Reputation:
Determine UID that last modified a file in Linux?
I'm writing a program that will be monitoring select files and directories for changes. Some of the files are world writeable, some owner, some group.
What I need to do is be able to figure out the last person to modify (not just access) a file. Somehow I thought this would be simple, given that we know the inode of the file .. however I can not seem to find any way of obtaining this. I thought there was a practical way of correlating any given inode to the uid last accessing it.
I think I've squeezed google for all its going to give me on the topic.
Any help is appreciated. I'm writing the program in C.
Edit:
I need to be able to do this after the PID of whatever program modified the file is long gone.
Upvotes: 3
Views: 13012
Answers (4)
Reputation: 1
very basic , but it works: you can easily write a little c-program that does what you want this example retrieves the UID of file or directory or link, just try to find the properties that you want.
compile with:
gcc -x c my-prog.c -o my-prog
then:
./my-prog /etc
a lot of other information can be obtained like this
it's not robust. but whatever, i know how to use it, and do the checking in a bash shell :-)
[ -x /etc ] && my-prog /etc
source code:
# retrieve the uid of a file
# source code: my-prog.c
#
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
int main(int argc, char **argv) {
struct stat buffer;
int status;
char *fname;
fname=argv[1];
status = stat(fname, &buffer);
printf("%i",buffer.st_uid);
return 0;
}
Upvotes: -4
Reputation: 112366
Okay, using straight old standard Linux with normal file systems, you're not going to be able to do it. That information isn't stored anywhere (see man lstat for what is stored.)
As @pablo suggests, you can do this with security auditing turned on. The link he notes is a good start, but the gist of it is this:
- you turn on the audit daemon, which enables auditing form the kernel
- you configure the rules file to capture what you want
- you search the audit files for the events you want.
The difficulty here is that if you start auditing all file operations for all files, the audit is going to get big.
So what is the actual need you want to fil?
Upvotes: 2
Reputation: 64919
To my knowledge, this information is not stored by any of the common filesystems, but you should by able to hook into inotify and keep an audit trail of which processes touch which files.
Upvotes: 2
Reputation: 181280
If you are on a 2.6 kernel, you can take advantage of kernel's auditd daemon. Check this URL out. It might give you some hint on how to accomplish what you are trying to. I'm sure there is an API you could use in C.
Upvotes: 5
Related Questions
- printing uid of a file on linux system
- inotify - how to find out which user has modified file?
- How to find the owner process of an opened inode in Linux kernel?
- find inode number of a file using C code
- Getting open file's reference count (inode->i_count) from user space
- Get last modified time of file in linux
- find the modification time and modifed user name of a file linux
- Getting the last created (modified) file
- How to determine the uniqueness of a file in linux?
- Get file details by inode