I believe admin and owner are meant to be two separate permission levels for the bot. There are @require_admin and @require_owner for commands, implying that there are certain functions for an owner that should not be available to admins.
That being said, if the admin plugin is enabled, an admin can simply:
Not a spoiler 😅
.set core.owner I-Am-gRoot
bypassing the @require_owner, and potentially locking them out of their own bot.
dgw added the Bug label May 6, 2019
Good ol' privilege escalation vulnerabilities… Where would we be without them?
The obvious, easy solution is to hard-code into admin.py a block on changing this specific setting if the user isn't owner. I'd like not to do that, though. I already don't like the hard-coded logic around preventing the output of passwords when getting existing setting values.
Buuuuuut, fixing it another way would involve API-breaking. That is, settings would somehow need a way to reject being changed by lowly admins (or at all) at runtime, and that would require changing the object model (I think). Fine for Sopel 8—as I try to avoid adding anything more to the overstuffed Sopel 7 milestone 😆—but not something we can shove into a 6.6.x patch release.
Don't really want to leave this backdoor open until 8.x happens, though. That's over a year off.
How about fixing it the easy way for 6.6.x (as now milestoned)? We can open a follow-up issue to design a settings API change after that's done and released.
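A minimal model of the "easy" fix discussed above, added here as an illustration and not taken from Sopel's code base: the admin-level set command as the issue describes it, beside a version that requires owner for protected settings. `Caller`, `OWNER_ONLY`, `parse_target`, both handler functions and the dict-based settings store are hypothetical names and structures, and lowercasing the setting name before the check is an assumption about how names should be normalised.

```python
from dataclasses import dataclass

# Settings only the owner may change. The issue names core.owner; extend as needed.
OWNER_ONLY = {("core", "owner")}


@dataclass
class Caller:
    """Hypothetical stand-in for the permission flags a command handler sees."""
    nick: str
    admin: bool = False
    owner: bool = False


def parse_target(arg):
    """Split 'section.option value' into a normalised (section, option) and value."""
    name, _, value = arg.strip().partition(" ")
    section, sep, option = name.partition(".")
    if not sep or not section or not option:
        raise ValueError("usage: .set section.option value")
    return (section.lower(), option.lower()), value.strip()


def set_vulnerable(settings, caller, arg):
    """Behaviour described in the issue: any admin may write any setting."""
    if not (caller.admin or caller.owner):
        return "denied: admin required"
    key, value = parse_target(arg)
    settings[key] = value
    return "ok"


def set_hardened(settings, caller, arg):
    """Same command with a per-setting owner check added."""
    if not (caller.admin or caller.owner):
        return "denied: admin required"
    key, value = parse_target(arg)
    # Compare the normalised key so 'Core.Owner' cannot slip past the check.
    if key in OWNER_ONLY and not caller.owner:
        return "denied: owner required"
    settings[key] = value
    return "ok"


if __name__ == "__main__":
    cfg = {("core", "owner"): "alice"}  # constructed sample state
    mallory = Caller("mallory", admin=True)
    print(set_vulnerable(dict(cfg), mallory, "core.owner mallory"))
    print(set_hardened(cfg, mallory, "Core.Owner mallory"), cfg)
```

The check sits after parsing and before the write, so a denied request leaves the stored value untouched.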
HumorBaby added a commit to HumorBaby/sopel that referenced this issue May 6, 2019