Identify the UID that last modified a file on Linux?

I am writing a program that will track selected files and directories for changes. Some of the files are world-writable, some owner-writable, some group-writable.

What I need to do is find out who was the last to change (and not just access) the file. Somehow I thought it would be easy, given that we know the inode of the file. However, I cannot find a way to get this. I thought there was a practical way to map any given inode to the last access to it.

I think I hit google so that all this gives me a theme.

Any help is appreciated. I am writing a program in C.

Edit:

I need to be able to do this after the PID of any program has changed the file.

+4
4 answers

If you are on a 2.6 kernel, you can use the kernel's auditd daemon. Check out this URL. This may give you some hint on how to accomplish what you are trying to do. I am sure there is an API that you can use in C.

+5

As far as I know, this information is not stored in any of the usual file systems, but you should connect to inotify and monitor what processes are related to the files.

+2

Well, using plain old standard Linux with regular file systems, you cannot do this. This information is not stored anywhere (see man lstat for what is stored).

As @pablo shows, you can do this by enabling security auditing. The link he notes is a good start, but the bottom line is this:

  • you enable the audit daemon, which allows you to check the shape of the kernel
  • you set up a rule file to capture what you want.
  • you search the audit files for the events you want.

The difficulty here is that if you start auditing all file operations for all files, the audit will be big.

So what is the actual need you want to write down?

+2
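The audit-based approach described in the answer above, as an added example that is not part of the original answers: a C routine that scans raw audit log records for the last successful access logged under a watch rule's key and reports the login UID (auid), the effective-process UID (uid) and the PID. The watched path, the key name `tracked-file` and the log lines are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in raw audit.log format, as a watch rule such as
 *   auditctl -w /etc/tracked.conf -p wa -k tracked-file
 * would produce (path and key name are assumptions for this example). */
static const char SAMPLE_LOG[] =
    "type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 comm=\"vi\" exe=\"/usr/bin/vi\" key=\"tracked-file\"\n"
    "type=SYSCALL msg=audit(1700000050.202:502): arch=c000003e syscall=257 success=no exit=-13 ppid=950 pid=1302 auid=1001 uid=1001 gid=1001 euid=1001 comm=\"sh\" exe=\"/usr/bin/sh\" key=\"tracked-file\"\n"
    "type=SYSCALL msg=audit(1700000090.303:503): arch=c000003e syscall=257 success=yes exit=3 ppid=1370 pid=1377 auid=1001 uid=0 gid=0 euid=0 comm=\"tee\" exe=\"/usr/bin/tee\" key=\"tracked-file\"\n"
    "type=SYSCALL msg=audit(1700000120.404:504): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1400 auid=1002 uid=1002 gid=1002 euid=1002 comm=\"cp\" exe=\"/usr/bin/cp\" key=\"other-rule\"\n";

struct modifier { long long auid, uid, pid; };

/* Numeric value of field `name` in one record, or -1 if absent. The leading
 * space in the pattern keeps "uid" from matching inside "auid" or "euid". */
static long long field(const char *rec, const char *name) {
    char pat[32];
    snprintf(pat, sizeof pat, " %s=", name);
    const char *p = strstr(rec, pat);
    return p ? strtoll(p + strlen(pat), NULL, 10) : -1;
}

/* Fill *out from the last successful SYSCALL record tagged with `key`.
 * Returns 1 if such a record exists, 0 otherwise. */
int last_modifier(const char *log, const char *key, struct modifier *out) {
    char want[64], line[1024];
    int found = 0;
    snprintf(want, sizeof want, " key=\"%s\"", key);
    while (*log) {
        size_t n = strcspn(log, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, log); /* one record */
        if (!strncmp(line, "type=SYSCALL ", 13) && strstr(line, " success=yes ") && strstr(line, want)) {
            out->auid = field(line, "auid"); /* login UID: unchanged by su/sudo */
            out->uid = field(line, "uid");   /* UID the process ran as */
            out->pid = field(line, "pid");
            found = 1;
        }
        log += n + (log[n] == '\n');
    }
    return found;
}

int main(void) {
    struct modifier m;
    if (last_modifier(SAMPLE_LOG, "tracked-file", &m))
        printf("last writer: auid=%lld uid=%lld pid=%lld\n", m.auid, m.uid, m.pid);
    return 0;
}
```

In the constructed log the last matching record has uid=0 but auid=1001: the process ran as root, while the login UID still identifies the account that started the session.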

Very simple, but it works: you can easily write a small C program that does what you want. In this example, the UID of the file or directory or link is retrieved; just try to find the properties you need.

compile with:

 gcc -xc my-prog.c -o my-prog 

then

 ./my-prog /etc 

you can get a lot of other information, for example,

It is not stable, but whatever; I know how to use it, and do a check in the bash shell :-)

 [ -x /etc ] && my-prog /etc 

source:

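    /* retrieve the uid of a file */
    /* source code: my-prog.c */
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>

    int main(int argc, char **argv)
    {
        struct stat buffer;
        int status;
        char *fname;

        if (argc < 2) {                 /* a path argument is required */
            fprintf(stderr, "usage: %s <path>\n", argv[0]);
            return 1;
        }
        fname = argv[1];
        status = stat(fname, &buffer);
        if (status != 0) {              /* stat() failed, buffer is not valid */
            perror(fname);
            return 1;
        }
        printf("%u\n", (unsigned)buffer.st_uid);  /* st_uid: UID of the file's owner */
        return 0;
    }
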
-4
