Date: Sun, 23 Nov 2003 11:00:32 +0100 (CET)
Message-Id: <200311231000.hANA0Wpd097626@fw.farid-hajji.net>
From: "Cordula's Web"
To: MLandman@face2interface.com
Cc: freebsd-questions@freebsd.org
In-reply-to: <6.0.0.22.0.20031122185606.02ddc240@pop.face2interface.com> (message from Marty Landman on Sat, 22 Nov 2003 19:06:37 -0500)
References: <200311222258.hAMMwApd092388@fw.farid-hajji.net> <6.0.0.22.0.20031122185606.02ddc240@pop.face2interface.com>
Subject: Re: Monitoring a file?
Reply-To: cpghost@cordula.ws

> > A file, let's say, /path/to/a/file, is being modified by
> > an unknown process P(u) at random times. Unfortunately,
> > the name of the program run by P(u) is unknown.
>
> I'd think the failsafe way to approach this is with a wrapper so that when
> process P accesses file F it's really accessing W(F), i.e. a software
> wrapper which would then emulate F, only since W's a pgm it can also log
> the activity as well as reply to P with basically whatever you want it to
> reply with.

Unfortunately, FreeBSD doesn't have the equivalent of GNU/Hurd
translators. On the Hurd, the filesystems are served by userland
programs called translators. It is possible to set a translator
anywhere on the filesystem. This is similar to a mount(8), with
the difference that you can mount a program instead of a raw
device. This program (translator in Hurd parlance) would serve
VFS requests and actually reply to calls like open(), read(),
write(), etc...

A translator actually intercepts the VFS calls. In this case, it
would be trivial to do a ps [or on the Hurd to query the proc
server], and obtain at least a list of running processes in a
very timely fashion [P(u) would certainly be present at that time!].
Because the translator replies directly to P(u), it *may* be
possible to identify P(u) this way...

Perhaps FreeBSD's mount_portal(8) could be used for this? I'm not
familiar with portalfs...

> Would ln(1) be able to serve as the setup for W? I've only done soft links
> for directory aliasing on websites. So I don't know if you can get away
> with e.g. having a shebang line on top of W and expect it to execute; if you
> could work it that way though you'd be golden afaict.

A shebang would be useless here, because P(u) uses, say, open() and
read(), not exec(). The kernel would never try to execute the file,
and would therefore not try to read the shebang line.

> Rereading this I
> realize for W to work it'd also have to be able to know who P is, i.e. the
> process and what it was wanting to do so it could emulate it. Or is there a
> way to just have W pass F on to P after logging the activity? And why do I
> suddenly crave a bowl of alphabet soup?

That is precisely the problem here.

--
Cordula's Web. http://www.cordula.ws/
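
The shebang point in the reply above, as an added example that is not part of the original message: a file carrying a `#!` line is only interpreted on the exec path, so a logging wrapper placed at the file's path never runs when a process merely opens and reads it. The file names `W_demo.sh` and `W_demo.ran` and all function names are hypothetical, and the script content is constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a wrapper W that would leave a marker file behind
 * if the kernel ever executed it. Both paths are hypothetical. */
static const char *W = "./W_demo.sh";
static const char *MARKER = "./W_demo.ran";
static const char *SCRIPT = "#!/bin/sh\n: > ./W_demo.ran\n";
static int marker_exists(void) { return access(MARKER, F_OK) == 0; }
/* Create W with execute permission and remove any stale marker. */
int setup_wrapper(void) {
    unlink(MARKER);
    int fd = open(W, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    ssize_t n = write(fd, SCRIPT, strlen(SCRIPT));
    close(fd);
    return n == (ssize_t)strlen(SCRIPT) ? 0 : -1;
}
/* What P(u) does: open() and read(). Returns 1 if W ran, 0 if not. */
int access_like_P(char *buf, size_t len) {
    int fd = open(W, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';                      /* "#!" arrives as plain data */
    return marker_exists();
}
/* The exec path, the only one where the kernel parses "#!". */
int exec_wrapper(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execl(W, W, (char *)NULL); _exit(127); }
    if (waitpid(pid, NULL, 0) < 0) return -1;
    return marker_exists();
}

int main(void) {
    char buf[128] = "";
    if (setup_wrapper() != 0) return 1;
    int ran = access_like_P(buf, sizeof buf);
    printf("open/read: wrapper ran=%d, data \"%.9s\"\n", ran, buf);
    printf("exec:      wrapper ran=%d\n", exec_wrapper());
    unlink(W); unlink(MARKER);
    return 0;
}
```

The directory the program runs in must allow execution (not mounted noexec) for the exec half to create the marker.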