Identify File Editors in Linux

Find Out Who’s Modifying a File in Linux: A SysAdmin’s Guide

In a multi-user Linux environment, knowing who is accessing or modifying a critical file is essential for security, troubleshooting, and collaboration. When a configuration file changes unexpectedly, or a script cannot be replaced because something still holds it open, you need to identify the responsible process and user quickly. Linux ships with command-line utilities that show which processes have a file open right now, and with an audit framework that records who touched it in the past.

This guide will walk you through the most effective methods for identifying which users and processes have a file open, giving you the visibility needed to manage your system effectively.


Using lsof to See Who Has a File Open

The lsof (List Open Files) command is one of the most versatile tools for this task. It lists every file that is currently open by a running process, with the owning user and process ID. To see who has a specific file open, pass the file's path to the command. Run it as root (or via sudo) when you need the full picture: an unprivileged user only sees the processes they are allowed to inspect.

For example, to check who has /etc/hosts open, you would run:

lsof /etc/hosts

The output will give you a clear, table-based view of any process interacting with that file.

| COMMAND | PID | USER | FD | TYPE | DEVICE | SIZE/OFF | NODE | NAME |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| nano | 12345 | admin | 3u | REG | 8,1 | 247 | 134567 | /etc/hosts |

Here’s what the key columns mean:

  • COMMAND: The name of the command or editor being used (e.g., vim, nano, emacs).
  • PID: The Process ID. This is crucial for managing the process if needed.
  • USER: The username of the account that is running the process.
  • FD: The file descriptor number, followed by the access mode: r (read), w (write) or u (read and write). A value like 3u means descriptor 3 is open for reading and writing.

With lsof, you can see the command, process ID, and user responsible for accessing the file. Two caveats apply. First, lsof reports only what is open at the instant you run it; a process that read the file and closed it leaves no trace. Second, most editors do not keep the file open while you edit it: vim and nano read it into memory and reopen it only to save, so lsof on the file itself often shows nothing even while someone is editing. Look for the editor's swap file instead (vim keeps .filename.swp open in the same directory), or use the auditd approach described later in this guide.
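The following script is an added example, not code from the original article. It does by hand what lsof does internally: it walks /proc/PID/fd for every process, resolves each descriptor's symlink, and reports any process whose descriptor points at the target file. It also checks for a vim swap file beside the target, since vim holds the swap file rather than the file itself. It assumes a Linux /proc filesystem and GNU stat; the file names used in the demo are made up.

```shell
#!/bin/sh
# Added example: find processes holding a file open without lsof, by walking
# /proc/<pid>/fd (assumes Linux /proc and GNU stat). Run as root to see
# every process; unprivileged users only see their own.

# Print "PID USER COMMAND" for every process that has FILE open.
open_handles() {
    target=$(readlink -f "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        # readlink fails on descriptors we are not allowed to inspect
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "$target" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        user=$(stat -c %U "/proc/$pid" 2>/dev/null)
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        echo "$pid $user $comm"
    done | sort -u
}

# vim does not keep FILE open while editing; it keeps a swap file next to it.
# Print the swap file path if one exists (vim tries .swp first, then .swo).
vim_swap_for() {
    dir=$(dirname "$1"); base=$(basename "$1")
    for swp in "$dir/.$base.swp" "$dir/.$base.swo"; do
        [ -e "$swp" ] && { echo "$swp"; return 0; }
    done
    return 1
}

# Combined report for one file, e.g.: ./who_has_open.sh /etc/ssh/sshd_config
who_has_open() {
    echo "== processes with $1 open =="
    open_handles "$1"
    swp=$(vim_swap_for "$1") && echo "vim swap file present: $swp (someone is likely editing in vim)"
}

[ $# -gt 0 ] && who_has_open "$1"
```

Descriptors that were unlinked after opening resolve to "path (deleted)" and are skipped by the exact-match comparison; if you are hunting for a process that still holds a removed file, compare on the path prefix instead.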


A Direct Approach with the fuser Command

Another excellent utility is fuser, which is specifically designed to identify which processes are using a file, socket, or filesystem. It’s often faster than lsof if all you need is the process ID.

To get detailed information about who is using a file, use the verbose (-v) flag:

fuser -v /var/log/syslog

The output will look something like this, providing the user, PID, and access type:

| | USER | PID | ACCESS | COMMAND |
| :--- | :--- | :--- | :--- | :--- |
| /var/log/syslog: | root | 1201 | F.... | rsyslogd |

The ACCESS column is a fixed-width set of flags, with a dot for each unused position: f means the file is open, F means it is open for writing, c means it is the process's current directory, e means it is an executable being run, r means it is the process's root directory, and m means it is memory-mapped (a shared library, for example). In the example above, rsyslogd holds the log open for writing. As with lsof, run fuser as root to see processes owned by other users.

For a more compact look that still includes the user, use the -u flag:

fuser -u /etc/passwd

This returns the file path followed by each PID with the owning username in parentheses, like 12345(root). In this compact mode the f and F flags are omitted, so a plain open file shows just the PID; a trailing letter such as e or c appears only when the process is executing the file or using it as its current directory.

Security Tip: The fuser command can also terminate the processes that have a file open. Adding the -k (kill) flag sends SIGKILL to every matching process, so nothing gets a chance to clean up; pass a different signal with -SIGNAL (for example -TERM) if you want a graceful stop, and add -i to be prompted before each kill. Use this with care: killing everything that has /etc/important.conf open may take down the daemon that is legitimately serving it, not just the stray editor.

# This command will terminate (SIGKILL) any process using /etc/important.conf
fuser -k /etc/important.conf

# Safer: send SIGTERM and confirm each process first
fuser -k -TERM -i /etc/important.conf

Proactive Monitoring: Tracking File Changes with auditd

While lsof and fuser are excellent for identifying real-time file access, they can’t tell you who edited a file in the past. For that, you need a proactive auditing solution. The Linux Audit Daemon (auditd) is a powerful tool for this purpose. It allows you to create rules to watch specific files and log every interaction with them.

First, you need to set up a “watch” on the file you want to monitor. For instance, to monitor all write, read, execute, and attribute changes to your SSH server configuration, you would use auditctl:

auditctl -w /etc/ssh/sshd_config -p warx -k sshd_config_changes

Let’s break down this command:

  • -w /etc/ssh/sshd_config: Specifies the file path to watch.
  • -p warx: Sets the permissions to watch for: w (write), a (attribute change), r (read), and x (execute).
  • -k sshd_config_changes: Assigns a custom key or tag to the log entries, making them easy to find later.

Once the rule is in place, auditd logs every access event that matches it. Two practical notes: a rule added with auditctl lasts only until the next reboot, so put it in a file under /etc/audit/rules.d/ (for example /etc/audit/rules.d/sshd_config.rules) to make it persistent; and watching r on a frequently read file produces a lot of noise, so use -p wa when all you care about is who changed the file. You can then search the audit logs with the ausearch command and your custom key.

ausearch -k sshd_config_changes

The output from ausearch is detailed: each SYSCALL record carries the time of the event, the effective user ID (uid), the login user ID (auid), the command (comm) and executable (exe) that performed the action, and whether it succeeded. The auid matters more than the uid for attribution, because it is set at login and survives sudo and su: an administrator who runs sudo vim shows up with uid=0 but still with their own auid. Add -i to ausearch to translate numeric IDs into names. The audit log is only as tamper-resistant as you make it: root can still edit or delete /var/log/audit/audit.log, so lock the rule set with auditctl -e 2 (changes then require a reboot) and forward the log to a remote collector if you need it to hold up in a forensic investigation.
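The script below is an added example, not part of the original article, showing how to reduce raw ausearch output to one line per event and pick out edits made through privilege escalation. The audit records it runs on are constructed for the example (hypothetical PIDs, timestamps and users); on a real system you would pipe the output of ausearch -k sshd_config_changes into the same functions.

```shell
#!/bin/sh
# Added example: summarise raw ausearch output, one line per SYSCALL record,
# and flag events where the login user (auid) differs from the effective user
# (uid), i.e. edits made via sudo or su. Uses only POSIX sh and awk.

# Constructed sample in the raw format ausearch prints (not real log data).
sample_audit_log() {
cat <<'EOF'
----
time->Tue Jan 14 10:22:31 2025
type=PROCTITLE msg=audit(1736850151.123:456): proctitle=76696D002F6574632F7373682F737368645F636F6E666967
type=PATH msg=audit(1736850151.123:456): item=0 name="/etc/ssh/sshd_config" inode=1049 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1736850151.123:456): cwd="/home/alice"
type=SYSCALL msg=audit(1736850151.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c3e a2=241 a3=1a4 items=1 ppid=2100 pid=2131 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="sshd_config_changes"
----
time->Tue Jan 14 11:05:02 2025
type=SYSCALL msg=audit(1736852702.880:471): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1 a2=0 a3=0 items=1 ppid=3001 pid=3010 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" subj=unconfined key="sshd_config_changes"
EOF
}

# Read raw ausearch output on stdin; print one line per SYSCALL record:
# <epoch> key=<key> auid=<auid> uid=<uid> success=<yes|no> comm=<comm> exe=<exe>
summarize_audit() {
    awk '
    /^type=SYSCALL/ {
        ts = ""; auid = ""; uid = ""; comm = ""; exe = ""; ok = ""; key = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            gsub(/"/, "", kv[2])
            if (kv[1] == "msg") {
                # msg=audit(1736850151.123:456): -> epoch seconds
                sub(/^audit\(/, "", kv[2]); sub(/\..*$/, "", kv[2]); ts = kv[2]
            }
            else if (kv[1] == "auid")    auid = kv[2]
            else if (kv[1] == "uid")     uid  = kv[2]
            else if (kv[1] == "comm")    comm = kv[2]
            else if (kv[1] == "exe")     exe  = kv[2]
            else if (kv[1] == "success") ok   = kv[2]
            else if (kv[1] == "key")     key  = kv[2]
        }
        printf "%s key=%s auid=%s uid=%s success=%s comm=%s exe=%s\n", ts, key, auid, uid, ok, comm, exe
    }'
}

# Keep only summary lines where auid != uid: the actor escalated privileges.
# auid 4294967295 means "no login session" (daemons), which is not escalation.
flag_escalated() {
    awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid") a = kv[2]
            if (kv[1] == "uid")  u = kv[2]
        }
        if (a != u && a != "4294967295") print
    }'
}

# Demo on the constructed sample; on a real host use:
#   ausearch -k sshd_config_changes | summarize_audit | flag_escalated
sample_audit_log | summarize_audit
echo "--- escalated ---"
sample_audit_log | summarize_audit | flag_escalated
```

The first sample record is the interesting one for attribution: uid=0 says root opened the file for writing, but auid=1000 says the session belongs to the user with login UID 1000, who got there through sudo. The second record shows a failed read (success=no, exit=-13 is EACCES) by an unprivileged user, which is the kind of event you want a watch on a sensitive file to surface.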

Used together, these tools cover both halves of the question: lsof and fuser answer "who has this file open right now" (remembering that editors often hold a swap file rather than the file itself), and auditd answers "who changed this file, and when", with the auid telling you which login was behind a privileged edit.

Source: https://kifarunix.com/find-out-who-edited-files-in-linux/