I'd like to be able to, when a program such as an installer is run, track the list of the modifications made to my filesystem so that I can revert them afterwards.
EDIT: This concerns a non-packaged program. I use apt-get as far as I can.
Ideally I'd like to be able to do something like:
(sudo) catch-modifs some-installer.bin > fsmodifs.patch
And then:
(sudo) revert-modifs fsmodifs.patch
Is there a convenient way to do that?
Maybe take a look at tripwire? Tripwire is more passive than your active example, but it still may work for you.
http://www.linuxjournal.com/article/8758
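The passive before/after comparison that an integrity checker such as Tripwire performs can be illustrated with the following added example, which is not code from the answers or from any tool named on this page. The function names `snapshot`, `compare` and `demo` are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record type, mode, owner and content digest of every entry under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                content = os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:  # reads the whole file into memory
                    content = hashlib.sha256(f.read()).hexdigest()
            else:
                content = None  # directories, FIFOs, devices: metadata only
            manifest[os.path.relpath(path, root)] = (
                stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode),
                st.st_uid, st.st_gid, content)
    return manifest

def compare(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed sample: a temporary tree changed by a stand-in installer."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("keep.conf", "edit.conf", "gone.conf", "tool"):
            with open(os.path.join(root, name), "w") as f:
                f.write("original\n")
        before = snapshot(root)
        with open(os.path.join(root, "edit.conf"), "w") as f:
            f.write("changed\n")
        os.remove(os.path.join(root, "gone.conf"))
        os.symlink("edit.conf", os.path.join(root, "link"))
        os.chmod(os.path.join(root, "tool"), 0o755)  # permission-only change
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The report says what changed but holds no file contents, so undoing a modification or deletion still needs a backup taken before the installer ran.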
Take a look at Installwatch:
http://en.wikipedia.org/wiki/Installwatch#Functionality
http://asic-linux.com.mx/~izto/checkinstall/installwatch.html
Possibly the easiest (?) way to do this is to boot off of a LiveUSB with a "persistent data partition." (Or, to replicate the effect yourself, in a chroot jail: mount a rw layer over a ro layer.) Take a snapshot of the rw filesystem -- which should be very slim after a fresh boot -- then run your installer. Every file it alters or creates will be on the rw "persistent data" overlay partition. Even removed files will appear as "magic dotfiles."
Use LD_PRELOAD to load a library that intercepts the open library function and changes the pathname / logs the output / makes a backup before opening the file.
Have a look at the source code for strace.
If the installer uses some packaging facility (i.e. for .deb packages for Debian/Ubuntu/..., .rpm packages for RedHat/CentOS/... etc) then the package installer should know what to do on installation and on removal. And I believe you should use existing packaging systems, not invent your own one. (Linux conventionally doesn't have installers like Windows does).
If you really want to follow the file changes made by some process, you could use strace, or ltrace to catch system calls. You can also use inotify and related facilities.
But I don't know of a catch-modifs & revert-modifs like you want.
I do suggest to not make an installer for your application, but to use the package manager, hence to provide .deb (and/or .rpm) packages for your application. They will handle the dependency issues better than your own installer.
The easy way to achieve what you want: install the "untrusted" application in a brand-new virtual machine instance (VMWare workstation, Oracle VirtualBox, etc.).
When you decide you no longer want the application, delete the virtual machine.
Your other alternatives -- catching file access syscalls -- are likely going to be error prone and incomplete. Be especially wary of any solution that requires dynamic linking in order to work (as Installwatch appears to do). An installer can quite legitimately exercise direct system calls, or be statically linked.