Forum


Notice to all users

We are migrating towards a new forum system located at community.teamspeak.com, as such this forum will become read-only on January 29, 2020

Results 1 to 9 of 9
  1. #1
    Join Date
    October 2014
    Posts
    6

    ClientDB Needed and Delete Power

    Hey!

    Note: I reference clientdb often, which is how it is listed in permissions, but in the client, it can be access by "Permissions" > "List All Clients".

    I'll get straight to the point; this is my scenario:

    I host several TeamSpeak 3 servers for friends and their communities (free of charge of course ), and to make administration easier, my TeamSpeak 3 identity is a member of a server query group with additional permissions. I choose to use a server query group as they are unmanageable from within the TeamSpeak 3 clients and thus cannot be modified, members added or removed (giving the owner full control with their virtualserver groups).

    However, we decided to test if (virtualserver) "Server Admins" were able to delete clients (specifically clients that are member of server query groups) from the client database which currently stores all clients who have connected to the virtual server. The test however was a success and virtual server administrators, could in-fact remove clients that were potentially higher rank (server query groups including). If one of the clients are deleted, then so is their relationship with the server (which I guess is intended behaviour); which in turn strips the deleted client of all groups and permissions. However I personally do not think it is a good idea to allow virtual server administrators to delete higher ranked administrators, or server query administrators. So I think this could possibly qualify as a security hole within the permissions system should you wish to allow some administrators/groups to delete clients.

    Therefore, I request that additional permissions are added to the client/groups permissions system:

    b_virtualserver_clientdb_delete_power
    b_virtualserver_needed_clientdb_delete_power

    Which will enable the prevention of some administration groups being unable to delete clients from the client database.

    Or if there is something that I may have missed to actually fix this issue I am having in this scenario, then it would be great if you could point it out to me

    Regards
    Last edited by Jerotire; October 19th, 2014 at 12:05 PM.

  2. #2
    Join Date
    January 2010
    Location
    Secret Base in Arctic Region
    Posts
    1,671
    Its not supported nor necessary to put regular users into query groups.
    Thats what template groups are for. Create one, assign necessary permissions (so they cant be edited by SA) and you can use them on every server you create for management purposes.

  3. #3
    Join Date
    October 2014
    Posts
    6
    Quote Originally Posted by Alcazar View Post
    Its not supported nor necessary to put regular users into query groups.
    Thats what template groups are for. Create one, assign necessary permissions (so they cant be edited by SA) and you can use them on every server you create for management purposes.
    Thanks Alcazar for your response. So am I to assume that a user can be assigned to a template group? Or would I have to create a "network admin" group on each virtual server based on that template (and if so, would I be able to hide it from lower server administrators) ? That was my main reason for using server query groups as they were global, could be assigned to users/identities and could not be seen in group managers or managed from the virtual server instances. In addition, I think my main point would still apply where administrators could still delete my identity from the clients (I still want the virtual server administrators to have control over their clientdb for their virtual servers, just not to be able to delete my identity) . Which is why I request those permissions be introduced.

  4. #4
    Join Date
    June 2008
    Posts
    18,513
    No, we do not support adding users into any non regular Group.

    Alcazar tried to tell you, that you can create template groups, that can not be edited from others.
    These template groups are used to create a regular group on virtual server creation or on a permreset.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  5. #5
    Join Date
    October 2014
    Posts
    6
    Thanks for replying guys. But I think you are missing the point. But I'll try to explain..

    The point is, regardless of what type of group I use whether it be regular, template or server query; the fact remains that a Server Admin can effectivly remove/strip a Head Server Admin's group/rank via the Client DB (Permissions -> List All Clients), if they share the permission "b_client_delete_dbproperties" there are NO power levels to prevent a lesser admin from deleting a higher admin (this was also tested with two "regular" groups, one of the groups (Head Admin) I set the following values to 100:

    i_group_modify_power
    i_group_needed_modify_power
    i_group_member_add_power
    i_group_needed_member_add_power
    i_group_member_remove_power
    i_group_needed_member_remove_power
    i_permission_modify_power
    i_client_permission_modify_power
    i_client_needed_permission_modify_power


    Now, maybe I may have missed something or another permission I needed to edit (but a keyword search for a permission containing the word "delete", "remove", "dbproperties" and "db" did not yeild a result relating to the deleting of clients in the client database (except b_client_delete_dbproperties which is a boolean).

    Both groups (Admin and Head Admin) had the following permissions set to YES:

    b_client_modify_dbproperties
    b_client_delete_dbproperties
    <-- Aka this allows the clients in the group to DELETE entries/identities/users from the "List All Clients" and is what I think requires additional parameters or integer power levels:

    i_virtualserver_clientdb_delete_power
    i_virtualserver_needed_clientdb_delete_power


    OR

    i_client_dbproperties_delete_power
    i_client_dbproperties_needed_delete_power


    To prevent Admins from deleting higher Admins; or at least something along those lines, whilst still allowing both to effectively delete users from the "List All Clients" dialog (client database).

    And I am unsure about the "do not support adding users to a regular groups" then the immediate rejected, without reading the core question/suggestion of the topic or at least attempting to understand what the suggestion was. In regards to the non-regular groups, I am lead to the fact that they share the same permissions tree anyway, it is just based on access/visibility levels or scope from within the client, and am confused to why they are not supported (although that is besides the point).
    Last edited by Jerotire; October 20th, 2014 at 06:22 PM.

  6. #6
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    Quote Originally Posted by Jerotire View Post
    Thanks for replying guys. But I think you are missing the point. But I'll try to explain..

    The point is, regardless of what type of group I use wether it be regular, template or server query; the fact remains that a Server Admin can effectivly remove/strip a Head Server Admin's group/rank via the Client DB (Permissions -> List All Clients), if they share the permission "b_client_delete_dbproperties" there are NO power levels to prevent a lesser admin from deleting a higher admin
    Much bla.
    Very mimimi.
    So cry.
    Wow.
    Then don't give lesser admins the permissions to delete people at all. There is no reason why people would give very mighty permissions to random people they don't trust 100%.

  7. #7
    Join Date
    October 2014
    Posts
    6
    Comon numma_cway let us here something constructive, I mean the same can be said for moving, kicking, banning for instance.. "Don't let anyone kick unless you trust them 100%".. Whilsts being a server host, you have to allow your SA's of that Virtual Server access to the Clients List and if they want delete them. I suppose I can be limited to using Telnet, desktop application or a PHP web based control panel for administration of the virtual servers and the main instance, but I do not want to be depending on a third party solution.
    Last edited by Jerotire; October 23rd, 2014 at 10:23 PM.

  8. #8
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    Mature is a good keyword. Your suggestion suggests that admins on your server are not mature at all and do or will do bad things with their permissions.

  9. #9
    Join Date
    October 2014
    Posts
    6
    Well, I wouldn't say not mature, but I trust no one 100% (but that's just me and unrelated I think ).

    Basically my current hosting structure goes like this:

    VM-VoIP
    TS3
    - Virtual Server 1
    - Virtual Server 2
    - Virtual Server 3
    - Virtual Server 4

    Those virtual servers I see it are basically administered by my respected friends for their communities. However, at the moment, I assign my client/identity to a server query group "Network Administrator" (which is basically a group at the TS3 level), and assign myself to that group across virtual servers so I can manage the server if needs be in my TeamSpeak client.

    I understand that adding users to server query groups are not "officially" supported. But I do that so the group becomes unmanageable and unseen within the virtual servers (so the SAs of their respected virtual server have freedom of groups, configs, settings in their dialogs etc.. from within their virtual server). It should be said that although this is my active configuration, I tested my theories in my OP and other posts in this thread with regular server groups.

    But, you want to allow SA's of their own virtual servers to delete their own clients from their own Client Database/List right? Only thing is, I appear in their client DB on each virtual server, and deleting my identity, also deletes the group assignment of "Network Administrator" for administrating that virtual server from my TeamSpeak client, meaning I have to log into a PHP Control Panel or use Telnet to administer the server. The SA's proberly won't even do that, but that is besides the point.. Point is, it can happen, it is a risk, and it is something I think that should be fixed or needs to be resolved another way, or introduce a Global Group perhaps that spans across the TeamSpeak Executable/Instance? (which is what I assume how Server Query groups behave at this moment or at least similar) Any suggestions?

    As this is where my suggestion of a Client Database - Client Delete Power comes into play..
    Last edited by Jerotire; October 24th, 2014 at 04:31 PM.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 6
    Last Post: February 24th, 2014, 05:13 PM
  2. [No Bug] Channel Create "needed channel delete power" is not 0
    By Animor in forum Bug Reports [EN/DE]
    Replies: 12
    Last Post: June 14th, 2012, 09:04 AM
  3. [Resolved] Auto Setting Channel 'Needed Delete Power'
    By MarkA2049 in forum Permission System
    Replies: 9
    Last Post: March 25th, 2012, 10:15 AM
  4. Bug(?): "needed channel delete power" is not default 0
    By Animor in forum Permission System
    Replies: 3
    Last Post: July 27th, 2011, 07:15 AM
  5. Needed File Delete Power
    By Outcasst in forum Permission System
    Replies: 0
    Last Post: November 12th, 2010, 04:19 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •