Users and system administrators often need to keep track of which files an application accesses. Linux already has all the means for this, so it is all the more surprising to constantly see forum questions asking whether there is an analogue of Sysinternals Filemon. In this article I will describe the use of the strace utility and consider a number of points that escape some users, namely those who believe that applications should have even their read access restricted, for example by limiting mplayer to only the movie being shown.
strace is a system call and signal tracer. Files are opened with the “open” system call, so that is the only call that needs to be tracked. Command example:
$ strace -xf -eopen -o /path/to/log /path/to/program
Here we tell strace to trace all child processes (-f), replace unprintable characters with their hexadecimal representation (-x), and save the call log to the file /path/to/log (-o). The resulting log can then be processed with the appropriate tools. Below are examples of how to extract the necessary information from the log.
Nano text editor monitoring
First, let's look at which files are accessed by the simplest text editor nano:
$ strace -xf -eopen -o out.log nano temp.txt
$ sed -n 's/.*open(\(.*\))\s*=.*/\1/p' out.log | sort
With the sed command we convert the log to a shorter format for readability, and sort the lines. As a result, something like this should appear:
"/etc/ld.so.cache", O_RDONLY
"/etc/nanorc", O_RDONLY
"/home/nuald/.nano_history", O_RDONLY
"/home/nuald/.nano_history", O_WRONLY|O_CREAT|O_TRUNC, 0666
"/home/nuald/.nanorc", O_RDONLY
"/lib/libc.so.6", O_RDONLY
"/lib/libdl.so.2", O_RDONLY
"/lib/libncursesw.so.5", O_RDONLY
"/lib/terminfo/x/xterm", O_RDONLY
"temp.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666
"/usr/lib/gconv/gconv-modules.cache", O_RDONLY
"/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY
...
"/usr/lib/locale/locale-archive", O_RDONLY
"/usr/share/locale/en/LC_MESSAGES/nano.mo", O_RDONLY
...
"/usr/share/locale/locale.alias", O_RDONLY
The following categories of files accessed by the program can be distinguished:
- Nano configuration (nanorc, ~/.nano_history)
- The dynamic libraries used by the program (libc, etc.)
- Localization files
- The file actually being edited
That is, during operation a program needs access to a fairly large number of files, and restricting read access will negatively affect the functioning of programs.
Monitoring mplayer video player
Now let's run mplayer and check only the files it writes to. Perhaps this will let us create the desired safe profile for the program.
$ strace -xf -eopen -o out.log mplayer test.mp4
$ sed -n 's/.*open(\(.*\))\s*=.*/\1/p' out.log | grep -v O_RDONLY | sort
"/dev/3dfx", O_RDWR
"/dev/fb0", O_RDWR
"/dev/mga_vid", O_RDWR
"/dev/mga_vid", O_RDWR
"/dev/shm/pulse-shm-3056117003", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC, 0400
"/home/nuald/.mplayer/config", O_WRONLY|O_CREAT|O_EXCL, 0666
"/home/nuald/.pulse-cookie", O_RDWR|O_CREAT|O_NOCTTY, 0600
Here we limited the output with the grep command, excluding files that were opened with the O_RDONLY flag (read-only). As you can see, things are not so smooth here: mplayer has to write to other files, and it is possible that restricting access would break it completely, so that it could not play the video. So the idea of restricting access described above will not be easy to implement, and it cannot be implemented exactly in its original sense.
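As an added example (not part of the original article), here is a Python parser for the strace log that goes beyond the sed/grep pipeline above: it also recognises openat calls, rejoins calls that -f splits into "<unfinished ...>" and "resumed" lines, and separates write-mode opens that succeeded from those that failed. The sample log, paths and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout `strace -f -o` writes (PID column first);
# these lines are not output captured from the runs in the article.
SAMPLE_LOG = r'''
3056  open("/etc/ld.so.cache", O_RDONLY) = 3
3056  open("/dev/3dfx", O_RDWR)         = -1 ENOENT (No such file or directory)
3056  open("/dev/fb0", O_RDWR)          = -1 EACCES (Permission denied)
3057  open("/home/user/.mplayer/config", O_WRONLY|O_CREAT|O_EXCL, 0666) = -1 EEXIST (File exists)
3057  openat(AT_FDCWD, "/home/user/.pulse-cookie", O_RDWR|O_CREAT|O_NOCTTY, 0600) = 5
3056  open("/dev/shm/pulse-shm-1", O_RDWR|O_CREAT|O_EXCL, 0400 <unfinished ...>
3057  openat(AT_FDCWD, "test.mp4", O_RDONLY) = 6
3056  <... open resumed> )              = 7
'''

CALL = re.compile(r'^(?:(\d+)\s+)?(?:open|openat)\((?:[^,"]+, )?"((?:[^"\\]|\\.)*)", ([^,)\s]+)')
RESULT = re.compile(r'\)\s*=\s*(-?\d+)')
RESUMED = re.compile(r'^(?:(\d+)\s+)?<\.\.\. (?:open|openat) resumed>.*?=\s*(-?\d+)')


def parse_opens(log):
    """Yield (path, flags, retval) for each completed open/openat call."""
    pending = {}  # pid -> (path, flags) for calls split by "<unfinished ...>"
    for line in log.splitlines():
        call = CALL.match(line)
        if call:
            pid, path, flags = call.group(1), call.group(2), call.group(3).split("|")
            result = RESULT.search(line, call.end())
            if result:
                yield path, flags, int(result.group(1))
            elif "<unfinished ...>" in line:
                pending[pid] = (path, flags)
            continue
        resumed = RESUMED.match(line)
        if resumed and resumed.group(1) in pending:
            path, flags = pending.pop(resumed.group(1))
            yield path, flags, int(resumed.group(2))


def write_opens(log):
    """Split write-mode opens into paths that opened and paths that only failed."""
    opened, failed = set(), set()
    for path, flags, retval in parse_opens(log):
        if {"O_WRONLY", "O_RDWR"} & set(flags):
            (opened if retval >= 0 else failed).add(path)
    return opened, failed - opened


if __name__ == "__main__":
    opened, failed = write_opens(SAMPLE_LOG)
    print("opened for writing:", sorted(opened))
    print("write attempts that failed:", sorted(failed))
```

Only the paths in the first set were actually opened for writing during the traced run; the second set contains attempts that returned an error.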
Conclusion
This short overview showed only one application of strace. The program has many more capabilities, and it can spare you sleepless nights spent searching for the reasons why applications are not working, even without using a debugger. It is a tool that every Linux developer should know, and I hope it will be of benefit to you in dealing with numerous bugs and improving the quality of the software being developed.
P.S. Here is a list of other tools useful for monitoring access to files:
- SystemTap - tools for collecting statistics. Caution: it requires a debug version of the kernel (it takes debugging symbols and information from it). An example of monitoring an “open” operation is described in the documentation.
- /proc/sys/vm/block_dump - debugging block I/O.
- inotify is a subsystem of the Linux kernel that lets you receive notifications about changes in the file system. It can be used through inotify tools.