From: "Cordula's Web"
Reply-To: cpghost@cordula.ws
To: freebsd-questions@freebsd.org
Date: Sat, 22 Nov 2003 23:58:10 +0100 (CET)
Message-Id: <200311222258.hAMMwApd092388@fw.farid-hajji.net>
Subject: Monitoring a file?

Hello list,

maybe someone knows the answer for the following problem already?

Summary:
========

What is the canonical way to monitor accesses to a file?

Problem description:
====================

A file, let's say, /path/to/a/file, is being modified by an unknown
process P(u) at random times. Unfortunately, the name of the program
run by P(u) is unknown.

The goal is to catch P(u) "red-handed," just the moment it accesses
/path/to/a/file, e.g. by looking up in the process table with ps(1).

No solutions:
=============

1. Polling /path/to/a/file with stat(), lstat(), fstat(), and
   running a ps(1) as soon as the access times change; then diff(1)
   on all ps listings, trying to identify P(u).

   This solution is not good enough, because P(u) runs faster than
   the polling interval, and setting this polling interval to very
   small values is too expensive on a production server.

2. NFS mounting /path/to/a/file, and modifying nfsd(1) in such
   a way, that it runs ps(1) as soon as a request for /path/to/a/file
   is received. Let's call the modified nfsd nfsd-debug. Of course
   debug-nfsd and P(u) must run on the same machine.

   This is not good enough either, because ps(1)-listing is too long,
   and not always conclusive.

3. Using kqueue(2) and kevent(2) in a monitoring process P(m).
   P(m) would be attached to /path/to/a/file, and would use
   kevent(2) to receive kernel notifications as soon as
   /path/to/a/file is touched.

   Probably not enough either, because it is not possible to know
   which process triggered the event, only that an event occurred
   on that vnode.
     -> Is that correct? I'm not familiar enough with kevent(2).

Question:
=========

I assume that some kind of monitoring process P(m) is needed, which
would attach to /path/to/a/file, use kevent(2) to get notifications
from the kernel. Now, how could P(m) find out, which process generated
the events it gets?

Alternative question:
=====================

Is there another, preferably clever, way to solve this problem?

Thank you.

-- 
Cordula's Web. http://www.cordula.ws/
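
For reference on item 3 of the message above, an added example (not part of the original message) of a kqueue(2) vnode watcher written with Python's select.kqueue: it reports every field a kevent delivers, and none of them names the process that touched the file. The helper names and the hand-listed NOTE_* table are this example's own; watch() needs a BSD or macOS kernel.

```python
import os
import select

# EVFILT_VNODE fflags bits as defined in FreeBSD's <sys/event.h>, listed by hand
# so decode_fflags() also works where the select module has no KQ_NOTE_* names.
NOTE_BITS = [
    (0x01, "NOTE_DELETE"), (0x02, "NOTE_WRITE"), (0x04, "NOTE_EXTEND"),
    (0x08, "NOTE_ATTRIB"), (0x10, "NOTE_LINK"), (0x20, "NOTE_RENAME"),
    (0x40, "NOTE_REVOKE"),
]
ALL_NOTES = sum(bit for bit, _ in NOTE_BITS)


def decode_fflags(fflags):
    """Turn a vnode fflags bitmask into the list of NOTE_* names set in it."""
    return [name for bit, name in NOTE_BITS if fflags & bit]


def describe(ev):
    """Return every field a kevent carries; none identifies the acting process."""
    return {"ident": ev.ident, "filter": ev.filter, "flags": ev.flags,
            "fflags": decode_fflags(ev.fflags), "data": ev.data, "udata": ev.udata}


def watch(path, on_event, max_events=None, timeout=None):
    """Report vnode events on path via kqueue(2). Needs a BSD or macOS kernel."""
    fd = os.open(path, os.O_RDONLY)
    kq = select.kqueue()
    try:
        # EV_CLEAR resets the event state after delivery, so each change fires once.
        change = select.kevent(fd, filter=select.KQ_FILTER_VNODE,
                               flags=select.KQ_EV_ADD | select.KQ_EV_CLEAR,
                               fflags=ALL_NOTES)
        kq.control([change], 0, 0)  # register only, do not wait
        seen = 0
        while max_events is None or seen < max_events:
            events = kq.control(None, 1, timeout)
            if not events:  # timeout expired with no activity
                break
            for ev in events:
                on_event(describe(ev))
                seen += 1
        return seen
    finally:
        kq.close()
        os.close(fd)


if __name__ == "__main__":
    import sys
    watch(sys.argv[1], print)  # path of the file to watch, e.g. /path/to/a/file
```

The ident field is the watcher's own file descriptor, not anything belonging to P(u).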