[sf-lug] Documenting(?): Re: SF-LUG zones now using dynamic DNS

Rick Moen rick at linuxmafia.com
Wed Mar 11 22:45:38 PDT 2020


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Good points.  :-)
> 
> And where might you suggest documenting such?
> 
> For (perhaps?) lack of better, I might think on BALUG's
> wiki:
> https://www.balug.org/wiki/doku.php?do=index
> Perhaps under the "system" namespace,

You can do that provided that you omit (from there) all sensitive information.
And there's the rub....

SVLUG's situation was different in that it has never had a wiki.
(Suxors.  Point to BALUG.)  So, instead, /usr/local/site-docs got
created on each of the two servers (www.svlug.org and lists.svlug.org)
and gradually populated with process-documentation files.  And, it turns
out, a _lot_ of what you want to cover there for a sysadmin team ends up 
being at least a little security-sensitive.

Like, one of the site-docs files on www.svlug.org details why the
installed software is constrained to a minimum (with packages specified
by name), how the sysadmins should act to keep it that way, and how/why 
we overrode the software architect's bad decision to leave an svn daemon 
running 24x7 under inetd.  The details are matters you really would
prefer to not have fully public on a wiki page.  (Yes, I know that page
spaces on DokuWiki can be locked down to particular logged-in users, but 
frankly it's more reassuring to control that access with the same system
sshd access controls that let the sysadmins in.)

So, it ended up that there's a _small_ amount of process documentation
on the public www.svlug.org Web pages, somewhat painfully hand-tagged.
I think it's just this one page:
http://www.svlug.org/teams/web-team.php

It ended up that, between the pain-in-the-assical nature of cobbling
together more Web pages (wikis obviously help) and the fact that process
documentation tends to be marbled with _somewhat_ security-sensitive
information, everything else (but for one or two things) ended up in
site-docs.  The one-or-two-things were _very_ sensitive credentials,
which went into high-security site-docs ASCII files in /root/sensitive/* 
that (obviously) are root-only.  Those get cross-referenced from the
system site-docs dir.

So, I don't know what to tell you.  Your inclination _obviously_ is to 
build wiki pages.  I predict that, if you do, you'll come to realise 
you're either avoiding covering sensitive subjects or taking risks with 
public access (even to a degree with DokuWiki page ACLs) that ought not
to be taken.

Personally, I'd once again go for a group-readable site-docs directory
on the local system.




More information about the sf-lug mailing list