Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Jun 7 23:04:36 PDT 2007

A few random items I'll note, ...

First of all, there are actually *two* quite independent DNS servers
running on the sf-lug.com. box.

There's the stuff running primarily for SF-LUG, the default on the host,
and there's also the stuff of BALUG interest, running only on:

Though I'd guess on the SF-LUG side of things the objectives are likely
similar, on the BALUG side of things there's quite an interest in keeping
the BALUG DNS server as secure as feasible (notwithstanding any higher
priority conflicting objectives).

Would I be correct in presuming your login name there is akleider?

Let me know, ... and perhaps check back later to see what sudo offers
you (e.g. sudo -l).  Also, for many/most of the more significant BALUG
files, I've got them under RCS ... so the RCS files may be more interesting
and informative - giving pretty good information on how they've
changed/evolved ... and also generally *why*.  In any case, I'd still
need to review what's in those files first ... may have fair bits of
not-so-public information (e.g. lots of personal contact details for
administrators of slave system(s), etc.)

Some/much of the log stuff may also be at least fairly informative.

Giving sudo access to less or more or something like that would generally
be highly insecure - as those commands typically allow shell escapes.
Something like sudo access to cat - with tightly controlled and secured
arguments - would likely be, at least comparatively, much more secure.

I believe the BALUG DNS configurations will also allow you to do zone
transfers - at least to a few select IPs (including,, ... might also be *temporarily* much more wide open (as
BALUG is in the process of picking up additional slave servers), but will
likely continue to work to at least including those IPs mentioned.


Quoting Alex Kleider <a_kleider at yahoo.com>:

> Jim Stockford has been very kind to serve as a sounding board with
> regard to some of the networking things I've been trying to do and has
> set me up with a user account on the sf-lug.com machine with the idea
> that I could poke around and learn how things are done. It's proven
> quite interesting.
> What follows is in no way meant to be a criticism but just an fyi to
> those in charge in case you might be willing to enhance the experience.
> Perhaps not all but certainly some of the configuration files are NOT
> readable. I've been setting up my own DNS server and wanted to have a
> look at the named.conf file to see how it compared with my own.
> Undoubtedly this is done for security reasons. Perhaps a readable
> version with sensitive stuff replaced by token words could be made
> available. This would take work, I realize, and would be willing to
> volunteer if you are willing to trust me with the info and could
> provide guidance as to what would have to be hidden.
> Also, a simple thing to remedy would be to provide less and/or pager
> instead of only more.
> Thank you, Jim, and thanks to all others that are running this machine
> and whom I don't even know.
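The sudo point raised above (granting less or more is risky because those pagers offer shell escapes, while cat with tightly controlled arguments is comparatively safe) can be turned into a simple sudoers audit. This is an added example, not code from the thread or the sf-lug.com box; the sudoers lines it checks are constructed, and the user name and paths are illustrative.

```python
import re

# Commands that drop to a shell (e.g. via "!") or otherwise let the caller run
# arbitrary programs once they hold root; less and more are the cases from the
# thread, the rest are the usual pager/editor suspects.
SHELL_ESCAPE_CMDS = {"less", "more", "pg", "vi", "vim", "view", "man", "nano", "ed"}

# Constructed sudoers fragment (not the real box's configuration).
SAMPLE_SUDOERS = """\
# weak: pager with shell escapes, and a wildcard path on top of that
akleider ALL=(root) /usr/bin/less /var/named/*
akleider ALL=(root) NOPASSWD: /usr/bin/more
# still weak: cat with no argument restriction reads any root-readable file
akleider ALL=(root) /bin/cat
# tight: cat pinned to one explicit file
akleider ALL=(root) /bin/cat /etc/named.conf
Defaults env_reset
"""

# user  host = (runas) [TAG:]... command-list
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:[A-Z_]+:\s*)*(.+)$")


def audit_sudoers(text):
    """Return (line, finding) pairs for command grants that are too permissive."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group(4).split(","):
            parts = spec.strip().split()
            if not parts:
                continue
            cmd, args = parts[0], parts[1:]
            name = cmd.rsplit("/", 1)[-1]
            if name in SHELL_ESCAPE_CMDS:
                findings.append((line, f"{name} allows shell escapes"))
            elif not args:
                findings.append((line, f"{name} granted with unrestricted arguments"))
            elif any("*" in a or "?" in a for a in args):
                findings.append((line, f"{name} granted with wildcard arguments"))
    return findings


if __name__ == "__main__":
    for line, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{why}: {line}")
```

Only the last grant, cat pinned to a single explicit path, passes; on a real system run the same check against the output of visudo -c or the file itself, never against a hand-copied excerpt.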

