From: Greg 'groggy' Lehey
To: Cordula's Web
Cc: freebsd-questions@freebsd.org
Subject: Re: Monitoring a file?
Date: Sun, 23 Nov 2003 10:58:51 +1030
Message-ID: <20031123002851.GD82843@wantadilla.lemis.com>
In-Reply-To: <200311222258.hAMMwApd092388@fw.farid-hajji.net>
Organization: The FreeBSD Project

On Saturday, 22 November 2003 at 23:58:10 +0100, Cordula's Web wrote:
> Hello list,
>
> maybe someone knows the answer for the following problem already?
>
> Summary:
> ========
> What is the canonical way to monitor accesses to a file?
>
> Problem description:
> ====================
>
> A file, let's say, /path/to/a/file, is being modified by
> an unknown process P(u) at random times. Unfortunately,
> the name of the program run by P(u) is unknown.
>
> The goal is to catch P(u) "red-handed," just the moment
> it accesses /path/to/a/file, e.g. by looking up in the
> process table with ps(1).

That's not exactly red-handed, it's just not too long afterwards.

I don't think you're going to find a simple answer to this one. If I
had this problem, I'd probably build a kernel with special code to
recognize opens on this file (so that you can get the address of the
file table) and writes to it (though this may be redundant). The code
would enter the kernel debugger or maybe just panic, depending on the
environment. That way you'd really catch the culprit red-handed.

An alternative might depend on knowledge of what the file does.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply or reply to the original
recipients. For more information, see http://www.lemis.com/questions.html
See complete headers for address and phone numbers.
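An added example, not code from the thread or from FreeBSD: the userland poll-and-ps approach the question proposes, as a POSIX shell script that watches the file's mtime and on each change lists who holds the file open (fstat(1) on FreeBSD, a plain ps(1) listing elsewhere; those tools and the GNU/BSD stat(1) flag variants are assumptions). It only catches the writer "not too long afterwards", as Greg says: a process that opens, writes and closes between two polls leaves nothing behind but the changed mtime.

```shell
#!/bin/sh
# Added example (not from the original thread): the userland, "not long
# afterwards" approach, as opposed to Greg's kernel hook. Polls a file's
# mtime; on each change, lists the processes that currently hold the
# file open (fstat(1) on FreeBSD; falls back to ps(1) elsewhere).

# Modification time of a file in seconds since the epoch.
# GNU stat uses "-c %Y"; BSD stat uses "-f %m". GNU is tried first,
# because on GNU stat "-f %m" is a valid filesystem query that would
# succeed with the wrong answer instead of failing over.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# True (exit 0) when two mtime values differ.
mtime_changed() {
    [ "$1" != "$2" ]
}

# Report whoever holds the file open right now. fstat(1) is FreeBSD's
# per-file open-descriptor lister (assumed present there); elsewhere a
# plain process-table snapshot is the best a userland poller can do.
report_holders() {
    if command -v fstat >/dev/null 2>&1; then
        fstat "$1"
    else
        ps -axo pid,ppid,user,command
    fi
}

# Poll loop: watch_file FILE [INTERVAL_SECONDS]. Anything that opens,
# writes and closes between two polls is seen only as a changed mtime.
watch_file() {
    f=$1
    interval=${2:-1}
    last=$(file_mtime "$f") || return 1
    while :; do
        sleep "$interval"
        now=$(file_mtime "$f") || return 1
        if mtime_changed "$last" "$now"; then
            echo "$(date) $f changed (mtime $last -> $now)"
            report_holders "$f"
            last=$now
        fi
    done
}

# Usage: ./watchfile.sh /path/to/a/file 1
if [ -n "${1:-}" ]; then
    watch_file "$1" "${2:-1}"
fi
```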