lsof [file]In the previous section, you saw what files a particular user had open. Let's reverse that, and see who's using a particular file. To do so, simply follow lsof with the path to a file on your system. For instance, let's take a look at who's using the SSH daemon, used to connect remotely to this computer (remember that lsof must be run as root). # lsof /usr/sbin/sshd COMMAND PID USER TYPE NAME sshd 7814 root REG /usr/sbin/sshd sshd 10542 root REG /usr/sbin/sshd sshd 10548 scott REG /usr/sbin/sshd That's the result you wanted: two users, root and scott. If an unexpected user had shown up heresay, 4ackordoodyou'd know that you've been compromised. Note Yes, sshd is a program, but remember, that's from your human perspective. To Linux, /usr/sbin/sshd is just another file. |