Help solving the sysadm's nightmare

Matthew Seaman m.seaman at
Thu Jul 19 07:52:59 UTC 2012

On 19/07/2012 07:55, Erik Nørgaard wrote:
> So, how can I
> - determine if files are actually unix executables or just plain files
> (or windows executables)?

file(1) should help.

> - determine which users actually need read or write access to these files?

This is in most cases entirely a local policy matter.  As in: you write
up a proposal for how access control policy should be implemented and
get it signed off by your managers before applying it.

You'll need to present things with rational justifications: something
along the lines of:

    Only the web-dev team and root (sys-admins) need write access to
       the doc-root
    www-data pseudo user (the UID apache runs as) needs read access to

> the second is what I think is the most difficult, I need some lsof
> daemon to log access...

If you enable system accounting, I believe the detailed logs should show
you all of the fileio broken down by user.  Note that on a busy server,
system accounting can generate a *large* amount of data, and it is
likely to affect performance, so use with care.

See lastcomm(1), sa(8), accton(8), acct(5)



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list