From: Bruce M Simpson
To: Charles Sprickman
Cc: hackers@freebsd.org
Date: Sun, 22 May 2005 04:05:50 +0100
Subject: Re: watching a file for ownership change
Message-ID: <20050522030550.GE1108@empiric.icir.org>
List-Id: Technical Discussions relating to FreeBSD

On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
> I'd like to find a way to watch one of the user's maildirsize files that
> seems to flip ownerships at least once a day and try to determine what
> process is changing the ownership.
> How can I do that without dropping a bunch of daemons on a production
> machine into heavy-debug mode? OS is 4.8 with all current patches.

You could try watching kevent() on the file for EVFILT_VNODE with
NOTE_ATTRIB. You'd need to write a small C program to do this.

Whilst this won't tell you who did what, it could give you sufficiently
good timestamps from it happening to begin tracking the culprit down
further, perhaps using lsof.

BMS
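
The small C program suggested in the reply, written out as an added example that is not part of the original message or thread: it registers EVFILT_VNODE with NOTE_ATTRIB on one file and prints a timestamped line for every attribute change. The helper name owner_changed(), the extra NOTE_DELETE and NOTE_RENAME flags and the output format are choices made for this example.

```c
/* Added example, not from the thread: timestamp every attribute change on one file. */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <time.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) || defined(__APPLE__)
#include <sys/event.h>
#define HAVE_KQUEUE 1
#endif
/* Helper named for this example: describe two snapshots, return 1 if uid or gid differ. */
int owner_changed(const struct stat *a, const struct stat *b, char *buf, size_t len)
{
    int diff = a->st_uid != b->st_uid || a->st_gid != b->st_gid;
    snprintf(buf, len, "owner %ld:%ld -> %ld:%ld%s", (long)a->st_uid, (long)a->st_gid,
        (long)b->st_uid, (long)b->st_gid, diff ? "" : " (unchanged; some other attribute changed)");
    return diff;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
#ifdef HAVE_KQUEUE
    struct kevent ev;
    struct stat prev, cur;
    char msg[128];
    int fd, kq;
    if ((fd = open(argv[1], O_RDONLY)) < 0 || fstat(fd, &prev) < 0 || (kq = kqueue()) < 0) {
        perror(argv[1]); return 1;
    }
    /* EV_CLEAR re-arms after each report; the watch follows the open file, not the path. */
    EV_SET(&ev, fd, EVFILT_VNODE, EV_ADD | EV_CLEAR, NOTE_ATTRIB | NOTE_DELETE | NOTE_RENAME, 0, NULL);
    if (kevent(kq, &ev, 1, NULL, 0, NULL) < 0) { perror("kevent"); return 1; }
    while (kevent(kq, NULL, 0, &ev, 1, NULL) == 1) {   /* blocks until the next event */
        time_t now = time(NULL);
        if (ev.fflags & (NOTE_DELETE | NOTE_RENAME)) {
            printf("file removed or renamed, reopen the path to keep watching: %s", ctime(&now));
            break;
        }
        if (fstat(fd, &cur) < 0) break;
        owner_changed(&prev, &cur, msg, sizeof msg);
        printf("%s at %s", msg, ctime(&now));          /* ctime() supplies the newline */
        fflush(stdout);
        prev = cur;
    }
    return 0;
#else
    fprintf(stderr, "no kqueue on this platform\n"); return 1;
#endif
}
```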