cancel
Showing results for 
Search instead for 
Did you mean: 

ownership change

 
himacs
Super Advisor

ownership change

Hi Admins,

My root filesystem ownership and group has been changed to a normal user.I want to find out when its changed and who changed.

Is there any option with find command like 'ctime'

If m not wrong , ctime will provide the time of ownership changing..


regards
himacs

6 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: ownership change

Hi:

Yes, the 'ctime' represents the time of change in permissions, ownership, or the name of a file or directory. Be aware that some backup software will change the 'ctime' as a consequence of resetting the 'atime' of backed-up files. For directories, the 'ctime' will be updated for the parent directory as a consequence of adding or removing files. Hence, good luck isolating the change.

Regards!

...JRF...
himacs
Super Advisor

Re: ownership change

Hi JRF,

Thanx for the reply..

ls -ld / give times as Sep 10.

dr-xr-xr-x 70 bin bin 8192 Sep 10 16:50 /

what does it means..?

andplz provide exact command to find out the time of ownership changing..


regards
himacs
James R. Ferguson
Acclaimed Contributor

Re: ownership change

Hi (again):

> ls -ld / give times as Sep 10.
> dr-xr-xr-x 70 bin bin 8192 Sep 10 16:50 /
> what does it means..?
> andplz provide exact command to find out the time of ownership changing..

This interrogates the 'mtime' or last modification timestamp. To examine the last "change" timestamp, do:

# ls -lcd

BUT, as I stated originally, the 'ctime' of a directory can change for a multitude of reasons. If your 'mtime' were older than your 'ctime' this would suggest that the 'ctime' really represented the time of your ownership modification.

AGAIN, you may be chasing an answer for which you have insufficient data.

I would examine root's shell history file in the hope that something there helps you.

Regards!

...JRF...
himacs
Super Advisor

Re: ownership change


OK JRF,

Actually i changed the ownership back to bin:bin.Nothing unusual found in .sh_history.
Anyhow let me check any other alternatives.

thanx for ur time.

regards
himacs
James R. Ferguson
Acclaimed Contributor

Re: ownership change

Hi (again):

I have one other thought for you. If you have scripts that perform a 'cd' to change directory's make sure to test if the change is successful and take action if not.

This could include code, like:

cd ${MYPATH}

...where the variable is empty and your 'root' account's $HOME path is '/'.

Good scripting would either do:

set -u
cd ${MYPATH}

or:

cd /somepath || { echo "bad path!"; exit 1; }

In the case of the 'root' account, this is another good reason to change the ${HOME} directory from '/' to '/root'.

Regards!

...JRF...
Raj D.
Honored Contributor

Re: ownership change

Himacs,

>My root filesystem ownership and group has been changed to a normal user.

What do you mean root filesystem permission.
I understand someone changed the mount point permission .

Btw, root can only change the mountpoint permission, and not the other users, unless the permission on that mountpoint is not root:root.


To check who changed permission check:
- you have howmany admins, or other users who uses root login.
- or howmany users you have with root sudo login access.

To Check : sulog , and sudolog what are the users logged in as root.

hth,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "