Merge branches 'main' and 'main' of github.com:allthingslinux/tux

Author: kzndotsh

config/settings.yml.example

@@ -34,12 +34,29 @@ BOT_INFO:
       {"type": "streaming", "name": "SuperTuxKart", "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}
     ]
 
+# This allows sysadmins to use the eval and jsk commands which can execute arbitrary code.
+# Do enable if:
+# - Tux is dockerized 
+# - You trust your sysadmins with anything that the docker container can do (e.g if they already can access the host system)
+# - You are a small server
+# DO NOT ENABLE IF:
+# - Tux is not dockerized and you do not trust your sysadmins with the host system
+# - You are a large server and Tux has full permissions 
+# - You do not trust your sysadmins with anything that the docker container can do
+# - IF YOU ARE A MULTIPLE SERVER INSTANCE, DO NOT ENABLE IT FOR THE LOVE OF GOD
+# If you are not sure, do not enable this.
+ALLOW_SYSADMINS_EVAL: false
 
 USER_IDS:
-  SYSADMINS: # WARNING! This grants dangerous permissions such as eval and jsk which can be used to execute arbitrary code.
+  # These have access to all permissions in all servers, except for $eval and $jsk commands (unless set to true).
+  # Only give these to people you trust with the bot and who are able to handle the responsibilities that come with it.
+  SYSADMINS:
     - 123456789012345679
     - 123456789012345679
-  BOT_OWNER: 123456789012345679 # This is the user who has the highest level of control over the bot. Only one user can be the bot owner.
+
+  # This should be the person who owns the bot and nobody else unless you ABSOLUTELY know what you are doing.
+  # This person has access to all permissions in all servers, including $eval and $jsk commands.
+  BOT_OWNER: 123456789012345679
 
 # This adds a temporary voice channel feature to the bot, you can join the channel to create a channel called /tmp/<username> and move to it.
 # Channels are deleted when the last person leaves them.

tux/app.py

@@ -105,12 +105,24 @@ async def start(self) -> None:
         if not self.validate_config():
             return
 
+        owner_ids = {CONFIG.BOT_OWNER_ID}
+        if CONFIG.ALLOW_SYSADMINS_EVAL:
+            logger.warning(
+                "Sysadmins are allowed to use eval commands. This can be potentially dangerous if you have not fully read the comments about this in settings.yml.",
+            )
+            owner_ids.update(CONFIG.SYSADMIN_IDS)
+        else:
+            logger.warning(
+                "Sysadmins are not allowed to use eval commands. Read settings.yml for more info on this. You can safely ignore this warning if you are not a sysadmin.",
+            )
+
         self.bot = Tux(
             command_prefix=get_prefix,
             strip_after_prefix=True,
             case_insensitive=True,
             intents=discord.Intents.all(),
-            owner_ids={CONFIG.BOT_OWNER_ID, *CONFIG.SYSADMIN_IDS},
+            # owner_ids={CONFIG.BOT_OWNER_ID, *CONFIG.SYSADMIN_IDS},
+            owner_ids=owner_ids,
             allowed_mentions=discord.AllowedMentions(everyone=False),
             help_command=TuxHelp(),
             activity=None,

tux/cogs/admin/eval.py

@@ -7,6 +7,7 @@
 from tux.bot import Tux
 from tux.ui.embeds import EmbedCreator
 from tux.utils import checks
+from tux.utils.config import CONFIG
 from tux.utils.functions import generate_usage
 
 
@@ -70,10 +71,23 @@ async def eval(self, ctx: commands.Context[Tux], *, expression: str) -> None:
             return
 
         if ctx.author.id not in self.bot.owner_ids:
+            if not CONFIG.ALLOW_SYSADMINS_EVAL and ctx.author.id in CONFIG.SYSADMIN_IDS:
+                logger.warning(
+                    f"{ctx.author} tried to run eval but is not the bot owner. (User ID: {ctx.author.id})",
+                )
+                await ctx.send(
+                    "You are not the bot owner and sysadmins are not allowed to use eval. Please contact your bot owner if you need assistance.",
+                    delete_after=30,
+                )
+                return
+
             logger.warning(
-                f"{ctx.author} tried to run eval but is not the bot owner. (User ID: {ctx.author.id})",
+                f"{ctx.author} tried to run eval but is not the bot owner or sysadmin. (User ID: {ctx.author.id})",
+            )
+            await ctx.send(
+                "You are not the bot owner. Better luck next time! (hint: if you are looking for the regular run command its $run)",
+                delete_after=30,
             )
-            await ctx.send("You are not the bot owner. Better luck next time!", ephemeral=True, delete_after=30)
             return
 
         try:

tux/utils/config.py

@@ -40,6 +40,7 @@ class Config:
     # Permissions
     BOT_OWNER_ID: Final[int] = config["USER_IDS"]["BOT_OWNER"]
     SYSADMIN_IDS: Final[list[int]] = config["USER_IDS"]["SYSADMINS"]
+    ALLOW_SYSADMINS_EVAL: Final[bool] = config["ALLOW_SYSADMINS_EVAL"]
 
     # Production env
     DEFAULT_PROD_PREFIX: Final[str] = config["BOT_INFO"]["PROD_PREFIX"]