Anyone know a way to track who is changing permissions of a specific directory?

Require everyone to use their user account and sudo rather than root. Cross check your logs vs who was logged in and the history files if applicable.

I would think you would want to set up a system so that normal users can only change files and directories where they are the owner. If it is set up that way, then why would you care how a user changed something?

If you're talking about a mounted directory, it can change permissions based on WHO mounted it. Having a more explicit /etc/fstab entry might tame that beast. Otherwise your system might be a bit hosed.

Otherwise fam or gam_server might help ID something. Or just change chmod / chgrp / chown to include some sort of logging. You might also check ~/.bash_history to see who's being naughty for each user. moot if they can log in as root. But there might be some /var/log/ stuff to indicate who's been doing that as well. Depending on how your system is setup.

If it's a device (/dev/), udev might be handling those perms at creation time. Any changes made to the /dev/ after boot are likely lost at the next boot.

OK, I maybe didn't explain myself very well. I do not have root. I was trying to help someone find out who changed permissions on an entire dir tree. I didn't set it up, nor can I change the set up. I DO NOT have root. I don't have a uid either. So, we have someone or a script which is what I think it is that is changing a dir tree from 777 to 755 which screws up the night scripts. I was wondering if anyone knew besides something like tripwire ( something free ) that would tell me who or what did that.

Thanks folks for trying

Shadow7, you mentioned gemin server. Can you explain real quick how that works AND more importantly do I need to be root to run it?

If it happens regularly I would check the cron files to find your culprit.

FAM - file alter(something or other) monitor.

gam_server is the next gen of that. Whatever that is. If you don't have root, even if you ID what's causing it, you probably can't change it. What file system is this tree on? Some file systems can have alternate perms. Cron is probably a good place to check. It could also be the selinux stuff. If it's not a custom thing, then you might not be the only one with the problem. If it goes with some other action (reboot) / cron job or something. There might be a timestamp on the tree to hint at when it happens, if it's consistent (every day +/- 5 minutes) then it's probably automated, i.e. cron (or any number of other alternatives). I don't know of any humans that consistent.

1 members found this post helpful.