Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 23 May 2005 13:31:26 -0700
From:      "Singh, Vijay" <Vijay.Singh@netapp.com>
To:        "Marco Molteni" <molter@tin.it>, <hackers@freebsd.org>
Subject:   RE: watching a file for ownership change
Message-ID:  <637A278D8D0DBC438EA5E75C6E1818B9042CF2EF@magenta.hq.netapp.com>
next in thread | raw e-mail | index | archive | help 
If you're hacking the kernel, you could embed the pid in the VNODE
filter data value, or perhaps copy it to the user udata (breaking
semantics).

vijay

-----Original Message-----
From: Marco Molteni [mailto:molter@tin.it]=20
Sent: Monday, May 23, 2005 1:23 PM
To: hackers@freebsd.org
Subject: Re: watching a file for ownership change

On Sun, 22 May 2005 04:05:50 +0100
Bruce M Simpson <bms@spc.org> wrote:

> On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote:
> > I'd like to find a way to watch one of the user's maildirsize files=20
> > that  seems to flip ownerships at least once a day and try to=20
> > determine what  process is changing the ownership.
> > How can I do that without dropping a bunch of daemons on a=20
> > production  machine into heavy-debug mode?  OS is 4.8 with all=20
> > current patches.
>=20
> You could try watching kevent() on the file for EVFILT_VNODE with=20
> NOTE_ATTRIB. You'd need to write a small C program to do this.
>=20
> Whilst this won't tell you who did what, it could give you=20
> sufficiently good timestamps from it happening to begin tracking the=20
> culprit down further, perhaps using lsof.

When I saw the first post I actually wrote the kevent program you are
sugesting as an exercise, then I realized that I couldn't obtain the PID
of the process that modified the file.

Would it be feasible/reasonable to add this feature to kqueue ?

marco
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to
"freebsd-hackers-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?637A278D8D0DBC438EA5E75C6E1818B9042CF2EF>