Date: Thu, 19 Jul 2012 08:52:45 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Erik Nørgaard <norgaard@locolomo.org>
Cc: questions@freebsd.org
Subject: Re: Help solving the sysadm's nightmare
Message-ID: <5007BCCD.3030403@infracaninophile.co.uk>
In-Reply-To: <5007AF61.4090207@locolomo.org>
References: <5007AF61.4090207@locolomo.org>

On 19/07/2012 07:55, Erik Nørgaard wrote:

> So, how can I
>
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

file(1) should help.

> - determine which users actually need read or write access to these files?

This is in most cases entirely a local policy matter. As in: you write up a proposal for how access control policy should be implemented and get it signed off by your managers before applying it. You'll need to present things with rational justifications: something along the lines of:

    Only the web-dev team and root (sys-admins) need write access to the doc-root

    www-data pseudo user (the UID apache runs as) needs read access to doc-root

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

If you enable system accounting, I believe the detailed logs should show you all of the fileio broken down by user. Note that on a busy server, system accounting can generate a *large* amount of data, and it is likely to affect performance, so use with care.

See lastcomm(1), sa(8), accton(8), acct(5)

    Cheers,

    Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
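The first question in the thread (which files carrying an execute bit really are Unix executables), as an added example that is not part of the original message: it checks leading magic bytes in the way file(1) does, in a reduced form, and also lists world-writable files for the doc-root policy review. The function names `classify`, `audit_tree` and `world_writable` and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original e-mail. Assumes POSIX dd, od, tr, find.

# Classify a file by its first four bytes (reduced version of what file(1) does).
classify() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d '[:space:]')
    case "$magic" in
        7f454c46) echo elf ;;          # \177ELF: native Unix binary
        2321*)    echo script ;;       # "#!": interpreter script
        4d5a*)    echo windows-exe ;;  # "MZ": DOS/Windows executable
        *)        echo data ;;         # anything else, including empty files
    esac
}

# Print "kind<TAB>path" for files that have an execute bit set but are
# neither ELF binaries nor "#!" scripts. File names containing newlines
# are not handled.
audit_tree() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        kind=$(classify "$f")
        case "$kind" in
            elf|script) ;;
            *) printf '%s\t%s\n' "$kind" "$f" ;;
        esac
    done
}

# List files any user may write to, for review against the write-access policy.
world_writable() {
    find "$1" -type f -perm -002 -print
}

# Demo on a constructed tree (sample files made up for this example).
demo=$(mktemp -d)
printf '\177ELF\002\001\001' > "$demo/tool"
printf 'MZ\220\000'          > "$demo/setup.exe"
printf '#!/bin/sh\nexit 0\n' > "$demo/run.sh"
printf 'just text\n'         > "$demo/notes.txt"
chmod 755 "$demo/tool" "$demo/setup.exe" "$demo/run.sh" "$demo/notes.txt"
audit_tree "$demo" | sort
rm -rf "$demo"
```

On a real tree, review the `audit_tree` output before running `chmod a-x` on anything, since some interpreted files are executed without a `#!` line.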