ACL question; mumble automatically adds a write ACL rule #1675

New issue

Open

opened 2026-02-20 21:10:14 -05:00 by deekerman · 0 comments

deekerman commented

2026-02-20 21:10:14 -05:00

Owner

Originally created by @wjtk4444 on GitHub (Nov 11, 2019).

Originally assigned to: @Kissaki on GitHub.

Sorry if that's the wrong place, but I have no better ideas where to ask this question. Please, correct the issue's title if you believe that this one is wrong/non descriptive enough. I have no idea what causes the actual issue or how to put it into better words.

I am familiar with wiki entries on ACL and groups. The

@group < allow | deny > <permission> [, permission]+

syntax is assumed, I am using the client GUI to manage the ACL rules.

Let's consider the following channel layout and two user groups:
moderators and users.

root/
    child1
    child2
    ...
    childN

Moderators need the Write ACL permission in root channel to be able to edit members of the users group. root is not a voice channel however, so I want to prevent moderators from accidentally entering it. Moderators can create additional temporary channels under root, but I want to prevent them from accidentally not checking the [ ] temporary box and creating a permament channel. I tried the following:

@moderator allow Write ACL
@moderator deny Enter, Move, Make channel

It seems to work, but only for a time. When someone from the moderators group edits the ACL (namely, adds or removes a member from the users group), mumble automatically adds a new ACL rule in the root channel:

@moderatornickname allow Write ACL

which effectively allows him to enter the root channel as well as make non-temporary channels under root.

Is there any permament way of allowing the Write ACL in root channel only, while stripping the user of other permissions? (I am aware that they are able to re-grant those permissions to themselves. It's meant as a quality of life improvement rather than a security feature).

I am assuming that the automatical allow Write ACL rule creation is supposed to prevent users from locking themselves out without permissions. Nevertheless, I think that it's unnecessary as the SuperUser account exists and can be used to fix eventual issues. Is there any way of disabling this mechanism server-side?

Originally created by @wjtk4444 on GitHub (Nov 11, 2019). Originally assigned to: @Kissaki on GitHub. Sorry if that's the wrong place, but I have no better ideas where to ask this question. Please, correct the issue's title if you believe that this one is wrong/non descriptive enough. I have no idea what causes the actual issue or how to put it into better words. I am familiar with wiki entries on ACL and groups. The ``` @group < allow | deny > <permission> [, permission]+ ``` syntax is assumed, I am using the client GUI to manage the ACL rules. Let's consider the following channel layout and two user groups: **moderators** and **users**. ``` root/ child1 child2 ... childN ``` Moderators need the **Write ACL** permission in root channel to be able to edit members of the **users** group. **root** is not a voice channel however, so I want to prevent moderators from accidentally entering it. Moderators can create additional temporary channels under **root**, but I want to prevent them from accidentally not checking the `[ ] temporary` box and creating a permament channel. I tried the following: ``` @moderator allow Write ACL @moderator deny Enter, Move, Make channel ``` It seems to work, but only for a time. When someone from the **moderators** group edits the ACL (namely, adds or removes a member from the **users** group), mumble automatically adds a new ACL rule in the **root** channel: ``` @moderatornickname allow Write ACL ``` which effectively allows him to enter the **root** channel as well as make non-temporary channels under **root**. Is there any permament way of allowing the **Write ACL** in **root** channel only, while stripping the user of other permissions? (I am aware that they are able to re-grant those permissions to themselves. It's meant as a quality of life improvement rather than a security feature). I am assuming that the automatical `allow Write ACL` rule creation is supposed to prevent users from locking themselves out without permissions. Nevertheless, I think that it's unnecessary as the **SuperUser** account exists and can be used to fix eventual issues. Is there any way of disabling this mechanism server-side?