We have an Ubuntu 12.04/apache server and a directory in the "/var/www/foo" and root permission.
Something is repeatedly changing the permission of this directory.
Question: How can we investigate what is changing the permission?
You could investigate using auditing to find this. In Ubuntu the package is called auditd.
Use this command to start an investigation of a file or folder:
auditctl -w /var/www/foo -p a
-w means watch the file/folder
-p a means watch for changes in file attributes
Now start tail -f /var/log/audit/audit.log. When the attributes change you will see something like this in the log file:
type=SYSCALL msg=audit(1429279282.410:59): arch=c000003e syscall=268 success=yes exit=0
a0=ffffffffffffff9c a1=23f20f0 a2=1c0 a3=7fff90dd96e0 items=1 ppid=26951 pid=32041
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5
ses=4294967295 comm="chmod" exe="/bin/chmod"
type=CWD msg=audit(1429279282.410:59): cwd="/root"
type=PATH msg=audit(1429279282.410:59): item=0 name="/var/www/foo" inode=18284 dev=00:13
mode=040700 ouid=0 ogid=0 rdev=00:00
I executed chmod 700 /var/www/foo to trigger it.
exe="/bin/chmod"
pid=32041
uid=0, root in my case.
mode=040700
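An added example (not part of the answer above): a short Python parser that groups the SYSCALL, CWD and PATH records of one audit event and reports which executable, PID, parent PID and UID changed the watched directory. The function names are illustrative, and the sample records are the ones shown in the answer, joined onto one line each as auditd writes them to audit.log.

```python
import posixpath
import re
from collections import defaultdict

# Records from the answer above, one per line as they appear in audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1429279282.410:59): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=23f20f0 a2=1c0 a3=7fff90dd96e0 items=1 ppid=26951 pid=32041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=4294967295 comm="chmod" exe="/bin/chmod"
type=CWD msg=audit(1429279282.410:59): cwd="/root"
type=PATH msg=audit(1429279282.410:59): item=0 name="/var/www/foo" inode=18284 dev=00:13 mode=040700 ouid=0 ogid=0 rdev=00:00
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # (uint32)-1: no login session attached to the process

def parse_events(text):
    """Group records sharing one audit(timestamp:serial) id into an event."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # blank or truncated line
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(float(ts), int(serial))][rtype].append(fields)
    return events

def attribute_changes(text, watched):
    """List successful syscalls that touched `watched`, with the process behind them."""
    hits = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        cwd = recs["CWD"][0]["cwd"] if recs["CWD"] else "/"
        for sc in recs["SYSCALL"]:
            if sc.get("success") != "yes":
                continue
            for p in recs["PATH"]:
                # PATH names may be relative to the CWD record; resolve first.
                full = posixpath.normpath(posixpath.join(cwd, p["name"]))
                if full != watched:
                    continue
                hits.append({
                    "time": ts, "exe": sc["exe"], "pid": int(sc["pid"]),
                    "ppid": int(sc["ppid"]), "uid": int(sc["uid"]),
                    "login_user_known": int(sc["auid"]) != UNSET_AUID,
                    # mode is octal and includes file-type bits; keep permission bits
                    "new_mode": oct(int(p["mode"], 8) & 0o7777),
                })
    return hits
```

The ppid value points at the parent process, which is where to look next when exe is a generic tool such as /bin/chmod.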
I don't think there is any way to answer how you could know what changed the permissions in the past, but you can use the lsof command to see what user or process is using a file at any given time. You could try putting that on a cron and possibly catch it. If something is randomly changing your file permissions and you don't know what it is, it may be very hard to find.
You can prevent your file permissions from being changed with the 'chattr' command. Chattr locks the file so that even root users cannot modify without first running the appropriate chattr command.
chattr +i filename (Make the properties of filename 'immutable', note no one can write to the file either)
chattr -i filename (Remove the immutable flag so the file ownership and permissions can be changed again.)
Without auditctl on a system you can start the investigation by using:
$ ls -lc /path/to/folder
This will "show ctime and sort by name" so show the last time the folder was changed. Maybe you can use this information to connect it to a cron job, or when looking at who was logged in at the time of the change, connecting the change to a user triggered event.
To see the last logins, duration of the session, and much more with time stamps use the following command:
$ last | more