Re: watching a file for ownership change

From: Marco Molteni (molter_at_tin.it)
Date: 05/23/05

  • Next message: Amandeep: "Re: Error installing FreeBSd 5.3 AMD 64 bit-Highpoint 1820A" 
    Date: Mon, 23 May 2005 22:23:24 +0200
To: hackers@freebsd.org

    On Sun, 22 May 2005 04:05:50 +0100
    Bruce M Simpson <bms@spc.org> wrote:

    > On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
    > > I'd like to find a way to watch one of the user's maildirsize files
    > > that seems to flip ownerships at least once a day and try to
    > > determine what process is changing the ownership.
    > > How can I do that without dropping a bunch of daemons on a
    > > production machine into heavy-debug mode? OS is 4.8 with all
    > > current patches.
    >
    > You could try watching kevent() on the file for EVFILT_VNODE with
    > NOTE_ATTRIB. You'd need to write a small C program to do this.
    >
    > Whilst this won't tell you who did what, it could give you
    > sufficiently good timestamps from it happening to begin tracking the
    > culprit down further, perhaps using lsof.

    When I saw the first post I actually wrote the kevent program
    you are sugesting as an exercise, then I realized that I couldn't
    obtain the PID of the process that modified the file.

    Would it be feasible/reasonable to add this feature to kqueue ?

    marco
    _______________________________________________
    freebsd-hackers@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
    To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

  • Next message: Amandeep: "Re: Error installing FreeBSd 5.3 AMD 64 bit-Highpoint 1820A"