Linux – How to detect what is changing file ownership on Linux

diagnosticfile-permissionslinux

I have inherited a bunch of Linux (Ubuntu Precise) servers and am currently having problems with the ownership of a folder changing to "root" fairly often. We run puppet, which changes the ownership to the user it should be, but something else changes it back a bit later.

I'm currently logging the permissions on the file every 30 seconds to try and narrow down a time to see if there's anything in logs, etc. It's a large busy server, so without more information it's not easy to find anything in logs.

Is there a way in Linux to catch when a file/folder ownership changes and detect the process responsible?

Best Answer

I think you can use audit for specific file/directory or you can write custom rule based on your requirement

        auditctl -w <path to the file you need to monitor> -p war -k test

        Where -w is for specifying file path
        -p is for permission access (read,write,execute and attribute change)
        -k key name,you can give name you can use to filter audit rule

Then you can search it using

        ausearch -ts today -k test

For eg I used this,create this file /tmp/test and then write some random data

       auditctl -w /tmp/test -p warx -k test

and then execute this command

       ausearch -ts today -k test

      --ts for start date
      -k is for key string

So the output of this

  type=SYSCALL msg=audit(1407949301.821:63216): arch=c000003e syscall=191 success=no
  exit=-61 a0=eacca0 a1=3600005db7 a2=7fff15265180 a3=84 items=1 ppid=2384 pid=16921
  auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=10096
  comm="vim" exe="/usr/bin/vim" key="test"

So if you check the last line of output it will show command executed is vim and with uid=0 which is root

If you want to make these changes persistent across reboot,inside /etc/audit/audit.rules add the entry like this

  -w /tmp/test -p warx -k test

and make sure auditd service is up and running

  service auditd status

For more info you can refer http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

Related Solutions

Linux Email – How to Receive Email Alerts from Linux File Server

I use esmtp, which is a send-only MTA, for that purpose. It is very simple to set up. It has sendmail-compatible command-line options (some ignored). It's in the repositories.

Here is a simple example:

echo -e "To: Recipient Name <person@example.com>\n\
    From: Me Myself and I <me@gmail.com>\n\
    Subject: Here is the example I promised\n\n\
    $(<somefile)" | /usr/bin/esmtp -t

This sends the contents of the file named "somefile".

There is a very simple configuration file, /etc/esmtprc, that contains the hostname, username and password for your upstream email provider (I'm assuming yours is gmail).

Instructions for setting it up for Gmail are here.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux Email – How to Receive Email Alerts from Linux File Server

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic