From owner-freebsd-hackers@FreeBSD.ORG Mon May 23 20:24:26 2005
Return-Path: 
X-Original-To: hackers@freebsd.org
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1FEE316A41F for ; Mon, 23 May 2005 20:24:26 +0000 (GMT) (envelope-from molter@tin.it)
Received: from vsmtp3.tin.it (vsmtp3alice.tin.it [212.216.176.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAC2943D48 for ; Mon, 23 May 2005 20:24:25 +0000 (GMT) (envelope-from molter@tin.it)
Received: from gattaccio.codalunga (83.201.26.125) by vsmtp3.tin.it (7.0.027) (authenticated as molter@tin.it) id 42920E800001808E; Mon, 23 May 2005 22:24:23 +0200
Received: by gattaccio.codalunga (Postfix, from userid 1001) id 34D3DC2F9; Mon, 23 May 2005 22:23:24 +0200 (CEST)
Date: Mon, 23 May 2005 22:23:24 +0200
From: Marco Molteni
To: hackers@freebsd.org
Message-Id: <20050523222324.536944a9.molter@tin.it>
In-Reply-To: <20050522030550.GE1108@empiric.icir.org>
References: <20050522030550.GE1108@empiric.icir.org>
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: watching a file for ownership change
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 23 May 2005 20:24:26 -0000

On Sun, 22 May 2005 04:05:50 +0100
Bruce M Simpson wrote:

> On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
> > I'd like to find a way to watch one of the user's maildirsize files
> > that seems to flip ownerships at least once a day and try to
> > determine what process is changing the ownership.
> > How can I do that without dropping a bunch of daemons on a
> > production machine into heavy-debug mode? OS is 4.8 with all
> > current patches.
>
> You could try watching kevent() on the file for EVFILT_VNODE with
> NOTE_ATTRIB. You'd need to write a small C program to do this.
>
> Whilst this won't tell you who did what, it could give you
> sufficiently good timestamps from it happening to begin tracking the
> culprit down further, perhaps using lsof.

When I saw the first post I actually wrote the kevent program you are
suggesting as an exercise, then I realized that I couldn't obtain the PID
of the process that modified the file.

Would it be feasible/reasonable to add this feature to kqueue ?

marco
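As an added example (not code from this thread, nor Marco's program), here is the small C watcher Bruce describes: it registers the file with kqueue(2)/EVFILT_VNODE and, because NOTE_ATTRIB fires for any attribute change, compares the uid/gid from fstat() before and after each event so only a real owner change is logged with a timestamp. As Marco notes, kqueue delivers no PID of the writer; the BSD-only build guard and the log format are my own choices.

```c
/* Added example, not code from the thread: watch one file with kqueue(2)
 * for EVFILT_VNODE/NOTE_ATTRIB and log when its uid/gid actually changed.
 * kqueue is BSD-only, so the watch loop builds only there; the helper is plain C. */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <time.h>
/* NOTE_ATTRIB fires on any attribute change (mode, times, flags), so compare
 * the ids from two fstat() snapshots to single out a chown. */
int ownership_changed(uid_t old_uid, gid_t old_gid, uid_t new_uid, gid_t new_gid)
{
    return old_uid != new_uid || old_gid != new_gid;
}

#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
#include <sys/event.h>
static int watch_ownership(const char *path)
{
    struct kevent kev; struct stat prev, cur; char ts[32]; time_t now;
    int fd = open(path, O_RDONLY), kq = kqueue();
    if (fd < 0 || kq < 0 || fstat(fd, &prev) < 0) { perror(path); return 1; }
    /* Register once; EV_CLEAR re-arms the filter after each delivery. */
    EV_SET(&kev, fd, EVFILT_VNODE, EV_ADD | EV_CLEAR,
           NOTE_ATTRIB | NOTE_DELETE | NOTE_RENAME, 0, NULL);
    if (kevent(kq, &kev, 1, NULL, 0, NULL) < 0) { perror("kevent"); return 1; }
    for (;;) {
        if (kevent(kq, NULL, 0, &kev, 1, NULL) < 0) { perror("kevent"); return 1; }
        now = time(NULL);
        strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
        if (kev.fflags & (NOTE_DELETE | NOTE_RENAME)) {
            printf("%s %s deleted or renamed, stopping\n", ts, path);
            return 0;
        }
        if (fstat(fd, &cur) < 0) { perror("fstat"); return 1; }
        if (ownership_changed(prev.st_uid, prev.st_gid, cur.st_uid, cur.st_gid))
            printf("%s %s owner %u:%u -> %u:%u\n", ts, path, (unsigned)prev.st_uid,
                   (unsigned)prev.st_gid, (unsigned)cur.st_uid, (unsigned)cur.st_gid);
        else
            printf("%s %s attribute change, ownership unchanged\n", ts, path);
        prev = cur;
    }
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    return watch_ownership(argv[1]);
}
#endif
```

If a delivery agent replaces maildirsize by renaming a new file over it instead of chowning it in place, the watched vnode goes away and the loop ends on NOTE_DELETE, which is itself a useful clue about how the flip happens.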