Given that you said "... corrupting or rewriting a critical file *just before* it runs", would it be worth renaming, removing or changing permissions on the file just before that to see what fails or logs an error?

Larry

On Tue, Mar 1, 2011 at 8:14 AM, Alex Dean wrote:

>
> On Feb 28, 2011, at 5:33 PM, Kurt Granroth wrote:
>
> > Maybe incron (cron version of inotify) could trigger a script that runs
> > 'stat' on the file. Still wouldn't give me the "who", though.
>
> At first glance, I thought inotify would be perfect for this. But (as you
> say) it doesn't appear that inotify events contain any information about
> which process performed the change which triggered the event.
>
> struct inotify_event {
>         __s32 wd;             /* watch descriptor */
>         __u32 mask;           /* watch mask */
>         __u32 cookie;         /* cookie to synchronize two events */
>         __u32 len;            /* length (including nulls) of name */
>         char name[0];         /* stub for possible name */
> };
> http://www.linuxjournal.com/article/8478?page=0,1
>
> There are some handy-looking tools in
> https://github.com/rvoicilas/inotify-tools/wiki/. Seems like you should
> be able to write a shell script to wait for a modification event on your
> file, and run stat or lsof when the file is changed. That's not perfect,
> since the modifying process might be done by the time lsof actually runs,
> but it seems like it's worth a try.
>
> alex
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

--
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions, that I wish it always to be kept alive.
- Thomas Jefferson
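
The script suggested in the quoted message, written out as an added example (not code from the thread): it waits for an inotify event on the file, then records `stat` output and scans `/proc/*/fd` for processes that still hold the file open, which is the information `lsof` would give. The function names and the event list are assumptions; it needs `inotifywait` from inotify-tools, GNU `stat` and a Linux `/proc`.

```shell
#!/bin/sh
# Added example (not from the thread): inotify reports that a file changed,
# not who changed it, so each event is paired with stat output and a /proc scan.

# Print inode, owner, mode, size and timestamps for the file (GNU stat format).
snapshot() {
    stat -c 'inode=%i owner=%U mode=%a size=%s mtime=%y ctime=%z' -- "$1" 2>/dev/null \
        || echo "stat failed: $1 is gone (deleted or renamed)"
}

# Print "pid command" for every process that has the file open, by walking
# /proc/<pid>/fd. Run as root to see other users' processes. No output means
# the writer had already closed the file when the scan ran.
holders() {
    target=$(readlink -f "$1") || return 0
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Block on inotify events for one file and log the evidence for each event.
# The event list is an assumption about which changes matter here.
watch_file() {
    inotifywait -m -q -e modify,attrib,close_write,move_self,delete_self \
        --format '%e' "$1" |
    while read -r events; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') $1 $events"
        echo "  $(snapshot "$1")"
        holders "$1" | sed 's/^/  open by: /'
    done
}

# Usage: sh watchfile.sh /path/to/critical/file
if [ $# -gt 0 ]; then
    watch_file "$1"
fi
```

An empty "open by" list is the race described in the quoted message: the writer finished before the scan started. Events on `modify` fire while the file is still open for writing, so they have the best chance of catching the process.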