I spawn a child process and need to know what files it modifies, creates or deletes.

I can't use dtrace because I cannot sudo.

I can't use FSEvents because it reports modifications that occur for all processes on the system and I'm only interested in my child process.

Thanks for your help.

+3  A: 

I would explore using DYLD_INSERT_LIBRARIES (the Mac OS equivalent of LD_PRELOAD) to interpose your own monitoring routine for the libc routines or system calls you are interested in. For example, you could write a my_open() routine that does whatever tracing you are interested in, and then invokes the real libc open() to do the rest of the work. You'll need to do this for all of the filesystem-related calls that you want to trap (open, close, read, write, rename, etc.). You should be able to set up the DYLD_INSERT_LIBRARIES environment variable before you spawn your child process, without needing to be root.

There is more information about this, and an example, in Chapter 2 of "Mac OS X Internals: A Systems Approach" by Amit Singh. If you don't have a copy, you can read the relevant section on Google Books.

Marc Unangst
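
A sketch of the interposing library the answer describes, added here as an example (it is not code from the answer or from the book it cites). It covers only open() and unlink(); the FSTRACE_LOG variable, the my_unlink name and the libfstrace.dylib file name are assumptions made for the example.

```c
/* Build on macOS: cc -dynamiclib -o libfstrace.dylib fstrace.c
 * Use: DYLD_INSERT_LIBRARIES=./libfstrace.dylib FSTRACE_LOG=/tmp/t.log ./child */
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Append "pid op path" to the file named by FSTRACE_LOG (name is an assumption). */
static void trace_record(const char *op, const char *path)
{
    const char *log = getenv("FSTRACE_LOG");
    char line[1200];
    int n = snprintf(line, sizeof line, "%d %s %s\n", (int)getpid(), op, path);
    if (!log || n < 0 || (size_t)n >= sizeof line) return;
    /* Real open(): dyld does not interpose calls made by the inserting library. */
    int fd = open(log, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return;
    if (write(fd, line, (size_t)n) < 0) { /* tracing is best-effort */ }
    close(fd);
}

int my_open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {              /* a mode argument exists only with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    int fd = open(path, flags, mode);   /* real libc open() */
    if (fd >= 0 && (flags & (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND)))
        trace_record((flags & O_CREAT) ? "create" : "modify", path);
    return fd;
}

int my_unlink(const char *path)
{
    int rc = unlink(path);              /* real libc unlink() */
    if (rc == 0) trace_record("delete", path);
    return rc;
}

#ifdef __APPLE__  /* dyld reads (replacement, original) pairs from this section */
#define INTERPOSE(r, o) __attribute__((used)) static struct { const void *a, *b; } \
    ip_##o __attribute__((section("__DATA,__interpose"))) = { (const void *)&r, (const void *)&o };
INTERPOSE(my_open, open)
INTERPOSE(my_unlink, unlink)
#endif
```

Only successful calls that can change the filesystem are logged, and the "create" label means O_CREAT was requested, not that the file was new. dyld ignores DYLD_INSERT_LIBRARIES for restricted binaries such as setuid programs, and a child that reaches the kernel without going through the interposed libc symbols is not traced.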