From 5a743878dbe109c98b6b568afe67cd55bc03645c Mon Sep 17 00:00:00 2001
From: Rob Swindell <rob@synchro.net>
Date: Sun, 20 Feb 2022 17:03:23 -0800
Subject: [PATCH] Change the semantics of the "Allow Sysop Logins" setting in
SCFG->System
As Andre pointed out while documenting this setting on the wiki, the option seemed confusing: if a sysop could not login with "system operator access", how could they login at all? Answer: they could not.
This setting used to be called "Allow Remote Sysop Logins", back when there was the concept of a "local login", so setting this option to "No" would mean that user accounts with sysop access could only be used for *local* login. But in Synchronet v3, there's really no such concept as a "local login", so it was changed to just "Allow Sysop Logins" (period) and not a lot of thought given to how/why a sysop would actually set to this "No" or what the implications would be (presumably, nobody ever sets this to "No").
So rather than just get rid if the option altogether, I changed it to mean: an account with sysop access (i.e. level 90+) can still login, but any action that normally requires the system password will not be allowed. This includes the sysop-actions available in the FTP server when authenticating with <user-pass>:<system-pass> as the password. The sysop-user can still authenticate (and login), but none of those sysop-actions will be available to them.
---
src/sbbs3/answer.cpp | 4 ++--
src/sbbs3/ftpsrvr.c | 7 +++++--
src/sbbs3/login.cpp | 2 +-
src/sbbs3/logon.cpp | 4 ----
4 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/src/sbbs3/answer.cpp b/src/sbbs3/answer.cpp
index 9322993c60..b849cd441f 100644
--- a/src/sbbs3/answer.cpp
+++ b/src/sbbs3/answer.cpp
@@ -115,7 +115,7 @@ bool sbbs_t::answer()
console&=~(CON_R_ECHOX|CON_L_ECHOX);
}
else {
- if(REALSYSOP && (cfg.sys_misc&SM_SYSPASSLOGIN)) {
+ if(REALSYSOP && (cfg.sys_misc&SM_SYSPASSLOGIN) && (cfg.sys_misc&SM_R_SYSOP)) {
rioctl(IOFI); /* flush input buffer */
if(!chksyspass())
bputs(text[InvalidLogon]);
@@ -216,7 +216,7 @@ bool sbbs_t::answer()
}
else {
SAFECOPY(rlogin_pass, tmp);
- if(REALSYSOP && (cfg.sys_misc&SM_SYSPASSLOGIN)) {
+ if(REALSYSOP && (cfg.sys_misc&SM_SYSPASSLOGIN) && (cfg.sys_misc&SM_R_SYSOP)) {
rioctl(IOFI); /* flush input buffer */
if(!chksyspass())
bputs(text[InvalidLogon]);
diff --git a/src/sbbs3/ftpsrvr.c b/src/sbbs3/ftpsrvr.c
index 75232cd267..c22e484ce9 100644
--- a/src/sbbs3/ftpsrvr.c
+++ b/src/sbbs3/ftpsrvr.c
@@ -2470,8 +2470,11 @@ static void ctrl_thread(void* arg)
putuserrec(&scfg,user.number,U_NETMAIL,LEN_NETMAIL,password);
}
else if(user.level>=SYSOP_LEVEL && !stricmp(password,sys_pass)) {
- lprintf(LOG_INFO,"%04d <%s> Sysop access granted", sock, user.alias);
- sysop=TRUE;
+ if(scfg.sys_misc&SM_R_SYSOP) {
+ lprintf(LOG_INFO,"%04d <%s> Sysop access granted", sock, user.alias);
+ sysop=TRUE;
+ } else
+ lprintf(LOG_NOTICE, "%04d <%s> Remote sysop access disabled", sock, user.alias);
}
else if(stricmp(password,user.pass)) {
if(scfg.sys_misc&SM_ECHO_PW)
diff --git a/src/sbbs3/login.cpp b/src/sbbs3/login.cpp
index 4690fdcfc4..38408a09e6 100644
--- a/src/sbbs3/login.cpp
+++ b/src/sbbs3/login.cpp
@@ -138,7 +138,7 @@ int sbbs_t::login(char *username, char *pw_prompt, const char* user_pw, const ch
useron.misc=useron_misc;
return(LOGIC_FALSE);
}
- if(REALSYSOP && (cfg.sys_misc&SM_SYSPASSLOGIN) && !chksyspass(sys_pw)) {
+ if(REALSYSOP && (cfg.sys_misc&SM_SYSPASSLOGIN) && (cfg.sys_misc&SM_R_SYSOP) && !chksyspass(sys_pw)) {
bputs(text[InvalidLogon]);
useron.number=0;
useron.misc=useron_misc;
diff --git a/src/sbbs3/logon.cpp b/src/sbbs3/logon.cpp
index 5ddc5add8a..626630f029 100644
--- a/src/sbbs3/logon.cpp
+++ b/src/sbbs3/logon.cpp
@@ -57,10 +57,6 @@ bool sbbs_t::logon()
if(useron.rest&FLAG('Q'))
sys_status ^= SS_QWKLOGON;
- if(SYSOP && !(cfg.sys_misc&SM_R_SYSOP)) {
- hangup();
- return(false);
- }
if(useron.rest&FLAG('G')) { /* Guest account */
useron.misc=(cfg.new_misc&(~ASK_NSCAN));
--
GitLab