ansaurus

Question

Determine UID that last modified a file in Linux?

Answer 1

+5 A:

If you are on a 2.6 kernel, you can take advantage of kernel's auditd daemon. Check this URL out. It might give you some hint on how to accomplish what you are trying to. I'm sure there is an API you could use in C.

Pablo Santa Cruz 2009-03-18 03:34:31

Thanks, I'm grabbing the source to it now to see how it interfaces with the kernel.

Tim Post 2009-03-18 04:10:55

The information you seek isn't stored directly. If you have auditing turned on, however, the audit trail can (if so configured) show the last process (and its AUID, EUID, RUID) to write the file. Whether that actually changed it or not would be unknown, but it *could* have changed it.

mpez0 2010-05-19 13:03:28

Answer 2

+1 A:

To my knowledge, this information is not stored by any of the common filesystems, but you should by able to hook into inotify and keep an audit trail of which processes touch which files.

Chas. Owens 2009-03-18 03:37:40

I don't see any way of getting the uid / gid / pid of the modifying process from inotify? I just get the event and path modified.

Tim Post 2009-03-18 04:04:03

when the kernel calls your code you can check to see who has the file open and write a message to a log

Chas. Owens 2009-03-18 06:37:25

Answer 3

+1 A:

Okay, using straight old standard Linux with normal file systems, you're not going to be able to do it. That information isn't stored anywhere (see man lstat for what is stored.)

As @pablo suggests, you can do this with security auditing turned on. The link he notes is a good start, but the gist of it is this:

you turn on the audit daemon, which enables auditing form the kernel
you configure the rules file to capture what you want
you search the audit files for the events you want.

The difficulty here is that if you start auditing all file operations for all files, the audit is going to get big.

So what is the actual need you want to fil?

Charlie Martin 2009-03-18 03:44:03

Auditd is going to be duplicating what I'm doing to an extent, but in a more expensive way. The program I'm writing offers near realtime notification of possible intrusion. I'm getting the source for auditd to see how it interfaces with the kernel, I should probably be able to re-use that code.

Tim Post 2009-03-18 04:10:01

Answer 4

A:

Re: your edit, what you ask is simply not possible.

Andrew Medico 2009-03-18 03:58:57

Yes, I know. I just wanted to check before writing more code to capture the pid as soon as a file is accessed.

Tim Post 2009-03-18 04:20:49

Answer 5

A:

very basic , but it works: you can easily write a little c-program that does what you want this example retrieves the UID of file or directory or link, just try to find the properties that you want.

compile with:

gcc -x c my-prog.c -o my-prog

then:

./my-prog /etc

a lot of other information can be obtained like this

it's not robust. but whatever, i know how to use it, and do the checking in a bash shell :-)

[ -x /etc ] && my-prog /etc

source code:

# retrieve the uid of a file
# source code: my-prog.c
#
#include <stdio.h> 
#include <sys/types.h>
#include <sys/stat.h>
int main(int argc, char **argv) {
  struct stat buffer;
  int status;
  char *fname;
  fname=argv[1];
  status = stat(fname, &buffer);
  printf("%i",buffer.st_uid);
  return 0;
}

Jos de Mooij 2010-05-19 11:59:57

The st_uid field of the stat buffer contains the file's owner, not the UID of the last user to modify it.

Michael E 2010-05-19 12:13:12

ansaurus

tags:

views:

answers:

Determine UID that last modified a file in Linux?

related questions