LinuxQuestions.org - Find who modified the permission to a file

- Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)

- - Find who modified the permission to a file (https://www.linuxquestions.org/questions/linux-newbie-8/find-who-modified-the-permission-to-a-file-759990/)

Find who modified the permission to a file

Hi,

There is a file in our system and I am trying to find which user changed the permission of that file from XXX to something YYY , I tried googling which ended up in results that was no close to a answer for my question.

Even if there is no way to find who modified the permission to a file , is it possible to find at what time the permission was modified .

Thanks,

Quote:

Originally Posted by ++nick++ (Post 3709243)

The only reliable way I can think of to do this is to monitor the file with a frequently executed cron task and, when the file changes, find out who is logged on at that moment.

Another approach is to make the file modifiable only by root. Such a file can be make readable by anyone, but only modifiable by a select few.

Its hard to find out who changed the file permissions. You can use access lists to control who can change what, also you can find certain file permissions types, like if you are looking for any permissions that are 777. Also you can look ether manually or through scripting on users history's . As far as checking when the file was changed you can use the ctime (ls -clt). The only catch with ctime is it also takes into account if the file has been changed.

Thanks for your quick responses,

ls -clt and ls -lt shows only the date on which the file's content is modified , I consulted my friends in here and no one seems to know about a way to find who/when last changed the file permissions . But my hope still lays on a few who said that they have previously had some exposure to something exactly what am looking for , so i thought someone from LQ would have came across the same situation like me , I am still positive that I will get some responses here.

Thanks all,

Quote:

(!560)->nano test

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:49 AM)
(!561)->ls -clt
total 198296
-rw-r--r-- 1 michael users 16 Oct 6 04:49 test
-rwxr-xr-x 1 michael users 101861 Oct 6 02:41 winetricks
-rw-r--r-- 1 michael users 202942242 Oct 6 02:34 fp9_archive.zip

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:49 AM)
(!562)->chmod +x test

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:50 AM)
(!563)->ls -clt
total 198296
-rwxr-xr-x 1 michael users 16 Oct 6 04:50 test
-rwxr-xr-x 1 michael users 101861 Oct 6 02:41 winetricks
-rw-r--r-- 1 michael users 202942242 Oct 6 02:34 fp9_archive.zip

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:50 AM)
(!564)->ls -alt
total 198304
drwxr-xr-x 2 michael users 4096 Oct 6 04:49 .
-rwxr-xr-x 1 michael users 16 Oct 6 04:49 test
drwx--x--x 53 michael users 4096 Oct 6 02:41 ..
-rwxr-xr-x 1 michael users 101861 Sep 13 06:42 winetricks
-rw-r--r-- 1 michael users 202942242 Jul 28 11:21 fp9_archive.zip

The ctime is different then the mtime. ctime show when the file was changed in anyway(including the permissions), the meta data in ext dose not keep track of who changed it. So your best luck is to check to see when ctime and mtime are difference then cross reference that with which users where logged in(which you should find log in times from your logs). What I dont get is why you need to know this ?

Only the owner of the file and the root user can change a files permissions.
The ctime is updated when the attributes of a file is changed.

if you use Process Accounting on Linux you might find out who executed the chmod command against that file..it is not a direct solution..but it might help

mbostwick,

I am at work right now , I will reply with a detailed snapshot from my home computer coz I dont want to post a snapshot of a shell from a protected environment , I am looking to find this out as one of the major tool failed in accessing(or failed to write into) a log file and there are many reasons for the same and one of which is possibly someone might have changed the permissions to the log file,

ddaemonunics,

I will checkout process accounting

Thanks all,

inotify can be used to inform you of filesystem changes, as well as attribute modifications (i.e. permissions).
Try a google for "linux inotify".

Hi,

Code:

[test@ramkarthik ~]$ date

Tue Oct  6 18:29:41 IST 2009

[test@localhost ~]$ ls -clt

-rw-r-xr-- 1 test test 0 2009-10-06 18:27 file

[test@localhost ~]$ vi file 

[test@localhost ~]$ ls -clt file

-rwxrw-r-- 1 test test 3 2009-10-06 18:31 file

[test@localhost ~]$ date

Tue Oct  6 18:31:47 IST 2009

[test@localhost ~]$ date

Tue Oct  6 18:32:47 IST 2009

[test@localhost ~]$ chmod 455 file 

[test@localhost ~]$ ls -clt file 

-r--r-xr-x 1 test test 3 2009-10-06 18:32 file

1.I did edit the contents to the file and the change(timestamp) reflected in ls -clt
2.I did change the permission of the file and the change(timestamp) reflected in ls -clt

But how do I find for which one among the above changes caused the change in the timestamp

I did check process accounting concept but the server in which i am trying to find the timestamp of chmod execution has process accounting disabled .

Any suggestions are welcome,

Thanks all.

This is a good explanation
http://www.unixtutorial.org/2008/04/...x-filesystems/
Note that ctime records file owner/perms & content changes, mtime is only content change.

If you suspect a user changed the file, you'll have to look through their cmd history (if they haven't cleared it).

As mentioned above, if you want to track those changes, you'll need accounting or inotify.

NB: Only the owner or root can change permissions.

Hi,

Thanks chrism01 , stat command illustrated in the tutorial was really useful , thanks all for your support.