Tail users commands

++nick++ · 01-30-2010, 01:53 PM

Hello All,

I have a quick question , This happened to me when I was logged in as a regular user in a production server . I was executing few commands , the person who was helping me was logged into the same host from another location (NY or something).I executed a script which is not accurate for that version of application running in the host . Then he pinged me via Microsoft communicator and instructed me not to use that script rather to use correct script for that version.

From then I was intrigued by how he found that out , I know that if one has root access he can view other users command history file but even root cannot tail the command history file.root can only cat the file once the user has ended the session.

Although "top -U username" will briefly show the command executed by the user.

Anyone here has any idea of how to tail other users commands or tail their command history file when they are in action.

thanks in advance,

devnull10 · 01-30-2010, 01:59 PM

Perhaps he just saw the results of the script and realised it was the wrong one? Is the script names differently? perhaps he ran the ps or top command?

EricTRA · 01-30-2010, 02:03 PM

Hi,

Maybe he's paranoid and watches logged on users with the 'w' command. That'll tell him what you are doing. He can even tail it with the use of a fifo pipe.

Kind regards,

Eric

++nick++ · 01-30-2010, 02:17 PM

Thanks devnull10,
Result of the script is not something logged anywhere or it doesnt leave any trace around , and yes the 2 scripts names are different.

Thanks EricTRA,
As far as i knew "w" command will only show who logged in from where and time. Am not sure about what you mean by "He can even tail it with the use of a fifo pipe" could you please elaborate

Thanks,

EricTRA · 01-30-2010, 02:25 PM

Hello,

Output of who:

Code:

root     tty1         2010-01-30 12:06
root     pts/0        2010-01-30 14:58 (:0)
root     pts/3        2010-01-30 20:59 (:0.0)

compared to output of w:

Code:

 21:18:52 up  9:14,  5 users,  load average: 0.73, 0.83, 0.67
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                12:06    6:20m  0.16s  0.01s /bin/sh /usr/bin/startx
root     pts/0    :0               14:58    6:20m  0.00s  1.09s kded4
root     pts/3    :0.0             20:59    0.00s  0.02s  0.00s w

You'll notice that with who you get what you mentioned. The output of w also lists what the logged on users are currently doing. A fifo pipe is like a wormhole to which you can send data. You create it using:

Code:

mkfifo nameyougive

and then you can send data to it from another console, another user, whatever you like. And you can follow it (fifo = first in first out) with the tail command on your console:

Code:

tail -f nameyougive

So if you then have like a little script that executes:

Code:

w > nameyougave

in a loop with a sleep interval of 30 seconds, you can kind of follow what your logged on users are doing.

Kind regards,

Eric

++nick++ · 02-04-2010, 02:03 PM

Thanks EricTRA,

mkfifo gives me the following error,

mkfifo: cannot create fifo `test': Operation not permitted

is it possible only for root to mkfifo . Kindly advise

allanf · 02-04-2010, 02:16 PM

He was probably monitoring the log file for the application that you used in the script in a terminal via the "tail -f filename" command.

++nick++ · 02-04-2010, 02:21 PM

Thanks for the response,

However this command worked

$mkfifo /tmp/myfifo

seems like a permission issue.

++nick++ · 02-04-2010, 02:34 PM

Hello All,

The use of named pipe doesn't seem to work the expected way . whichever command (w , who , top -U <username>) doesn't seem to work the exact way as expected , none of the command redirected into the named pipe seems to show what that user is executing ,Is there any other way to accomplish the intial cause of this thread

Thanks.

chrism01 · 02-04-2010, 06:04 PM

Lateral approach; ask the guy who was monitoring you ...