Date:      Thu, 19 Jul 2012 16:23:25 +0200
From:      Polytropon <freebsd@edvax.de>
To:        Erik Nørgaard <norgaard@locolomo.org>
Cc:        questions@freebsd.org
Subject:   Re: Help solving the sysadm's nightmare
Message-ID:  <20120719162325.10e71a8f.freebsd@edvax.de>
In-Reply-To: <5007AF61.4090207@locolomo.org>
References:  <5007AF61.4090207@locolomo.org>

On Thu, 19 Jul 2012 08:55:29 +0200, Erik Nørgaard wrote:
> Now, I have no idea which processes actually require access to those
> files, what privileges these processes run with and which files are
> actually executable or just plain files.

For differentiating "files' nature", use "file <file(s)>"
to identify if it's an executable, a script (which _may_ or
_may not_ need +x attributes), or just some random text or
binary file.

Regarding access to files: You could first determine which
programs are installed on that server and create a "testing
bed" for them, e. g. using jails on a separate system. Then
you can use tools like "lsof" to see what files are accessed,
and in which manner (read, read/write). At this occasion,
you can also examine what files have been installed to the
system by this program's installer process, and what attributes
they do _properly_ have.

You can find information about _what_ is installed _where_
and _how_ in the package lists of each port. You can use them
to compare currently installed stuff with how it should be.

Regarding the OS, there's another helpful mechanism to
investigate: Check out the files /etc/mtree which can be
used to automatically compare the definitions with their
current (probably malformed) real counterparts. Also see
"man mtree" for details.



> At this moment my project is to migrate servers with these permissions
> to new servers, but those who prepared the OS have maintained the
> permissions from the older version because it's easier than actually
> investigating or understanding what's going on and find a solution. *sigh*

I think the most safe method would be if you install a new
server from scratch, install the PROGRAMS as needed, and
then first copy the DATA with _default_ permissions and
check if everything works. If you see that the new system
works properly, you can easily switch over from the old
system. If you have successfully done it, take the box to
the "admin" who was "responsible" for it and drop it onto
his head, so he can recover from "professionality". :-)



> So, how can I
>
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

As I said, file, mtree, pkg-plist.



> - determine which users actually need read or write access to these files?

Talk to the users (or better to their superiors, or anyone who
is partially able to talk about what they're doing). User access
should be separated and kept inside /home. There are very few
cases where this method is not sufficient. Maybe you can find
such a case and prepare a _proper_ solution to deal with it.

If it's about what _programs_ need to access, check their
documentation and configuration files.



> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

I think it's quite hard to determine requirements "in vivo".
The more restricted your testing bed is, the more precise
are your findings and therefore your answers. Have as few
variables as possible. On a server actually running, using
a malformed configuration and many altered settings (where
you can't even properly tell _what_ has been altered!),
testing will be quite hard.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
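
An added example, not part of the original message: a POSIX shell audit that compares each file's execute bits with what its content says it is, the question file(1) is suggested for above. It reads three magic numbers by hand (ELF, "#!", "MZ") as a stand-in for file(1); the function names classify and audit_tree and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: flag files whose execute bits do not match their content.
# Only three magic numbers are recognised; file(1) knows far more formats.
# Assumes file names contain no newlines.

# classify FILE -> prints one of: elf | script | pe | data
classify() {
    magic=$(od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;     # \177ELF: native Unix binary
        2321*)    echo script ;;  # "#!": interpreter script
        4d5a*)    echo pe ;;      # "MZ": DOS/Windows executable
        *)        echo data ;;    # anything else, including empty files
    esac
}

# audit_tree DIR -> one line per finding: "<label> <path>"
audit_tree() {
    # Pass 1: any execute bit set (owner, group or other).
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort |
    while IFS= read -r f; do
        case "$(classify "$f")" in
            data) echo "x-bit-on-data $f" ;;
            pe)   echo "x-bit-on-windows-exe $f" ;;
        esac
    done
    # Pass 2: no execute bit at all, yet the content is a native binary.
    # Scripts are not reported here: they may or may not need +x.
    find "$1" -type f ! -perm -100 ! -perm -010 ! -perm -001 | sort |
    while IFS= read -r f; do
        if [ "$(classify "$f")" = elf ]; then
            echo "elf-without-x-bit $f"
        fi
    done
    return 0
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

The findings are candidates for review against the port's package list or an mtree specification, not a verdict on what the correct mode is.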


