I want to know (using any Linux tool/command) who actually started a process using sudo on Linux, using a configuration file from his home directory. How can I check who started it, and what the absolute path of this configuration file is? I have looked into /proc/$PID/environ and found the user, but can't seem to find the absolute path of the config file. This user has the same dir/conf.prod in multiple subdirectories.
"using sudo ... and using a configuration file from his home dir" - do you mean a sudo command that reads a configuration? Started a daemon or ran sudo or both? – suspectus, commented Apr 19, 2013 at 22:04
@suspectus He started a server and the config file is for the server's use. sudo is used to start the process as root. Hope it helps. – Curious Mind, commented Apr 19, 2013 at 22:15
1 Answer
Look at the system log first. This will be in /var/log. Depending on the platform, it will be called messages, auth.log or system.log.
Example of sudo command logging in the system log:
Apr 19 23:22:14 diabolus.local sudo[1583]: suspectu : TTY=ttys001 ; PWD=/home/suspectu ; USER=root ; COMMAND=/bin/date
Regarding the configuration used to start a service, look at the service's logs. Alternatively, lsof can be used to display the files (which may include config files) a process has open.
lsof -p <pid>
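Added example, not part of the original answer: a POSIX shell sketch that pulls the invoking user, working directory and command out of a sudo log line in the format shown above, then resolves a relative config argument against the logged PWD. The function names, the `--config` option and the sample log line are constructed assumptions.

```shell
#!/bin/sh
# Parse a sudo log line of the form shown in the answer:
#   <timestamp> <host> sudo[PID]: USER : TTY=... ; PWD=... ; USER=root ; COMMAND=...

# Print "invoking_user|pwd|command"; return 1 if the line is not a sudo command record.
parse_sudo_line() {
    rest=${1#*sudo*: }                    # drop "<timestamp> <host> sudo[pid]: "
    [ "$rest" != "$1" ] || return 1
    rest=${rest#"${rest%%[! ]*}"}         # some syslog formats pad the user name
    case $rest in
        *" : "*" ; PWD="*" ; USER="*" ; COMMAND="*) ;;
        *) return 1 ;;
    esac
    user=${rest%% : *}
    cwd=${rest#* ; PWD=}; cwd=${cwd%% ; USER=*}
    cmd=${rest#* ; COMMAND=}
    printf '%s|%s|%s\n' "$user" "$cwd" "$cmd"
}

# Print the absolute path of the value given to option $2 in the logged command.
# sudo logs arguments joined by spaces, so original quoting is not recoverable.
config_path_from_sudo_line() {
    fields=$(parse_sudo_line "$1") || return 1
    opt=$2
    cwd=${fields#*|}; cwd=${cwd%%|*}
    cmd=${fields#*|*|}
    arg=
    set -f; set -- $cmd; set +f           # word-split without glob expansion
    while [ $# -gt 0 ]; do
        case $1 in
            "$opt")   arg=${2-}; break ;;     # --config dir/conf.prod
            "$opt"=*) arg=${1#*=}; break ;;   # --config=dir/conf.prod
        esac
        shift
    done
    [ -n "$arg" ] || return 1
    case $arg in
        /*) printf '%s\n' "$arg" ;;           # already absolute
        *)  printf '%s/%s\n' "$cwd" "$arg" ;; # relative to the logged PWD
    esac
}

# Constructed sample line (hypothetical user, host, server binary and option).
sample='Apr 19 23:30:02 host1 sudo[1601]: alice : TTY=pts/0 ; PWD=/home/alice/app1 ; USER=root ; COMMAND=/usr/local/bin/server --config dir/conf.prod'
config_path_from_sudo_line "$sample" --config
```

The PWD field is what distinguishes one dir/conf.prod from another when the same relative path exists under several subdirectories.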