Author Message
cross
The Temporary Cross Root Incident Item   Sep 23 14:03 UTC 2006

This item is for discussing the incident where I was granted temporary root
access by spooked for the purposes of making some modifications to grex's
software.
128 responses total.
cross
response 1 of 128:   Sep 23 14:53 UTC 2006

Continuing the discussion that started in item #362, I have some comments.
As you may or may not know, spooked granted me access to the wheel group for
purposes of installing changes to the way in which grex does password
authentication.  Those changes had been open for discussion in the garage
conference for more than a week with uniformly positive reaction, and it was
in the garage conference that Mic said he'd put me in the wheel group (a
side effect of which is root access via the use of the sudo command).  That
said, I was not prepared to install them as I wanted to hear from more staff
members before going ahead (a question to that effect was posted by me in
garage), but it was nice to have the access to snoop around and see how
hard it would be.

Evidently, however, he didn't alert the rest of staff that he was putting me
in wheel.  I was unaware of that.  I used that access and added myself to
the staff conference ulist so that I could post a notice once I was finished
making the aforementioned changes.

Sometime very shortly thereafter, Steve noticed this change and (a) removed
me from the staff ulist, (b) changed the /etc/group file to remove me from
the wheel group (thus, in effect, revoking root access), and (c) evidently
removed spooked from the staff ulist and from the wheel group, effectively
removing him from staff.

I was happily compiling software while Steve was doing this.  When I noticed
that sudo no longer worked, and I couldn't get into the staff conference, I
did a "w" and saw that Steve was the only staff member logged in and active.
I asked him, via write, if he had removed me from wheel.  He said he had; I
will post the transcript of our conversation later.  I found it personally
offensive and rude.

Remmers posted the official grex policy for root access.  To quote:

Staff Membership - November 16, 1994
------------------------------------
Staff with permanent root access may at its discretion grant specific
resources to qualified individuals for the purpose of performing work that
is beneficial to Grex. Examples of such resources would be write access to
selected directories in order to modify data files or to install software.
In the event of an emergency, temporary root access may be granted by
any permanent root.
Permanent root access, access to the staff conference, and access to the
"baff" mailing list shall be with the advice and consent of the Board.
-----------------------------------------------------------------------
See http://cyberspace.org/local/grex/policy.html for this and other
policies adopted by the Board.

Remmers then stated:
"This policy allows temporary root access to non-staff in an emergency,
 which this was not.  It requires board approval for access to the staff
 conference, which was not obtained."

To which I have the following comments: The staff conference thing is my
mistake, as I acknowledged in item #362.  All I can say is that I'd forgotten
about the policy, and should have checked.  I'm guilty.  Line up the firing
squad and let's get it over with.

However, I submit that Mic's actions are in keeping with the above quoted
policy.  In particular: Mic did not give me the root password; he put me in
the wheel group.  This is not unrestricted access, it is a specific mode of
access.  The difference is subtle, to be sure, but still there.  Also,
granting access to that group is granting access to specific resources for
the purpose of performing work that is beneficial to Grex.

What's more, that level of access for "write access ... to install software"
is necessary for the changes I have made.  In particular, writing to
newuser, the passwd program, the login_grexpass program, and wnu all require
access to the root account to set permissions appropriately.  What's more,
these all live in directories where it is not reasonable to grant my account
(or any other non-privileged account) write access.  How could *anyone*
reasonably be expected to install such things without such access?  It could
be argued that such access should not have been granted until I was actually
ready to install these programs, I suppose.

Then, there's the matter of Steve's reaction.  Steve has removed spooked
from the staff conference ulist, as well as the wheel group, and I wouldn't
be surprised if he has also changed the root password.  This is a gross
over-reaction and wholly inappropriate.  It is not at all clear that spooked
violated grex policy, as I have outlined above.  He didn't add me to the
staff conference, I did, which was clearly a mistake on my part; he
shouldn't have to pay any sort of consequences for that, nor did he hand out
the root password to anyone.  He gave an appropriate level of access to a
specific resource in accordance with the stated policy.  If he's guilty of
anything, it's of doing so prematurely.

And what gives Steve the right to remove people from staff?  Shouldn't that
be a board decision?  I can see that, in the case where a staff member goes
crazy and damages the system another staffer might have to take emergency
action to prevent major damage, but that was clearly not what was happening
last night; I really doubt that spooked was going to try and add me to
anything again after Steve expressed such clear displeasure with it.  Fine:
me with root access is a contentious issue, let it be discussed by the board
and staff and whomever else; perhaps Mic made a mistake.  Perhaps he
interpreted the policy as I have.  But could Steve have seriously thought
that Mic was going to damage the system?  Surely not.  And why remove
spooked from the staff conference, not even allowing him a forum to defend
his actions to other staff members?

And then there was the way Steve treated me, which I am quite upset about.
His beef is arguably with Mic, and yet his tone and statements to me were
condescending and rude.  Now personally, I don't think he *should* have a
beef with Mic, but if he does, he certainly shouldn't be taking it out on
someone *else* who was volunteering to improve grex.  He should go discuss
it with Mic like a rational adult.

But maybe I'm just being overly sensitive; I welcome other opinions on the
matter.  Here is the transcript of my online conversation with Steve
last night, slightly edited for formatting and to make clear who was saying
what: you be the judge.

Personally, I think this whole thing is a series of unfortunate
misunderstandings.  It clearly highlights some changes that need to be made
to grex policies: in particular, staff needs to actually read garage and
read coop, and the root access policy should be clarified with what exactly
it means to grant specific resources to non-staff members for specific
things, and under what circumstances a permanent staff member's privileges
may be revoked without board approval.

----
: grex 1793; write steve
Writing to steve on ttypl...
DAN:
I take it you just removed me from wheel?

Telegram from steve (root) on ttypl at 22:58 EDT ...
STEVE:
yes?                     
EOF (steve)

Message from steve (root) on ttypl at 22:58 EDT ...

: grex 1794; write steve
Writing to steve on ttypl...
DAN:
May I ask why?                                           
o

STEVE:
Why?
You have to ask?
jesus

DAN:
Uh, yes?
o

STEVE:
I don't know hw you snookered kic into doing that, but underhanded
methods of getting root aren't appreciated here.

DAN:
Pardon me??
o

STEVE:
mic put you in wheel in /etc/group and readded you to the ulist
on staff.
o

DAN:
Mic put me into the wheel group as per the contents of item 27 in garage.
I put myself into the ulist on staff so I could announce when the conetnts
of said item had been carried out.  I'm sorry, I must be missing something
here. What is underhanded about any of that? o

STEVE:
that is tantamount to handing out root dan. you know that.
o

DAN:
And why is that a problem, Steve?
o

STEVE:
Dan if you don't understand that, I don't think I can explain it to you.
o

DAN:
I think you should try.  Have you read item 27 in garage?
Besides, as you know, I have had root access to grex before.  I think I can
be trusted not to damage the system.
o

STEVE:
That is not the issue.
I don't think you'd screw up the system
but for a staff person to give ANYONE the root password without
at LEAST telling everyone on baff, is really a gigantic problem.
and, no I have not read item 27.  I guess I will.  is it a 
major problem?

DAN:
o?

STEVE:
sorrry - staff cf or garage?
o

DAN:
(garage)
o

DAN (again):

No, it is not a major problem.  It is a proposal to move to the system standard
password hashing scheme.  However.
(a) I submit to you that whatever Mic does is really beyond my control.
(b) I object to your characterization of my request for root access as
"snookering" someone into anything, and your labeling it as underhanded.
(c) If Mic does something without telling baff, how precisely am I supposed  
to know that?
o

STEVE:
I don't know.  OK, I'll retract the word underhanded.  Instead I will use
the phrase "POORLY thought out" and will not retract that.

DAN:

Are you referring to Mic or myself?

STEVE:
I need to tend to a machine for a new minutes. still at work
that phrase refers to both of you.

DAN:

(Take your time in replying)
May I ask WHY it refers to me?

STEVE:
Mic, for granting root level access to someone, quite regardless of
your past staff status.  You, for accepting it.

DAN:
o?

STEVE:
o

DAN:
I fail to see how accepting something that had been publically requested is
poorly thought out.
I further fail to see how it's snookering anyone into anything.
o

DAN (again):

(And I use such strong language because I still find your initial
characterization uncalled for and rude in the extreme.  Steve, I respect you,
but I do feel somewhat offended.  You see to view me as the enemy, and I don't
understand why, and it ranckles. o

STEVE:
back for just a sec, getting a manual.  Dan, you are in the armed services,
correct?

DAN:
Yes. I am.  Why do you ask?
o

STEVE:
If you did something that was against protocols, others in your organization
would be pissed, right?  Well, isn't that exactly what jhust happened here?

DAN:
o?

STEVE:
The staff and board consult before givig out root acess.  That you were once
staff does  not matter, I do not think.  THAT is what I am pissed about.
does that at least make some sense to you, the violation of protocol.
o

DAN:
a
Well, who do you think violated protocol?  How am I to know that Mic hadn't
consulted the board and staff?
In the military, if one were to give access to a protected resource without
proper authorization, it would be that person that would be punished, not the
person who was granted access.
Do you understand this?
o

STEVE:
you know dan, I honestly think you could be a laywer.  But I will say that
you should have heard something in coop, or email, or SOMETHING somewhere
about your being on staff.  And you didn't.  Mic did that all on his own
and I think you do know that, way down.   Sigh.  Back to the macnhine; I
will come bback once a raid array is formatting.
o

DAN:
Pardon me, Steve, but I did hear something: in Garage.  Naturally, I thought
Mic *had* talked to others.  However, it's becoming clear that at least you
don't read that conference.
o

DAN (again):
(And for the record, deep down, yes, that's what I believe.)

DAN (again):
: grex 1795; write steve
steve logged on more than once
Writing to ttypl...
(Sorry, clearing the screen.)
o

DAN (again)
Steve, are you there?
o

DAN (again, approximately two hours later):
I'll assume you are too busy to respond currently.  I myself am likely going
to sleep.  I hope you'll get involved with the discussion in garage #27 and 
we can go from there; all of the necessary code has been written and tested,
it's merely a matter of installing it.  If people would like me to do that,
I'm perfectly willing, and will wait for staff and board or whomever to vet
me and make it happen.
oo
cross
response 2 of 128:   Sep 23 14:56 UTC 2006

(And for a little bit of levity, I found the following, from grex's fortune
files, amusing and apropos.  Perhaps you will too....)

Rhode's Law:
        When any principle, law, tenet, probability, happening, circumstance,
        or result can in no way be directly, indirectly, empirically, or
        circuitously proven, derived, implied, inferred, induced, deducted,
        estimated, or scientifically guessed, it will always for the purpose
        of convenience, expediency, political advantage, material gain, or
        personal comfort, or any combination of the above, or none of the
        above, be unilaterally and unequivocally assumed, proclaimed, and
        adhered to as absolute truth to be undeniably, universally, immutably,
        and infinitely so, until such time as it becomes advantageous to
        assume otherwise, maybe.

nharmon
response 3 of 128:   Sep 23 15:38 UTC 2006

So, let us say I'm sitting at work and I find out that one of my
co-workers either gave a user the domain administrator password or made
them a member of the domain administrator group (both would effectively
give the user full access to every file and resource on every PC and
server). Doing so would be a gross security issue, sure. But if I
reacted to that by changing the administrator password and removing both
the user's and my co-worker's administrative access, I would consider
that overstepping my authority. Basically it would be a clear case of
insubordination, and I would expect a disciplinary reaction from my
supervisor.

I'm not sure if what Steve did was right or wrong. I wouldn't have done
it. I sure as hell wouldn't have removed spooked's access.

I dunno, BoD really needs to step in here.
cross
response 4 of 128:   Sep 23 15:47 UTC 2006

I think it's all relative; hypotheticals only get you so far.  I think you're
mostly right that it would be overstepping your bounds to remove your
colleague's access.  It might not be a problem to remove the user's access.
I find it difficult to draw a general conclusion.  For example, what if the
user in question was a former member of the sysadmin group, who'd moved on
to another part of the company?  That's vastly different than giving that
access to the office supply clerk or front-office receptionist (both of whom
I'm presuming haven't been in the sysadmin group, may be temporary employees,
etc).

If it were me, I think I might have suspended the user's access, but then
*asked* the guy who gave the user access what was up.  If there was an issue
of policy, I'd point out the policy and see if the guy's actions conformed
to it or not.  I *do* think that grex's policy is sufficiently ambiguous to
be interpreted multiple ways, so I'd try and find out if the action was in
accordance with the policy before acting unilaterally.  I certainly wouldn't
remove my colleague's access.
nharmon
response 5 of 128:   Sep 23 16:01 UTC 2006

Actually, it isn't so hypothetical. We have a few former IT admins who
have left to work in different departments. Occasionally they ask for
administrative permissions so they can install software onto their PCs.
They don't get them from me, because they're not mine to give out. We
have clear policies saying who is allowed to give them, and that is who
they need to talk to.

In my hypothetical situation, I would not have taken away anybody's
access (including the user's) because even then it isn't mine to take
away.........I digress.

Do you know what I'm leading to here? Sometimes system administrators
get this feeling of personal ownership of the systems they manage, and
this results in problems when other administrators do things they don't
like.
trig
response 6 of 128:   Sep 23 16:03 UTC 2006

i don't see how cross did anything wrong, he asked for access to do 
something useful, a staff member gave it to him. how steve can sit there and
belittle cross over that and call him wrong is just silly.
cross
response 7 of 128:   Sep 23 16:22 UTC 2006

Regarding #5; Ah, okay, I thought you were talking about true generalities,
not your actual work place.
nharmon
response 8 of 128:   Sep 23 16:31 UTC 2006

The parallel between my workplace and Grex may not be so good. Grex has
provisions for staff members to give access to users who need it. My
workplace doesn't.
cross
response 9 of 128:   Sep 23 16:41 UTC 2006

Fair enough.  I'd like to get more opinions about this matter.
vivekm1234
response 10 of 128:   Sep 23 17:30 UTC 2006

Regarding #362 #363:

1. The Grex policy is ambiguous - Re #362-#9 (remmers post). The policy
clearly states that permanent root access needs board approval, but it does
not clearly state that temporary root access is only in an emergency! The
keyword missing here is "only". Furthermore, it misleads by saying that "Staff
with permanent root access may at its discretion grant specific resources to 
qualified individuals"; "root" may be interpreted as a "specific resource".

I think the policy needs to be amended suitably.

2. "steve" barring "spooked" from the staff conference was wrong, but then
steve does say very clearly in #362-#5 that he has re-added it and had
mistakenly deleted it. Certainly spooked has every right to demand an
apology, but not from "steve". The way i look at it - Steve was appointed by the
staff of Grex to sys-admin Grex. If he blunders then it's the board who should
apologise to the offended party and punish "steve". In this particular case,
absolutely no punishment or a reprimand should be handed out to "steve" simply
because in the heat of the moment, with a possible security breach in
progress, he is well within his right to throw the book and sort out matters
at a later date. Certainly, barring someone from staff temporarily isn't a
serious offence especially when "steve" claims it to be a mistake. It would
be nice if he personally apologised to "spooked", but i doubt anyone can
demand it off him since he's only doing his job and acting forcefully even
if in haste is understandable given that this is a possible security breach.

3. Re: 3362-#6 spooked: "I did not see your (or anyone else's) objection to
the said proposal in the garage conference."

Not seeing anyone's objection does not imply consent!

4. I hate saying this, but i think "steve" acted correctly! Look, one staff
member can revoke another staff member's privileges if he feels the situation
demands it! It's well within his right! He does not have to apologise to the
offended staff member - all apologies should be tendered to the board and
vice-versa! The board is well within its right to demand an explanation from
all staff members - that's their right! 

5. In this case i think "steve" acted correctly in revoking both "spooked"
and "cross"'s privileges. Given the ambiguity in the Grex-policy, "steve"
chose to act in a way he thought was right! "spooked" was rightly offended
because he felt his rights and discretionary powers were being trampled upon.
"cross" gets caught in the cross-fire! Neither "steve" nor "spooked" nor
"cross" is at fault here! Each one acted correctly. The culprit is the board
for drafting a flawed policy!

6. It does not help that "spooked/cross" and "steve" don't get along! I
suspect impatience to be the culprit. "spooked/cross" wants things done
quickly. However, again i think "steve" is right :(! *sigh* Legal
implications! Grex can get sued and shutdown! How do you think it would look
in court - allowing a non staff member to access the entire grex file system
without board approval, with board members clueless, on the say-so of one
staff member. It's not just Grex that is affected here. If cross had
installed a password logger and some idjit used the same grex passwd on his
super-duper-top-secret-million-dollar gizmo..Staff would be in shit!

spooked may be right about losing a valuable member in cross :( but the
solution is to make him staff if you think he is competent and trustworthy.
It's absolutely no use blaming steve for doing his job! Well it's a long
post..and i'm phew! so..hope it makes some sense..Getting impatient and
err..bitching(just a figure of speech - no offense!) is no bloody use!

There's a reason why we have "staff" and a "board" - it's to keep things
legal!
spooked
response 11 of 128:   Sep 23 17:40 UTC 2006

I was, as I have stipulated in the staff conference, giving cross 
only temporary root access.

I was well aware of the bylaw.  If staff is not regularly reading
garage, then that's not my problem - I would have thought it should
along with coop and staff be on their list of conferences (they are the
only three conferences I read, for example).

Getting back to temporary root access only (via sudo), this is why I added 
cross to group wheel only, and not to group staff. 

As an aside, I find it amusing  that Marcus has finally come out of 
the woodwork to participate again.  If nothing else has been achieved, 
I feel pleased in triggering that event.
vivekm1234
response 12 of 128:   Sep 23 17:45 UTC 2006

Oh! And i forgot - I certainly feel it's unfair of steve to expect cross to
divine that he is not to access wheel, however he does say "OK, I'll retract
the word underhanded.  Instead I will use the phrase "POORLY thought out" 
and will not retract that."


The way i look at it - he can tell a user that he thinks his decision is
"idiotic" (that's just his opinion), calling him a cheat is "rude" (he hasn't
done that or he wouldn't have retracted underhand) - rudeness is to be dealt
by the board! In this case, again, nothing to be done..since 
1. underhand/snookering was retracted.
2. merely stating an opinion.

Steve's been quite correct about the whole thing, imho!

cross
response 13 of 128:   Sep 23 18:32 UTC 2006

Regarding #10; I respectfully disagree with the bulk of your argument.  If
Steve slights Mic, then Mic has every right to expect an apology from Steve.
But I don't think that's what anybody is looking for here.  You are correct,
in my opinion, that the policy is ambiguous.  I think one can make an
argument on one hand that Mic's actions violated the spirit of the policy,
and one can make an equally strong argument on the other hand that they did
not.

I do not feel that Steve's actions with revoking Mic's access were in any
way justified.  If he felt that there was some threat to the system at the
time, then perhaps, but I find it utterly perplexing that Steve could think
such a thing.  Surely he didn't think anything malicious was going on; by
his own admission he was not worried about me messing up the system.

Further, with respect to the proposed changes to the system, if one reads
the garage group, one will notice that I requested consensus *after* Mic put
me in wheel and *before* making any permanent changes to the system.

Regarding #12; It had more to do with tone and demeanor and some specific
comments than the main theme of Steve's lecture to me.

But let's not get sidetracked by definitions of what it means to be rude.  I
do not think it will be profitable to engage in arguments over what the
meaning of "is" is.  Suffice it to say that I found Steve's behavior toward
me rude and condescending, and yes, I am upset about that.

But more important than that, this incident has clearly highlighted the need
for a revised policy that spells out *exactly* when root access can be
granted to non-permanent-staff (be they former permanent-staff or not, what
*exactly* does it mean to give them permissions to write to some directory
and install something *if* that demands that they be root to do so?), as
well as when staff members can revoke the privileges of other staff members.
Currently, no policy addressing the former exists at all, even though one
should have been created *immediately* in the aftermath of the Valerie
incident.

And for the record, I'm not sure that I would say that people don't get
along.  I'm sure, if Steve and I met face to face and had a talk, we'd get
along just fine, and I know I'd like access to some of his wife's recipes.
That I feel he was rude to me in this situation doesn't change my opinion of
him as a fine parent, technically savvy individual, and generous human being
who gives freely of his time and expertise.  But here, I'm more concerned
with issues of policy.
spooked
response 14 of 128:   Sep 23 18:51 UTC 2006

hehe Dan: after reading that I'm not sure if you would prefer having
Steve's or Glenda's babies :)

It does not faze me if I am given an apology, though I do believe it 
would be decent and proper.  I think this whole episode accentuates my 
belief that Grex staff is highly autocratic, and plagued by both 
inefficiencies and factors discouraging participation.  

As I have said somewhere (probably in the staff conference), I don't have 
an issue with Steve's technical capabilities, but his judgement I find -
at the very least - a little annoying.


cross
response 15 of 128:   Sep 23 19:49 UTC 2006

(I think it's medically impossible for me to have anybody's babies... :-))

I do think that grex staff's present atmosphere (at least, the way it was when
I left staff) discourages new participation and ideas.  As it stands, there
are, implicitly, certain staff members who you have to get approval from in
order to make changes to the system.  I'm not talking about consensus and
discussion, but actual approval.
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss