|
Grex > Agorage > #7: The Temporary Cross Root Incident Item | |
|
| Author |
Message |
| 25 new of 128 responses total. |
cross
|
|
response 15 of 128:
| 
Sep 23 19:49 UTC 2006 |
(I think it's medically impossible for me to have anybody's babies... :-))
I do think that grex staff's present atmosphere (at least, the way it was when
I left staff) discourages new participation and ideas. As it stands, there
are, implicitly, certain staff members who you have to get approval from in
order to make changes to the system. I'm talking about concensus and
discussion, but actually approval.
|
glenda
|
|
response 16 of 128:
|
Sep 24 03:02 UTC 2006 |
I want to know when it became a requirement for staff to read garage. I was
under the impression that this was the conference to be used to discuss and
decide system policy. I know that I don't go to garage for Grex specific
stuff, I read it for technical stuff in general. When I am looking for
proposed changes to Grex, I go to coop. When did this change? And when has
Grex ever decided anything in a week or less?
|
cross
|
|
response 17 of 128:
|
Sep 24 03:36 UTC 2006 |
Haha! With respect to your last sentence, probably never.
However, garage is the "grex configuration and what not" conference. Coop
is for policy decisions, not technical decisions. At least, that's how I've
always understood things.
Glenda, I'd be interested in your input in item 27 in garage.
|
tod
|
|
response 18 of 128:
|
Sep 24 04:40 UTC 2006 |
I don't see what the problem is. cross and spooked should know by now that
this is STeve's baby. We dont' get logic here and if you offer to help then
prepared to be chastised without running your intentions in triplicate past
the man on the throne.
("Underhanded"? I would have just killed the !talk session and never offered
to help again. How insulting.)
|
cross
|
|
response 19 of 128:
|
Sep 24 04:57 UTC 2006 |
I guess I'm a sucker. I'm the kind of guy that adopts stray cats. Yes, I
was offended, but I just can't help trying to do something if I think it's
the right thing to do.
|
gelinas
|
|
response 20 of 128:
|
Sep 24 05:09 UTC 2006 |
The "wheel" group, by its very nature, is NOT, and cannot be, a "specific
resource;" it is a *general* resource in that it allows, through sudo, access
to anything and everything on the system. (In fact, that was part of Dan's
argument for sudo over individual root accounts. Sometimes, having a good
memory really sucks.)
The methods for granting access to specific directories are "chown" and
"chgrp." The latter is probably preferable, even though it requires more
work. (Personally, I'd prefer it exactly for that reason: More work means
more thought, if only into writing the script to make the changes.)
I wonder what would be the response had valerie, another former staff member,
been given root access with such little discussion. (That's not fair to
valerie, but sometimes other specifications are useful for clarifying
generalities. Every once in a while, I'm reminded that Einstein published
his "Special Theory of Relativity" before his "General Theory.")
NB: I've not read garage:27. However, I *do* remember other discussions of
changing the grex password hash. IIRC, Dan's suggestions were rejected at
that time.
|
naftee
|
|
response 21 of 128:
|
Sep 24 05:10 UTC 2006 |
This really is a case of steVE's knee-jerk reactions. The fact that he
admitted to not keeping up with garage and yet was pretty snappy with removing
cross' and spooked's staff priviledges shows that steVE doesn't care nearly
as much about the technical aspects of how GreX is run as to how he wants it
to be run. Here, we had cross and spooked taking their own initiative
(something which should be considered a virtue among staff members) to improve
GreX, and what do they get ? A summary eviction from someone who has half
their technical competence.
The fact that cross and spooked took the time to explain themselves very
clearly in this item, instead of telling steVE to go screw himself, further
puts forward their merits as good hard-working staff members who are valuable
to the system.
The sad thing is that steVE would probably had done nothing had he seen
valerie with root privileges last night. It's really a matter of his personal
ego, which has been more and more apparent since scholar came out with a bunch
of new member proposals.
|
naftee
|
|
response 22 of 128:
|
Sep 24 05:10 UTC 2006 |
slup
wow; gelinas and i think alike, sort of.
|
cross
|
|
response 23 of 128:
|
Sep 24 05:23 UTC 2006 |
Regarding #20; But root access, granted within set parameters to a known
trustable individual, can be considered a specific resource. That is my
argument. In this case, chown and chgrp were not sufficient, since every
program under consideration needed to be installed setuid to root. What's
more, changes would need to be made to grexdoc (at least temporarily.
Actually, in the long term, as well, since the customizations to the password
code in grexdoc would need to be undone).
My earlier proposal for NOT changing the hash was to afford MDW the
opportunity to play with Kerberos and his hash algorithm. However, he has
been largely inactive. This morning at around 0600 was the first time he'd
logged in in nearly a year. It does not make sense to continue expending
staff resources for a project that Marcus may or may nor pursue, particularly
when there are other options for implementing that project.
|
cross
|
|
response 24 of 128:
|
Sep 24 05:25 UTC 2006 |
Regarding #23, last paragraph; Rather, my earlier proposal for changing
the hash was NOT implemented to afford MDW that opportunity.
|
vivekm1234
|
|
response 25 of 128:
|
Sep 24 05:55 UTC 2006 |
Re #13: "I do not feel that Steve's actions with revoking Mic's access were
in any way justified. If he felt that there was some threat to the system at
the time, then perhaps, but I find it utterly perplexing that Steve could think
such a thing."
Steve's personal feelings towards you or spooked are irrelevant. Let's say that
spooked, you and steve were the best off pals and long time associates and
steve knew for a fact that there was no way his friend of many years would hack
Grex, but you did not have staff approval for root access. The situtaion would
still demand that he kick both of you out. Why? Because if he didn't it would
reek of cronyism! Steve the individual does not matter and his friendships,
opinions etc on two individuals are ir-relevant! He should be a robot with no
feelings what so ever on the matter! Possible security breach, lockdown the
box, kick out all concerned, report to staff and let them settle the matter.
Try to understand what i'm saying Dan - Steve may respect you a lot, but
without a unequivocal YES from staff the only thing he can and should do is to
kick you out and spooked and shove the matter to staff for resolution!
He certainly should have sent email immediately to staff and to cross and
spooked! Some thing like: "Hello, cross isn't a part off staff and spooked has
given him root access. I feel this is a violation of Grex policy, therefore
i've locked them both out. Sorry guys, it's unlikely that the both of you were
upto mischief but given the circumstances it's best that staff sorts this out."
Has he done that?
Since cross feels Steve was rude to him, a quick post from Steve ought to
settle the matter. "Hey Dan, didn't mean to appear rude. Your help is
appreciated but i got to follow protocol or we will get hunted down by hungry
lawyers!"
Re #18 #21: Don't muddy the waters with opinions minus validating data. Don't
try to mind read: "steVE would probably had done nothing had he seen valerie
with root privileges last night."
Steve's competence wrt cross is not under discussion, offering that as a
argument is illogical. The question under debate here is whether Steve was
right in disabling spooked/cross's access when they did not have staff
approval. Frankly i think cross should be on staff!! But that's not the point!
I think a lot of people are allowing personal prejudices to cloud judgement!
You don't like steve and like cross and you find staff difficult to deal with
etc etc, ergo Yay cross! Boo Steve! Plus the under dog factor is at work -
cross isn't authority, does cool stuff, young, wants to change things and that
has appeal but i suspect that he MAY not be as level headed as say remmers!
(mind you that's off the cuff..).
I feel that heaving cross into staff should solve the problem! He gets to do
cool stuff under a watchful eye <g>
|
cross
|
|
response 26 of 128:
|
Sep 24 06:01 UTC 2006 |
Well, at least someone still thinks I'm young.
The issue at hand is that the policy is not clear. Mic (and I) clearly
interpreted it one way, Steve the other. Are you suggesting that anytime
someone does something where someone else interprets the relevant policy
differently, they should be locked out of the system? Even less will get done
than ordinarily around here....
|
gelinas
|
|
response 27 of 128:
|
Sep 24 06:26 UTC 2006 |
Dan, "root access, granted within set parameters" is neither limited nor
limitable, *EXCEPT* by trust. There is no other way to enforce the 'set
parameters.'
That trust requires Board consent. *That's* what the policy says.
Yeah, setting up setuid requires root access. So someone *else* should have
installed your changes, were they to be installed.
|
vivekm1234
|
|
response 28 of 128:
|
Sep 24 07:49 UTC 2006 |
Re #26 I totally agree with you that the blasted policy is unclear and needs
to be updated immediately! I also don't fault you or Mic in this matter! Both
of you are the unfortunate victims here! I can't think of anything more
unpleasent than being barged off, especially after contributin stuff the way
you have! I also feel that "staff" and possibly "steve" should make it clear,
in no un-certain terms, that your help is appreciated and valued! Certainly
a apology from "staff" is in order - after all they have caused the ambiguity!
"Are you suggesting that anytime
someone does something where someone else interprets the relevant policy
differently, they should be locked out of the system?"
It's not a question of "someone else interprets the relevant policy
differently"! Steve isn't a random someone! He is in-charge of the day to day
running of Grex. In tod's words "Grex IS his baby", from the day-to-day running
point of view. If he feels that he should kick out someone that's his
prerogative! He is only responsible to the board! He can kick out remmers,
mdw,spooked,janc or just about anyone if he sees it fit to do so, but he'd
better have logic backing him up or the board will chew him up.
What i'm saying in no uncertan terms is this: Steve has the right to do
anything! The board/staff decides what is right or wrong. Staff/Board is only
superseded by the US government!
In this particular case, because of the ambiguity in legal interpretation,
staff can't criticize steve or spooked. But i'm willing to bet that they won't
allow temporary access to root without board approval and rightly so i might
add - which does vindicate steve :(. But, they had better offer a rattling good
apology to both spooked and you.
|
spooked
|
|
response 29 of 128:
|
Sep 24 09:09 UTC 2006 |
I suspect an apology is beyond them, but anyhow that's just a reflection
on them - and people can form their own opinion of it.
A couple of things. Somewhere about 8 responses back, someone (naftee I
think) said STeve has half the technical capabilities than cross or
myself. I'm not about to speak for cross, but I can admit through
experience STeve has more experience and technical competency than myself
-- I don't doubt, and never have, his technical competence. However, it
is his attitude and rash reaction which do not sit kindly with me.
Another thing... all this talk about Grex being sued over such a thing is
Hollywood..... please don't add to the over-dramatisation of this very
innocent event. The Bylaw in question here is very open for
interpretation - the fact that at least a few educated individuals have
interpreted it in different ways highlights this. Furthermore, it is
clear that neither cross nor myself were acting maliciously.
I have said enough now on this issue. Let them continue on as they
please. It is sad that initiative and active participation is not cheered
(but rather criticised), but we don't live in a perfect world. There is
more important things in the world than needless drama.
|
glenda
|
|
response 30 of 128:
|
Sep 24 10:11 UTC 2006 |
Re #25: Yes, STeve sent email to the BAFF immediately. He also called me
immediately to have me log into my email to make sure it went through.
|
vivekm1234
|
|
response 31 of 128:
|
Sep 24 11:05 UTC 2006 |
Re #29: No one is saying that either off you "were acting maliciously"!
Anyone saying that needs to get his head checked! All i am saying is
that proper procedure was not followed and that the reason we
have procedure is to cover ass in court. Assuming Grex gets cracked some time
in the future, a clever lawyer would go through the bbs looking to see if
Grex was mis-managed. All these issues would be brought up - look, the truth
is not what "actually happened" it's what "can be proven". Oh! It's all very
unlikely, but why have a policy, board and charter if it's just so much bull?
As for it being Hollywoodesqe: Bleah! I read in the paper, in India - some time
back, that a burglar had sued a home owner for his getting stuck in a chimney
during a burglery attempt <grin>. Also check out: http://www.overlawyered.
com/archives/00nov3.html and search for "Burglar". If that can happen, i'll
argue that anything can happen! <grin>
Anyway, no more posts from my side on this matter. I'm going to spend my
valuable time checking out the cute chicks on
http://www.seedbiology.de/people.asp <g>
|
spooked
|
|
response 32 of 128:
|
Sep 24 11:35 UTC 2006 |
Even if Grex gets cracked, we are not liable.
We have enough disclaimers, and are restricted in the extent to which we
can protect people's privacy... which we have said numerous times/places,
Grex is not the place to come knocking if you want any.
|
cmcgee
|
|
response 33 of 128:
|
Sep 24 13:17 UTC 2006 |
We have policies because we are a group of people who have agreed to associate
under certain terms and conditions. Our policies are mutally agreed upon
"rules" that we believe make this social system stable. We change these
policies by concensus and by democratic votes.
It is not lawyers that drive our social compact. It is our mutual design of
a culture we want to be members of.
|
remmers
|
|
response 34 of 128:
|
Sep 24 15:22 UTC 2006 |
My thoughts:
Since group wheel membership effectively gives root access, there was a
violation of Grex policy. As Gelinas pointed out earlier, there were
other ways this could have been handled from a technical standpoint.
Hopefully this won't happen again.
My understanding is the same as Glenda's regarding the Garage
conference, and probably the same as most other staff members: It's a
place to discuss ideas and provide input on Grex technical issues, not
an official place to make decisions. I think an appropriate and
courteous step to follow before making system changes of this sort is to
alert staff via email or the staff conference, where staff normally
expects these kinds of things to be brought up, allow a few days for
feedback, and then proceed if there's either no feedback or there's a
concensus that it's ok. That's how I proceeded when the issue of
turning off the idle daemon came up a few months ago and I took the
initiative to go ahead with it.
That's my ideal about the way staff should work together. I won't claim
that there isn't more than one person who's violated it in one instance
or another, of course.
|
tod
|
|
response 35 of 128:
|
Sep 24 16:08 UTC 2006 |
re #20
I wonder what would be the response had valerie, another former staff member,
been given root access with such little discussion.
I seem to recall folks blowing off Valerie's ad-hoc mods in /etc way back when
but heaven forbid spooked implements something with a lil backup from cross.
I dunno..its really water under the bridge and I think staff is freaking out
when they cut spooked from being able to help. Its very silly to read about.
|
cross
|
|
response 36 of 128:
|
Sep 24 16:50 UTC 2006 |
Regarding #27, #34; Thanks for the comments, Joe and John. I still feel that
the policy is a bit vague and open to interpretation. However, we can turn
this into a positive by taking it as an opportunity to update the policy to
avoid such disconnects. Further, it would also be a good time to put into
place a policy over when and why a staff member can pull another staff
member's staff access. This really should have been done after the valerie
incident.
Regarding #28; There's one thing I think you need to understand. Steve is
*not* in charge of grex's staff. There is no one "in charge" so to speak of
it; ideally, they make decisions democratically like the rest of grex.
Remmers has just as much "right" to yank Steve's access as Steve has to yank
his (though the mind boggles thinking of a situation in which either would
happen).
And finally, as I've stated many times before, I wasn't going to install
anything on Friday night. I just wanted to poke around and make sure that
*I* understood how much work had to be done.
|
other
|
|
response 37 of 128:
|
Sep 24 19:49 UTC 2006 |
For the record, I think it should be said the STeve's pulling of mic's
staff privileges without discussion even just with mic is an equal
violation to mic's provision of staff privileges to cross without
discussion.
Obviously neither of these actions occurred with ill intent, and I don't
think any punitive response is warranted or desireable. Certainly,
cross is exhibiting the ideal attitude by trying to focus this
discussion on modification of the existing policy to prevent similar
occurrences in the future, and I think that is the angle from which we
should all be approaching this discussion.
To that end, I think the verbage dealing with provision of staff
privileges and system resources should specifically deal with root
privileges both directly and through sudo and wheel group membership.
|
cross
|
|
response 38 of 128:
|
Sep 24 20:14 UTC 2006 |
Thank you, Eric, that nicely summarizes my intent. To puy my earlier response
to Joe and John another way, since Friday, it has become rather clear that
many of grex staff members feel the intent of the present policy bars even
temporary access to root. However, both Mic and I interpreted it differently.
I would like to see the policy reworded to more clearly express the intent
with respect to root access, that's all.
|
spooked
|
|
response 39 of 128:
|
Sep 24 21:48 UTC 2006 |
Yeps... exactly my sentiment Eric. And, I am still without root or staff
privileges -- with no apology, or hint of an apology from STeve or staff.
This type of slap in your face is one aspect (alongwith general
closemindness and contemporary thinking) that discourages newcomers from
joining Grex staff.
I don't think I'm being unreasonable one bit here.
|