This item is for discussion of the incident where I was granted temporary root access by spooked for the purposes of making some modifications to grex's software.
128 responses total.
Continuing the discussion that started in item #362, I have some comments. As you may or may not know, spooked granted me access to the wheel group for purposes of installing changes to the way in which grex does password authentication. Those changes had been open for discussion in the garage conference for more than a week with uniformly positive reaction, and it was in the garage conference that Mic said he'd put me in the wheel group (a side effect of which is root access via the use of the sudo command). That said, I was not prepared to install them as I wanted to hear from more staff members before going ahead (a question to that effect was posted by me in garage), but it was nice to have the access to snoop around and see how hard it would be. Evidently, however, he didn't alert the rest of staff that he was putting me in wheel. I was unaware of that.
I used that access and added myself to the staff conference ulist so that I could post a notice once I was finished making the aforementioned changes. Sometime very shortly thereafter, Steve noticed this change and (a) removed me from the staff ulist, (b) changed the /etc/group file to remove me from the wheel group (thus, in effect, revoking root access), and (c) evidently removed spooked from the staff ulist and from the wheel group, effectively removing him from staff.
I was happily compiling software while Steve was doing this. When I noticed that sudo no longer worked, and I couldn't get into the staff conference, I did a "w" and saw that Steve was the only staff member logged in and active. I asked him, via write, if he had removed me from wheel. He said he had; I will post the transcript of our conversation later. I found it personally offensive and rude.
Remmers posted the official grex policy for root access. To quote:
Staff Membership - November 16, 1994
------------------------------------
Staff with permanent root access may at its discretion grant specific resources to qualified individuals for the purpose of performing work that is beneficial to Grex. Examples of such resources would be write access to selected directories in order to modify data files or to install software. In the event of an emergency, temporary root access may be granted by any permanent root. Permanent root access, access to the staff conference, and access to the "baff" mailing list shall be with the advice and consent of the Board.
-----------------------------------------------------------------------
See http://cyberspace.org/local/grex/policy.html for this and other policies adopted by the Board.
Remmers then stated: "This policy allows temporary root access to non-staff in an emergency, which this was not. It requires board approval for access to the staff conference, which was not obtained."
To which I have the following comments: The staff conference thing is my mistake, as I acknowledged in item #362. All I can say is that I'd forgotten about the policy, and should have checked. I'm guilty. Line up the firing squad and let's get it over with.
However, I submit that Mic's actions are in keeping with the above quoted policy. In particular: Mic did not give me the root password; he put me in the wheel group. This is not unrestricted access, it is a specific mode of access. The difference is subtle, to be sure, but still there. Also, granting access to that group is granting access to specific resources for the purpose of performing work that is beneficial to Grex. What's more, that level of access for "write access ... to install software" is necessary for the changes I have made. In particular, writing to newuser, the passwd program, the login_grexpass program, and wnu all require access to the root account to set permissions appropriately. What's more, these all live in directories where it is not reasonable to grant my account (or any other non-privileged account) write access. How could *anyone* reasonably be expected to install such things without such access? It could be argued that such access should not have been granted until I was actually ready to install these programs, I suppose.
Then, there's the matter of Steve's reaction. Steve has removed spooked from the staff conference ulist, as well as the wheel group, and I wouldn't be surprised if he has also changed the root password. This is a gross over-reaction and wholly inappropriate. It is not at all clear that spooked violated grex policy, as I have outlined above. He didn't add me to the staff conference, I did, which was clearly a mistake on my part; he shouldn't have to pay any sort of consequences for that, nor did he hand out the root password to anyone. He gave an appropriate level of access to a specific resource in accordance with the stated policy. If he's guilty of anything, it's of doing so prematurely.
And what gives Steve the right to remove people from staff? Shouldn't that be a board decision? I can see that, in the case where a staff member goes crazy and damages the system another staffer might have to take emergency action to prevent major damage, but that was clearly not what was happening last night; I really doubt that spooked was going to try and add me to anything again after Steve expressed such clear displeasure with it. Fine: me with root access is a contentious issue, let it be discussed by the board and staff and whomever else; perhaps Mic made a mistake. Perhaps he interpreted the policy as I have. But could Steve have seriously thought that Mic was going to damage the system? Surely not. And why remove spooked from the staff conference, not even allowing him a forum to defend his actions to other staff members?
And then there was the way Steve treated me, which I am quite upset about. His beef is arguably with Mic, and yet his tone and statements to me were condescending and rude. Now personally, I don't think he *should* have a beef with Mic, but if he does, he certainly shouldn't be taking it out on someone *else* who was volunteering to improve grex. He should go discuss it with Mic like a rational adult. But maybe I'm just being overly sensitive; I welcome other opinions on the matter. Here is the transcript of my online conversation with Steve online last night, slightly edited for formatting and to make clear who was saying what: you be the judge.
Personally, I think this whole thing is a series of unfortunate misunderstandings. It clearly highlights some changes that need to be made to grex policies: in particular, staff needs to actually read garage and read coop, and the root access policy should be clarified with what exactly it means to grant specific resources to non-staff members for specific things, and under what circumstances a permanent staff member's privileges may be revoked without board approval.
----
: grex 1793; write steve
Writing to steve on ttypl...
DAN: I take it you just removed me from wheel?
Telegram from steve (root) on ttypl at 22:58 EDT ...
STEVE: yes?
EOF (steve)
Message from steve (root) on ttypl at 22:58 EDT ...
: grex 1794; write steve
Writing to steve on ttypl...
DAN: May I ask why? o
STEVE: Why? You have to ask? jesus
DAN: Uh, yes? o
STEVE: I don't know hw you snookered kic into doing that, but underhanded methods of getting root aren't appreciated here.
DAN: Pardon me?? o
STEVE: mic put you in wheel in /etc/group and readded you to the ulist on staff. o
DAN: Mic put me into the wheel group as per the contents of item 27 in garage. I put myself into the ulist on staff so I could announce when the conetnts of said item had been carried out. I'm sorry, I must be missing something here. What is underhanded about any of that? o
STEVE: that is tantamount to handing out root dan. you know that. o
DAN: And why is that a problem, Steve? o
STEVE: Dan if you don't understand that, I don't think I can explain it to you. o
DAN: I think you should try. Have you read item 27 in garage? Besides, as you know, I have had root access to grex before. I think I can be trusted not to damage the system. o
STEVE: That is not the issue. I don't think you'd screw up the system but for a staff person to give ANYONE the root password without at LEAST telling everyone on baff, is really a gigantic problem. and, no I have not read item 27. I guess I will. is it a major problem?
DAN: o?
STEVE: sorrry - staff cf or garage? o
DAN: (garage) o
DAN (again): No, it is not a major problem. It is a proposal to move to the system standard password hashing scheme. However. (a) I submit to you that whatever Mic does is really beyond my control. (b) I object to your characterization of my request for root access as "snookering" someone into anything, and your labeling it as underhanded. (c) If Mic does something without telling baff, how precisely am I supposed to know that? o
STEVE: I don't know. OK, I'll retract the word underhanded. Instead I will use the phrase "POORLY thought out" and will not retract that.
DAN: Are you referring to Mic or myself?
STEVE: I need to tend to a machine for a new minutes. still at work that phrase refers to both of you.
DAN: (Take your time in replying) May I ask WHY it refers to me?
STEVE: Mic, for granting root level access to someone, quite regardless of your past staff status. You, for accepting it.
DAN: o?
STEVE: o
DAN: I fail to see how accepting something that had been publically requested is poorly thought out. I further fail to see how it's snookering anyone into anything. o
DAN (again): (And I use such strong language because I still find your initial characterization uncalled for and rude in the extreme. Steve, I respect you, but I do feel somewhat offended. You see to view me as the enemy, and I don't understand why, and it ranckles. o
STEVE: back for just a sec, getting a manual. Dan, you are in the armed services, correct?
DAN: Yes. I am. Why do you ask? o
STEVE: If you did something that was against protocols, others in your organization would be pissed, right? Well, isn't that exactly what jhust happened here?
DAN: o?
STEVE: The staff and board consult before givig out root acess. That you were once staff does not matter, I do not think. THAT is what I am pissed about. does that at least make some sense to you, the violation of protocol. o
DAN: a Well, who do you think violated protocol? How am I to know that Mic hadn't consulted the board and staff? In the military, if one were to give access to a protected resource without proper authorization, it would be that person that would be punished, not the person who was granted access. Do you understand this? o
STEVE: you know dan, I honestly think you could be a laywer. But I will say that you should have heard something in coop, or email, or SOMETHING somewhere about your being on staff. And you didn't. Mic did that all on his own and I think you do know that, way down. Sigh. Back to the macnhine; I will come bback once a raid array is formatting. o
DAN: Pardon me, Steve, but I did hear something: in Garage. Naturally, I thought Mic *had* talked to others. However, it's becoming clear that at least you don't read that conference. o
DAN (again): (And for the record, deep down, yes, that's what I believe.)
DAN (again):
: grex 1795; write steve
steve logged on more than once
Writing to ttypl...
(Sorry, clearing the screen.) o
DAN (again) Steve, are you there? o
DAN (again, approximately two hours later): I'll assume you are too busy to respond currently. I myself am likely going to sleep. I hope you'll get involved with the discussion in garage #27 and we can go from there; all of the necessary code has been written and tested, it's merely a matter of installing it. If people would like me to do that, I'm perfectly willing, and will wait for staff and board or whomever to vet me and make it happen. oo
(And for a little bit of levity, I found the following, from grex's fortune
files, amusing and apropos. Perhaps you will too....)
Rhode's Law:
When any principle, law, tenet, probability, happening, circumstance,
or result can in no way be directly, indirectly, empirically, or
circuitously proven, derived, implied, inferred, induced, deducted,
estimated, or scientifically guessed, it will always for the purpose
of convenience, expediency, political advantage, material gain, or
personal comfort, or any combination of the above, or none of the
above, be unilaterally and unequivocally assumed, proclaimed, and
adhered to as absolute truth to be undeniably, universally, immutably,
and infinitely so, until such time as it becomes advantageous to
assume otherwise, maybe.
So, let us say I'm sitting at work and I find out that one of my co-workers either gave a user the domain administrator password or made them a member of the domain administrator group (both would effectively give the user full access to every file and resource on every PC and server). Doing so would be a gross security issue, sure. But if I reacted to that by changing the administrator password and removing both the user's and my co-worker's administrative access, I would consider that overstepping my authority. Basically it would be a clear case of insubordination, and I would expect a disciplinary reaction from my supervisor. I'm not sure if what Steve did was right or wrong. I wouldn't have done it. I sure as hell wouldn't have removed spooked's access. I dunno, BoD really needs to step in here.
I think it's all relative; hypotheticals only get you so far. I think you're mostly right that it would be overstepping your bounds to remove your colleague's access. It might not be a problem to remove the user's access. I find it difficult to draw a general conclusion. For example, what if the user in question was a former member of the sysadmin group, who'd moved on to another part of the company? That's vastly different than giving that access to the office supply clerk or front-office receptionist (both of whom I'm presuming haven't been in the sysadmin group, may be temporary employees, etc). If it were me, I think I might have suspended the user's access, but then *asked* the guy who gave the user access what was up. If there was an issue of policy, I'd point out the policy and see if the guy's actions conformed to it or not. I *do* think that grex's policy is sufficiently ambiguous to be interpreted multiple ways, so I'd try and find out if the action was in accordance with the policy before acting unilaterally. I certainly wouldn't remove my colleague's access.
Actually, it isn't so hypothetical. We have a few former IT admins who have left to work in different departments. Occasionally they ask for administrative permissions so they can install software onto their PCs. They don't get them from me, because they're not mine to give out. We have clear policies saying who is allowed to give them, and that is who they need to talk to. In my hypothetical situation, I would not have taken away anybody's access (including the user's) because even then it isn't mine to take away.........I digress. Do you know what I'm leading to here? Sometimes system administrators get this feeling of personal ownership of the systems they manage, and this results in problems when other administrators do things they don't like.
i don't see how cross did anything wrong, he asked for access to do something useful, a staff member gave it to him. how steve can sit there and belittle cross over that and call him wrong is just silly.
Regarding #5; Ah, okay, I thought you were talking about true generalities, not your actual work place.
The parallel between my workplace and Grex may not be so good. Grex has provisions for staff members to give access to users who need it. My workplace doesn't.
Fair enough. I'd like to get more opinions about this matter.
Regarding #362 #363:
1. The Grex policy is ambiguous - Re #362-#9 (remmers post). The policy clearly states that permanent root access needs board approval, but it does not clearly state that temporary root access is only in an emergency! The keyword missing here is "only". Furthermore, it misleads by saying that "Staff with permanent root access may at its discretion grant specific resources to qualified individuals"; "root" may be interpreted as a "specific resource". I think the policy needs to be amended suitably.
2. "steve" barring "spooked" from the staff conference was wrong, but then steve does say very clearly in #362-#5 that he has re-added it and had mistakenly deleted it. Certainly spooked has every right to demand an apology, but not from "steve". The way i look at it - Steve was appointed by the staff of Grex to sys-admin Grex. If he blunders then it's the board who should apologise to the offended party and punish "steve". In this particular case, absolutely no punishment or a reprimand should be handed out to "steve" simply because in the heat of the moment, with a possible security breach in progress, he is well within his right to throw the book and sort out matters at a later date. Certainly, barring someone from staff temporarily isn't a serious offence especially when "steve" claims it to be a mistake. It would be nice if he personally apologised to "spooked", but i doubt anyone can demand it off him since he's only doing his job and acting forcefully even if in haste is understandable given that this is a possible security breach.
3. Re: 3362-#6 spooked: "I did not see your (or anyone else's) objection to the said proposal in the garage conference." Not seeing anyone's objection does not imply consent!
4. I hate saying this, but i think "steve" acted correctly! Look, one staff member can revoke another staff member's privileges if he feels the situation demands it! It's well within his right! He does not have to apologise to the offended staff member - all apologies should be tendered to the board and vice-versa! The board is well within its right to demand an explanation from all staff members - that's their right!
5. In this case i think "steve" acted correctly in revoking both "spooked" and "cross"'s privileges. Given the ambiguity in the Grex-policy, "steve" chose to act in a way he thought was right! "spooked" was rightly offended because he felt his rights and discretionary powers were being trampled upon. "cross" gets caught in the cross-fire! Neither "steve" nor "spooked" nor "cross" is at fault here! Each one acted correctly. The culprit is the board for drafting a flawed policy!
6. It does not help that "spooked/cross" and "steve" don't get along! I suspect impatience to be the culprit. "spooked/cross" want things done quickly. However, again i think "steve" is right :(! *sigh* Legal implications! Grex can get sued and shutdown! How do you think it would look in court - allowing a non staff member to access the entire grex file system without board approval, with board members clueless, on the say so of one staff member. It's not just Grex that is affected here. If cross had installed a password logger and some idjit used the same grex passwd on his super-duper-top-secret-million-dollar gizmo..Staff would be in shit! spooked may be right about losing a valuable member in cross :( but the solution is to make him staff if you think he is competent and trustworthy. It's absolutely no use blaming steve for doing his job!
Well it's a long post..and i'm phew! so..hope it makes some sense..Getting impatient and err..bitching (just a figure of speech - no offense!) is no bloody use! There's a reason why we have "staff" and a "board" - it's to keep things legal!
I was, as I have stipulated in the staff conference, giving cross only temporary root access. I was well aware of the bylaw. If staff is not regularly reading garage, then that's not my problem - I would have thought it should along with coop and staff be on their list of conferences (they are the only three conferences I read, for example). Getting back to temporary root access only (via sudo), this is why I added cross to group wheel only, and not to group staff. As an aside, I find it amusing that Marcus has finally come out of the woodwork to participate again. If nothing else has been achieved, I feel pleased in triggering that event.
Oh! And i forgot - I certainly feel it's unfair of steve to expect cross to divine that he is not to access wheel, however he does say "OK, I'll retract the word underhanded. Instead I will use the phrase "POORLY thought out" and will not retract that." The way i look at it - he can tell a user that he thinks his decision is "idiotic" (that's just his opinion), calling him a cheat is "rude" (he hasn't done that or he wouldn't have retracted underhand) - rudeness is to be dealt by the board! In this case, again, nothing to be done..since 1. underhand/snookering was retracted. 2. merely stating an opinion. Steve's been quite correct about the whole thing, imho!
Regarding #10; I respectfully disagree with the bulk of your argument. If Steve slights Mic, then Mic has every right to expect an apology from Steve. But I don't think that's what anybody is looking for here. You are correct, in my opinion, that the policy is ambiguous. I think one can make an argument on one hand that Mic's actions violated the spirit of the policy, and one can make an equally strong argument on the other hand that they did not. I do not feel that Steve's actions with revoking Mic's access were in any way justified. If he felt that there was some threat to the system at the time, then perhaps, but I find it utterly perplexing that Steve could think such a thing. Surely he didn't think anything malicious was going on; by his own admission he was not worried about me messing up the system. Further, with respect to the proposed changes to the system, if one reads the garage group, one will notice that I requested consensus *after* Mic put me in wheel and *before* making any permanent changes to the system.
Regarding #12; It had more to do with tone and demeanor and some specific comments than the main theme of Steve's lecture to me. But let's not get sidetracked by definitions of what it means to be rude. I do not think it will be profitable to engage in arguments over what the meaning of "is" is. Suffice it to say that I found Steve's behavior toward me rude and condescending, and yes, I am upset about that.
But more important than that, this incident has clearly highlighted the need for a revised policy that spells out *exactly* when root access can be granted to non-permanent-staff (be they former permanent-staff or not, what *exactly* does it mean to give them permissions to write to some directory and install something *if* that demands that they be root to do so?), as well as when staff members can revoke the privileges of other staff members. Currently, no policy addressing the former exists at all, even though one should have been created *immediately* in the aftermath of the Valerie incident.
And for the record, I'm not sure that I would say that people don't get along. I'm sure, if Steve and I met face to face and had a talk, we'd get along just fine, and I know I'd like access to some of his wife's recipes. That I feel he was rude to me in this situation doesn't change my opinion of him as a fine parent, technically savvy individual, and generous human being who gives freely of his time and expertise. But here, I'm more concerned with issues of policy.
hehe Dan: after reading that I'm not sure if you would prefer having STeve's or Glenda's babies :) It does not faze me if I am given an apology, though I do believe it would be decent and proper. I think this whole episode accentuates my belief that Grex staff is highly autocratic, and plagued by both inefficiencies and factors discouraging participation. As I have said somewhere (probably in the staff conference), I don't have an issue with STeve's technical capabilities, but his judgement I find - at the very least - a little annoying.
(I think it's medically impossible for me to have anybody's babies... :-)) I do think that grex staff's present atmosphere (at least, the way it was when I left staff) discourages new participation and ideas. As it stands, there are, implicitly, certain staff members who you have to get approval from in order to make changes to the system. I'm talking about consensus and discussion, but actually approval.
I want to know when it became a requirement for staff to read garage. I was under the impression that this was the conference to be used to discuss and decide system policy. I know that I don't go to garage for Grex specific stuff, I read it for technical stuff in general. When I am looking for proposed changes to Grex, I go to coop. When did this change? And when has Grex ever decided anything in a week or less?
Haha! With respect to your last sentence, probably never. However, garage is the "grex configuration and what not" conference. Coop is for policy decisions, not technical decisions. At least, that's how I've always understood things. Glenda, I'd be interested in your input in item 27 in garage.
I don't see what the problem is. cross and spooked should know by now that
this is STeve's baby. We don't get logic here and if you offer to help then
prepare to be chastised without running your intentions in triplicate past
the man on the throne.
("Underhanded"? I would have just killed the !talk session and never offered
to help again. How insulting.)
I guess I'm a sucker. I'm the kind of guy that adopts stray cats. Yes, I was offended, but I just can't help trying to do something if I think it's the right thing to do.
The "wheel" group, by its very nature, is NOT, and cannot be, a "specific resource;" it is a *general* resource in that it allows, through sudo, access to anything and everything on the system. (In fact, that was part of Dan's argument for sudo over individual root accounts. Sometimes, having a good memory really sucks.) The methods for granting access to specific directories are "chown" and "chgrp." The latter is probably preferable, even though it requires more work. (Personally, I'd prefer it exactly for that reason: More work means more thought, if only into writing the script to make the changes.) I wonder what would be the response had valerie, another former staff member, been given root access with such little discussion. (That's not fair to valerie, but sometimes other specifications are useful for clarifying generalities. Every once in a while, I'm reminded that Einstein published his "Special Theory of Relativity" before his "General Theory.") NB: I've not read garage:27. However, I *do* remember other discussions of changing the grex password hash. IIRC, Dan's suggestions were rejected at that time.
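
The /etc/group change at the centre of this thread (an account added to wheel, then removed along with the staff member who added it) can be caught by diffing snapshots of the file. This is an added example, not part of any post here or of Grex's own tooling; the snapshot contents, UIDs, GIDs and the `builder` account are constructed, and it assumes sudoers grants wheel full root as the thread describes.

```python
"""Diff effective membership of privileged groups between /etc/group snapshots.

Added example; all sample data below is constructed for illustration.
"""

WATCHED = ("wheel",)  # assumption: wheel is the sudo-to-root group, per the thread


def parse_group(text):
    """Return {group_name: (gid, set_of_listed_members)} from group(5) text."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(fields)}")
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_primary_gids(passwd_text):
    """Return {user: primary_gid} from passwd(5)-style text."""
    primary = {}
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"passwd line {lineno}: too few fields")
        primary[fields[0]] = int(fields[3])
    return primary


def effective_members(group_text, passwd_text, group):
    """Listed members plus users whose *primary* GID is the group.

    The member list in /etc/group omits primary-group users, so an audit
    that reads only that list can miss accounts that hold the group.
    """
    groups = parse_group(group_text)
    if group not in groups:
        return set()
    gid, listed = groups[group]
    by_primary = {u for u, g in parse_primary_gids(passwd_text).items() if g == gid}
    return listed | by_primary


def membership_changes(before_group, after_group, passwd_text, watched=WATCHED):
    """Return sorted ('added'|'removed', group, user) tuples for watched groups."""
    changes = []
    for group in sorted(watched):
        old = effective_members(before_group, passwd_text, group)
        new = effective_members(after_group, passwd_text, group)
        changes += [("added", group, u) for u in sorted(new - old)]
        changes += [("removed", group, u) for u in sorted(old - new)]
    return changes


# Constructed snapshots: before the grant, after it, and after the revocation.
PASSWD = """\
root:*:0:0:root:/root:/bin/sh
steve:*:1001:20:constructed:/home/steve:/bin/sh
spooked:*:1002:20:constructed:/home/spooked:/bin/sh
cross:*:1003:100:constructed:/home/cross:/bin/sh
builder:*:1004:0:hypothetical account with wheel as primary group:/home/builder:/bin/sh
"""
GROUP_BEFORE = "wheel:*:0:root,steve,spooked\nstaff:*:20:root,steve,spooked\n"
GROUP_GRANT = "wheel:*:0:root,steve,spooked,cross\nstaff:*:20:root,steve,spooked\n"
GROUP_REVOKE = "wheel:*:0:root,steve\nstaff:*:20:root,steve\n"

if __name__ == "__main__":
    for label, old, new in (("grant", GROUP_BEFORE, GROUP_GRANT),
                            ("revoke", GROUP_GRANT, GROUP_REVOKE)):
        for action, group, user in membership_changes(old, new, PASSWD):
            print(f"{label}: {user} {action} ({group})")
```

Run from cron against a saved copy of the file, a report like this gives the rest of staff notice of a wheel change whether or not the person making it announces it.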
This really is a case of steVE's knee-jerk reactions. The fact that he admitted to not keeping up with garage and yet was pretty snappy with removing cross' and spooked's staff privileges shows that steVE doesn't care nearly as much about the technical aspects of how GreX is run as to how he wants it to be run. Here, we had cross and spooked taking their own initiative (something which should be considered a virtue among staff members) to improve GreX, and what do they get? A summary eviction from someone who has half their technical competence. The fact that cross and spooked took the time to explain themselves very clearly in this item, instead of telling steVE to go screw himself, further puts forward their merits as good hard-working staff members who are valuable to the system. The sad thing is that steVE would probably have done nothing had he seen valerie with root privileges last night. It's really a matter of his personal ego, which has been more and more apparent since scholar came out with a bunch of new member proposals.
slup wow; gelinas and i think alike, sort of.
Regarding #20; But root access, granted within set parameters to a known trustable individual, can be considered a specific resource. That is my argument. In this case, chown and chgrp were not sufficient, since every program under consideration needed to be installed setuid to root. What's more, changes would need to be made to grexdoc (at least temporarily. Actually, in the long term, as well, since the customizations to the password code in grexdoc would need to be undone). My earlier proposal for NOT changing the hash was to afford MDW the opportunity to play with Kerberos and his hash algorithm. However, he has been largely inactive. This morning at around 0600 was the first time he'd logged in in nearly a year. It does not make sense to continue expending staff resources for a project that Marcus may or may not pursue, particularly when there are other options for implementing that project.
Regarding #23, last paragraph; Rather, my earlier proposal for changing the hash was NOT implemented to afford MDW that opportunity.
Re #13: "I do not feel that Steve's actions with revoking Mic's access were in any way justified. If he felt that there was some threat to the system at the time, then perhaps, but I find it utterly perplexing that Steve could think such a thing." Steve's personal feelings towards you or spooked are irrelevant. Let's say that spooked, you and steve were the best of pals and long time associates and steve knew for a fact that there was no way his friend of many years would hack Grex, but you did not have staff approval for root access. The situation would still demand that he kick both of you out. Why? Because if he didn't it would reek of cronyism! Steve the individual does not matter and his friendships, opinions etc on two individuals are irrelevant! He should be a robot with no feelings what so ever on the matter! Possible security breach, lockdown the box, kick out all concerned, report to staff and let them settle the matter.
Try to understand what i'm saying Dan - Steve may respect you a lot, but without an unequivocal YES from staff the only thing he can and should do is to kick you out and spooked and shove the matter to staff for resolution! He certainly should have sent email immediately to staff and to cross and spooked! Some thing like: "Hello, cross isn't a part of staff and spooked has given him root access. I feel this is a violation of Grex policy, therefore i've locked them both out. Sorry guys, it's unlikely that the both of you were up to mischief but given the circumstances it's best that staff sorts this out." Has he done that? Since cross feels Steve was rude to him, a quick post from Steve ought to settle the matter. "Hey Dan, didn't mean to appear rude. Your help is appreciated but i got to follow protocol or we will get hunted down by hungry lawyers!"
Re #18 #21: Don't muddy the waters with opinions minus validating data. Don't try to mind read: "steVE would probably had done nothing had he seen valerie with root privileges last night." Steve's competence wrt cross is not under discussion, offering that as an argument is illogical. The question under debate here is whether Steve was right in disabling spooked/cross's access when they did not have staff approval. Frankly i think cross should be on staff!! But that's not the point! I think a lot of people are allowing personal prejudices to cloud judgement! You don't like steve and like cross and you find staff difficult to deal with etc etc, ergo Yay cross! Boo Steve! Plus the underdog factor is at work - cross isn't authority, does cool stuff, young, wants to change things and that has appeal but i suspect that he MAY not be as level headed as say remmers! (mind you that's off the cuff..). I feel that heaving cross into staff should solve the problem! He gets to do cool stuff under a watchful eye <g>
Well, at least someone still thinks I'm young. The issue at hand is that the policy is not clear. Mic (and I) clearly interpreted it one way, Steve the other. Are you suggesting that anytime someone does something where someone else interprets the relevant policy differently, they should be locked out of the system? Even less will get done than ordinarily around here....
Dan, "root access, granted within set parameters" is neither limited nor limitable, *EXCEPT* by trust. There is no other way to enforce the 'set parameters.' That trust requires Board consent. *That's* what the policy says. Yeah, setting up setuid requires root access. So someone *else* should have installed your changes, were they to be installed.
Re #26 I totally agree with you that the blasted policy is unclear and needs to be updated immediately! I also don't fault you or Mic in this matter! Both of you are the unfortunate victims here! I can't think of anything more unpleasant than being barged off, especially after contributing stuff the way you have! I also feel that "staff" and possibly "steve" should make it clear, in no uncertain terms, that your help is appreciated and valued! Certainly an apology from "staff" is in order - after all they have caused the ambiguity! "Are you suggesting that anytime someone does something where someone else interprets the relevant policy differently, they should be locked out of the system?" It's not a question of "someone else interprets the relevant policy differently"! Steve isn't a random someone! He is in charge of the day to day running of Grex. In tod's words "Grex IS his baby", from the day-to-day running point of view. If he feels that he should kick out someone that's his prerogative! He is only responsible to the board! He can kick out remmers, mdw, spooked, janc or just about anyone if he sees it fit to do so, but he'd better have logic backing him up or the board will chew him up. What I'm saying in no uncertain terms is this: Steve has the right to do anything! The board/staff decides what is right or wrong. Staff/Board is only superseded by the US government! In this particular case, because of the ambiguity in legal interpretation, staff can't criticize steve or spooked. But I'm willing to bet that they won't allow temporary access to root without board approval and rightly so I might add - which does vindicate steve :(. But, they had better offer a rattling good apology to both spooked and you.
I suspect an apology is beyond them, but anyhow that's just a reflection on them - and people can form their own opinion of it. A couple of things. Somewhere about 8 responses back, someone (naftee I think) said STeve has half the technical capabilities than cross or myself. I'm not about to speak for cross, but I can admit through experience STeve has more experience and technical competency than myself -- I don't doubt, and never have, his technical competence. However, it is his attitude and rash reaction which do not sit kindly with me. Another thing... all this talk about Grex being sued over such a thing is Hollywood..... please don't add to the over-dramatisation of this very innocent event. The Bylaw in question here is very open for interpretation - the fact that at least a few educated individuals have interpreted it in different ways highlights this. Furthermore, it is clear that neither cross nor myself were acting maliciously. I have said enough now on this issue. Let them continue on as they please. It is sad that initiative and active participation is not cheered (but rather criticised), but we don't live in a perfect world. There are more important things in the world than needless drama.
Re #25: Yes, STeve sent email to the BAFF immediately. He also called me immediately to have me log into my email to make sure it went through.
Re #29: No one is saying that either of you "were acting maliciously"! Anyone saying that needs to get his head checked! All I am saying is that proper procedure was not followed and that the reason we have procedure is to cover ass in court. Assuming Grex gets cracked some time in the future, a clever lawyer would go through the bbs looking to see if Grex was mis-managed. All these issues would be brought up - look, the truth is not what "actually happened" it's what "can be proven". Oh! It's all very unlikely, but why have a policy, board and charter if it's just so much bull? As for it being Hollywoodesque: Bleah! I read in the paper, in India - some time back, that a burglar had sued a home owner for his getting stuck in a chimney during a burglary attempt <grin>. Also check out: http://www.overlawyered.com/archives/00nov3.html and search for "Burglar". If that can happen, I'll argue that anything can happen! <grin> Anyway, no more posts from my side on this matter. I'm going to spend my valuable time checking out the cute chicks on http://www.seedbiology.de/people.asp <g>
Even if Grex gets cracked, we are not liable. We have enough disclaimers, and are restricted in the extent to which we can protect people's privacy... which we have said numerous times/places, Grex is not the place to come knocking if you want any.
We have policies because we are a group of people who have agreed to associate under certain terms and conditions. Our policies are mutually agreed upon "rules" that we believe make this social system stable. We change these policies by consensus and by democratic votes. It is not lawyers that drive our social compact. It is our mutual design of a culture we want to be members of.
My thoughts: Since group wheel membership effectively gives root access, there was a violation of Grex policy. As Gelinas pointed out earlier, there were other ways this could have been handled from a technical standpoint. Hopefully this won't happen again. My understanding is the same as Glenda's regarding the Garage conference, and probably the same as most other staff members: It's a place to discuss ideas and provide input on Grex technical issues, not an official place to make decisions. I think an appropriate and courteous step to follow before making system changes of this sort is to alert staff via email or the staff conference, where staff normally expects these kinds of things to be brought up, allow a few days for feedback, and then proceed if there's either no feedback or there's a consensus that it's ok. That's how I proceeded when the issue of turning off the idle daemon came up a few months ago and I took the initiative to go ahead with it. That's my ideal about the way staff should work together. I won't claim that there isn't more than one person who's violated it in one instance or another, of course.
re #20 I wonder what would be the response had valerie, another former staff member, been given root access with such little discussion. I seem to recall folks blowing off Valerie's ad-hoc mods in /etc way back when but heaven forbid spooked implements something with a lil backup from cross. I dunno.. it's really water under the bridge and I think staff is freaking out when they cut spooked from being able to help. It's very silly to read about.
Regarding #27, #34; Thanks for the comments, Joe and John. I still feel that the policy is a bit vague and open to interpretation. However, we can turn this into a positive by taking it as an opportunity to update the policy to avoid such disconnects. Further, it would also be a good time to put into place a policy over when and why a staff member can pull another staff member's staff access. This really should have been done after the valerie incident. Regarding #28; There's one thing I think you need to understand. Steve is *not* in charge of grex's staff. There is no one "in charge" so to speak of it; ideally, they make decisions democratically like the rest of grex. Remmers has just as much "right" to yank Steve's access as Steve has to yank his (though the mind boggles thinking of a situation in which either would happen). And finally, as I've stated many times before, I wasn't going to install anything on Friday night. I just wanted to poke around and make sure that *I* understood how much work had to be done.
For the record, I think it should be said that STeve's pulling of mic's staff privileges without discussion even just with mic is an equal violation to mic's provision of staff privileges to cross without discussion.
Obviously neither of these actions occurred with ill intent, and I don't think any punitive response is warranted or desirable. Certainly, cross is exhibiting the ideal attitude by trying to focus this discussion on modification of the existing policy to prevent similar occurrences in the future, and I think that is the angle from which we should all be approaching this discussion.
To that end, I think the verbiage dealing with provision of staff privileges and system resources should specifically deal with root privileges both directly and through sudo and wheel group membership.
Thank you, Eric, that nicely summarizes my intent. To put my earlier response to Joe and John another way, since Friday, it has become rather clear that many of grex staff members feel the intent of the present policy bars even temporary access to root. However, both Mic and I interpreted it differently. I would like to see the policy reworded to more clearly express the intent with respect to root access, that's all.
Yeps... exactly my sentiment Eric. And, I am still without root or staff privileges -- with no apology, or hint of an apology from STeve or staff. This type of slap in your face is one aspect (along with general closed-mindedness and contemporary thinking) that discourages newcomers from joining Grex staff. I don't think I'm being unreasonable one bit here.