tags:

views:

264

answers:

3
+2  Q: 

Detecting that log file has been deleted or truncated on POSIX systems?

Suppose a long-running process writes to a log file. Suppose that log file is kept open indefinitely. Suppose that a careless system administrator deletes that log file. Can the program detect that this has happened?

Is it safe to assume that fstat() will report a link count of zero for a deleted file?

Truncation, it seems to me, is slightly trickier. In part, it depends on whether the file descriptor is running in O_APPEND mode. If the log file is not running with O_APPEND, then the current write position of the program's log descriptor doesn't change, and the truncation removes the leading bytes, but the program continues to write at 'the end', leaving a gap of phantasmal zero bytes (they read as zeroes, but don't necessarily occupy space on disk). If the program runs with O_APPEND, then it will write at the end of the file as it currently exists. The only way to observe the truncation is to note that the file position is not where the program expected it - which in turn means tracking that position explicitly.

On the whole, I'm not so worried about truncation as deletion, but any thoughts would be welcome.

+2  A: 

Checking that fstat() returns a link count of zero would fail if the file was hard linked or renamed. I would probably instead periodically compare stat()'s inode number against fstat()'s.

I'm not sure about truncation.

tail -F checks for deletion and maybe truncation, so I'd check its source to see how it implements it.

Josh Kelley  2009-01-20 17:03:34
Good point on the link count not being zero if the file was hard linked. For my purposes, renaming is not a problem. I'll need to think about whether linking is a problem - the data is still available via some name, which is the key thing.
Jonathan Leffler  2009-01-20 17:22:56
+1  A: 

You could use inotify to watch your log file, monitoring it for file system events.

Jeff Bauer  2009-01-20 17:06:51
Interesting software - but I'm looking at it from the perspective of the program writing the log file, not from the outside 'consumer' of the log file.
Jonathan Leffler  2009-01-20 17:58:15
+2  A: 

Suppose the careless system administrator kills the process. Do you really want to protect against the admin doing random things? I guess you're just looking for a way to start a new logfile from time to time, like using logrotate. There it is enough to provide a way to manually let the program reopen the logfile. The standard way to do this is to listen for the HUP-Signal in the program, and reopen the logfile if it arrives:

#include <signal.h>

volatile int f_sighup;

void sighup_handler() {
  f_sighup = 1;
}

void trap_sighup() {
  struct sigaction sa;
  int rv;

  memset(&sa, 0, sizeof(struct sigaction));
  sa.sa_handler = &sighup_handler;
  rv = sigaction(SIGHUP, &sa, NULL);
  if (-1 == rv) {
    fprintf(stderr, "warning: setting SIGHUP signal handler failed");
  }
}

int main() {
  f_sighup = 0;
  trap_sighup();
  ...
}

Then regularly check the f_sighup flag in the main program to see if the logfile should be reopened. This plays nice with tools like logrotate, which can rename the old logfile and then call kill -s HUP $PID. And the careless sysadmin can do this manually, after deleting (or better renaming) the old logfile.

sth  2009-01-20 18:10:18
Should that be "sig_atomic_t volatile f_sighup = 0;"?
Jonathan Leffler  2009-01-21 00:10:26
Probably can't hurt, though I would assume int to be always atomic. volatile might be a good idea in any case.
sth  2009-01-21 01:59:09

related questions

Obscuring network proxy password in plain text files on Linux/UNIX-likes
Why doesn't **find** find anything?
Getting stack traces on Unix systems, automatically
Differences between unix and windows files
How do you do a case insensitive search using a pattern modifier using less ?
Using Visual Studio to develop for C++ for Unix
How do I generate ASCII codes 2 and 3 in a Bash command line?
What's in your .procmailrc
Allow user to set up an SSH tunnel, but nothing else
What is PHP Safe Mode GID?
How to avoid redefining VERSION, PACKAGE, etc.
How can I encode xml files to xfdl (base64-gzip)?
Faster way to find duplicates conditioned by time
Date arithmetic in Unix shell scripts
Using Xming X Window Server over a VPN
Windows Equivalent of 'nice'
How do I configure and communicate with a serial port?
Choosing a static code analysis tool
What should a longtime Windows user know when starting to use Linux?
How do I use (n)curses in Ruby?
Process size on UNIX
Getting root permissions on a file inside of vi?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
Fastest way to get value of pi