2

At first I was going to ask the question "Find all files I've created / changed after installation?" but that is a duplicate of (Find all files on the filesystem that I have edited or created) which doesn't have a satisfactory answer because it includes stuff downloaded and never changed plus thousands of thumbnails Nautilus has created under my user ID unbeknownst to me.

The reason for this need is I had written a nifty script to power-off a USB port on my laptop that always has power in order to win a bounty.

Now I'm very displeased that my always powered on USB port by design is powered off during suspend or shutdown. I want to track down and revert the programs those systemd configurations I setup with gedit. Having a poor memory for impromptu things I can't remember what I changed.

How do I find all the files I've created or changed with gedit?

I have created a wrapper script called gsu that uses pkexec to replace gksu gedit (How can I create new "gksu" command based on pkexec?). I will change it to log all system files edited with their last date.

In the mean time someone hinted on that link all sudo commands using gedit were logged someplace. The question is where and how to succiently list them with grep or whatever?

Please note I can find this through other time-consuming means but feel this is an important question many others may have as well.

Community
  • 1
WinEunuuchs2Unix
  • 105,762

2 Answers2

2

I just edited a "system" file using this command to open the file: 

sudo -H gedit /etc/gtk-3.0/settings.ini

I immediately then looked at the last entry in ~/.local/share/recently-used.xbel and saw this:

  <bookmark href="file:///etc/gtk-3.0/settings.ini" added="2016-11-14T02:04:05Z" modified="2016-11-14T02:04:05Z" visited="2016-11-14T02:04:05Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="text/plain"/>
        <bookmark:groups>
          <bookmark:group>gedit</bookmark:group>
        </bookmark:groups>
        <bookmark:applications>
          <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" modified="2016-11-14T02:04:05Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>

Limitations:

  • the recently-used.xbel contents don't reveal how you invoked gedit.
  • it's not necessary that a file should have been edited or created with gedit; merely viewing a file with gedit gets the file listed.

Visual inspection of the file seems safer than using code to extract the needed information. Something like grep -B5 '<bookmark:group>gedit</bookmark:group>' recently-used.xbel | grep 'bookmark href=' | grep -v '///home/' may help isolate system files that were edited by gedit. But this would work only if gedit is the first application listed in the bookmark:group for that particular file. If you've edited the file previously with some other application that writes to recently-used.xbel, you may not catch that file.

    <bookmark:groups>
      <bookmark:group>geany</bookmark:group>
      <bookmark:group>gedit</bookmark:group>
    </bookmark:groups>

Anyway, this is the output of the grep command:

~/.local/share $ grep -B5 '<bookmark:group>gedit</bookmark:group>' recently-used.xbel | grep 'bookmark href=' | grep -v '///home/'
  <bookmark href="file:///usr/share/themes/Adwaita/gtk-2.0/gtkrc" added="2016-10-15T09:38:31Z" modified="2016-10-15T09:38:31Z" visited="2016-10-15T09:38:31Z">
  <bookmark href="file:///usr/share/themes/Numix/gtk-2.0/gtkrc" added="2016-10-15T09:40:25Z" modified="2016-10-15T09:40:25Z" visited="2016-10-15T09:40:25Z">
  <bookmark href="file:///usr/share/themes/Lubuntu-default/gtk-3.0/gtk-lubuntu.css" added="2016-10-27T03:26:38Z" modified="2016-10-27T03:26:38Z" visited="2016-10-27T03:26:38Z">
  <bookmark href="file:///etc/gtk-3.0/settings.ini.dpkg-old" added="2016-11-14T02:03:44Z" modified="2016-11-14T02:03:44Z" visited="2016-11-14T02:03:44Z">
  <bookmark href="file:///etc/gtk-3.0/settings.ini" added="2016-11-14T02:04:05Z" modified="2016-11-14T02:04:05Z" visited="2016-11-14T02:04:05Z">
~/.local/share $
DK Bose
  • 44,553
0

All sudo invocations are logged by default, not just sudo gedit. See /var/log/auth.log, or in modern systems, journalctl $(which sudo). Similarly, for pkexec: journalctl $(which pkexec).

This question has an example of sudo appearing in /var/log/auth.log:

Jul 16 11:50:56 laptop sudo: mv : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mv ; USER=root ; COMMAND=/usr/bin/env -u LANGUAGE LC_MESSAGES=C /bin/sh /tmp/tmpBHXhYV/:script:

What you need is COMMAND=... section.

Community
  • 1
muru
  • 207,228