watching a file for ownership change
Singh, Vijay
Vijay.Singh at netapp.com
Mon May 23 13:31:27 PDT 2005
If you're hacking the kernel, you could embed the pid in the VNODE
filter data value, or perhaps copy it to the user udata (breaking
semantics).
vijay
-----Original Message-----
From: Marco Molteni [mailto:molter at tin.it]
Sent: Monday, May 23, 2005 1:23 PM
To: hackers at freebsd.org
Subject: Re: watching a file for ownership change
On Sun, 22 May 2005 04:05:50 +0100
Bruce M Simpson <bms at spc.org> wrote:
> On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
> > I'd like to find a way to watch one of the user's maildirsize files
> > that seems to flip ownerships at least once a day and try to
> > determine what process is changing the ownership.
> > How can I do that without dropping a bunch of daemons on a
> > production machine into heavy-debug mode? OS is 4.8 with all
> > current patches.
>
> You could try watching kevent() on the file for EVFILT_VNODE with
> NOTE_ATTRIB. You'd need to write a small C program to do this.
>
> Whilst this won't tell you who did what, it could give you
> sufficiently good timestamps from it happening to begin tracking the
> culprit down further, perhaps using lsof.
When I saw the first post I actually wrote the kevent program you are
sugesting as an exercise, then I realized that I couldn't obtain the PID
of the process that modified the file.
Would it be feasible/reasonable to add this feature to kqueue ?
marco
_______________________________________________
freebsd-hackers at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to
"freebsd-hackers-unsubscribe at freebsd.org"
More information about the freebsd-hackers
mailing list