Date: Thu, 19 Jul 2012 16:23:25 +0200
From: Polytropon <freebsd@edvax.de>
To: Erik Nørgaard <norgaard@locolomo.org>
Cc: questions@freebsd.org
Subject: Re: Help solving the sysadm's nightmare
Message-ID: <20120719162325.10e71a8f.freebsd@edvax.de>
In-Reply-To: <5007AF61.4090207@locolomo.org>
References: <5007AF61.4090207@locolomo.org>
On Thu, 19 Jul 2012 08:55:29 +0200, Erik Nørgaard wrote:
> Now, I have no idea which processes actually require access to those
> files, what privileges these processes run with and which files are
> actually executable or just plain files.

For differentiating "files' nature", use "file <file(s)>" to identify
if it's an executable, a script (which _may_ or _may not_ need +x
attributes), or just some random text or binary file.

Regarding access to files: You could first determine which programs
are installed on that server and create a "testing bed" for them,
e. g. using jails on a separate system. Then you can use tools like
"lsof" to see what files are accessed, and in which manner (read,
read/write). On this occasion, you can also examine what files have
been installed to the system by this program's installer process, and
what attributes they _properly_ have.

You can find information about _what_ is installed _where_ and _how_
in the package lists of each port. You can use them to compare
currently installed stuff with how it should be.

Regarding the OS, there's another helpful mechanism to investigate:
Check out the files in /etc/mtree which can be used to automatically
compare the definitions with their current (probably malformed) real
counterparts. Also see "man mtree" for details.

> At this moment my project is to migrate servers with these permissions
> to new servers, but those who prepared the OS have maintained the
> permissions from the older version because it's easier than actually
> investigating or understanding what's going on and finding a solution.

*sigh*

I think the safest method would be if you install a new server from
scratch, install the PROGRAMS as needed, and then first copy the DATA
with _default_ permissions and check if everything works. If you see
that the new system works properly, you can easily switch over from
the old system.

If you have successfully done it, take the box to the "admin" who was
"responsible" for it and drop it onto his head, so he can recover from
"professionality". :-)

> So, how can I
>
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

As I said, file, mtree, pkg-plist.

> - determine which users actually need read or write access to these files?

Talk to the users (or better to their superiors, or anyone who is
partially able to talk about what they're doing). User access should
be separated and kept inside /home. There are very few cases where
this method is not sufficient. Maybe you can find such a case and
prepare a _proper_ solution to deal with it.

If it's about what _programs_ need to access, check their
documentation and configuration files.

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

I think it's quite hard to determine requirements "in vivo". The more
restricted your testing bed is, the more precise are your findings and
therefore your answers. Have as few variables as possible. On a server
actually running, using a malformed configuration and many altered
settings (where you can't even properly tell _what_ has been altered!),
testing will be quite hard.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
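The reply's first piece of advice is to judge a file by its content ("file") rather than by whatever mode bits it inherited, and then to compare the two. The script below is an added example, not code from the thread or from FreeBSD; it does that comparison over a directory tree. It reads the leading bytes with od (a simplified stand-in for file(1), recognising only ELF, PE/MZ and shebang scripts), checks the +x bit, and flags files where content and mode disagree: scripts or ELF binaries without +x, Windows executables marked +x, and plain data marked +x. It assumes only POSIX sh, od, find, chmod and printf; the sample tree it builds is constructed here to mimic the inherited permissions mess.

```shell
#!/bin/sh
# Added example (not from the original thread): classify files by their
# leading bytes and flag files whose permission bits disagree with that.
# Assumes POSIX sh, od, find, chmod, printf only. The sample tree is constructed.

# classify FILE: print elf | pe | script | empty | other, based on the first 4 bytes
classify() {
    magic=$(od -An -c -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        177ELF) echo elf ;;     # ELF header: 0x7f 'E' 'L' 'F'
        MZ*)    echo pe ;;      # DOS/PE stub used by Windows executables
        '#!'*)  echo script ;;  # shebang: interpreter script
        '')     echo empty ;;
        *)      echo other ;;
    esac
}

# verdict FILE: compare the +x bit with the content class
verdict() {
    kind=$(classify "$1")
    if [ -x "$1" ]; then x=yes; else x=no; fi
    case "$kind/$x" in
        elf/no|script/no)    echo "SUSPECT: $kind without +x" ;;
        pe/yes)              echo "SUSPECT: Windows executable marked +x" ;;
        other/yes|empty/yes) echo "SUSPECT: plain file marked +x" ;;
        *)                   echo "ok" ;;
    esac
}

# audit DIR: one tab-separated line per regular file: path, class, verdict
audit() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(classify "$f")" "$(verdict "$f")"
    done
}

# count_suspects DIR: number of files the audit flags
count_suspects() {
    audit "$1" | grep -c SUSPECT
}

# make_sample_tree DIR: constructed sample data standing in for the old server
make_sample_tree() {
    mkdir -p "$1/bin" "$1/data"
    printf '\177ELF\002\001\001' > "$1/bin/hello"        # fake ELF header, correctly +x
    chmod 755 "$1/bin/hello"
    printf '#!/bin/sh\necho hi\n' > "$1/bin/backup.sh"   # script that lost its +x
    chmod 644 "$1/bin/backup.sh"
    printf 'MZ\220\003' > "$1/data/setup.exe"            # PE stub, wrongly +x
    chmod 755 "$1/data/setup.exe"
    printf 'customer,amount\n' > "$1/data/report.csv"    # plain data, wrongly 777
    chmod 777 "$1/data/report.csv"
    printf 'notes\n' > "$1/data/readme.txt"              # plain data, fine
    chmod 644 "$1/data/readme.txt"
}

# Usage: sh audit.sh /path/to/tree  (prints one line per file)
if [ "${1:-}" != "" ]; then audit "$1"; fi
```

On the constructed tree the audit flags three of five files (backup.sh, setup.exe, report.csv). The classifier is deliberately narrow; on a real system run file(1) for the content side and mtree(8) against the specs in /etc/mtree for the OS-owned part of the tree, and use a script like this only for the data directories those specs do not cover.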