and + parsed. The default is "$SYSCONFDIR/ngircd.conf.d", so that it is + possible to adjust the configuration only by placing additional files + into this directory. (Closes bug #157) + - Add Travis-CI configuration file (".travis.yml") to project. + - ngIRCd now accepts user names including "@" characters, saves the + unmodified name for authentication but stores only the part in front + of the "@" character as "IRC user name". And the latter is how + ircd2.11, Bahamut, and irc-seven behave as well. (Closes bug #155) + - Lots of IRC "information functions" like ADMIN, INFO, ... now accept + server masks and names of connected users (in addition to server names) + for specifying the target server of the command. (Closes bug #153) + - Implement a new configuration option "IdleTimeout" in the "[Limits]" + section of the configuration file which can be used to set a timeout + in seconds after which the whole daemon will shutdown when no more + connections are left active after handling at least one client. + The default is 0, "never". + This can be useful for testing or when ngIRCd is started using "socket + activation" with systemd(8), for example. + - Implement support for systemd(8) "socket activation". 
+ - Enable WHOIS to display information about IRC Services using the new + numeric 310(RPL_WHOISSERVICE) This numeric is used for this purpose by + InspIRCd, for example -- but as usual, other numerics are in use, too, + like 613 in UltimateIRCd ... + Please note that neither the Operator (+o) not the "bot status" (+B) + of an IRC service id displayed in the output. + - Update systemd(8) example configuration files in ./contrib/ directory: + the "ngircd.service" file now uses the "forking" service type which + enhances the log messages shown by "systemctl status ngircd.service", + and the new "ngircd.socket" file configures a systemd socket that + configures a socket for ngIRCd and launches the daemon on demand. + - Enhance help system and the HELP command: now a "help text file" can be + set using the new configuration option "HelpFile" ("global" section), + which is read in and parsed on server startup and configuration reload, + and then is used to output individual help texts to specific topics. + Please see the file ./doc/Commands.txt for details. + +ngIRCd 20.3 (2013-08-23) + + - This release is a bugfix release only, without new features. + - Security: Fix a denial of service bug (server crash) which could happen + when the configuration option "NoticeAuth" is enabled (which is NOT the + default) and ngIRCd failed to send the "notice auth" messages to new + clients connecting to the server (CVE-2013-5580). + ngIRCd 20.2 (2013-02-15) - This release is a bugfix release only, without new features. - Security: Fix a denial of service bug in the function handling KICK - commands that could be used by arbitrary users to to crash the daemon. + commands that could be used by arbitrary users to to crash the daemon + (CVE-2013-1747). ngIRCd 20.1 (2013-01-02) 
@@ -23,7 +107,7 @@ ngIRCd 20 (2012-12-17) - Allow user names ("INDENT") up to 20 characters when ngIRCd has not been configured for "strict RFC mode". This is useful if you are using - external (PAM) authenticaion mechanisms that require longer user names. + external (PAM) authentication mechanisms that require longer user names. Patch suggested by Brett Smith , see . diff --git a/doc/PAM.txt b/doc/PAM.txt index 64bbc7b..671f071 100644 --- a/doc/PAM.txt +++ b/doc/PAM.txt @@ -1,9 +1,8 @@ ngIRCd - Next Generation IRC Server + http://ngircd.barton.de/ - (c)2001-2010 Alexander Barton, - alex@barton.de, http://www.barton.de/ - + (c)2001-2013 Alexander Barton and Contributors. ngIRCd is free software and published under the terms of the GNU General Public License. @@ -34,3 +33,13 @@ is running as. Therefore a lot of PAM modules aren't working as expected, because they need root privileges ("pam_unix", for example)! Only PAM modules not(!) requiring root privileges (such as "pam_pgsql", "pam_mysql", "pam_opendirectory" ...) can be used in conjunction with ngIRCd. + +More Examples: + + * Use an own "password file" for ngIRCd: + + Note: you can use the htpasswd(1) utility of Apache to manage password + files used by pam_pwdfile, see "man htpasswd"! + + /etc/pam.d/ngircd: + auth required pam_pwdfile.so pwdfile=/etc/ngircd/ngircd.passwd diff --git a/doc/Platforms.txt b/doc/Platforms.txt index 9ff3b6c..e9c19a4 100644 --- a/doc/Platforms.txt +++ b/doc/Platforms.txt @@ -2,7 +2,7 @@ ngIRCd - Next Generation IRC Server http://ngircd.barton.de/ - (c)2001-2012 Alexander Barton and Contributors. + (c)2001-2013 Alexander Barton and Contributors. ngIRCd is free software and published under the terms of the GNU General Public License. 
@@ -26,7 +26,7 @@ list can be updated. Thanks for your help! Platform Compiler ngIRCd Date Tester C M T R See --------------------------- ------------ ---------- -------- ------ - - - - --- alpha/unknown/netbsd3.0 gcc 3.3.3 CVSHEAD 06-05-07 fw Y Y Y Y (3) -armv6l/unkn./linux-gnueabi gcc 4.4.5 19.1 12-06-04 goetz Y Y Y Y (5) +armv6l/unkn./linux-gnueabi gcc 4.7.2 20.2 13-03-08 goetz Y Y Y Y (5) armv7l/unkn./linux-gnueabi gcc 4.4.3 19.1 12-04-29 goetz Y Y Y Y (5) hppa/unknown/openbsd3.5 gcc 2.95.3 CVSHEAD 04-05-25 alex Y Y Y Y hppa1.1/unknown/linux-gnu gcc 3.3.3 0.8.0 04-05-30 alex Y Y Y Y @@ -73,10 +73,10 @@ powerpc/unknown/openbsd3.6 gcc 2.95.3 0.10.0 06-10-08 alex Y Y N Y sparc/sun/solaris2.6 gcc 2.95.3 0.7.x-CVS 03-04-22 alex Y Y Y Y sparc/sun/solaris2.7 gcc 3.3 0.8.0 04-05-30 alex Y Y Y Y sparc/unkn./netbsdelf1.6.1 gcc 2.95.3 0.8.0 04-05-30 alex Y Y Y Y -x86_64/apple/darwin12.2.0 gcc 4.2.1 20~rc1 12-11-13 alex Y Y Y Y (3) +x86_64/apple/darwin12.3.0 gcc 4.2.1 20.2 13-04-01 alex Y Y Y Y (3) x86_64/unknown/freebsd8.1 gcc 4.2.1 20~rc1 12-11-13 alex Y Y Y Y (3) x86_64/unkn./freebsd8.1-gnu gcc 4.4.5 19 12-02-26 alex Y Y Y Y (3) -x86_64/unknown/linux-gnu gcc 4.4.5 20~rc1 12-02-26 alex Y Y Y Y (1) +x86_64/unknown/linux-gnu gcc 4.4.5 20.2 13-04-01 alex Y Y Y Y (1) x86_64/unknown/openbsd4.7 gcc 3.3.5 20~rc1 12-02-26 alex Y Y Y Y (3) x86_64/unknown/openbsd4.8 gcc 4.2.1 20~rc1 12-11-13 alex Y Y Y Y (3) diff --git a/doc/Protocol.txt b/doc/Protocol.txt index 39c5730..6b3cfbc 100644 --- a/doc/Protocol.txt +++ b/doc/Protocol.txt 
@@ -224,8 +224,10 @@ new server link", "M"), even if it doesn't support the given The following names are defined: - - "host": the hostname of a client (can't be empty) + - "accountname": the account name of a client (can't be empty) + - "certfp": the certificate fingerprint of a client (can't be empty) - "cloakhost": the cloaked hostname of a client + - "host": the hostname of a client (can't be empty) - "info": info text ("real name") of a client - "user": the user name of a client (can't be empty) diff --git a/doc/Services.txt b/doc/Services.txt index f51bd48..2704f02 100644 --- a/doc/Services.txt +++ b/doc/Services.txt @@ -14,7 +14,7 @@ acting as a "regular servers" ("pseudo servers") are supported, either using the IRC protocol as defined in RFC 1459 or RFC 2812. Support for Services has been tested using - - Anope 1.9.8 or later (; unreleased!) + - Anope 1.9.8 or later () - Atheme 7.0.2 or later () - "IRC Services" 5.1.x by Andrew Church () @@ -44,10 +44,8 @@ Example: Setting up Anope 1.9.x ~~~~~~~~~~~~~~~~~~~~~~ -Anope 1.9.8 or later (; unreleased as of 2012-11-10) -may be used with ngIRCd using the "ngircd" protocol module. -Until Anope 1.9.8 is released, you have to use the sources from the Anope -development GIT tree, see ! +Anope 1.9.8 or later () can be used with ngIRCd using +the "ngircd" protocol module. At least the following settings have to be tweaked, in addition to all the settings marked as required by Anope: diff --git a/doc/sample-ngircd.conf b/doc/sample-ngircd.conf index 3cf53a6..4eb3c92 100644 --- a/doc/sample-ngircd.conf +++ b/doc/sample-ngircd.conf @@ -33,6 +33,10 @@ ;AdminInfo2 = Location ;AdminEMail = admin@irc.server + # Text file which contains the ngIRCd help text. This file is required + # to display help texts when using the "HELP " command. + ;HelpFile = /usr/local/share/doc/ngircd/Commands.txt + # Info text of the server. This will be shown by WHOIS and # LINKS requests for example. Info = Server Info Text 
@@ -45,7 +49,7 @@ # Text file with the "message of the day" (MOTD). This message will # be shown to all users connecting to the server: - ;MotdFile = /opt/ngircd/alex.git/etc/ngircd.motd + ;MotdFile = /usr/local/etc/ngircd.motd # A simple Phrase (<256 chars) if you don't want to use a motd file. ;MotdPhrase = "Hello world!" @@ -84,6 +88,13 @@ # to not yet (or no longer) connected servers. ;ConnectRetry = 60 + # Number of seconds after which the whole daemon should shutdown when + # no connections are left active after handling at least one client + # (0: never, which is the default). + # This can be useful for testing or when ngIRCd is started using + # "socket activation" with systemd(8), for example. + ;IdleTimeout = 0 + # Maximum number of simultaneous in- and outbound connections the # server is allowed to accept (0: unlimited): ;MaxConnections = 0 @@ -117,6 +128,12 @@ # behavior of ngIRCd. If you want to get started quickly, you most # probably don't have to make changes here -- they are all optional. + # List of allowed channel types (channel prefixes) for newly created + # channels on the local server. By default, all supported channel + # types are allowed. Set this variable to the empty string to disallow + # creation of new channels by local clients at all. + ;AllowedChannelTypes = #&+ + # Are remote IRC operators allowed to control this server, e.g. # use commands like CONNECT, SQUIT, DIE, ...? ;AllowRemoteOper = no @@ -148,7 +165,12 @@ ;ConnectIPv6 = yes ;ConnectIPv4 = yes - # Do any DNS lookups when a client connects to the server. + # Default user mode(s) to set on new local clients. Please note that + # only modes can be set that the client could set on itself, you can't + # set "a" (away) or "o" (IRC Op), for example! Default: none. + ;DefaultUserModes = i + + # Do DNS lookups when a client connects to the server. ;DNS = yes # Do IDENT lookups if ngIRCd has been compiled with support for it. 
@@ -156,6 +178,10 @@ # prepended to their user name. ;Ident = yes + # Directory containing configuration snippets (*.conf), that should + # be read in after parsing this configuration file. + ;IncludeDir = /usr/local/etc/conf.d + # Enhance user privacy slightly (useful for IRC server on TOR or I2P) # by censoring some information like idle time, logon time, etc. ;MorePrivacy = no @@ -194,9 +220,6 @@ # character prepended to their respective user names! ;PAMIsOptional = no - # Allow Pre-Defined Channels only (see Section [Channels]) - ;PredefChannelsOnly = no - # Let ngIRCd send an "authentication PING" when a new client connects, # and register this client only after receiving the corresponding # "PONG" reply. @@ -223,13 +246,22 @@ # So don't forget to remove the ";" above if this is the case ... # SSL Server Key Certificate - ;CertFile = /opt/ngircd/alex.git/etc/ssl/server-cert.pem + ;CertFile = /usr/local/etc/ssl/server-cert.pem + + # Select cipher suites allowed for SSL/TLS connections. This defaults + # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). + # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' + # (GnuTLS) for details. + # For OpenSSL: + ;CipherList = HIGH:!aNULL:@STRENGTH + # For GnuTLS: + ;CipherList = SECURE128 # Diffie-Hellman parameters - ;DHFile = /opt/ngircd/alex.git/etc/ssl/dhparams.pem + ;DHFile = /usr/local/etc/ssl/dhparams.pem # SSL Server Key - ;KeyFile = /opt/ngircd/alex.git/etc/ssl/server-key.pem + ;KeyFile = /usr/local/etc/ssl/server-key.pem # password to decrypt SSLKeyFile (OpenSSL only) ;KeyFilePassword = secret @@ -340,7 +372,7 @@ # Key file, syntax for each line: "::". # Default: none. - ;KeyFile = /opt/ngircd/alex.git/etc/#chan.key + ;KeyFile = /usr/local/etc/#chan.key # maximum users per channel (mode l) ;MaxUsers = 23 diff --git a/news.php.de b/news.php.de index 3b85815..d4356fd 100644 --- a/news.php.de +++ b/news.php.de @@ -14,6 +14,7 @@

Die aktuelle stabile Version ist Release 20.3 vom 23. August 2013, + im Test befindet sich Version 21~rc1 vom 5. Oktober 2013, siehe auch die Download-Möglichkeiten.

diff --git a/news.php.en b/news.php.en index 50d83ec..c950d5b 100644 --- a/news.php.en +++ b/news.php.en @@ -14,7 +14,8 @@

The current stable version is Release 20.3 of August 23 2013, - please also refer to the Download + and Release 21~rc1 of Oktober 5 2013 is for testing, + please refer to the Download options.

-- 2.39.2
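Review bot: In the doc/Commands.txt SERVER entry, the description attributes the third form to RFC 2812, while the References list directly below cites RFC 1459, 4.1.4 and RFC 2813, 4.1.2 "Server message". One of the two RFC numbers is a typo; please make the prose and the reference agree so a reader looks up the right section.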
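Review bot: The new "Differences to previous version" note in doc/INSTALL describes the changed SSL cipher defaults but never names the option that controls them, which doc/NEWS and doc/sample-ngircd.conf call "CipherList". Suggest naming the option here and stating that an operator can set it back to DEFAULT (OpenSSL) or NORMAL (GnuTLS), because this is the section people read when an upgrade leaves older clients or peer servers unable to complete the TLS handshake. In the same paragraph, "Previous version were using" should read "Previous versions were using".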
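Review bot: The added 21~rc1 block in doc/NEWS has several spelling and grammar slips that will end up in the release notes: "apropriate" (AllowedChannelTypes entry), "neither the Operator (+o) not the" and "id displayed" (WHOIS entry, should be "nor" and "is"), and a missing full stop after "310(RPL_WHOISSERVICE)". The 20.2 entry is touched to add CVE-2013-1747 but still reads "to to crash the daemon"; since the line changes anyway, fix the doubled word in the same commit.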
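Review bot: The pam_pwdfile example added to doc/PAM.txt gives the path /etc/ngircd/ngircd.passwd but says nothing about ownership or mode of that file. The paragraph just above explains that PAM modules run with the privileges of the user ngIRCd runs as, so the file has to be readable by that user; the example should say so and recommend that it is not readable by other local accounts, since it holds password hashes.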
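Review bot: doc/Protocol.txt adds the METADATA name "accountname", but the doc/NEWS entry in this same patch announces it as the new METADATA "account" property. Services authors will implement whichever string they read first, so please settle on one spelling in both files.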
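Review bot: In doc/sample-ngircd.conf the commented example ";IncludeDir = /usr/local/etc/conf.d" does not match the default documented in doc/NEWS, "$SYSCONFDIR/ngircd.conf.d". The other sample values in this file show the built-in default, so either the example path or the NEWS text is wrong. Since every "*.conf" file in that directory is parsed as server configuration, the comment should also say that the directory must be writable only by the administrator.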
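Review bot: The CipherList comment block in doc/sample-ngircd.conf lists two commented assignments, ";CipherList = HIGH:!aNULL:@STRENGTH" and ";CipherList = SECURE128", which use different syntaxes for different TLS libraries. The comment should state explicitly that only the line matching the library ngIRCd was built with may be uncommented, so nobody enables both or hands an OpenSSL cipher string to a GnuTLS build.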
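Review bot: The added line in news.php.en reads "Release 21~rc1 of Oktober 5 2013", which carries the German spelling over from news.php.de. In the English page it should be "October 5 2013", matching the "August 23 2013" date format on the line above.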