2

At first I was going to ask the question "Find all files I've created / changed after installation?" but that is a duplicate of (Find all files on the filesystem that I have edited or created) which doesn't have a satisfactory answer because it includes stuff downloaded and never changed plus thousands of thumbnails Nautilus has created under my user ID unbeknownst to me.

The reason for this need is I had written a nifty script to power-off a USB port on my laptop that always has power in order to win a bounty.

Now I'm very displeased that my always powered on USB port by design is powered off during suspend or shutdown. I want to track down and revert the programs and those systemd configurations I set up with gedit. Having a poor memory for impromptu things I can't remember what I changed.

How do I find all the files I've created or changed with gedit?

I have created a wrapper script called gsu that uses pkexec to replace gksu gedit (How can I create new "gksu" command based on pkexec?). I will change it to log all system files edited with their last date.

In the meantime someone hinted on that link all sudo commands using gedit were logged someplace. The question is where and how to succinctly list them with grep or whatever?

Please note I can find this through other time-consuming means but feel this is an important question many others may have as well.

  • 1
    :) You fell into the same pit as I did before. I have learned to leave a special tag wherever I change something in configuration like my old username ##sneetsher: comment or //sneetsher: comment so I can collect them using grep before reinstalling or upgrading. But if all your edits are using gedit, gedit by default leaves a hidden backup file, its filename ends with ~. So you may find your edited files among the output of sudo updatedb; locate -br ~$ – user.dz Nov 14 '16 at 12:10
  • 1
    Actually I put comments on almost all scripts whenever I change them with reasons why. Then I log the script name into a spreadsheet that cat's the code with 'grep' command and dumps the output in neighbouring cells. In this case with the bounty question for another person, I did not :( – WinEunuuchs2Unix Nov 14 '16 at 12:17

2 Answers

2

I just edited a "system" file using this command to open the file:

sudo -H gedit /etc/gtk-3.0/settings.ini

I immediately then looked at the last entry in ~/.local/share/recently-used.xbel and saw this:

  <bookmark href="file:///etc/gtk-3.0/settings.ini" added="2016-11-14T02:04:05Z" modified="2016-11-14T02:04:05Z" visited="2016-11-14T02:04:05Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="text/plain"/>
        <bookmark:groups>
          <bookmark:group>gedit</bookmark:group>
        </bookmark:groups>
        <bookmark:applications>
          <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" modified="2016-11-14T02:04:05Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>

Limitations:

  • the recently-used.xbel contents don't reveal how you invoked gedit.
  • it's not necessary that a file should have been edited or created with gedit; merely viewing a file with gedit gets the file listed.

Visual inspection of the file seems safer than using code to extract the needed information. Something like grep -B5 '<bookmark:group>gedit</bookmark:group>' recently-used.xbel | grep 'bookmark href=' | grep -v '///home/' may help isolate system files that were edited by gedit. But this would work only if gedit is the first application listed in the bookmark:group for that particular file. If you've edited the file previously with some other application that writes to recently-used.xbel, you may not catch that file.

    <bookmark:groups>
      <bookmark:group>geany</bookmark:group>
      <bookmark:group>gedit</bookmark:group>
    </bookmark:groups>

Anyway, this is the output of the grep command:

~/.local/share $ grep -B5 '<bookmark:group>gedit</bookmark:group>' recently-used.xbel | grep 'bookmark href=' | grep -v '///home/'
  <bookmark href="file:///usr/share/themes/Adwaita/gtk-2.0/gtkrc" added="2016-10-15T09:38:31Z" modified="2016-10-15T09:38:31Z" visited="2016-10-15T09:38:31Z">
  <bookmark href="file:///usr/share/themes/Numix/gtk-2.0/gtkrc" added="2016-10-15T09:40:25Z" modified="2016-10-15T09:40:25Z" visited="2016-10-15T09:40:25Z">
  <bookmark href="file:///usr/share/themes/Lubuntu-default/gtk-3.0/gtk-lubuntu.css" added="2016-10-27T03:26:38Z" modified="2016-10-27T03:26:38Z" visited="2016-10-27T03:26:38Z">
  <bookmark href="file:///etc/gtk-3.0/settings.ini.dpkg-old" added="2016-11-14T02:03:44Z" modified="2016-11-14T02:03:44Z" visited="2016-11-14T02:03:44Z">
  <bookmark href="file:///etc/gtk-3.0/settings.ini" added="2016-11-14T02:04:05Z" modified="2016-11-14T02:04:05Z" visited="2016-11-14T02:04:05Z">
~/.local/share $ 
DK Bose
  • When I copied and pasted the command it generated an error on my Ubuntu 16.04: $ ~/.local/share $ grep -B5 '<bookmark:group>gedit</bookmark:group>' recently-used.xbel | grep 'bookmark href=' | grep -v '///home/' bash: /home/rick/.local/share: Is a directory – WinEunuuchs2Unix Nov 17 '16 at 00:29
  • What about something simpler like just grep '<bookmark:group>gedit</bookmark:group>' recently-used.xbel? Does that also not work? What are the file attributes for recently-used.xbel on your system? Mine are -rw------- (also 16.04). – DK Bose Nov 17 '16 at 11:00
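
The grep pipeline in the answer above depends on line offsets, so it misses a file when gedit is not the first bookmark:group entry. As an added example (not part of the original answer), this parses the XBEL structure instead and matches gedit in any group or application entry; the sample data is constructed and `files_opened_with` and `local` are hypothetical helper names:

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

# Constructed sample in the layout quoted in the answer; not a real history file.
SAMPLE_XBEL = """<xbel version="1.0"
 xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
 xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
 <bookmark href="file:///etc/gtk-3.0/settings.ini" modified="2016-11-14T02:04:05Z">
  <info><metadata owner="http://freedesktop.org"><bookmark:groups>
   <bookmark:group>geany</bookmark:group><bookmark:group>gedit</bookmark:group>
  </bookmark:groups></metadata></info>
 </bookmark>
 <bookmark href="file:///etc/systemd/usb%20port.conf" modified="2016-11-10T21:15:00Z">
  <info><metadata owner="http://freedesktop.org"><bookmark:applications>
   <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" count="2"/>
  </bookmark:applications></metadata></info>
 </bookmark>
 <bookmark href="file:///home/rick/notes.txt" modified="2016-11-12T08:00:00Z">
  <info><metadata owner="http://freedesktop.org"><bookmark:groups>
   <bookmark:group>gedit</bookmark:group>
  </bookmark:groups></metadata></info>
 </bookmark>
 <bookmark href="file:///etc/fstab" modified="2016-11-13T09:30:00Z">
  <info><metadata owner="http://freedesktop.org"><bookmark:groups>
   <bookmark:group>geany</bookmark:group>
  </bookmark:groups></metadata></info>
 </bookmark>
</xbel>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def files_opened_with(xbel, app="gedit", skip_prefix="/home/"):
    """Return sorted (modified, path) pairs for non-home files recorded for `app`."""
    hits = []
    for bm in ET.fromstring(xbel).iter("bookmark"):
        used = any(
            (local(el.tag) == "group" and (el.text or "").strip() == app)
            or (local(el.tag) == "application" and el.get("name") == app)
            for el in bm.iter()
        )
        path = unquote(urlparse(bm.get("href", "")).path)  # decode %20 etc.
        if used and path and not path.startswith(skip_prefix):
            hits.append((bm.get("modified", ""), path))
    return sorted(hits)
```

For a real history file, pass the result of `pathlib.Path("~/.local/share/recently-used.xbel").expanduser().read_bytes()` as the first argument.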
0

All sudo invocations are logged by default, not just sudo gedit. See /var/log/auth.log, or in modern systems, journalctl $(which sudo). Similarly, for pkexec: journalctl $(which pkexec).

This question has an example of sudo appearing in /var/log/auth.log:

Jul 16 11:50:56 laptop sudo: mv : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mv ; USER=root ; COMMAND=/usr/bin/env -u LANGUAGE LC_MESSAGES=C /bin/sh /tmp/tmpBHXhYV/:script:

What you need is the COMMAND=... section.

muru
  • I don't invoke gedit using sudo. I always used to use gksu until recently. Using the command: $ journalctl $(which gksu) results in -- No entries --; using the same with sudo parameter only lists 23 entries from today, none of which contain gksu. Am I to surmise there is no log file of gksu gedit on system files? – WinEunuuchs2Unix Nov 14 '16 at 01:16
  • @WinEunuuchs2Unix gksu by itself doesn't do any authentication, it's essentially a wrapper around su or sudo. See if su has any auth.log entries. – muru Nov 14 '16 at 01:21
  • $ journalctl $(which su) -- No entries -- – WinEunuuchs2Unix Nov 14 '16 at 01:56
  • Hmm, then I need to install gksu to see where it does dump logs. One more reason not to use gksu or gksudo, where plain sudo -i works fine. – muru Nov 14 '16 at 01:59
  • I just got .bashrc copied over to /root so sudo -i gives me nice colours tonight. I thought sudo for editing was persona non-grata though. – WinEunuuchs2Unix Nov 14 '16 at 02:07
  • sudo for GUI programs is frowned upon because sudo doesn't reset some environment variables (like $HOME) by default. sudo -i does, so that's what I always use: sudo -i <gui-command> – muru Nov 14 '16 at 02:09
  • I use sudo -i to elevate to a # prompt and just go on my merry way. – WinEunuuchs2Unix Nov 14 '16 at 02:42
  • @WinEunuuchs2Unix then you lose much of the logging and fine-grained control with individual sudo invocations. I don't blame you, I always have a sudo -i terminal open somewhere. – muru Nov 14 '16 at 02:43
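
To list the files from the COMMAND=... field described in the answer above, the following added example (not part of the original answer or comments) parses sudo entries from auth.log text. It assumes the traditional syslog timestamp layout of the quoted entry; the sample lines are constructed and `sudo_editor_files` is a hypothetical helper name:

```python
import os
import re

# Constructed sample lines in the traditional syslog layout of the auth.log
# entry quoted in the answer; host, user and paths are made up.
SAMPLE_AUTH_LOG = """\
Nov 14 02:04:01 laptop sudo:     rick : TTY=pts/1 ; PWD=/home/rick ; USER=root ; COMMAND=/usr/bin/gedit /etc/gtk-3.0/settings.ini
Nov 14 02:10:12 laptop sudo:     rick : TTY=pts/1 ; PWD=/etc/systemd ; USER=root ; COMMAND=/usr/bin/gedit logind.conf
Nov 14 02:11:40 laptop sudo:     rick : TTY=pts/1 ; PWD=/home/rick ; USER=root ; COMMAND=/usr/bin/apt update
Nov 14 02:12:03 laptop sudo:     rick : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/rick ; USER=root ; COMMAND=/usr/bin/gedit /etc/fstab
Nov 14 02:12:30 laptop sudo: pam_unix(sudo:session): session opened for user root by rick(uid=0)
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo:\s+(?P<user>\S+)\s:\s(?P<rest>.*)$"
)


def sudo_editor_files(log_text, editor="gedit"):
    """Return (timestamp, user, absolute_path) for each file passed to `editor`."""
    found = []
    for line in log_text.splitlines():
        m = SUDO_LINE.match(line)
        if not m or "COMMAND=" not in m["rest"]:
            continue  # PAM session lines and non-sudo entries
        head, command = m["rest"].split("COMMAND=", 1)
        if "incorrect password" in head:
            continue  # authentication failed, so the command never ran
        fields = dict(f.split("=", 1) for f in head.split(" ; ") if "=" in f)
        # sudo logs argv joined by spaces, so paths containing spaces are ambiguous.
        argv = command.split()
        if not argv or os.path.basename(argv[0]) != editor:
            continue
        for arg in argv[1:]:
            if arg.startswith("-"):
                continue  # editor option, not a file
            # Relative names resolve against the logged PWD.
            path = os.path.normpath(os.path.join(fields.get("PWD", "/"), arg))
            found.append((m["ts"], m["user"], path))
    return found
```

Files edited from a root shell opened with `sudo -i` do not appear here, because only the shell itself is logged as the COMMAND.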