                                                                      2008-03-15
                                                              amended 2008-08-05
Policy on the Use of scripts.mit.edu Administrative Rights

Users of scripts.mit.edu have a reasonable expectation that the data
and code they store on our servers, and in sections of their locker
accessible only by our servers, will not be improperly accessed or
modified by anyone else, including by scripts.mit.edu maintainers.  To
fulfill this expectation, we define a policy governing the
maintainers’ use of special permissions and credentials held by our
servers.  This includes any administrative access to the scripts
servers, any use of private keys stored on the servers, and any use of
scripts-specific permissions granted on locker directories.

Such use of administrative rights shall be permitted only under one of
the following circumstances.

* Maintenance of the scripts.mit.edu service itself that is unrelated
  to private user data.

* Any access that is explicitly authorized by the owners of the data
  in question.

* Handling a user support request that cannot be satisfactorily answered
  without resorting to using administrative rights. This access should
  be restricted to only those files and resources that are strictly
  necessary to fully answer the request.

* Performing upgrades to autoinstalled software, using permissions
  granted to the system:scripts-security-upd group.  This group is
  normally empty, but the root instances of scripts maintainers will
  be added when needed to perform upgrades, at the discretion of the
  architect.

* Modifications that are necessary for server security or reliability.
  In this case, any modifications should be clearly marked and the
  user should be contacted.

* Ensuring that updates or planned updates to the scripts.mit.edu
  service do not break existing user deployments.  In this case, any
  modifications should be clearly marked and the user should be
  contacted.

[The third clause formerly read
* Handling a user support request that can reasonably be considered an
  implicit authorization for that use.  In this case, whenever
  possible, any modifications should be reverted and the user should
  be told how to make these modifications themselves.
and was changed in August 2008.]
