Date: Sun, 23 Nov 2003 10:58:51 +1030
From: Greg 'groggy' Lehey <grog@FreeBSD.org>
To: Cordula's Web <cpghost@cordula.ws>
Cc: freebsd-questions@freebsd.org
Subject: Re: Monitoring a file?
Message-ID: <20031123002851.GD82843@wantadilla.lemis.com>
In-Reply-To: <200311222258.hAMMwApd092388@fw.farid-hajji.net>
References: <200311222258.hAMMwApd092388@fw.farid-hajji.net>

On Saturday, 22 November 2003 at 23:58:10 +0100, Cordula's Web wrote:
> Hello list,
>
> maybe someone knows the answer for the following problem already?
>
> Summary:
> ========
> What is the canonical way to monitor accesses to a file?
>
> Problem description:
> ====================
>
> A file, let's say, /path/to/a/file, is being modified by
> an unknown process P(u) at random times. Unfortunately,
> the name of the program run by P(u) is unknown.
>
> The goal is to catch P(u) "red-handed," just the moment
> it accesses /path/to/a/file, e.g. by looking up in the
> process table with ps(1).

That's not exactly red-handed, it's just not too long afterwards.

I don't think you're going to find a simple answer to this one. If I
had this problem, I'd probably build a kernel with special code to
recognize opens on this file (so that you can get the address of the
file table) and writes to it (though this may be redundant). The code
would enter the kernel debugger or maybe just panic, depending on the
environment. That way you'd really catch the culprit red-handed.

An alternative might depend on knowledge of what the file does.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply or reply to the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address and phone numbers.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031123002851.GD82843>