Determine UID that last modified a file in Linux?


Solution 1

If you are on a 2.6 kernel, you can take advantage of the kernel's auditd daemon. Check this URL out. It might give you some hint on how to accomplish what you are trying to do. I'm sure there is an API you could use in C.

Solution 2

Okay, using straight old standard Linux with normal file systems, you're not going to be able to do it. That information isn't stored anywhere (see man lstat for what is stored.)

As @pablo suggests, you can do this with security auditing turned on. The link he notes is a good start, but the gist of it is this:

  • you turn on the audit daemon, which enables auditing from the kernel
  • you configure the rules file to capture what you want
  • you search the audit files for the events you want.

The difficulty here is that if you start auditing all file operations for all files, the audit is going to get big.

So what is the actual need you want to fill?
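The search step from the list above, as an added example that is not part of the original answer: it groups raw audit records by event ID and reports who last opened a watched file for modification. The rule key `watched`, the `/srv/data` paths and the sample records are constructed assumptions.

```python
import re

# Constructed sample records in raw audit.log format (assumption, not from the page),
# as a rule like `auditctl -w /srv/data -p wa -k watched` would log them.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1656662400.123:101): arch=c000003e syscall=257 success=yes exit=3 pid=1234 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="watched"
type=PATH msg=audit(1656662400.123:101): item=0 name="/srv/data/report.txt" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1656662460.500:102): arch=c000003e syscall=257 success=yes exit=3 pid=1301 auid=1001 uid=0 comm="tee" exe="/usr/bin/tee" key="watched"
type=PATH msg=audit(1656662460.500:102): item=0 name="/srv/data/report.txt" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1656662520.900:103): arch=c000003e syscall=257 success=no exit=-13 pid=1350 auid=1002 uid=1002 comm="sh" exe="/usr/bin/sh" key="watched"
type=PATH msg=audit(1656662520.900:103): item=0 name="/srv/data/report.txt" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1656662580.010:104): arch=c000003e syscall=257 success=yes exit=3 pid=1400 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="watched"
type=PATH msg=audit(1656662580.010:104): item=0 name="/srv/data/other.txt" inode=140 nametype=NORMAL
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def last_modifier(log_text, path, key="watched"):
    """Return identity fields of the newest successful audited event on path, or None."""
    events = {}  # (timestamp, serial) -> SYSCALL fields plus the PATH names in that event
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev = events.setdefault((float(ts), int(serial)), {"syscall": None, "paths": set()})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].add(fields.get("name"))
    # Keep only successful events carrying our rule key that touched the requested path.
    hits = [
        (eid, ev["syscall"]) for eid, ev in events.items()
        if ev["syscall"] and path in ev["paths"]
        and ev["syscall"].get("key") == key
        and ev["syscall"].get("success") == "yes"
    ]
    if not hits:
        return None
    (ts, serial), sc = max(hits, key=lambda h: h[0])
    # auid is the login UID and stays fixed across su/sudo; uid is what the process ran as.
    return {"time": ts, "serial": serial, "auid": int(sc["auid"]),
            "uid": int(sc["uid"]), "pid": int(sc["pid"]), "exe": sc["exe"]}
```

On a live system, `ausearch -k watched -f /srv/data/report.txt -i` runs the same search with IDs resolved to names. The `w` permission in a watch matches opens that request write access, not each individual `write()` call.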

Solution 3

To my knowledge, this information is not stored by any of the common filesystems, but you should be able to hook into inotify and keep an audit trail of which processes touch which files.

Author by

Tim Post


Updated on July 01, 2022

Comments

  • Tim Post almost 2 years

    I'm writing a program that will be monitoring select files and directories for changes. Some of the files are world writeable, some owner, some group.

    What I need to do is be able to figure out the last person to modify (not just access) a file. Somehow I thought this would be simple, given that we know the inode of the file... however, I cannot seem to find any way of obtaining this. I thought there was a practical way of correlating any given inode to the uid last accessing it.

    I think I've squeezed Google for all it's going to give me on the topic.

    Any help is appreciated. I'm writing the program in C.

    Edit:

    I need to be able to do this after the PID of whatever program modified the file is long gone.