From owner-freebsd-hackers@FreeBSD.ORG Mon May 23 20:31:27 2005 Return-Path: X-Original-To: hackers@freebsd.org Delivered-To: freebsd-hackers@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCCEA16A41C for ; Mon, 23 May 2005 20:31:27 +0000 (GMT) (envelope-from Vijay.Singh@netapp.com) Received: from mx2.netapp.com (mx2.netapp.com [216.240.18.37]) by mx1.FreeBSD.org (Postfix) with ESMTP id 929C843D1D for ; Mon, 23 May 2005 20:31:27 +0000 (GMT) (envelope-from Vijay.Singh@netapp.com) Received: from smtp1.corp.netapp.com (10.57.156.124) by mx2.netapp.com with ESMTP; 23 May 2005 13:31:28 -0700 X-IronPort-AV: i="3.93,129,1115017200"; d="scan'208"; a="217878158:sNHT20485748" Received: from svlexc03.hq.netapp.com (svlexc03.corp.netapp.com [10.57.156.149]) by smtp1.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id j4NKVR5f018279; Mon, 23 May 2005 13:31:27 -0700 (PDT) Received: from burgundy.hq.netapp.com ([10.56.10.66]) by svlexc03.hq.netapp.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 23 May 2005 13:31:27 -0700 Received: from magenta.hq.netapp.com ([10.56.11.84]) by burgundy.hq.netapp.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 23 May 2005 13:31:26 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Mon, 23 May 2005 13:31:26 -0700 Message-ID: <637A278D8D0DBC438EA5E75C6E1818B9042CF2EF@magenta.hq.netapp.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: watching a file for ownership change Thread-Index: AcVf1YDCadjjSWgVQBGxzq0mQI1jRAAAEBSQ From: "Singh, Vijay" To: "Marco Molteni" , X-OriginalArrivalTime: 23 May 2005 20:31:26.0940 (UTC) FILETIME=[64D751C0:01C55FD6] X-Mailman-Approved-At: Tue, 24 May 2005 12:41:13 +0000 Cc: Subject: RE: watching a file for ownership change X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2005 20:31:27 -0000 If you're hacking the kernel, you could embed the pid in the VNODE filter data value, or perhaps copy it to the user udata (breaking semantics). vijay -----Original Message----- From: Marco Molteni [mailto:molter@tin.it]=20 Sent: Monday, May 23, 2005 1:23 PM To: hackers@freebsd.org Subject: Re: watching a file for ownership change On Sun, 22 May 2005 04:05:50 +0100 Bruce M Simpson wrote: > On Sat, May 21, 2005 at 10:38:30PM -0400, Charles Sprickman wrote: > > I'd like to find a way to watch one of the user's maildirsize files=20 > > that seems to flip ownerships at least once a day and try to=20 > > determine what process is changing the ownership. > > How can I do that without dropping a bunch of daemons on a=20 > > production machine into heavy-debug mode? OS is 4.8 with all=20 > > current patches. >=20 > You could try watching kevent() on the file for EVFILT_VNODE with=20 > NOTE_ATTRIB. You'd need to write a small C program to do this. >=20 > Whilst this won't tell you who did what, it could give you=20 > sufficiently good timestamps from it happening to begin tracking the=20 > culprit down further, perhaps using lsof. When I saw the first post I actually wrote the kevent program you are sugesting as an exercise, then I realized that I couldn't obtain the PID of the process that modified the file. Would it be feasible/reasonable to add this feature to kqueue ? marco _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"