Linux – How to find out who is deleting files on a Linux server

I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.

To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.

If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.

Examples

• c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"
• c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"

What you have actually looks correct. You have the setgid bit set on the directory, so new files created should inherit the staff group. They do still remain owned by the creator, though. I suspect the problem is that the umask for your users is defaulting to 022 or even 077, which means new files they create will not have the group-write permission by default. The user/group ownership is correct, but the group permissions do not permit other members of the group to write (or maybe even read) the files.

Pick a user in the staff group and set the umask to 002 or 007, which means new files will be owner- and group-writable. I suspect this will correct the problem:

bash$ umask
0022
bash$ umask 002
bash$ umask
0002

Also, you noted you don't want anyone outside of the staff group to have any access to the directory at all. You should modify the directory permissions to 2770 to achieve this, otherwise non-staff will be able to read (but not modify) files in the directory.

For the last question about the apache user, the easiest way is probably to add that user to the staff group.