Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 19 Jul 2012 08:52:45 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        =?ISO-8859-1?Q?Erik_N=F8rgaard?= <norgaard@locolomo.org>
Cc:        questions@freebsd.org
Subject:   Re: Help solving the sysadm's nightmare
Message-ID:  <5007BCCD.3030403@infracaninophile.co.uk>
In-Reply-To: <5007AF61.4090207@locolomo.org>
References:  <5007AF61.4090207@locolomo.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On 19/07/2012 07:55, Erik Nørgaard wrote:
> So, how can I
> 
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

file(1) should help.

> - determine which users actually need read or write access to these files?

This is in most cases entirely a local policy matter.  As in: you write
up a proposal for how access control policy should be implemented and
get it signed off by your managers before applying it.

You'll need to present things with rational justifications: something
along the lines of:

    Only the web-dev team and root (sys-admins) need write access to
       the doc-root
    www-data pseudo user (the UID apache runs as) needs read access to
       doc-root

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

If you enable system accounting, I believe the detailed logs should show
you all of the fileio broken down by user.  Note that on a busy server,
system accounting can generate a *large* amount of data, and it is
likely to affect performance, so use with care.

See lastcomm(1), sa(8), accton(8), acct(5)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW


[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAHvNUACgkQ8Mjk52CukIwUSACdHboinXsBxLtGLpkLvszubRad
shYAn3MNGGaFD5QBogOnvVtChZAbEAc4
=ymt9
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5007BCCD.3030403>