who gets root on widearea nodes, inside and outside of jail. Kinda
brute force; might need to make this more flexible at some point,
perhaps with a node/user mapping table for widearearoot (root outside
the jail), and a widearea_trust slot to the group_membership table
(root inside a jail), but this will do for now since its handled
entirely inside of tmcd.

I was originally using local_root to determine root access inside the
jail, but we need to more finely control who gets root on widearea
nodes. Outside the jail, only tbadmin got jail, and thats definitely
too restrictive!