How to determine which process is creating a file? [duplicate]
I thought one of the inotify_tools (inotifywatch or inotifywait) would do this kind of thing. These tools are great if you want to know when a filesystem event happens, but it doesn’t look like you can get a pid from inotify.
You could do inotifywait $file; lsof -r1 $file, though. It’s much better than running while loops or using watch.
The lsof command (already mentioned in several answers) will tell you what process has a file open at the time you run it. lsof is available for just about every unix variant.
lsof won’t tell you about files that were opened two microseconds ago and closed one microsecond ago. If you need to watch a particular file and react when it is accessed, you need different tools.
If you can plan a little in advance, you can put the file on a LoggedFS filesystem. LoggedFS is a FUSE stacked filesystem that logs all accesses to files in a hierarchy. The logging parameters are highly configurable. FUSE is available on all major unices. You’ll want to log accesses to the directory where the file is created. Start with the provided sample configuration file and tweak it according to this guide.
loggedfs -l /path/to/log_file -c /path/to/config.xml /path/to/directory
tail -f /path/to/log_file
Many unices offer other monitoring facilities. Under Linux, you can use the relatively new audit subsystem. There isn’t much literature about it (but more than about loggedfs); you can start with this tutorial or a few examples or just with the auditctl man page. Here, it should be enough to make sure the daemon is started, then run auditctl:
(I think older systems need auditctl -a exit,always -w /path/to/file) and watch the logs in /var/log/audit/audit.log.
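Added example, not part of the answer above: once an auditctl watch on the file is in place, the question "which process touched it?" is answered by reading the audit log, where each event is a SYSCALL record (carrying pid, comm and exe) followed by PATH records that share the same audit(timestamp:serial) id. The function below joins the two; the log lines are constructed and abbreviated, and audit_who_touched is an assumed name, not a tool from any package.

```shell
#!/bin/sh
# Constructed sample of what auditd writes to /var/log/audit/audit.log once a
# watch like `auditctl -w /path/to/file` is in place. Each event is a SYSCALL
# record followed by CWD/PATH records that share the same audit(ts:serial) id.
# Field sets are abbreviated; real records carry more fields in the same form.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1234 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key=(null)
type=CWD msg=audit(1700000000.101:42): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:42): item=0 name="/path/to/file" inode=5555 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:43): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=777 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1700000000.250:43): item=0 name="/var/log/other" inode=6666 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:44): arch=c000003e syscall=82 success=yes exit=0 ppid=1 pid=2222 auid=1000 uid=1000 comm="mv" exe="/usr/bin/mv" key=(null)
type=PATH msg=audit(1700000000.300:44): item=2 name="/path/to/file" inode=5555 nametype=DELETE'

# audit_who_touched FILE   (audit log on stdin)
# Print "serial pid comm exe syscall" for every event whose PATH record names
# FILE, by joining the PATH record back to its SYSCALL record on the serial.
audit_who_touched() {
    awk -v want="$1" '
        { gsub(/"/, "")                          # drop quotes around values
          split($2, m, /[:)]/); serial = m[2] }  # msg=audit(ts:serial):
        $1 == "type=SYSCALL" {
            pid = comm = exe = sc = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
                else if (kv[1] == "syscall") sc = kv[2]
            }
            sys[serial] = serial " " pid " " comm " " exe " " sc
        }
        $1 == "type=PATH" && (serial in sys) {
            for (i = 3; i <= NF; i++)
                if ($i == "name=" want) { print sys[serial]; delete sys[serial] }
        }'
}

# Usage on a live system: audit_who_touched /path/to/file < /var/log/audit/audit.log
```

Against the sample it reports the vim open (syscall 257, openat on x86_64) and the mv rename (syscall 82) of /path/to/file, and nothing for the unrelated cron event.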
How to Find Out Who is Using a File in Linux
In this article, we will explain how to find out who is using a particular file in Linux. This will help you know the system user or process that is using an open file.
We can use the lsof command to know if someone is using a file, and if they are, who. It reads kernel memory in its search for open files and helps you list all open files. In this case, an open file may be a regular file, a directory, a block special file, a character special file, a stream, a network file and many others – because in Linux everything is a file.
Lsof is used on a file system to identify who is using any files on that file system. You can run the lsof command on a Linux filesystem and the output identifies the owner and process information for processes using the file, as shown in the following output.
$ lsof /dev/null
COMMAND   PID  USER    FD TYPE DEVICE SIZE/OFF NODE NAME
systemd   1480 tecmint 0r CHR  1,3    0t0      6    /dev/null
sh        1501 tecmint 0r CHR  1,3    0t0      6    /dev/null
sh        1501 tecmint 1w CHR  1,3    0t0      6    /dev/null
dbus-daem 1530 tecmint 0u CHR  1,3    0t0      6    /dev/null
xfce4-ses 1603 tecmint 0r CHR  1,3    0t0      6    /dev/null
xfce4-ses 1603 tecmint 1w CHR  1,3    0t0      6    /dev/null
at-spi-bu 1604 tecmint 0r CHR  1,3    0t0      6    /dev/null
dbus-daem 1609 tecmint 0u CHR  1,3    0t0      6    /dev/null
at-spi2-r 1611 tecmint 0u CHR  1,3    0t0      6    /dev/null
xfconfd   1615 tecmint 0u CHR  1,3    0t0      6    /dev/null
xfwm4     1624 tecmint 0r CHR  1,3    0t0      6    /dev/null
xfwm4     1624 tecmint 1w CHR  1,3    0t0      6    /dev/null
xfce4-pan 1628 tecmint 0r CHR  1,3    0t0      6    /dev/null
xfce4-pan 1628 tecmint 1w CHR  1,3    0t0      6    /dev/null
Thunar    1630 tecmint 0r CHR  1,3    0t0      6    /dev/null
Thunar    1630 tecmint 1w CHR  1,3    0t0      6    /dev/null
xfdesktop 1632 tecmint 0r CHR  1,3    0t0      6    /dev/null
xfdesktop 1632 tecmint 1w CHR  1,3    0t0      6    /dev/null
To list the files opened by a specific user, run the following command, replacing tecmint with the actual user name.
$ lsof -u tecmint
COMMAND PID  USER    FD  TYPE DEVICE SIZE/OFF NODE    NAME
systemd 1480 tecmint cwd DIR  8,3    4096     2       /
systemd 1480 tecmint rtd DIR  8,3    4096     2       /
systemd 1480 tecmint txt REG  8,3    1595792  3147496 /lib/systemd/systemd
systemd 1480 tecmint mem REG  8,3    1700792  3150525 /lib/x86_64-linux-gnu/libm-2.27.so
systemd 1480 tecmint mem REG  8,3    121016   3146329 /lib/x86_64-linux-gnu/libudev.so.1.6.9
systemd 1480 tecmint mem REG  8,3    84032    3150503 /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
systemd 1480 tecmint mem REG  8,3    43304    3150514 /lib/x86_64-linux-gnu/libjson-c.so.3.0.1
systemd 1480 tecmint mem REG  8,3    34872    2497970 /usr/lib/x86_64-linux-gnu/libargon2.so.0
systemd 1480 tecmint mem REG  8,3    432640   3150484 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
systemd 1480 tecmint mem REG  8,3    18680    3150450 /lib/x86_64-linux-gnu/libattr.so.1.1.0
systemd 1480 tecmint mem REG  8,3    18712    3150465 /lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
systemd 1480 tecmint mem REG  8,3    27112    3150489 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd 1480 tecmint mem REG  8,3    14560    3150485 /lib/x86_64-linux-gnu/libdl-2.27.so
Another important use of lsof is to find out which process is listening on a specific port. For example, identify the process listening on port 80 using the following command.
$ sudo lsof -i TCP:80
COMMAND PID  USER   FD TYPE DEVICE SIZE/OFF NODE NAME
httpd   903  root   4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1320 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1481 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1482 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1493 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1763 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   2027 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   2029 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   2044 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   3199 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   3201 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
Note: Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may result in unpredictable output. This is one of the major downsides of using the lsof command.
For more information, look at the lsof man page:
That’s all! In this article, we have explained how to know who is using a particular file in Linux. We have shown how to identify the owner and process information for processes using an open file. Use the feedback form below to reach us for any questions or comments.
How to Check Open Files in Linux
You may have come across the saying, “Everything is a file in Linux.” Although this is not entirely true, it does hold some truth.
In Linux and Unix-like systems, everything is treated like a file. That means the resources in the system get assigned a file descriptor, including storage devices, network sockets, processes, etc.
A file descriptor is a unique number that identifies a file or another input/output resource. It describes the resource and how the kernel accesses it. Think of it as a gateway to the kernel’s abstraction of hardware resources.
Unfortunately, the concept of file descriptors is beyond the scope of this tutorial; consider the link provided below to get started on learning more:
That means that Unix and Unix-like systems such as Linux use such files heavily. As a Linux power user, seeing the open files and the process and users using them is incredibly useful.
This tutorial will focus on ways to view the files open and which process or user is responsible.
Pre-Requisites
Before we begin, ensure that you have:
If you have these, let us get started:
LSOF Utility
List open files, or lsof for short, was created by Victor A. Abell. It is a command-line utility that lets us view open files and the processes or users that opened them.
The lsof utility is packaged by the major Linux distributions; however, it may not be installed by default, in which case you need to install it manually.
How to Install lsof on Debian/Ubuntu
To install it on Debian, use the command:
sudo apt-get install lsof -y
How to Install on RHEL/CentOS
To install on RHEL and CentOS, use the command:
How to Install on Arch
On Arch, call the package manager using the command:
How to Install on Fedora
On Fedora, use the command:
Once you have the lsof utility installed and updated, we can begin using it.
Basic lsof Usage
To use the lsof tool, enter the command:
Once you execute the above command, lsof will dump a lot of information as shown below:
The above output shows all the files opened by the processes. The output has various columns, each representing specific information about the file.
- COMMAND – shows the name of the process that is using the file.
- PID – shows the process identifier of the process using the file.
- TID – shows the task ID (thread) of the process.
- TASKCMD – shows the name of the task command.
- USER – the owner of the process.
- FD – shows the file descriptor number, which is how the process uses the file; the values that appear in this column include:
  - cwd – current working directory
  - mem – memory-mapped file
  - pd – parent directory
  - jld – jail directory
  - ltx – shared library text
  - rtd – root directory
  - txt – program code and data
  - tr – kernel trace file
  - err – file descriptor information error
  - mmp – memory-mapped device
- TYPE – shows the type of node associated with the file, such as:
  - unix – Unix domain socket
  - DIR – directory
  - REG – regular file
  - CHR – character special file
  - LINK – symbolic link file
  - BLK – block special file
  - INET – Internet domain socket
  - FIFO – a named pipe (First In, First Out file)
  - PIPE – pipe
- DEVICE – shows the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file.
- SIZE/OFF – shows the size of the file or the file offset in bytes.
- NODE – shows the node number of a local file, the protocol type for an Internet file, etc.
- NAME – shows the name of the mount point and filesystem on which the file is located.
Note: Please Refer to the lsof Manual for detailed information on the columns.
How to Show Processes that Opened a File
Lsof provides us with options that help us filter the output to show only the processes that opened a specific file.
For example, to see the processes that opened the file /bin/bash, use the command as:
This will give you an output as shown below:
COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE   NAME
ksmtuned 1025 root   txt REG  253,0  1150704  428303 /usr/bin/bash
bash     2968 centos txt REG  253,0  1150704  428303 /usr/bin/bash
bash     3075 centos txt REG  253,0  1150704  428303 /usr/bin/bash
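Added example, not from the article: on Linux, lsof gets this answer by reading /proc/PID/fd, and the same lookup can be done in plain POSIX sh when lsof is not installed. The function below lists every process that holds a given path open; who_has_open and demo are assumed names, not part of lsof or any package.

```shell
#!/bin/sh
# who_has_open PATH
# Print "PID COMMAND FD" for every process whose descriptor table holds PATH
# open. This reproduces what `lsof PATH` reports by reading /proc directly,
# which is useful on a host where lsof is not installed or cannot be trusted.
# Only processes whose /proc/PID/fd you may read are visible (run as root to
# see them all); processes that exit mid-scan are skipped silently.
who_has_open() {
    target=$(readlink -f -- "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink -- "$fd" 2>/dev/null) || continue
        [ "$link" = "$target" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        printf '%s %s %s\n' "$pid" "$comm" "${fd##*/}"
    done
    return 0
}

# Demonstration: hold a temporary file open on descriptor 3 in this shell,
# scan for it, then close and remove it.
demo() {
    tmp=$(mktemp) || return 1
    exec 3<"$tmp"
    who_has_open "$tmp"      # lists this shell's PID with fd 3
    exec 3<&-
    rm -f -- "$tmp"
}
```

A file that was opened and closed before the scan leaves no trace here, which is the same limitation the answer above describes for lsof; only a watch (inotify, LoggedFS or auditd) catches that.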
How to Show Files Opened by a Specific User
We can also filter the output to show the files opened by a specific user. We do this by using the -u flag followed by the username as:
This will give you an output as shown below:
How to Show Files Opened by a Specific Process
Suppose we want to view all the files opened by a specific process. For this, we can use the PID of the process to filter the output.
For example, the command below shows the files opened by bash.
This will give you only the files opened by systemd as shown:
How to Show Files Opened in a Directory
To get the files opened in a specific directory, we can pass the +D option followed by the directory path.
For example, list open files in the /etc directory.
Below is the output for this:
How to Show Network Connections
Since everything in Linux is a file, we can get the network files such as TCP files or connections.
This will give you the TCP connections in the system.
You can also filter by the specific port using the command shown below:
This will give you the output as shown below:
How to Continuously Show Files
Lsof provides us with a mode to loop the output every few seconds. This allows you to monitor the files opened by a process or user continuously.
This option, however, requires you to terminate the process manually.
For example, the command below continuously monitors the files opened on port 22:
As you can see, in the third loop, lsof catches the established SSH connection to the server.
Conclusion
Lsof is an incredibly useful utility. It allows you to monitor critical files as well as the users and processes opening files. This can be incredibly useful when troubleshooting or looking for malicious activity on the system.
As shown in this tutorial, using various examples and methods, you can combine the functionality provided by the lsof tool for custom monitoring.
Thank you for reading and sharing! I hope you learned something new!
About the author
John Otieno
My name is John and I am a fellow geek like you. I am passionate about all things computers, from hardware and operating systems to programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to the LinuxHint mailing list.