LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-06-2009, 04:03 AM   #1
++nick++
Member
 
Registered: Dec 2008
Location: Bellevue,WA
Distribution: RHEL 5 , Fedora ,Sabayon,Solaris,Vmware,AWS
Posts: 107

Rep: Reputation: 18
Find who modified the permission to a file


Hi,

There is a file in our system and I am trying to find which user changed the permission of that file from XXX to something YYY , I tried googling which ended up in results that was no close to a answer for my question.

Even if there is no way to find who modified the permission to a file , is it possible to find at what time the permission was modified .

Thanks,
 
Old 10-06-2009, 04:19 AM   #2
lutusp
Member
 
Registered: Sep 2009
Distribution: Fedora
Posts: 835

Rep: Reputation: 102Reputation: 102
Quote:
Originally Posted by ++nick++ View Post
Hi,

There is a file in our system and I am trying to find which user changed the permission of that file from XXX to something YYY , I tried googling which ended up in results that was no close to a answer for my question.

Even if there is no way to find who modified the permission to a file , is it possible to find at what time the permission was modified .

Thanks,
The only reliable way I can think of to do this is to monitor the file with a frequently executed cron task and, when the file changes, find out who is logged on at that moment.

Another approach is to make the file modifiable only by root. Such a file can be make readable by anyone, but only modifiable by a select few.
 
Old 10-06-2009, 04:47 AM   #3
mbostwick
Member
 
Registered: Feb 2009
Location: Where ever life takes me
Distribution: gentoo,opensuse,ubuntu, arch
Posts: 110

Rep: Reputation: 18
Its hard to find out who changed the file permissions. You can use access lists to control who can change what, also you can find certain file permissions types, like if you are looking for any permissions that are 777. Also you can look ether manually or through scripting on users history's . As far as checking when the file was changed you can use the ctime (ls -clt). The only catch with ctime is it also takes into account if the file has been changed.
 
Old 10-06-2009, 05:39 AM   #4
++nick++
Member
 
Registered: Dec 2008
Location: Bellevue,WA
Distribution: RHEL 5 , Fedora ,Sabayon,Solaris,Vmware,AWS
Posts: 107

Original Poster
Rep: Reputation: 18
Smile

Thanks for your quick responses,

ls -clt and ls -lt shows only the date on which the file's content is modified , I consulted my friends in here and no one seems to know about a way to find who/when last changed the file permissions . But my hope still lays on a few who said that they have previously had some exposure to something exactly what am looking for , so i thought someone from LQ would have came across the same situation like me , I am still positive that I will get some responses here.

Thanks all,
 
Old 10-06-2009, 05:48 AM   #5
mbostwick
Member
 
Registered: Feb 2009
Location: Where ever life takes me
Distribution: gentoo,opensuse,ubuntu, arch
Posts: 110

Rep: Reputation: 18
Quote:
(!560)->nano test

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:49 AM)
(!561)->ls -clt
total 198296
-rw-r--r-- 1 michael users 16 Oct 6 04:49 test
-rwxr-xr-x 1 michael users 101861 Oct 6 02:41 winetricks
-rw-r--r-- 1 michael users 202942242 Oct 6 02:34 fp9_archive.zip

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:49 AM)
(!562)->chmod +x test

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:50 AM)
(!563)->ls -clt
total 198296
-rwxr-xr-x 1 michael users 16 Oct 6 04:50 test
-rwxr-xr-x 1 michael users 101861 Oct 6 02:41 winetricks
-rw-r--r-- 1 michael users 202942242 Oct 6 02:34 fp9_archive.zip

(michael, total users:4)-(jobs:0: processes: 45)-(~/workspace)-(04:50 AM)
(!564)->ls -alt
total 198304
drwxr-xr-x 2 michael users 4096 Oct 6 04:49 .
-rwxr-xr-x 1 michael users 16 Oct 6 04:49 test
drwx--x--x 53 michael users 4096 Oct 6 02:41 ..
-rwxr-xr-x 1 michael users 101861 Sep 13 06:42 winetricks
-rw-r--r-- 1 michael users 202942242 Jul 28 11:21 fp9_archive.zip
The ctime is different then the mtime. ctime show when the file was changed in anyway(including the permissions), the meta data in ext dose not keep track of who changed it. So your best luck is to check to see when ctime and mtime are difference then cross reference that with which users where logged in(which you should find log in times from your logs). What I dont get is why you need to know this ?

Last edited by mbostwick; 10-06-2009 at 06:08 AM.
 
Old 10-06-2009, 06:01 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670
Only the owner of the file and the root user can change a files permissions.
The ctime is updated when the attributes of a file is changed.
 
Old 10-06-2009, 06:07 AM   #7
ddaemonunics
Member
 
Registered: May 2008
Location: Romania
Distribution: Debian
Posts: 242

Rep: Reputation: 41
if you use Process Accounting on Linux you might find out who executed the chmod command against that file..it is not a direct solution..but it might help
 
Old 10-06-2009, 06:28 AM   #8
++nick++
Member
 
Registered: Dec 2008
Location: Bellevue,WA
Distribution: RHEL 5 , Fedora ,Sabayon,Solaris,Vmware,AWS
Posts: 107

Original Poster
Rep: Reputation: 18
mbostwick,

I am at work right now , I will reply with a detailed snapshot from my home computer coz I dont want to post a snapshot of a shell from a protected environment , I am looking to find this out as one of the major tool failed in accessing(or failed to write into) a log file and there are many reasons for the same and one of which is possibly someone might have changed the permissions to the log file,

ddaemonunics,

I will checkout process accounting

Thanks all,
 
Old 10-06-2009, 08:03 AM   #9
tsandholm
LQ Newbie
 
Registered: Oct 2009
Location: New Hampshire
Distribution: debian/opensuse
Posts: 10

Rep: Reputation: 3
linux inotify

inotify can be used to inform you of filesystem changes, as well as attribute modifications (i.e. permissions).
Try a google for "linux inotify".
 
Old 10-06-2009, 10:37 AM   #10
++nick++
Member
 
Registered: Dec 2008
Location: Bellevue,WA
Distribution: RHEL 5 , Fedora ,Sabayon,Solaris,Vmware,AWS
Posts: 107

Original Poster
Rep: Reputation: 18
Hi,

Code:
[test@ramkarthik ~]$ date
Tue Oct  6 18:29:41 IST 2009
[test@localhost ~]$ ls -clt
-rw-r-xr-- 1 test test 0 2009-10-06 18:27 file
[test@localhost ~]$ vi file 
[test@localhost ~]$ ls -clt file
-rwxrw-r-- 1 test test 3 2009-10-06 18:31 file
[test@localhost ~]$ date
Tue Oct  6 18:31:47 IST 2009
[test@localhost ~]$ date
Tue Oct  6 18:32:47 IST 2009
[test@localhost ~]$ chmod 455 file 
[test@localhost ~]$ ls -clt file 
-r--r-xr-x 1 test test 3 2009-10-06 18:32 file
1.I did edit the contents to the file and the change(timestamp) reflected in ls -clt
2.I did change the permission of the file and the change(timestamp) reflected in ls -clt

But how do I find for which one among the above changes caused the change in the timestamp

I did check process accounting concept but the server in which i am trying to find the timestamp of chmod execution has process accounting disabled .

Any suggestions are welcome,

Thanks all.
 
Old 10-06-2009, 07:55 PM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325
This is a good explanation
http://www.unixtutorial.org/2008/04/...x-filesystems/
Note that ctime records file owner/perms & content changes, mtime is only content change.

If you suspect a user changed the file, you'll have to look through their cmd history (if they haven't cleared it).

As mentioned above, if you want to track those changes, you'll need accounting or inotify.

NB: Only the owner or root can change permissions.
 
Old 10-07-2009, 01:50 AM   #12
++nick++
Member
 
Registered: Dec 2008
Location: Bellevue,WA
Distribution: RHEL 5 , Fedora ,Sabayon,Solaris,Vmware,AWS
Posts: 107

Original Poster
Rep: Reputation: 18
Hi,

Thanks chrism01 , stat command illustrated in the tutorial was really useful , thanks all for your support.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
find command to search file modified b-RAM Linux - General 3 05-27-2009 12:39 AM
how to find out the user who modified a file in Linux venkat_k Programming 2 01-06-2009 03:51 AM
shell script to find modified date and last accessed date of any file. parasdua Linux - Newbie 6 04-22-2008 10:59 AM
find today's modified files cranium2004 Linux - General 2 03-08-2006 10:24 PM
Find out if a file was modified in the last 2 minutes.... cricos Programming 5 04-06-2005 03:57 PM


All times are GMT -5. The time now is 07:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration