Given that you said "... corrupting or rewriting a critical file just before it runs", would it be worth renaming, removing or changing permissions on the file just before that to see what fails or logs an error?

Larry

On Tue, Mar 1, 2011 at 8:14 AM, Alex Dean <alex@crackpot.org> wrote:

On Feb 28, 2011, at 5:33 PM, Kurt Granroth wrote:

> Maybe incron (cron version of inotify) could trigger a script that runs 'stat' on the file.  Still wouldn't give me the "who", though.

At first glance, I thought inotify would be perfect for this.  But (as you say) it doesn't appear that inotify events contain any information about which process performed the change which triggered the event.

struct inotify_event {
       __s32 wd;             /* watch descriptor */
       __u32 mask;           /* watch mask */
       __u32 cookie;         /* cookie to synchronize two events */
       __u32 len;            /* length (including nulls) of name */
       char name[0];        /* stub for possible name */
};
http://www.linuxjournal.com/article/8478?page=0,1

There are some handy-looking tools in https://github.com/rvoicilas/inotify-tools/wiki/.  Seems like you should be able to write a shell script to wait for a modification event on your file, and run stat or lsof when the file is changed.  That's not perfect, since the modifying process might be done by the time lsof actually runs, but it seems like it's worth a try.

alex

--
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions, that I wish it always to be kept alive.
  - Thomas Jefferson
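
The approach suggested in the quoted message above (wait for a modification event on the file, then run stat and lsof), as an added example that is not part of the original thread. It assumes inotifywait from inotify-tools, GNU stat and lsof are installed; the function names and the default log path are hypothetical.

```shell
#!/bin/sh
# Added example: log stat/lsof output each time a watched file changes.
# inotify events carry no PID or UID, so lsof is only a best-effort guess
# at the "who": a short-lived writer may have exited before lsof runs.

# Record metadata and any current holders of the file (hypothetical helper).
snapshot() {
    f=$1
    printf '=== %s event on %s\n' "$(date -u +%FT%TZ)" "$f"
    # mtime/ctime/size/owner/mode show what changed, not who changed it.
    stat -c 'mtime=%y ctime=%z size=%s owner=%U mode=%a' -- "$f" 2>&1
    # Lists processes that still have the file open at this instant.
    lsof -- "$f" 2>/dev/null || echo "(no process holds the file open now)"
}

# Watch the parent directory rather than the file itself, so a
# rename-over or delete-and-recreate of the file is still seen.
watch_file() {
    f=$1
    log=$2
    dir=$(dirname -- "$f")
    base=$(basename -- "$f")
    inotifywait -m -q \
        -e modify,attrib,close_write,move,create,delete \
        --format '%e %f' "$dir" |
    while read -r events name; do
        # Ignore events for other files in the same directory.
        [ "$name" = "$base" ] || continue
        { echo "events=$events"; snapshot "$f"; } >>"$log"
    done
}

# Usage: ./watch.sh /path/to/file [logfile]
if [ "$#" -ge 1 ]; then
    watch_file "$1" "${2:-/tmp/file-watch.log}"
fi
```

The delay between the event and the lsof call is the limitation already noted in the thread, so an empty lsof result does not mean nothing touched the file.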