watching a file for ownership change

[Joe McGuckin]

It seems like you'd want your kevent() callback (or whatever) to be
triggered as the modifying process is exiting the syscall that is modifying
the file but before control is actually passed back to it - you'd want to be
able to 'catch it in the act' so to speak.



On 5/23/05 1:23 PM, "Marco Molteni" <molter at tin.it> wrote:

> On Sun, 22 May 2005 04:05:50 +0100
> Bruce M Simpson <bms at spc.org> wrote:
> 
>> On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
>>> I'd like to find a way to watch one of the user's maildirsize files
>>> that  seems to flip ownerships at least once a day and try to
>>> determine what  process is changing the ownership.
>>> How can I do that without dropping a bunch of daemons on a
>>> production  machine into heavy-debug mode?  OS is 4.8 with all
>>> current patches.
>> 
>> You could try watching kevent() on the file for EVFILT_VNODE with
>> NOTE_ATTRIB. You'd need to write a small C program to do this.
>> 
>> Whilst this won't tell you who did what, it could give you
>> sufficiently good timestamps from it happening to begin tracking the
>> culprit down further, perhaps using lsof.
> 
> When I saw the first post I actually wrote the kevent program
> you are sugesting as an exercise, then I realized that I couldn't
> obtain the PID of the process that modified the file.
> 
> Would it be feasible/reasonable to add this feature to kqueue ?
> 
> marco
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"

-- 

Joe McGuckin

ViaNet Communications
994 San Antonio Road
Palo Alto, CA  94303

Phone: 650-213-1302
Cell:  650-207-0372
Fax:   650-969-2124