[comp.unix.misc] Who's in my Directory ?

dpavlich@math-cs.kent.edu (Dave Pavlich) (11/21/90)

Is there a way on unix to find out if someone has 'cd''d into your
directory? I've tried checking processes (almost impossible) and I don't
want to set protection on these directories. Is there a shell program or
is it impossible?

   Thanks A Bunch

---------------------
  Dave Pavlich				"Gifted do what they can ....
  Math/CS Department			 A Genius does what he must "
  Kent State University					- Best Fortune Cookie
							  I Ever Had

jxf@castor.cis.ksu.edu (Jerry Frain) (11/21/90)

dpavlich@math-cs.kent.edu (Dave Pavlich) writes:


>      Is there a way on unix to find out if someone has 'cd''d into your 
>   directory ? I've tried checking processes ( almost impossible ) and I don't 
>    want to set protection on these directories. Is there a shell program  or
>   is it impossible ?

It isn't possible in any conventional way that I know of, however, a
friend of mine once created an 'ls' binary that he placed in his home
directory which logged a message to some predetermined log file, and
then exec'd /bin/ls with the original arguments.

It doesn't work if they have /bin in their path before '.', but
it still caught a lot of people snooping.

  --Jerry

--
Jerry Frain -- Systems Programmer               Kansas State University
                                        Department of Computing & Info Sciences
Internet : jxf@cis.ksu.edu                         Manhattan, Kansas
UUCP     : ...!rutgers!ksuvax1!jxf

mjr@hussar.dco.dec.com (Marcus J. Ranum) (11/21/90)

In article <1990Nov21.004657.10564@mcs.kent.edu> dpavlich@math-cs.kent.edu (Dave Pavlich) writes:
>      Is there a way on unix to find out if someone has 'cd''d into your 
>   directory ?

	I don't know a neat way to do this, but when I'm trying to get
people off a filesystem I want to unmount, I use "ps -aeww | grep directory"
which *sometimes* catches it, if the person is using a shell that keeps
a $CWD or something like that in the environment.

	Otherwise, the only approaches I can think of involve rummaging
around in the user structs. :( u_cdir, and follow the gnode.

mjr.
-- 
"When choosing between two evils, give preference to the council of your
tummy over that of your testes. The history of mankind is full of disasters
that could have been averted by a good meal, followed by a nap on the couch."
		-Me, as explained to me by my wife's cat Strummer.

gpvos@cs.vu.nl (Gerben 'P' Vos) (11/21/90)

jxf@castor.cis.ksu.edu (Jerry Frain) writes:
>It isn't possible in any conventional way that I know of, however, a
>friend of mine once created an 'ls' binary that he placed in his home
>directory which logged a message to some predetermined log file, and
>then exec'd /bin/ls with the original arguments.

>It doesn't work if they have /bin in their path before '.', but
>it still caught a lot of people snooping.

I know a student around here with an "ls" shellscript in their home directory,
which *copied your mailbox* into a subdirectory, so he could read it.
The moral of this story: have ls aliased to /bin/ls or have /bin before . in
your $PATH.

-					Gerben.
--
--- Gerben Vos - Aconet: BIGBEN!Gerben Vos - Internet: gpvos@cs.vu.nl
---- Definition of intelligence: Anything a human does better than a computer

tchrist@convex.COM (Tom Christiansen) (11/21/90)

In article <1990Nov21.004657.10564@mcs.kent.edu> dpavlich@math-cs.kent.edu (Dave Pavlich) writes:
>      Is there a way on unix to find out if someone has 'cd''d into your 
>   directory ? 

Use the BSD fstat if you have it; that one I know works.  SysV fuser
I've heard may also help.  

--tom

mjr@hussar.dco.dec.com (Marcus J. Ranum) (11/21/90)

In article <8314@star.cs.vu.nl> gpvos@cs.vu.nl (Gerben 'P' Vos) writes:
>
>I know a student around here with an "ls" shellscript in their home directory,
>which *copied your mailbox* into a subdirectory, so he could read it.

	That's *nothing* compared to what he could have done.

	I used to have a hacked up version of sh that used to have a
"set showexec" that would print the name of the program being run when
it ran it - useful for catching something like that. You only catch it
after the fact, but you can still go beat them bloody until they tell
you in detail what './ls' really did.

mjr.
-- 
"When choosing between two evils, give preference to the council of your
tummy over that of your testes. The history of mankind is full of disasters
that could have been averted by a good meal, followed by a nap on the couch."
		-Me, as explained to me by my wife's cat Strummer.

jik@athena.mit.edu (Jonathan I. Kamens) (11/22/90)

In article <1990Nov21.013355.16798@maverick.ksu.ksu.edu>, jxf@castor.cis.ksu.edu (Jerry Frain) writes:
|> It isn't possible in any conventional way that I know of, however, a
|> friend of mine once created an 'ls' binary that he placed in his home
|> directory which logged a message to some predetermined log file, and
|> then exec'd /bin/ls with the original arguments.

In article <1990Nov21.014439.11399@decuac.dec.com>, mjr@hussar.dco.dec.com (Marcus J. Ranum) writes:
|> 	I don't know a neat way to do this, but when I'm trying to get
|> people off a filesystem I want to unmount, I use "ps -aeww | grep directory"
|> which *sometimes* catches it, if the person is using a shell that keeps
|> a $CWD or something like that in the environment.
|> 
|> 	Otherwise, the only approaches I can think of involve rummaging
|> around in the user structs. :( u_cdir, and follow the gnode.

  Both of these are correct, but a better answer is that the "ofiles" program
can tell you both which processes have a given directory open as their current
working directory, and which processes are accessing a particular filesystem.

  "Ofiles" is available at a comp.sources.unix archive near you, in volume 18.

-- 
Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik@Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8085			      Home: 617-782-0710

tif@doorstop.austin.ibm.com (Paul Chamberlain) (11/22/90)

dpavlich@math-cs.kent.edu (Dave Pavlich) writes:
>Is there a way on unix to find out if someone has 'cd''d into your directory?

I once managed to find a working directory by looking at what directories
were open.  Will "ofiles" do this for you?

Paul Chamberlain | I do NOT represent IBM.     tif@doorstop, sc30661 at ausvm6
512/838-7008     | ...!cs.utexas.edu!ibmchs!auschs!doorstop.austin.ibm.com!tif

dylan@ibmpcug.co.uk (Matthew Farwell) (11/23/90)

In article <8314@star.cs.vu.nl> gpvos@cs.vu.nl (Gerben 'P' Vos) writes:
>jxf@castor.cis.ksu.edu (Jerry Frain) writes:
>>It isn't possible in any conventional way that I know of, however, a
>>friend of mine once created an 'ls' binary that he placed in his home
>>directory which logged a message to some predetermined log file, and
>>then exec'd /bin/ls with the original arguments.
>>It doesn't work if they have /bin in their path before '.', but
>>it still caught a lot of people snooping.
>I know a student around here with an "ls" shellscript in their home directory,
>which *copied your mailbox* into a subdirectory, so he could read it.
>The moral of this story: have ls aliased to /bin/ls or have /bin before . in
>your $PATH.

Or don't have . in your $PATH at all. Get used to typing ./<command> if
you're that concerned. It's not that hard.

Dylan.
-- 
Matthew J Farwell                 | Email: dylan@ibmpcug.co.uk
The IBM PC User Group, PO Box 360,|        ...!uunet!ukc!ibmpcug!dylan
Harrow HA1 4LQ England            | CONNECT - Usenet Access in the UK!!
Phone: +44 81-863-1191            | Sun? Don't they make coffee machines?

alex@am.sublink.org (Alex Martelli) (11/23/90)

dpavlich@math-cs.kent.edu (Dave Pavlich) writes:

>      Is there a way on unix to find out if someone has 'cd''d into your 
>   directory ? I've tried checking processes ( almost impossible ) and I don't 

At least in System/V Unix, fuser(1M) will do that for you, amongst
other similar checks.  It's in /etc/fuser in my machine.

-- 
Alex Martelli - (home snailmail:) v. Barontini 27, 40138 Bologna, ITALIA
Email: (work:) staff@cadlab.sublink.org, (home:) alex@am.sublink.org
Phone: (work:) ++39 (51) 371099, (home:) ++39 (51) 250434; 
Fax: ++39 (51) 366964 (work only), Fidonet: 332/401.3 (home only).

src@scuzzy.in-berlin.de (Heiko Blume) (11/23/90)

tchrist@convex.COM (Tom Christiansen) writes:

>In article <1990Nov21.004657.10564@mcs.kent.edu> dpavlich@math-cs.kent.edu (Dave Pavlich) writes:
>>      Is there a way on unix to find out if someone has 'cd''d into your 
>>   directory ? 

>Use the BSD fstat if you have it; that one I know works.  SysV fuser
>I've heard may also help.  

yep, fuser(1M) does it, but only if you are root. it also says
if the directory is the current, parent, or root directory
of the process(es) that use the given directory.
-- 
      Heiko Blume <-+-> src@scuzzy.in-berlin.de <-+-> (+49 30) 691 88 93
                    public source archive [HST V.42bis]:
        scuzzy Any ACU,f 38400 6919520 gin:--gin: nuucp sword: nuucp
                     uucp scuzzy!/src/README /your/home

shwake@raysnec.UUCP (Ray Shwake) (11/23/90)

gpvos@cs.vu.nl (Gerben 'P' Vos) writes:

>I know a student around here with an "ls" shellscript in their home directory,
>which *copied your mailbox* into a subdirectory, so he could read it.
>The moral of this story: have ls aliased to /bin/ls or have /bin before . in
>your $PATH.

	A better approach, if current directory must be supported, is to
search current directory *LAST*. It's a point SA's and security types have
argued for years, but it bears repeating. Users - and vendors - take note!
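An added check, not code from any poster in this thread, that turns the advice above (Gerben's, Dylan's and Ray's) into something you can run: it audits a PATH string for "." or an empty entry ahead of the system directories, and for relative entries, which carry the same exposure. The list of system directories is an assumption.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.  It audits a PATH
# string for the exposure the thread describes: "." (or an empty entry, which
# the shell also treats as the current directory) searched before the system
# directories, so that a planted ./ls runs instead of /bin/ls.  Relative
# entries are flagged for the same reason.  Prints one finding per line and
# returns 1 if anything was found, 0 if the PATH is clean.
# Usage: audit_path "PATHSTRING"   (defaults to $PATH when no argument is given)

# Directories whose binaries a planted ls would shadow (assumed list).
SYSTEM_DIRS="/bin /usr/bin /sbin /usr/sbin"

is_system_dir() {
    for d in $SYSTEM_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

audit_path() {
    rest="${1-$PATH}:"      # trailing ':' makes the split loop uniform
    pos=0 findings=0 seen_system=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text up to the first ':' ...
        rest=${rest#*:}     # ... and the remainder after it
        pos=$((pos + 1))
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            if [ "$seen_system" -eq 0 ]; then
                echo "entry $pos (${entry:-empty}): current directory searched before the system directories"
            else
                echo "entry $pos (${entry:-empty}): current directory searched after a system directory; safer to drop it and type ./cmd"
            fi
            findings=$((findings + 1))
        elif [ "${entry#/}" = "$entry" ]; then
            # A relative entry resolves against the cwd, same exposure as "."
            echo "entry $pos ($entry): relative path, resolved against the current directory"
            findings=$((findings + 1))
        elif is_system_dir "$entry"; then
            seen_system=1
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demonstration: audit the PATH of the shell running this script.
if audit_path; then
    echo "PATH is clean"
fi
```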

lbr@holos0.uucp (Len Reed) (11/24/90)

In article <1990Nov21.155805.27426@decuac.dec.com> mjr@hussar.dco.dec.com (Marcus J. Ranum) writes:
>In article <8314@star.cs.vu.nl> gpvos@cs.vu.nl (Gerben 'P' Vos) writes:
>>
>>I know a student around here with an "ls" shellscript in their home directory,
>>which *copied your mailbox* into a subdirectory, so he could read it.
=
=	That's *nothing* compared to what he could have done.
=
=	I used to have a hacked up version of sh that used to have a
="set showexec" that would print the name of the program being run when
=it ran it - useful for catching something like that. You only catch it
=after the fact, but you can still go beat them bloody until they tell
=you in detail what './ls' really did.

Hmm, so what you're saying is that you leave a big security hole and then,
after the fact, retaliate against whoever broke in.  Why don't you
publish your password and set things up so you can catch whoever broke
in?  Such things are reasonable only if you're conducting a sting
operation.  If not, '.' shouldn't be in your path ahead of the public
directories.
-- 
Len Reed
Holos Software, Inc.
Voice: (404) 496-1358
UUCP: ...!gatech!holos0!lbr

wmark@wb3ffv.ampr.org (Mark Winsor) (11/24/90)

The /etc/fuser -u command will tell you who is in a file, but it reads
/dev/kmem so it requires root access.

Mark S. Winsor
Systems Analyst
ProVAR, Inc.

mju@mudos.ann-arbor.mi.us (Marc Unangst) (11/26/90)

wmark@wb3ffv.ampr.org (Mark Winsor) writes:
> The /etc/fuser -u command will tell you who is in a file, but it reads
> /dev/kmem so it requires root access.

Not necessarily.  How do you think ps(1) and friends work?  Try this:

# chown bin /etc/fuser /dev/kmem
# chgrp kmem /etc/fuser /dev/kmem
# chmod 2111 /etc/fuser
# chmod 040 /dev/kmem

Presto, fuser can read /dev/kmem, but ordinary users can't.  You may
need to do this to /{vmunix,unix} (whatever your kernel is called),
since a lot of those sort of utilities read the kernel namelist to
find out where the stuff is in /dev/kmem.  (Caveat: I don't have
fuser, so I don't know if this opens up any security holes.  Check
closely; if it required root access before, there might have been a
reason.)

--
Marc Unangst               |
mju@mudos.ann-arbor.mi.us  | "Bus error: passengers dumped"
...!umich!leebai!mudos!mju | 

lerman@stpstn.UUCP (Ken Lerman) (11/28/90)

In article <1990Nov21.155805.27426@decuac.dec.com> mjr@hussar.dco.dec.com (Marcus J. Ranum) writes:
->In article <8314@star.cs.vu.nl> gpvos@cs.vu.nl (Gerben 'P' Vos) writes:
->>
->>I know a student around here with an "ls" shellscript in their home directory,
->>which *copied your mailbox* into a subdirectory, so he could read it.
->
->	That's *nothing* compared to what he could have done.
->
->	I used to have a hacked up version of sh that used to have a
->"set showexec" that would print the name of the program being run when
->it ran it - useful for catching something like that. You only catch it
->after the fact, but you can still go beat them bloody until they tell
->you in detail what './ls' really did.
->
->mjr.
->-- 
->"When choosing between two evils, give preference to the council of your
->tummy over that of your testes. The history of mankind is full of disasters
->that could have been averted by a good meal, followed by a nap on the couch."
->		-Me, as explained to me by my wife's cat Strummer.

If you are clever enough to "have a hacked up version of sh", you
should be smart enough to take dot out of your path.

Ken

barnett@grymoire.crd.ge.com (Bruce Barnett) (11/29/90)

In article <1990Nov21.185812.19152@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:

>Both of these are correct, but a better answer is that the "ofiles" program
>can tell you both which processes have a given directory open as their current
>working directory, and which processes are accessing a particular filesystem.

>"Ofiles" is available at an comp.sources.unix archive near you, in volume 18.


Here is a shell script that might work for BSD systems. I call it 'pswd'
Output looks like:

 barnett     4777 co           0:00 PWD=/home/kreskin/u0/barnett
 etc.

This only works if a process's current working directory is visible
with a ps wweuax command.


#!/bin/sh
# this script is like ps but prints out the current directory also
ps wweuax | awk '
/PWD/	{
# print user PID TTY TIME, then the PWD= entry from the environment part
		printf "%8s %8s %2s %14s ",$1,$2,$7,$10 ;
		for (i=11;i<=NF;i++)
		if (index($i,"PWD=") == 1)  printf "%s",$i ;
		printf "\n" ;
	}'

--
Bruce G. Barnett	barnett@crd.ge.com	uunet!crdgw1!barnett

tchrist@convex.COM (Tom Christiansen) (11/29/90)

In article <BARNETT.90Nov28121406@grymoire.crd.ge.com>,
barnett@crdgw1.ge.com scrawls:

>Here is a shell script that might work for BSD systems. I call it 'pswd'
>Output looks like:
>
> barnett     4777 co           0:00 PWD=/home/kreskin/u0/barnett
> etc.
>
>This only works if a process's current working directory is visible
>with a ps wweuax command.
>
>#!/bin/sh
># this script is like ps but prints out the current directory also
>ps wweuax | awk '
>/PWD/	{
># print user PID TTY TIME, then the PWD= entry from the environment part
>		printf "%8s %8s %2s %14s ",$1,$2,$7,$10 ;
>		for (i=11;i<=NF;i++)
>		if (index($i,"PWD=") == 1)  printf "%s",$i ;
>		printf "\n" ;
>	}'

Sorry, but very few programs keep your cwd in the $PWD envariable.  So
this won't work very often.    I would still go with fuser for SysV boxes,
fstat for BSD ones, or ofiles if you can't find any better.

Furthermore, you cannot process ps output with awk that way.  That STAT
column is fixed width but with an unknown number of elements.  If you try
to do it all with fixed width columns, you'll be unhappy again because
sometimes things like SZ or RSS get really big (at least on my machine) and
push things aside.  If you parse 'ps l' output, then you have to deal with
the WCHAN column being there or not, depending.

I'm not just going to criticize.  Here's a solution I came up with.  After
running 'ps l' through this filter, you can split on white space and
guarantee that the 0th field is the flags, ..., the 9th one is the wait
channel (which is 0 if originally missing), the 10th field is the process
run state with spaces set to dots to yield things like ".D.<." or ".R..."
or "VS.N.".  Field #13..$#F are the commands.

    #!/usr/local/bin/perl
    # fixps: put 'ps l' output into reliable fields
    # warning: sub-optimal perl code follows
    while (<>) {  # feed me output from 'ps l'
        if (/COMMAND/) { print; next; }   # header line passes through untouched
        # the first nine columns (F UID PID PPID CP PRI NI SZ RSS) are
        # whitespace separated; everything after them is the variable part
        ($fixed, $float) =
            /^(\s*\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+ )(.*)$/;
        # WCHAN is 8 characters, STAT 5, TT 2, then TIME and the command
        ($wchan, $stat, $tt, $time, $command) =
            ($float =~ /^(.{8}) (.{5}) (..) +(\d+:\d+) +(.*)/);
        $wchan = '    0    ' if $wchan eq '        ';   # blank wait channel -> 0
        $stat =~ s/ /./g;                               # blanks in STAT -> dots
        print "$fixed $wchan   $stat  $tt  $time  $command\n";
    }

So you then do something like this:

        ps axl | fixps | something_else

Where something else can do this if you don't want to just split
into one big array.  This is now *much* easier to deal with.

    #!/usr/local/bin/perl
    while (<>) {
        ($flags, $uid, $pid, $ppid, $cp,
         $pri, $nice, $size, $rss, $wchan,
         $state, $tty, $time, $command)         = split(' ',$_,14);

        if ($state =~ /V/) {
            # found a vector job
        }

        if ($uid != 0 && $state =~ />/) {
        # OR: if ($uid != 0 && $nice < 0) {
            # negatively reniced non-root process
        }

        if ($ppid == 1 && $uid != 0 && !(hex($flags) & 0x00800000)
                && $tty ne "?") {               #      SLOGIN bit
            # someone logged out with something in background
        }
    }


--tom

andyc@bucky.intel.com (Andy Crump) (11/29/90)

>>>>> On 21 Nov 90 00:46:57 GMT, dpavlich@math-cs.kent.edu (Dave Pavlich) said:

Dave>       Is there a way on unix to find out if someone has 'cd''d into your 
Dave>    directory ? I've tried checking processes ( almost impossible ) and I don't 
Dave>     want to set protection on these directories. Is there a shell program  or
Dave>    is it impossible ?

In System V Release 4, the 'fuser' utility will tell you which process
have a given file/directory open.  The -u option also tells you the
owner of the process.  For example when I did 
'/usr/sbin/fuser -u /home2/andyc' I got:

/home2/andyc:    21741c(andyc)   21630c(andyc)   21628c(andyc)   17133c(andyc)   17122c(andyc)   17120c(andyc)     789c(andyc)     696c(andyc)     694c(andyc)     693c(andyc)     692c(andyc)     687c(andyc)     684c(andyc)     683c(andyc)     674c(andyc)     651c(andyc)


Whoa! Not only that, it's fast! This is similar functionality to
ofiles referenced elsewhere.
--

    -- Andy Crump

    ...!tektronix!reed!littlei!andyc | andyc@littlei.intel.com
    ...!uunet!littlei!andyc          | andyc@littlei.uu.net

Disclaimer: Any opinions expressed here are my own and
            not representative of Intel Corporation.

barnett@grymoire.crd.ge.com (Bruce Barnett) (12/01/90)

In article <109418@convex.convex.com> tchrist@convex.COM (Tom Christiansen) writes:
>In article <BARNETT.90Nov28121406@grymoire.crd.ge.com>,
>barnett@crdgw1.ge.com scrawls:

(p.s. I apologize for the bad handwriting. You should see what it looks
like when I don't use a keyboard! :-)

>>This only works is a processes current working directory is visible
>>with a ps wweuax command.


>Sorry, but very few programs keep your cwd in the $PWD envariable.  So
>this won't work very often.    I would still go with fuser for SysV boxes,
>fstat for BSD ones, or ofiles if you can't find any better.

Yeah - I know. But I wanted to post something that sometimes works and
doesn't require any special program. No one else posted a shell only
"solution". 

Unmounting a file system in an emergency is a tough problem if you use
talk(1), wall(1), and the telephone - and the guy doesn't answer.

I used the above script to detect and the force program to change
someone's current directory, if I could.  (Force is a program by
jjg@linus.UUCP (Jeff Glass) that I got from comp.sources.misc. It uses
the TIOCSTI ioctl).

If not - the kill command is sure to get their attention. :-)

I looked at your script, and it doesn't quite work on my Sun4.
The SZ field can be 4 characters wide, and runs into the NI field:
      F UID   PID  PPID CP PRI NI  SZ  RSS WCHAN        STAT TT  TIME COMMAND
   80012067  6958  6957 32  33  02056 2680              R    co 16:39 process

I am willing to work on a perlized version of the above, but Tom is a
zillion times better than I am with perl. (Tom - send me e-mail if you
want to continue this).
--
Bruce G. Barnett	barnett@crd.ge.com	uunet!crdgw1!barnett
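Since Bruce wanted a shell-only answer that needs no special program, here is an added one (not code from any poster) for systems that have a Linux-style /proc, which did not exist when this thread was written: it reads the /proc/PID/cwd symlinks to list the processes whose working directory is the given directory or anything under it. The PROCROOT parameter and the use of /proc/PID/status for the owner and command name are assumptions made so the function can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not code from any poster.  A shell-only answer to the original
# question for systems with a Linux-style /proc: list every process whose
# current working directory is DIR or lies beneath it, by reading the
# /proc/PID/cwd symlinks (the same fact fuser, fstat, ofiles and u_cdir reach
# through the kernel).  As with fuser, you only see processes whose /proc
# entries you may read: your own unless you are root.
# Usage: procs_in_dir DIR [PROCROOT]
# PROCROOT defaults to /proc; the parameter exists so the logic can be run
# against a constructed tree.  Output: PID, UID, command name, cwd (tabs).

procs_in_dir() {
    dir=${1%/}                       # "/home/x/" and "/home/x" compare equal
    [ -n "$dir" ] || dir=/
    procroot=${2:-/proc}
    for cwdlink in "$procroot"/[0-9]*/cwd; do
        [ -L "$cwdlink" ] || continue                    # unreadable or gone
        target=$(readlink "$cwdlink" 2>/dev/null) || continue
        case "$target" in
            "$dir"|"${dir%/}"/*)
                pid=${cwdlink#"$procroot"/}
                pid=${pid%/cwd}
                uid='?' name='?'
                # /proc/PID/status carries the owner's uid and the command name
                if [ -r "$procroot/$pid/status" ]; then
                    uid=$(awk '/^Uid:/ {print $2}' "$procroot/$pid/status")
                    name=$(awk '/^Name:/ {print $2}' "$procroot/$pid/status")
                fi
                printf '%s\t%s\t%s\t%s\n' "$pid" "$uid" "$name" "$target"
                ;;
        esac
    done
    return 0
}

# Demonstration when run as a script: procs_in_dir "$HOME" or any directory.
if [ "$#" -gt 0 ]; then
    procs_in_dir "$@"
fi
```

A process in a subdirectory is reported too, which is what matters when the goal is to unmount the filesystem the directory lives on.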

seanf@sco.COM (Sean Eric Fagan) (12/03/90)

dpavlich@math-cs.kent.edu (Dave Pavlich) writes:
>Is there a way on unix to find out if someone has 'cd''d into your directory?

If you wish to find out if someone is currently in your directory, under
many (most or all?) implementations of *nix you can do so, provided you're
root, or run an SUID program, and any of the files in question have not
disappeared in the meantime.

If, however, you wish to find out if someone has *ever* been in your
directory, the answer is:  no.

(Side note:  one of the features of NOS [which runs only on CDC Cybers, in
170-state] that I liked was that it kept a log of who accessed your files,
and when, and what mode.  [NOS also had ACL's.]  There are times when I'd
really like something like that...)

-- 
-----------------+
Sean Eric Fagan  | "*Never* knock on Death's door:  ring the bell and 
seanf@sco.COM    |   run away!  Death hates that!"
uunet!sco!seanf  |     -- Dr. Mike Stratford (Matt Frewer, "Doctor, Doctor")
(408) 458-1422   | Any opinions expressed are my own, not my employers'.