I'm writing a program that will be monitoring select files and directories for changes. Some of the files are world-writable, some owner, some group.

What I need to do is be able to figure out the last person to modify (not just access) a file. Somehow I thought this would be simple, given that we know the inode of the file... however I cannot seem to find any way of obtaining this. I thought there was a practical way of correlating any given inode to the uid last accessing it.

I think I've squeezed Google for all it's going to give me on the topic.

Any help is appreciated. I'm writing the program in C.

Edit:

I need to be able to do this after the PID of whatever program modified the file is long gone.

+5  A: 

If you are on a 2.6 kernel, you can take advantage of kernel's auditd daemon. Check this URL out. It might give you some hint on how to accomplish what you are trying to. I'm sure there is an API you could use in C.

Pablo Santa Cruz
Thanks, I'm grabbing the source to it now to see how it interfaces with the kernel.
Tim Post
The information you seek isn't stored directly. If you have auditing turned on, however, the audit trail can (if so configured) show the last process (and its AUID, EUID, RUID) to write the file. Whether that actually changed it or not would be unknown, but it *could* have changed it.
mpez0
+1  A: 

To my knowledge, this information is not stored by any of the common filesystems, but you should be able to hook into inotify and keep an audit trail of which processes touch which files.

Chas. Owens
I don't see any way of getting the uid / gid / pid of the modifying process from inotify? I just get the event and path modified.
Tim Post
When the kernel calls your code, you can check to see who has the file open and write a message to a log.
Chas. Owens
+1  A: 

Okay, using straight old standard Linux with normal file systems, you're not going to be able to do it. That information isn't stored anywhere (see man lstat for what is stored).

As @pablo suggests, you can do this with security auditing turned on. The link he notes is a good start, but the gist of it is this:

  • you turn on the audit daemon, which enables auditing from the kernel
  • you configure the rules file to capture what you want
  • you search the audit files for the events you want.

The difficulty here is that if you start auditing all file operations for all files, the audit is going to get big.

So what is the actual need you want to fill?

Charlie Martin
Auditd is going to be duplicating what I'm doing to an extent, but in a more expensive way. The program I'm writing offers near realtime notification of possible intrusion. I'm getting the source for auditd to see how it interfaces with the kernel, I should probably be able to re-use that code.
Tim Post
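The three-step audit procedure above (install a watch rule, let auditd log, search the trail), as an added example that is not from the thread. The auditctl/ausearch commands in the comments are real but need root and a running auditd, so the function below does the third step offline: it pulls auid/uid/comm from the most recent successful SYSCALL record carrying a given key, either from a file you pass or from SAMPLE_LOG, which is constructed text rather than a real audit.log. The auid (login uid) is the useful field: it survives su/sudo, so a root-uid write still points back at the user who logged in.

```shell
#!/bin/sh
# Step 1 (as root, auditd running; not run here):
#   auditctl -w /etc/hosts -p w -k hosts_write
# Step 3 with the real tools:
#   ausearch -k hosts_write -i
# Offline equivalent used below. SAMPLE_LOG is constructed, not captured.
SAMPLE_LOG='type=SYSCALL msg=audit(1300000000.100:200): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=400 pid=410 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="hosts_write"
type=CWD msg=audit(1300000000.100:200): cwd="/root"
type=PATH msg=audit(1300000000.100:200): item=0 name="/etc/hosts" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1300000000.200:201): arch=c000003e syscall=257 success=no exit=-13 ppid=500 pid=510 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="hosts_write"
type=SYSCALL msg=audit(1300000000.300:202): arch=c000003e syscall=257 success=yes exit=3 ppid=600 pid=610 auid=1002 uid=1002 gid=1002 euid=1002 comm="sh" exe="/usr/bin/dash" key="other_key"'

# last_writer KEY [AUDIT_LOG]
# Prints "auid uid comm" of the latest successful SYSCALL record tagged KEY
# (the pid in that record is long gone, but auid/uid are still in the trail).
# Prints nothing if no such record exists. Failed attempts (success=no) are
# skipped because they did not change the file.
last_writer() {
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi; } |
    awk -v key="$1" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") && index($0, " success=yes ") {
            auid = ""; uid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            }
            last = auid " " uid " " comm      # later records overwrite earlier
        }
        END { if (last != "") print last }'
}

# Usage on a real system: last_writer hosts_write /var/log/audit/audit.log
last_writer hosts_write
```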
A: 

Re: your edit, what you ask is simply not possible.

Andrew Medico
Yes, I know. I just wanted to check before writing more code to capture the pid as soon as a file is accessed.
Tim Post
A: 

Very basic, but it works: you can easily write a little C program that does what you want. This example retrieves the UID of a file, directory or link; just try to find the properties that you want.

compile with:

gcc -x c my-prog.c -o my-prog

then:

./my-prog /etc

a lot of other information can be obtained like this

It's not robust, but whatever, I know how to use it, and do the checking in a bash shell :-)

[ -x /etc ] && my-prog /etc

source code:

/* retrieve the uid of a file
   source code: my-prog.c */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
  struct stat buffer;

  if (argc != 2) {
    fprintf(stderr, "usage: %s <path>\n", argv[0]);
    return 1;
  }
  /* stat() follows symlinks; use lstat() to look at the link itself */
  if (stat(argv[1], &buffer) != 0) {
    perror("stat");
    return 1;
  }
  /* st_uid is the file's owner (see the comment below), not the last writer */
  printf("%u\n", (unsigned) buffer.st_uid);
  return 0;
}
Jos de Mooij
The st_uid field of the stat buffer contains the file's owner, not the UID of the last user to modify it.
Michael E