Re: Monitoring a file?

From: Cordula's Web (cpghost_at_cordula.ws)
Date: 11/23/03

Next message: Cordula's Web: "Re: Monitoring a file?"

Previous message: Cordula's Web: "Re: Monitoring a file?"
In reply to: Greg 'groggy' Lehey: "Re: Monitoring a file?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Sun, 23 Nov 2003 11:13:29 +0100 (CET)
To: grog@FreeBSD.org

> > What is the canonical way to monitor accesses to a file?
> >
> > Problem description:
> > ====================
> >
> > A file, let's say, /path/to/a/file, is being modified by
> > an unknown process P(u) at random times. Unfortunately,
> > the name of the program ran by P(u) is unknown.
> >
> > The goal is to catch P(u) "red-handed," just the moment
> > it accesses /path/to/a/file, e.g. by looking up in the
> > process table with ps(1).
>
> That's not exactly red-handed, it's just not too long afterwards.

Right. Ideally, the kernel should block P(u), notify P(m), and
then unblock P(u). Of course, this doesn't happen with the
current kernels (?).

> I don't think you're going to find a simple answer to this one. If I
> had this problem, I'd probably build a kernel with special code to
> recognize opens on this file (so that you can get the address of the
> file table) and writes to it (though this may be redundant). The code
> would enter the kernel debugger or maybe just panic, depending on the
> environment. That way you'd really catch the culprit red-handed.

Yes, that was the idea with the debug nfsd. P(u) would block as
long as debug-nfsd didn't reply, and would be hanging around in
the process table. Surely, P(u) would still not be directly
identifiable by debug-nfsd.

Modifying the kernel really seems to be the only solution here.

> An alternative might depend on knowledge of what the file does.

It is a DNS map. On that special host, named is not even running,
so I suspect some rogue program. And no, there's nothing in
crontab either.... However, the problem is more general than
this. I just hoped that a generic solution exists.

> Greg

Thank you for all the help.

-- 
Cordula's Web. http://www.cordula.ws/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Next message: Cordula's Web: "Re: Monitoring a file?"

Previous message: Cordula's Web: "Re: Monitoring a file?"
In reply to: Greg 'groggy' Lehey: "Re: Monitoring a file?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

Zugriff auf Device nicht =?iso-8859-1?Q?m=F6glich?=
... ich habe hier ein Problem beim Zugriff auf ein Device. ... Unknown process called vm-main driver, access has been denied. ... System: Debian Sarge, Kernel 2.8.6-2-k7 ...
(de.comp.os.unix.linux.misc)
Re: How to convert "DeviceHarddiskVolume1" to "C:"
... If you need a generic solution that works in both kernel and user mode, ... you will get a string in the form ...
(microsoft.public.win32.programmer.kernel)
Re: [PATCH] [Request for inclusion] Filesystem in Userspace
... >>reason we tend to do them in kernel space. ... and a more generic solution. ... send the line "unsubscribe linux-kernel" in ...
(Linux-Kernel)