Determine UID that last modified a file in Linux?

I'm writing a program that will be monitoring select files and directories for changes. Some of the files are world writeable, some owner, some group.

What I need to do is be able to figure out the last person to modify (not just access) a file. Somehow I thought this would be simple, given that we know the inode of the file. However, I cannot seem to find any way of obtaining this. I thought there was a practical way of correlating any given inode to the uid last accessing it.

I think I've squeezed Google for all it's going to give me on the topic.

Any help is appreciated. I'm writing the program in C.

Edit:

I need to be able to do this after the PID of whatever program modified the file is long gone.

If you are on a 2.6 kernel, you can take advantage of the kernel's auditd daemon. Check this URL out. It might give you some hint on how to accomplish what you are trying to. I'm sure there is an API you could use in C.

To my knowledge, this information is not stored by any of the common filesystems, but you should be able to hook into inotify and keep an audit trail of which processes touch which files.

Okay, using straight old standard Linux with normal file systems, you're not going to be able to do it. That information isn't stored anywhere (see man lstat for what is stored).

As @pablo suggests, you can do this with security auditing turned on. The link he notes is a good start, but the gist of it is this:

  • you turn on the audit daemon, which enables auditing from the kernel
  • you configure the rules file to capture what you want
  • you search the audit files for the events you want.

The difficulty here is that if you start auditing all file operations for all files, the audit is going to get big.

So what is the actual need you want to fill?
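The audit steps outlined in the answer above, as an added example that is not part of the original answers: it scans audit log SYSCALL records tagged by a watch rule and reports the uid and login uid (auid) of the last successful write. The log lines are constructed and abbreviated, and the path /srv/shared.conf and the key shared-conf are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, abbreviated audit.log SYSCALL records (not real output), as a
 * watch rule like `auditctl -w /srv/shared.conf -p wa -k shared-conf` tags
 * them. Path and key are hypothetical. */
static const char *SAMPLE_LOG[] = {
    "type=SYSCALL msg=audit(1700000000.100:41): syscall=257 success=yes "
    "pid=811 auid=1001 uid=1001 euid=1001 comm=\"vim\" key=\"shared-conf\"",
    "type=SYSCALL msg=audit(1700000060.300:63): syscall=257 success=yes "
    "pid=950 auid=1002 uid=0 euid=0 comm=\"tee\" key=\"shared-conf\"",
    "type=SYSCALL msg=audit(1700000090.200:77): syscall=257 success=no "
    "pid=990 auid=1003 uid=1003 euid=1003 comm=\"sh\" key=\"shared-conf\"",
};
#define SAMPLE_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Numeric value of field `name`; the leading space keeps "uid" from matching
 * inside "auid" or "euid". Returns -1 when the field is absent. */
static long long num_field(const char *rec, const char *name) {
    char pat[32];
    snprintf(pat, sizeof pat, " %s=", name);
    const char *p = strstr(rec, pat);
    return p ? strtoll(p + strlen(pat), NULL, 10) : -1;
}

/* Records are chronological, so the last successful match for `key` wins.
 * Failed attempts (success=no) are logged too and must be skipped.
 * Returns 0 and fills uid/auid, or -1 if no event matched. */
int last_modifier(const char **log, size_t n, const char *key,
                  long long *uid, long long *auid) {
    char want[64];
    int found = -1;
    snprintf(want, sizeof want, " key=\"%s\"", key);
    for (size_t i = 0; i < n; i++) {
        if (strncmp(log[i], "type=SYSCALL ", 13) != 0) continue;
        if (!strstr(log[i], want) || !strstr(log[i], " success=yes")) continue;
        *uid = num_field(log[i], "uid");
        *auid = num_field(log[i], "auid");
        found = 0;
    }
    return found;
}

int main(void) {
    long long uid, auid;
    if (last_modifier(SAMPLE_LOG, SAMPLE_N, "shared-conf", &uid, &auid) != 0)
        return 1;
    printf("last modified by uid=%lld (login uid %lld)\n", uid, auid);
    return 0;
}
```

In the second sample record the write ran as uid 0 while auid still names the account that logged in, which is why the login uid is reported alongside the uid.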

Very basic, but it works: you can easily write a little C program that does what you want. This example retrieves the UID of a file or directory or link; just try to find the properties that you want.

Compile with:

gcc -x c my-prog.c -o my-prog

Then:

./my-prog /etc

A lot of other information can be obtained like this.

It's not robust, but whatever, I know how to use it, and do the checking in a bash shell :-)

[ -x /etc ] && my-prog /etc

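Source code:

/* retrieve the uid of a file
 * source code: my-prog.c
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
  struct stat buffer;

  /* a path argument is required */
  if (argc < 2) {
    fprintf(stderr, "usage: %s <path>\n", argv[0]);
    return 1;
  }
  /* stat() follows symlinks; st_uid is the UID of the file's owner */
  if (stat(argv[1], &buffer) != 0) {
    perror(argv[1]);
    return 1;
  }
  printf("%u\n", (unsigned)buffer.st_uid);
  return 0;
}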
