Monitoring a file?

Cordula's Web cpghost at cordula.ws
Sun Nov 23 02:01:25 PST 2003


> >   A file, let's say, /path/to/a/file, is being modified by
> >   an unknown process P(u) at random times. Unfortunately,
> >   the name of the program run by P(u) is unknown.
> 
> I'd think the failsafe way to approach this is with a wrapper so that when 
> process P accesses file F it's really accessing W(F), i.e. a software 
> wrapper which would then emulate F, only since W's a pgm it can also log 
> the activity as well as reply to P with basically whatever you want it to 
> reply with.

Unfortunately, FreeBSD doesn't have the equivalent of GNU/Hurd
translators. On the Hurd, the filesystems are served by userland
programs called translators. It is possible to set a translator
anywhere on the filesystem. This is similar to a mount(8), with
the difference that you can mount a program instead of a raw
device. This program (translator in Hurd parlance) would serve
VFS requests and actually reply to calls like open(), read(),
write(), etc...

A translator actually intercepts the VFS calls. In this case,
it would be trivial to do a ps [or on the Hurd to query the
proc server], and obtain at least a list of running processes
in a very timely fashion [P(u) would certainly be present
at that time!]. Because the translator replies directly to
P(u), it *may* be possible to identify P(u) this way...

Perhaps FreeBSD's mount_portal(8) could be used for this?
I'm not familiar with portalfs...

> Would ln(1) be able to serve as the setup for W? I've only done soft links 
> for directory aliasing on websites. So I don't know if you can get away 
> with e.g. having a shebang line on top W and expect it to execute; if you 
> could work it that way though you'd be golden afaict.

A shebang would be useless here, because P(u) uses, say, open()
and read(), not exec(). The kernel would never try to execute
the file, and would therefore not try to read the shebang line.

> Rereading this I
> realize for W to work it'd also have to be able to know who P is, i.e. the 
> process and what it was wanting to do so it could emulate it. Or is there a 
> way to just have W pass F on to P after logging the activity? And why do I 
> suddenly crave a bowl of alphabet soup?

That is precisely the problem here.

-- 
Cordula's Web. http://www.cordula.ws/
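The "ps at the instant of the write" idea from the reply above (a snapshot taken when the file changes must contain P(u); repeated changes then narrow the suspect set), as an added runnable example that is not part of the original thread. It watches the file with kqueue(2)'s EVFILT_VNODE filter on FreeBSD and falls back to polling the mtime elsewhere; the function names and the `ps -axo pid,comm` column format are this example's own choices, not anything the list post describes.

```python
"""Watch one file and snapshot the process table the moment it is modified.

Added example: approximates what the reply calls "the translator does a ps
when P(u) writes". Each modification event yields a process snapshot; the
process that keeps showing up in every event-time snapshot is the suspect.
"""
import os
import select
import subprocess
import sys
import time


def parse_ps(ps_output):
    """Parse `ps -axo pid,comm` text into {pid: command}. First line is the header."""
    procs = {}
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1].strip()
    return procs


def snapshot_processes():
    """Live snapshot of the process table (assumes a BSD/procps ps with -axo)."""
    out = subprocess.run(["ps", "-axo", "pid,comm"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


def new_processes(before, after):
    """Processes present in `after` but not in `before`: short-lived suspects."""
    return {pid: comm for pid, comm in after.items() if pid not in before}


def narrow_suspects(event_snapshots):
    """Processes present in every event-time snapshot; a long-lived P(u) survives
    this intersection while unrelated transient processes drop out."""
    if not event_snapshots:
        return {}
    common = set(event_snapshots[0])
    for snap in event_snapshots[1:]:
        common &= set(snap)
    return {pid: event_snapshots[-1][pid] for pid in sorted(common)}


def wait_for_write(path, timeout=None):
    """Block until `path` is written/extended/attr-changed. Returns True on an
    event, False on timeout. kqueue on FreeBSD, mtime polling elsewhere."""
    if not hasattr(select, "kqueue"):
        # Fallback for systems without kqueue (e.g. Linux): poll the mtime.
        start, last = time.monotonic(), os.stat(path).st_mtime_ns
        while timeout is None or time.monotonic() - start < timeout:
            time.sleep(0.05)
            if os.stat(path).st_mtime_ns != last:
                return True
        return False
    fd = os.open(path, os.O_RDONLY)
    try:
        kq = select.kqueue()
        ev = select.kevent(fd, filter=select.KQ_FILTER_VNODE,
                           flags=select.KQ_EV_ADD | select.KQ_EV_ENABLE | select.KQ_EV_CLEAR,
                           fflags=select.KQ_NOTE_WRITE | select.KQ_NOTE_EXTEND
                           | select.KQ_NOTE_ATTRIB)
        return bool(kq.control([ev], 1, timeout))
    finally:
        os.close(fd)


def main(path):
    idle = snapshot_processes()           # baseline while the file is quiet
    history = []
    while True:
        if not wait_for_write(path, timeout=30):
            continue
        now = snapshot_processes()        # P(u) is in here, or just exited
        history.append(now)
        print("modified at %s" % time.strftime("%H:%M:%S"))
        print("  appeared since last snapshot:", new_processes(idle, now))
        print("  present at every event so far:", narrow_suspects(history))
        idle = now


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/path/to/a/file")
```

Run it as `python3 watchfile.py /path/to/a/file` and leave it attached across several modifications; the "present at every event" set shrinks toward P(u) if it is long-lived, while the "appeared since last snapshot" set catches a short-lived writer only if it outlives the kqueue notification, which is the same race the reply's `ps` approach has. On FreeBSD you can also run `fstat /path/to/a/file` at event time to list processes that still hold the file open, and later releases' security audit facility (auditd(8)) records the writing process's pid directly, which is the reliable answer once it is available.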
