Date:      Mon, 23 May 2005 22:23:24 +0200
From:      Marco Molteni <molter@tin.it>
To:        hackers@freebsd.org
Subject:   Re: watching a file for ownership change
Message-ID:  <20050523222324.536944a9.molter@tin.it>
In-Reply-To: <20050522030550.GE1108@empiric.icir.org>
References:  <Pine.OSX.4.61.0505212229560.385@gee5.nat.fasttrackmonkey.com> <20050522030550.GE1108@empiric.icir.org>

On Sun, 22 May 2005 04:05:50 +0100
Bruce M Simpson <bms@spc.org> wrote:

> On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
> > I'd like to find a way to watch one of the user's maildirsize files
> > that seems to flip ownerships at least once a day and try to
> > determine what process is changing the ownership.
> > How can I do that without dropping a bunch of daemons on a
> > production machine into heavy-debug mode?  OS is 4.8 with all
> > current patches.
> 
> You could try watching kevent() on the file for EVFILT_VNODE with
> NOTE_ATTRIB. You'd need to write a small C program to do this.
> 
> Whilst this won't tell you who did what, it could give you
> sufficiently good timestamps from it happening to begin tracking the
> culprit down further, perhaps using lsof.

When I saw the first post I actually wrote the kevent program
you are suggesting as an exercise, then I realized that I couldn't
obtain the PID of the process that modified the file.

Would it be feasible/reasonable to add this feature to kqueue?

marco
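
A sketch of the kind of watcher discussed in this thread, added here as an example; it is not the program Marco wrote and not code from anyone on the list. The names `owner_changed` and `watch_owner` are hypothetical, and the kqueue part only compiles on the BSDs and macOS. NOTE_ATTRIB fires for any attribute change, so the code compares uid/gid itself, and because a vnode watch follows the open inode rather than the path, it also asks for NOTE_DELETE and NOTE_RENAME and re-opens the path when either arrives.

```c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* NOTE_ATTRIB also fires for chmod/utimes, so compare the owner fields. */
int owner_changed(const struct stat *a, const struct stat *b)
{
    return a->st_uid != b->st_uid || a->st_gid != b->st_gid;
}

#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
#include <sys/event.h>
/* Returns 1 if the watched inode was deleted/renamed (re-open), -1 on error. */
int watch_owner(const char *path)
{
    struct kevent change, event;
    struct stat prev, cur;
    int fd = open(path, O_RDONLY), kq = kqueue(), rc = -1;
    EV_SET(&change, fd, EVFILT_VNODE, EV_ADD | EV_CLEAR,
           NOTE_ATTRIB | NOTE_DELETE | NOTE_RENAME, 0, NULL);
    if (fd >= 0 && kq >= 0 && fstat(fd, &prev) == 0 &&
        kevent(kq, &change, 1, NULL, 0, NULL) == 0)
        while (rc < 0 && kevent(kq, NULL, 0, &event, 1, NULL) == 1) {
            if (event.fflags & (NOTE_DELETE | NOTE_RENAME)) {
                rc = 1;     /* path now names another inode, or nothing */
            } else if (fstat(fd, &cur) != 0) {
                break;
            } else if (owner_changed(&prev, &cur)) {
                printf("%ld %s: owner %ld:%ld -> %ld:%ld\n", (long)time(NULL),
                       path, (long)prev.st_uid, (long)prev.st_gid,
                       (long)cur.st_uid, (long)cur.st_gid);
                fflush(stdout);
                prev = cur;
            }
        }
    if (fd >= 0) close(fd);
    if (kq >= 0) close(kq);
    return rc;
}

int main(int argc, char **argv)
{
    while (argc == 2 && watch_owner(argv[1]) == 1)
        ;                   /* re-open after delete/rename */
    return 1;               /* only reached on error or bad usage */
}
#endif
```

As the thread notes, the output is a timestamp and the old and new owner only; the event carries no PID, so the timestamps have to be correlated with other evidence.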


