0

There are some 4 people who know my root password. And someone deleted my code directory.

We have a single system where everyone has his own code base directory, and everyone sshes into this system and works on it.

I tried looking into the history in ~/.bash_history. It shows that the rm -rf command was executed, but I do not know who logged in as root and deleted it. I have also tried list command. But unfortunately 3 people were logged in at that point of time and any one of them might have done that. Accounting info also did not help. Is there any way to find out?

If not, how can I write some script that I can run in the background that captures all the commands that get issued from an IP address (SSH sessions) and at what time?

3
  • 1
    Read Multiple Root Accounts. Also, use a version control system for your codebase.
    – choroba
    Commented Mar 9, 2013 at 7:43
  • 2
    1) It sounds like you want to talk to your boss or your professor, 2) it sounds like maybe root privileges should be revoked for all uses, and 3) it sounds like you want to take frequent backups ;)
    – paulsm4
    Commented Mar 9, 2013 at 7:43
  • You should learn to back up and to use some version control system (e.g. git) for your source code. Commented Mar 9, 2013 at 8:42

2 Answers 2

2

The problem with history or similar commands is that they don't show you the time when commands were entered.

last will show you who logged in or is still logged in, but if three people know the root password, it is still difficult to tell them apart.

A simple script would be to send a mail every time someone logs in. Place this script in .bash_profile, if you are using bash. But as soon as someone notices this script and has root access, there is nothing that stops them from changing it or even sending fake mails.

For the future, I would suggest using sudo (man sudo). Users will log in with their personal account, and if they need root permission for certain commands, they have to do it through sudo and everything will be logged.

1
  • Amen to using sudo in this kind of environment.
    – davidgo
    Commented Mar 9, 2013 at 8:14
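
What the sudo log suggested in this answer makes possible, as an added example that is not part of the original answer: a Python script that reads auth-log text and ties each sudo command to a personal account, a timestamp, and the source IP of that user's latest SSH login. The log lines are constructed samples in the usual sshd/sudo syslog format; the year and the user-to-IP pairing heuristic are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the usual sshd/sudo syslog format (host, users, IPs invented).
SAMPLE_LOG = """\
Mar  9 07:01:10 devbox sshd[2101]: Accepted password for alice from 192.0.2.10 port 50112 ssh2
Mar  9 07:03:45 devbox sshd[2140]: Accepted password for bob from 192.0.2.20 port 50344 ssh2
Mar  9 07:05:02 devbox sshd[2188]: Accepted password for root from 192.0.2.30 port 50790 ssh2
Mar  9 07:09:31 devbox sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/svn update
Mar  9 07:12:44 devbox sudo:    alice : TTY=pts/1 ; PWD=/home ; USER=root ; COMMAND=/bin/rm -rf /home/carol/code
"""

LOGIN_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sudo:\s+(\S+) : TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(.*)$")

def _ts(stamp, year=2013):
    # Classic syslog stamps omit the year; it is supplied here as an assumption.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def attribute(log_text):
    """Return (sudo_events, shared_root_logins) parsed from auth-log text."""
    last_login = {}  # user -> source IP of that user's most recent accepted SSH login
    events, root_logins = [], []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            when, user, ip = _ts(m.group(1)), m.group(2), m.group(3)
            last_login[user] = ip
            if user == "root":
                # A direct login with the shared root password yields an IP but no person.
                root_logins.append({"time": when, "ip": ip})
            continue
        m = SUDO_RE.match(line)
        if m:
            stamp, user, tty, pwd, run_as, cmd = m.groups()
            # Heuristic (assumption): pair the command with the user's latest prior login.
            ip = last_login.get(user)
            events.append({"time": _ts(stamp), "user": user, "ip": ip,
                           "tty": tty, "run_as": run_as, "command": cmd})
    return events, root_logins

def who_ran(log_text, needle):
    """List (time, user, ip) for every sudo command containing `needle`."""
    events, _ = attribute(log_text)
    return [(e["time"].isoformat(), e["user"], e["ip"]) for e in events if needle in e["command"]]

if __name__ == "__main__":
    for row in who_ran(SAMPLE_LOG, "rm -rf"):
        print(row)
```

The direct root login in the sample is returned separately because it can only be tied to an address, not to a person, which is the situation the question describes.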
0

Even if you write a script to do that and one of the other three has root permissions, what is to stop them editing the file and covering up their crime?

So in summary, if you are unsure as to the competence of one or more of the others, then remove their root access (i.e. change the password and do not tell that individual).

Also it is a good idea to only use root access when absolutely necessary. Also use something like SVN and a backup mechanism so that at most you lose a day's work (or less).

2
  • Thanks everyone for the quick response. But I was looking more into ways that I can prove to that guy that "you made this mistake, your responsibility". Actually, I lost around 2 weeks of work. Yeah, I will take more backups from now on and I already use SVN but probably will update it more frequently. Lesson learnt the hard way.
    – user2150973
    Commented Mar 9, 2013 at 7:49
  • @user2150973 - Probably the person knows he made a mistake and pride is getting in the way of admitting it. Anyway, what will it achieve, as you have lost data? Better to spend your efforts recovering from this disaster. I would also imagine that you have learned to make backups etc.
    – Ed Heal
    Commented Mar 9, 2013 at 7:52
