On 19/07/2012 07:55, Erik Nørgaard wrote:
> So, how can I
>
> - determine if files are actually unix executables or just plain files
> (or windows executables)?
file(1) should help.
> - determine which users actually need read or write access to these files?
This is in most cases entirely a local policy matter. As in: you write
up a proposal for how access control policy should be implemented and
get it signed off by your managers before applying it.
You'll need to present things with rational justifications: something
along the lines of:
  - Only the web-dev team and root (sys-admins) need write access to
    the doc-root
  - www-data pseudo user (the UID apache runs as) needs read access to
    doc-root
> the second is what I think is the most difficult, I need some lsof
> daemon to log access...
If you enable system accounting, I believe the detailed logs should show
you all of the file I/O broken down by user. Note that on a busy server,
system accounting can generate a *large* amount of data, and it is
likely to affect performance, so use with care.
See lastcomm(1), sa(8), accton(8), acct(5)
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: [email protected]
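As an added example (not part of the thread, and not Matthew's script), the POSIX sh below applies the same magic-byte check that file(1) relies on to inventory a doc-root, separating ELF executables, "#!" scripts and Windows PE ("MZ") binaries from plain content and flagging any file that carries an execute bit. The function names and the sample doc-root it builds are constructed for this example.

```shell
#!/bin/sh
# classify FILE -> prints one of: elf, script, windows, plain, empty
# (assumption: the first four bytes are enough to tell these apart,
#  which is the same heuristic file(1) starts from)
classify() {
    f=$1
    [ -s "$f" ] || { echo empty; return; }
    # first 4 bytes as hex: "7f454c46" = \177ELF, "4d5a.." = MZ, "2321.." = "#!"
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;       # unix executable or shared object
        4d5a*)    echo windows ;;   # DOS/Windows PE header
        2321*)    echo script ;;    # interpreter script
        *)        echo plain ;;
    esac
}

# report DIR -> one line per regular file: class, exec/noexec, path.
# A "plain exec" or any "elf"/"windows" line inside a doc-root is what
# the access-control review should look at first.
report() {
    find "$1" -type f | while read -r f; do
        cls=$(classify "$f")
        if [ -x "$f" ]; then xbit=exec; else xbit=noexec; fi
        printf '%s\t%s\t%s\n' "$cls" "$xbit" "$f"
    done
}

# Constructed sample doc-root so the script runs stand-alone.
make_sample() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/cgi-bin.elf"
    printf 'MZ\220\003' > "$d/setup.exe"
    printf '#!/bin/sh\necho hi\n' > "$d/hook.sh"; chmod +x "$d/hook.sh"
    printf '<html></html>\n' > "$d/index.html"; chmod +x "$d/index.html"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    report "$(make_sample)"
fi
```

Run it with `--demo` to see the constructed doc-root classified; point `report` at a real doc-root to list its executables and execute-bit files.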
