Help solving the sysadm's nightmare

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Jul 19 07:52:59 UTC 2012


On 19/07/2012 07:55, Erik Nørgaard wrote:
> So, how can I
> 
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

file(1) should help.

> - determine which users actually need read or write access to these files?

This is in most cases entirely a local policy matter.  As in: you write
up a proposal for how access control policy should be implemented and
get it signed off by your managers before applying it.

You'll need to present things with rational justifications: something
along the lines of:

    Only the web-dev team and root (sys-admins) need write access to
       the doc-root
    www-data pseudo user (the UID apache runs as) needs read access to
       doc-root

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

If you enable system accounting, I believe the detailed logs should show
you all of the fileio broken down by user.  Note that on a busy server,
system accounting can generate a *large* amount of data, and it is
likely to affect performance, so use with care.

See lastcomm(1), sa(8), accton(8), acct(5)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
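A worked example added here (not part of Matthew's reply, and not a FreeBSD tool): a small Python triage script that applies the two points above to a document root. It classifies each file by its leading magic bytes, a lightweight stand-in for file(1)'s database covering only ELF, MZ/PE and shebang scripts, and checks each file's mode against an assumed policy of the kind proposed above: the web-dev group and root write, the httpd pseudo-user reads, and execute bits appear only on real executables. The sample files, the group/uid values and the finding strings are all constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Magic-byte prefixes; file(1) knows far more, this covers the three kinds the question asks about.
ELF_MAGIC = b"\x7fELF"   # Unix/BSD executables and shared objects
MZ_MAGIC = b"MZ"         # DOS stub that every Windows PE executable starts with
SHEBANG = b"#!"          # interpreter scripts


def classify(path):
    """Return 'unix-exec', 'windows-exec', 'script' or 'plain' from the file's first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        return "unix-exec"
    if head.startswith(MZ_MAGIC):
        return "windows-exec"
    if head.startswith(SHEBANG):
        return "script"
    return "plain"


def audit(path, writer_gid, reader_uid):
    """Check one file against the assumed policy and return (kind, list-of-findings).

    Policy (an assumption for this example, not from the thread):
      - only the web-dev group (writer_gid) and root may write; never 'other'
      - the httpd pseudo-user (reader_uid) must be able to read
      - execute bits belong only on executables and scripts
    Group membership of reader_uid is ignored for simplicity: a file counts as
    readable by the httpd user if it is world-readable or owned by that uid.
    """
    st = os.stat(path)
    mode = st.st_mode
    kind = classify(path)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if (mode & stat.S_IWGRP) and st.st_gid != writer_gid:
        findings.append("group-writable by a group other than web-dev")
    if kind == "windows-exec":
        findings.append("windows executable in doc-root")
    if kind == "plain" and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("exec bit on non-executable content")
    if not (mode & stat.S_IROTH) and st.st_uid != reader_uid:
        findings.append("not readable by the httpd user")
    return kind, findings


def scan_docroot(root, writer_gid, reader_uid):
    """Walk root and audit every regular file; keys are paths relative to root."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            results[str(p.relative_to(root))] = audit(p, writer_gid, reader_uid)
    return results


def build_demo_docroot():
    """Create a throwaway doc-root with constructed sample files (not real content)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        "index.html": (b"<html>hello</html>\n", 0o644),      # fine
        "notes.txt": (b"just text\n", 0o755),                 # exec bit on plain text
        "tool.exe": (MZ_MAGIC + b"\0" * 62, 0o666),           # PE stub, world-writable
        "cgi-bin/run.sh": (b"#!/bin/sh\necho ok\n", 0o750),   # httpd user cannot read
        "cgi-bin/helper": (ELF_MAGIC + b"\0" * 60, 0o755),    # fine
    }
    for rel, (content, mode) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        p.chmod(mode)
    return root


def demo():
    """Build the sample doc-root and audit it; the writer group is the directory's
    own group and the httpd uid is an arbitrary uid that owns none of the files."""
    root = build_demo_docroot()
    return scan_docroot(root, os.stat(root).st_gid, os.getuid() + 1)


if __name__ == "__main__":
    for rel, (kind, findings) in sorted(demo().items()):
        print(f"{rel:20} {kind:13} {'; '.join(findings) or 'ok'}")
```

Against a real doc-root you would call scan_docroot() with the directory and the gid/uid looked up via the grp and pwd modules for the web-dev group and the httpd pseudo-user. The magic-byte check is deliberately minimal; for anything beyond the three kinds shown here, file(1) remains the authority on what a file actually contains.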
