Thursday, May 2, 2024
rated 0 times [  5] [ 0]  / answers: 1 / hits: 27180  / 2 Years ago, sun, september 4, 2022, 5:08:37

My Ubuntu server has about roughly 30 active users on it. I personally know everyone using the server. Recently, a few friends and I were working on a project. We made a new directory for the project and since everyone knows everyone we didn't bother protecting our work under a bunch of permissions. We should have though, because we woke up this morning to find that someone removed our entire directory.



Our work is backed up every night so it's really not a big deal to restore our work. However, we would like to find out who removed it so we can confront them. So far the best thing we've come up with for finding our culprit is checking everyone's bash history but this is long and tedious and chances are that if there was a malicious intent behind the directory removal that our culprit probably modified theirs to cover their tracks (or of course they might use a different shell).



So, basically, what is the easiest and quickest way to find out who deleted a directory?



Thanks in advance for your time.



 Answers

I didn't find a magic bullet answer to your question; part of that reason is detailed here: https://superuser.com/questions/178596/checking-user-command-history-in-unix



This simple command may help you track down what happened, searching for rm & mv commands in all shell history files in all users' home directories:



find /home -type f -iname '.*history' -exec grep -HE 'rm|mv' {} \;


It's good you have a valid backup to save you, but I highly recommend creating some groups for project folders and just adding user accounts to those groups; that will save you a lot of pain in the future.



Example:
add a group and add project team members to it



groupadd coolproject
adduser jim coolproject
adduser joe coolproject
adduser charlie coolproject


set the permissions properly recursively and guarantee access going forward for the team regardless of who creates/edits files



chown -R yourusername:coolproject /path/to/projectdir
find /path/to/projectdir -type d -exec chmod 2775 {} \;


(the 2 sets the group ownership to "sticky"; this makes sure the group owner of any projects remains "coolproject")



find /path/to/projectdir -type f -exec chmod 664 {} \;


Hope that helps ya out! B-)


[#44536] Tuesday, September 6, 2022, 2 Years  [reply] [flag answer]
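An added example (not part of the answer above): a narrower version of the history search that reports only rm, rmdir or mv run as a command against one path, and names the home directory each hit came from. The function names, the sample users and the path /srv/coolproject are constructed for illustration; it assumes one history file per home directory and no ':' in the search root.

```shell
#!/bin/sh
# Added example. scan_histories ROOT TARGET prints: user <TAB> history file <TAB> line:command
scan_histories() (
    root=$1; target=$2
    # rm/rmdir/mv must start a command: at line start or after ; & | or whitespace.
    # This also matches zsh extended history lines (": <time>:<elapsed>;<command>")
    # and skips words that merely contain "rm", such as "format".
    find "$root" -maxdepth 2 -type f -name '.*history' \
        -exec grep -HnE '(^|[;&|[:space:]])(sudo[[:space:]]+)?(rm|rmdir|mv)[[:space:]]' {} + |
    grep -F -- "$target" |
    while IFS= read -r hit; do
        file=${hit%%:*}          # path printed by grep -H
        rest=${hit#*:}           # "lineno:command"
        user=$(basename "$(dirname "$file")")
        printf '%s\t%s\t%s\n' "$user" "$(basename "$file")" "$rest"
    done
)

# Constructed sample: three home directories with small history files.
make_sample_homes() {
    d=$(mktemp -d)
    mkdir "$d/jim" "$d/joe" "$d/charlie"
    printf '%s\n' 'cd /srv/coolproject' 'vim format.txt' \
        > "$d/jim/.bash_history"
    printf '%s\n' ': 1662268000:0;cd /srv' ': 1662268010:0;rm -rf /srv/coolproject' \
        > "$d/joe/.zsh_history"
    printf '%s\n' 'grep -r "rm" /srv/coolproject' 'mv report.txt /tmp' \
        > "$d/charlie/.bash_history"
    echo "$d"
}

homes=$(make_sample_homes)
scan_histories "$homes" /srv/coolproject
rm -rf "$homes"
```

On a real server the first argument would be /home and the command needs root to read other users' files; an empty result only means no surviving history line matched.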
ugeeport
