From time to time, a file that I'm interested in is modified by some process. I need to find out which process is modifying this file. Using lsof will not work, nor will kqueue. Is this possible under FreeBSD and Linux?

+2  A: 

On Linux, there's a kernel patch floating around for inotify. However, some have said this is rarely useful and that it can be a security risk. In any case, here's the patch.

Apart from that, I'm not sure there's any way to get the PID, either with inotify or dnotify. You could investigate further (e.g. search for pid dnotify or pid inotify), but I believe it isn't likely.

Eduard - Gabriel Munteanu
A: 

You can see which processes opened a file just by installing and using the lsof (LiSt Open Files) command.

SourceRebels
+1  A: 

On FreeBSD, perhaps it would be best to check its auditing features.

aldrinleal