[Theforum] root access

Martin martin at members.evolt.org
Thu Apr 25 15:35:55 CDT 2002


On Thursday, April 25, 2002, at 08:33  am, Peter-Paul Koch wrote:

> But it's not about tasks, it's about power. If someone else has the
> power to
> turn you off you can't take any decisions you want. Compare it to a
> civilian
> government that constantly has to look over its shoulder to see if the
> army
> agrees with it, or face a coup.
>
> In my opinion the Admins/Steering Committee/whoever's-on-top *must* have
> root access (and maybe: must be the *only* body to have root access),
> even
> if it doesn't need it for day-to-day work.

I don't think so - there are few organisations (commercial or otherwise)
where the sysadmin is the top executive (ignoring for a moment
BOfH-ery such as 'bow before me for I am root').

What would evolt.org do if one or more of its members with root
access ran amok with it and shut everyone else out? Same as
we'd do now - call the feds. The kit and access to it belong to
evolt.org. The organisation's authority would be held in trust
and exercised on behalf of the organisation by the Steering
Committee.

It's just like a commercial organisation - they're owned by
their members (the stockholders. Actually, we still have
one or two very large mutual financial orgs which really
are owned by the members, the people who are also the
customers eg http://www.standardlife.com). But the members
don't *run* the organisation, the board does. But the board
members don't have root access to their kit (and remember
that in banking, continuity of systems is what the entire
enterprise is based on). If one of the staff starts breaking
their permitted bounds, the police get called - look at
Nick Leeson.

The Steering Committee controls root access, but needn't actually
have it. It decides (acting on advice in part from the server admin
group) who should have access, and what they're permitted to
do with it, both autonymously (without referring upwards) and
only with specific permission.

Thus the server admin group probably wouldn't have the authority
to change weo from a CF/Oracle backend to a PHP/MySQL without
specific authorisation. But could it replace a failed hard-drive and
restart the boxes? Damned right it could. Could it upgrade the RAM
on the machine? Only if it made the case to spend the money on
a plannable upgrade (which would involve input and support of the
finance group on a 'can we afford this?' basis). And so on.

In a similar way, the SteeringGroup wouldn't be the one *handling*
the money on a day-to-day basis. If the finance group embezzles
cash, we call the police. But you'd have levels of expenditure requiring
different levels of signoff - maybe up to $100 (and within budget) could
be spent without it going outside the group in question. $101>$250
(within budget) say needs signoff from the Finance group (which they
can delegate to the Treasurer if they like), and anything >$250 or
outside budget needs Steering Committee signoff.

But it's all evolt.org's money. The organisation delegates the authority
to spend it to the management structure, as held by the Steering
Committee.
The SC delegates it appropriately to separate groups via budgeting.

This is 100% standard representative democracy - authority is delegated
down to the lowest appropriate level, so you don't need referenda on
minutiae.

Cheers
Martin

_______________________________________________
email: martin at easyweb.co.uk             PGP ID:	0xA835CCCB
	martin at members.evolt.org      snailmail:	30 Shandon Place
   tel:	+44 (0)774 063 9985				Edinburgh,
   url:	http://www.easyweb.co.uk			Scotland




More information about the theforum mailing list