Top Forums UNIX for Dummies Questions & Answers Is it possible to find out how/when/who deleted particular directory on UNIX Aix3 Post 51186 by Perderabo on Wednesday 12th of May 2004 10:29:18 PM
Yow! First of all, you can do "ps -fu <uid>" to get a list of processes for a certain user. But even with that revision, I would certainly not run that script. Especially for root. I don't know AIX, but there are processes like swapper and init that are special. I wouldn't try a ptrace() on them without a lot of research.

Can you briefly unplug the system from the network? If the directory disappears while the box is unplugged from the network, you know that it's a local process. If the directory is exported via NFS or a similar service the local box may be invoking a rmdir() or unlink(). Even without NFS, a cronjob on another system could use a remote shell. Unplugging the system for a few carefully timed seconds will tell you if another box is involved.

Deleting a directory requires write permission to the parent directory. By varying the permissions on that parent, you should be able to nail down the uid involved.

I would do a "ps -fu <uid>" in a loop around 4:00, sending the results to a file. Then I would study the file looking for any commands that could delete the directory.


Most directories are deleted by a program like rm or rmdir. Or maybe perl. For that to happen, the program must run. To run a program, you must read it. This updates atime in the inode. Run "ls -lu /usr/bin/rm" at 3:59 and 4:01. If the time doesn't change, that was not the program used.

With a little detective work, you can usually zero in on the culprit.
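The sampling loop the post describes (periodic "ps -fu <uid>" plus "ls -lu" on the usual deletion tools, stopping once the directory is gone), written out as an added example that is not from the original thread. It assumes POSIX ps -fu and ls -lu as found on AIX; TOOLS, the uid, the log path and the interval are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not part of the original post: sample the suspect uid's
# process list and the access times of the usual deletion tools at a fixed
# interval, and stop when the watched directory disappears, so the last
# samples before the deletion can be studied.  Assumes POSIX ps/ls (AIX).
# TOOLS is a placeholder list; extend it with anything else that could rmdir.
TOOLS="/usr/bin/rm /usr/bin/rmdir /usr/bin/perl"

# Print the "ls -lu" line (last access time) of every tool that exists.
tool_atimes() {
    for t in "$@"; do
        [ -e "$t" ] && ls -lu "$t"
    done
    return 0
}

# Return 0 if the ls -lu line of tool $1 differs between snapshots $2 and $3,
# i.e. the tool was read (almost certainly executed) in between.
atime_changed() {
    before=$(printf '%s\n' "$2" | awk -v t="$1" '$NF == t')
    after=$(printf '%s\n' "$3" | awk -v t="$1" '$NF == t')
    [ "$before" != "$after" ]
}

# One sampling round: timestamp, process list of uid $1 and tool access
# times, all appended to log file $2.
sample() {
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') ==="
        ps -fu "$1" 2>/dev/null || echo "(ps -fu $1 unavailable)"
        tool_atimes $TOOLS
    } >>"$2"
}

# Sample every $4 seconds while directory $1 exists, for at most $5 rounds.
# Returns 0 once the directory is gone, 1 if the round cap was hit first.
watch_dir() {
    dir=$1 uid=$2 log=$3 interval=$4 max=$5 n=0
    while [ -d "$dir" ]; do
        n=$((n + 1))
        [ "$n" -gt "$max" ] && return 1
        sample "$uid" "$log"
        sleep "$interval"
    done
    echo "=== $(date '+%Y-%m-%d %H:%M:%S') $dir is GONE after $n samples ===" >>"$log"
    return 0
}
```

Start it a minute or two before the usual deletion time (e.g. `watch_dir /path/to/dir <uid> /tmp/watch.log 5 120`), then read the last sample before the "GONE" line and compare the tool access times against an earlier sample with atime_changed.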

rmdir(2)                        System Calls Manual                        rmdir(2)

NAME
       rmdir - Removes a directory file

SYNOPSIS
       #include <unistd.h>

       int rmdir ( const char *path );

STANDARDS
       Interfaces documented on this reference page conform to industry standards as follows: rmdir(): XSH5.0
       Refer to the standards(5) reference page for more information about industry standards and associated tags.

PARAMETERS
       path   Specifies the directory pathname. The final component of the path parameter cannot be a symbolic link.

DESCRIPTION
       The rmdir() function removes the directory specified by the path parameter. The directory is removed only if it is an empty directory. For the rmdir() function to execute successfully, the calling process must have write access to the parent directory of the path parameter with respect to all of the system's access control policies.

       If the directory's link count becomes 0 (zero) and no process has the directory open, the space occupied by the directory is freed and the directory is no longer accessible. If one or more processes have the directory open when the last link is removed, the . (dot) and .. (dot-dot) entries, if present, are removed before the rmdir() function returns, and no new entries may be created in the directory. However, the directory is not removed until all references to the directory have been closed.

       Upon successful completion, the rmdir() function marks the st_ctime and st_mtime fields of the parent directory for update.

RETURN VALUES
       Upon successful completion, the rmdir() function returns a value of 0 (zero). If the rmdir() function fails, a value of -1 is returned and errno is set to indicate the error.

ERRORS
       If the rmdir() function fails, the directory is not deleted and errno may be set to one of the following values:

       Search permission is denied on a component of the path parameter, or write permission is denied on the parent directory of the directory to be removed.
       The process does not have write access to the parent directory with respect to one of the system's access control policies.
       The directory is in use as either the mount point for a file system or the current directory of the process that issued the rmdir() function.
       The directory named by the path parameter is not empty.
       The path parameter is an invalid address.
       While reading from or writing to the file system, an I/O error occurred.
       Too many links were encountered in translating path.
       The length of the path parameter exceeds PATH_MAX, or a pathname component is longer than NAME_MAX.
       The directory named by the path parameter does not exist or is an empty string.
       A component of the path parameter is not a directory.
       The S_ISVTX flag is set on the parent directory of the directory to be removed, and the caller is not the file owner.
       The directory named by the path parameter resides on a read-only file system.

       [Tru64 UNIX] For NFS file access, if the rmdir() function fails, errno may also be set to one of the following values:

       The file position pointer associated with the filedes parameter was negative.
       Indicates either that the system file table is full, or that there are too many files currently open in the system.
       Indicates a stale NFS file handle. An opened file was deleted by the server or another client; a client cannot open a file because the server has unmounted or unexported the remote directory; or the directory that contains an opened file was either unmounted or unexported by the server.

RELATED INFORMATION
       Functions: chmod(2), mkdir(2), mknod(2), rename(2), umask(2), unlink(2), mkfifo(3), remove(3)

       Standards: standards(5)