Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 19 Jul 2012 08:52:45 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        =?ISO-8859-1?Q?Erik_N=F8rgaard?= <norgaard@locolomo.org>
Cc:        questions@freebsd.org
Subject:   Re: Help solving the sysadm's nightmare
Message-ID:  <5007BCCD.3030403@infracaninophile.co.uk>
In-Reply-To: <5007AF61.4090207@locolomo.org>
References:  <5007AF61.4090207@locolomo.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigCECD6A6BC4F6F3925DA0EBD5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 19/07/2012 07:55, Erik N=F8rgaard wrote:
> So, how can I
>=20
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

file(1) should help.

> - determine which users actually need read or write access to these fil=
es?

This is in most cases entirely a local policy matter.  As in: you write
up a proposal for how access control policy should be implemented and
get it signed off by your managers before applying it.

You'll need to present things with rational justifications: something
along the lines of:

    Only the web-dev team and root (sys-admins) need write access to
       the doc-root
    www-data pseudo user (the UID apache runs as) needs read access to
       doc-root

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

If you enable system accounting, I believe the detailed logs should show
you all of the fileio broken down by user.  Note that on a busy server,
system accounting can generate a *large* amount of data, and it is
likely to affect performance, so use with care.

See lastcomm(1), sa(8), accton(8), acct(5)

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW


--------------enigCECD6A6BC4F6F3925DA0EBD5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAHvNUACgkQ8Mjk52CukIwUSACdHboinXsBxLtGLpkLvszubRad
shYAn3MNGGaFD5QBogOnvVtChZAbEAc4
=ymt9
-----END PGP SIGNATURE-----

--------------enigCECD6A6BC4F6F3925DA0EBD5--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5007BCCD.3030403>