RE: watching a file for ownership change

• Previous message: Darren Pilgrim: "RE: Forcing static-linking on a port?"
• Maybe in reply to: Charles Sprickman: "watching a file for ownership change"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Mon, 23 May 2005 13:31:26 -0700
To: "Marco Molteni" <molter@tin.it>, <hackers@freebsd.org>

If you're hacking the kernel, you could embed the pid in the VNODE
filter data value, or perhaps copy it to the user udata (breaking
semantics).

vijay

-----Original Message-----
From: Marco Molteni [mailto:molter@tin.it]
Sent: Monday, May 23, 2005 1:23 PM
To: hackers@freebsd.org
Subject: Re: watching a file for ownership change

On Sun, 22 May 2005 04:05:50 +0100
Bruce M Simpson <bms@spc.org> wrote:

> On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
> > I'd like to find a way to watch one of the user's maildirsize files
> > that seems to flip ownerships at least once a day and try to
> > determine what process is changing the ownership.
> > How can I do that without dropping a bunch of daemons on a
> > production machine into heavy-debug mode? OS is 4.8 with all
> > current patches.
>
> You could try watching kevent() on the file for EVFILT_VNODE with
> NOTE_ATTRIB. You'd need to write a small C program to do this.
>
> Whilst this won't tell you who did what, it could give you
> sufficiently good timestamps from it happening to begin tracking the
> culprit down further, perhaps using lsof.

When I saw the first post I actually wrote the kevent program you are
sugesting as an exercise, then I realized that I couldn't obtain the PID
of the process that modified the file.

Would it be feasible/reasonable to add this feature to kqueue ?

marco
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to
"freebsd-hackers-unsubscribe@freebsd.org"
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

• Previous message: Darren Pilgrim: "RE: Forcing static-linking on a port?"
• Maybe in reply to: Charles Sprickman: "watching a file for ownership change"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: cups and samba stop working after upgrade to etch ... When I re-boot I get the following message from root: ... was called for PID 2540. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ... (Debian-User) Re: [opensuse] Process launching directory ... where <pid> is the process id of the process. ... just points to the process owner's home directory. ... To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx ... For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx ... (SuSE) Re: Strange port usage ... >> there's strange behaviour in my box ... > Show the PID and name of the program to which ... unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe ... (RedHat) Re: Force kill a process? ... but the processes are stillthere. ... _exit number of pid ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". ... (Debian-User) Re: Killing a process that doesnt exist!? ... log file, however, tells a different story: ... running, pid: 29669 ... If not you'll need to post a short *extract* of the script and maybe ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ... (Debian-User)