[OpenAFS] Monitoring bad ACLs of webpages: best practices? faster search?

Thomas Kula kula@tproa.net
Fri, 7 May 2010 14:21:25 -0400

On Fri, May 07, 2010 at 02:14:36PM -0400, Kevin Walsh wrote:
> Hello,
> I'm working on problems caused by users mistakenly leaving excessive
> write permissions on the directories of their webpages.  Does anyone
> know if there is a best practices or other guidance document
> somewhere?   I realize the problem might not be so different from
> webpages hosted on non-AFS filesystems.
> One solution we're considering is regularly scanning our webspace
> for excessively naive ACLs, but this is quite time consuming. Is
> there a faster way to search for specific ACLs than various
> incantations of gfind to fs-listacl, perhaps something that dumps
> all the ACLs of a volume, assuming they are kept on one spot?

We're not doing this, but we've considered using the dumpscan
tools to churn through each night's backup volume dumps to look
for stuff like this. We dump nearly every volume each night,
and the machines that do the dumps are sitting there doing
nothing for a good chunk of the day anyways....

Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/