[sf-lug] insecure temporary file vulnerability, race conditions, good vs. perfect, etc.

Rick Moen rick at linuxmafia.com
Tue Nov 17 12:47:44 PST 2009


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> So, ... a much more secure quick and dirty:
> {
> dig -t soa linuxmafia.com @NS.PRIMATE.NET +short | awk '{print $3}'
> dig -t soa linuxmafia.com @NS.TX.PRIMATE.NET +short | awk '{print $3}'
> dig -t soa linuxmafia.com @NS2.LINUXMAFIA.COM +short | awk '{print $3}'
> dig -t soa linuxmafia.com @NS1.THECOOP.NET +short | awk '{print $3}'
> dig -t soa linuxmafia.com @NS1.LINUXMAFIA.COM +short | awk '{print $3}'
> } |
> /usr/bin/mail -s "Domain linuxmafia.com SOA check" rick at linuxmafia.com

Yeah, that's more like what I had in mind.  Thanks.  (I did say it was
really, really quick and dirty.)

Of course, it's not necessary to run this sort of job with any kind of
elevated privilege, either.  Can run as anyone.

> I'd also make all those domains fully qualified - end in . - for the
> root domain - that way there's no ambiguity or room for
> misinterpretation by dig, resolver libraries, etc.

Yeah, I should, but I made sure it works.  Semantics of the resolver
lib don't change, and dig is consistent.  The only tool I know of that
does peculiar things if you omit the root is nslookup for MS-Windows.

> If we wanted to bother (would be handy when we have hundreds of
> domains), could use a loop to process them, rather than have other
> redundant content on each line - that would aid maintenance a bit (if
> one ever wanted to change "those lines", there'd be only one line to
> change)

Personally, when I want to make a change across a number of lines, I
whip out sed.  You didn't think I _wrote_ all that, did you?  ;->
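A loop-based version of the SOA check, along the lines Michael suggests, as an added example (not the script either poster wrote). It keeps the results in the pipeline so no temporary file exists for a race to target, compares the serials instead of just mailing them, and needs no privilege. The nameserver list, the domain, and the MAILTO address are placeholders to adjust; dig(1) and mail(1) are assumed to be installed.

```sh
#!/bin/sh
# Placeholders: adjust for your own zone and servers.
DOMAIN="linuxmafia.com."
NAMESERVERS="ns.primate.net. ns.tx.primate.net. ns2.linuxmafia.com. ns1.thecoop.net. ns1.linuxmafia.com."
MAILTO="admin@example.com"

# collect_serials: print "<nameserver> <serial>" per server. A server that
# does not answer yields "NOANSWER" so the failure is reported, not hidden.
collect_serials() {
    domain=$1; shift
    for ns in "$@"; do
        serial=$(dig -t soa "$domain" "@$ns" +short 2>/dev/null | awk '{print $3}')
        printf '%s %s\n' "$ns" "${serial:-NOANSWER}"
    done
}

# check_serials: read "<nameserver> <serial>" lines on stdin, print a report,
# return 0 if every server agrees on one serial, 1 on any mismatch or no answer.
check_serials() {
    awk '
        { serial[$1] = $2; seen[$2]++; if ($2 == "NOANSWER") bad = 1 }
        END {
            n = 0
            for (s in seen) n++
            for (ns in serial) printf "%-28s %s\n", ns, serial[ns]
            if (n == 1 && !bad) { print "OK: all servers agree"; exit 0 }
            print "MISMATCH: " n " distinct serials"; exit 1
        }'
}

# Fetch and check in one pipeline; mail the report only when something is off.
main() {
    report=$(collect_serials "$DOMAIN" $NAMESERVERS | check_serials)
    status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$report" | /usr/bin/mail -s "Domain $DOMAIN SOA check" "$MAILTO"
    fi
    return "$status"
}

# From cron: sh soa-check.sh run  (functions only when sourced, for testing)
if [ "${1:-}" = "run" ]; then main; fi
```

Changing the server list now means editing one line, which is the maintenance point Michael raises; the non-zero exit also lets cron or a monitoring wrapper notice a disagreement without reading the mail.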