Which Process Deleted My File ?
Ever asked this question before: "Which process deleted my file?" In Solaris 10, you can rely on DTrace to help you figure that out. A simple one-liner is all you need.

```
# dtrace -qn 'syscall::unlink:entry {printf("PID=%d, CMD=%s, FILE=%s\n", pid, curpsinfo->pr_psargs, copyinstr(arg0));}'
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutTKG5dKjU0
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutUKG6dKjU0
PID=13668, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mail5iaGSA
PID=10389, CMD=/usr/sbin/cron, FILE=/tmp/croutLIEDWaOsu
PID=13669, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCU0Ua013669
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutVKG7dKjU0
PID=13678, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mailq0aWTA
PID=13679, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCV0BF013679
PID=26993, CMD=/usr/sbin/cron, FILE=/tmp/croutWKG8dKjU0
PID=13689, CMD=/usr/bin/mail chihung, FILE=/var/tmp/mailtFaiVA
PID=13690, CMD=/usr/lib/sendmail -oi -- chihung, FILE=./xfn4DCW0qf013690
```
In UNIX, the system call that deletes (removes) a file is unlink(2). As the man page below shows, the path of the file to be deleted is the only argument passed to the call, and since that argument is a pointer into the process's user address space, the one-liner dereferences it with copyinstr(arg0).

```
# man -s 2 unlink
System Calls                                               unlink(2)

NAME
     unlink, unlinkat - remove directory entry

SYNOPSIS
     #include <unistd.h>

     int unlink(const char *path);

     int unlinkat(int dirfd, const char *path, int flag);

DESCRIPTION
     The unlink() function removes a link to a file. If path names
     a symbolic link, unlink() removes the symbolic link named by
     path and does not affect any file or directory named by the
     contents of the symbolic link. Otherwise, unlink() removes the
     link named by the pathname pointed to by path and decrements
     the link count of the file referenced by the link.
```
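The one-liner reports every unlink() attempt, whether or not it succeeded. The script below is an added example (not from the original post) that pairs the entry probe with the return probe so only deletions the kernel actually carried out are logged, with uid and timestamp, and counts failed attempts by errno for a summary at exit. It assumes Solaris 10 with the DTrace syscall provider and that, as the man page shows, unlinkat() is a separate entry point, so deletions made through it are not seen by this probe.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not part of the original post.
 * Logs successful unlink() calls with time, pid, uid, command and path,
 * and keeps per-command counts of successes and failures.
 * Assumes Solaris 10 and the syscall provider. Run as root:
 *   dtrace -s unlink-watch.d
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-20s %6s %6s %-16s %s\n", "TIME", "PID", "UID", "CMD", "FILE");
}

/* arg0 is a user-space pointer, so copy the string in at entry. */
syscall::unlink:entry
{
    self->path = copyinstr(arg0);
    self->ok = 1;
}

/* Return value 0 means the link was really removed. */
syscall::unlink:return
/self->ok && arg0 == 0/
{
    printf("%Y %6d %6d %-16s %s\n", walltimestamp, pid, uid,
        execname, self->path);
    @deleted[curpsinfo->pr_psargs] = count();
}

/* Non-zero return: permission denied, no such file, etc. Count by errno. */
syscall::unlink:return
/self->ok && arg0 != 0/
{
    @failed[execname, errno] = count();
}

/* Always clear the thread-local state so it does not leak across calls. */
syscall::unlink:return
{
    self->ok = 0;
    self->path = 0;
}

dtrace:::END
{
    printf("\nSuccessful deletions by command:\n");
    printa("  %-50s %@d\n", @deleted);
    printf("\nFailed unlink() calls by command and errno:\n");
    printa("  %-16s errno=%-4d %@d\n", @failed);
}
```

Press Ctrl-C to stop tracing and print the summary aggregations.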
Want to learn more? Here is some tutorial material I gathered from the web:
- Part 1 - Introduction
- Part 2 - Scripts and the D Language
- Part 3 - Advanced Scripting and Aggregations
- Part 4 - Solving Everyday Problems
- Part 5 - Completing the Picture
- DTrace on Solaris 10, by Brendan Gregg
You may also want to download the DTraceToolkit to see how powerful DTrace is.
1 Comments:
Nice illustration of the DTrace script