Linux what process using file

Files being used by a unix process

The fuser command lets me know which processes are using a file or directory. I’m looking for command that does the opposite: lets me know which files are being used by a process.

Update

6 Answers 6

lsof stands for “LiSt Open Files”. This shell command seems deceptively simple: It lists information about files opened by processes on a UNIX box.

Despite its (apparent) modest mission statement, lsof is actually one of the most powerful and useful UNIX commands. Its raw power comes from one of UNIX’s design principle often described as ”in UNIX everything is a file”. What this means is that the lsof concept of an open file not only covers regular files but also the following:

  • Directories
  • Streams or network files (for example, Internet or UNIX domain sockets and NFS files)
  • Native libraries (for example, .soor .dylibdynamic libraries linked to a process)
  • Block and character special files (for example, disk volume, external hard drive, console, or mouse)
  • Pipes

Wait, I Cannot Find lsof on My System!

lsof is such a popular tool that it has been ported to pretty much all UNIX dialects (Linux, Mac OS X, BSD, Solaris, and so on). If it is unavailable on your box, use your usual package management system to install it. You can find lsof packages for Solaris on Sun Freeware.

While I wouldn’t begrudge anyone learning Dtrace or gaining experience installing software, in Solaris there is a command to see the files a process has open: /usr/bin/pfiles

% tail -f /etc/motd & [1] 6033 % pfiles 6033 6033: tail -f /etc/motd Current rlimit: 256 file descriptors 0: S_IFREG mode:0644 dev:182,65538 ino:163065 uid:0 gid:3 size:54 O_RDONLY|O_LARGEFILE /etc/motd 1: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/3 2: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/3 
  1. you can use ls command and grep to find out the files used by chrome

$ ls -l /proc/*/fd | grep «chrome»

lrwx—— 1 ba abc 64 Jul 16 22:19 104 -> /home/abc/.config/google-chrome/Default/Cookies

lr-x—— 1 abc abc 64 Jul 16 22:19 113 -> /opt/google/chrome/nacl_irt_x86_64.nexe

lrwx—— 1 abc abc 64 Jul 16 22:19 121 -> /home/abc/.cache/google-chrome/Default/Cache/data_0

lrwx—— 1 abc abc 64 Jul 16 22:19 122 -> /home/abc/.cache/google-chrome/Default/Cache/data_1

lrwx—— 1 abc abc 64 Jul 16 22:19 123 -> /home/abc/.cache/google-chrome/Default/Cache/data_2

lr-x—— 1 abc abc 64 Jul 16 22:19 125 -> /home/abc/.config/google-chrome/Dictionaries/en-US-3-0.bdic

Another command to find out the result using lsof and grep

$ lsof | grep «chrome»

chrome 2204 abc cwd DIR 8,5 4096 1441794 /home/abc

chrome 2204 abc rtd DIR 8,5 4096 2 /

chrome 2204 abc txt REG 8,5 87345336 5111885 /opt/google/chrome/chrome

chrome 2204 abc mem REG 8,5 4202496 1443927 /home/abc/.cache/google-chrome/Default/Media Cache/data_3

chrome 2204 abc mem REG 8,5 1056768 1443926 /home/abc/.cache/google-chrome/Default/Media Cache/data_2

chrome 2204 abc mem REG 8,5 270336 1443925 /home/abc/.cache/google-chrome/Default/Media Cache/data_1

Читайте также:  Настройка openvpn linux fedora

chrome 2204 abc mem REG 8,5 45056 1443924 /home/abc/.cache/google-chrome/Default/Media Cache/data_0

This is a classic application for dtrace.

I can’t remember the syntax exactly, but you can have a trace fire every time a file is opened by any process on the system. It can be done on a running system without anywhere near as much overhead as I expected it would have. If you’re running solaris as an administrator, dtrace is your best friend. Even if you’re not a programmer, it is quite simple to learn and a VERY powerful system query tool.

I can not test it: it does not seem installed on my Solaris servers. If you can post an example, that would help.

Under some unix systems, ( IE: Linux ), all files opened by a process have a FD id.

ls -la /proc/2055/fd total 0 dr-x------ 2 kent kent 0 Nov 19 21:44 . dr-xr-xr-x 7 kent kent 0 Nov 19 21:42 .. lr-x------ 1 kent kent 64 Nov 19 21:44 0 -> /dev/null l-wx------ 1 kent kent 64 Nov 19 21:44 1 -> /home/kent/.xsession-errors lrwx------ 1 kent kent 64 Nov 19 21:44 10 -> socket:[3977613] lrwx------ 1 kent kent 64 Nov 19 21:44 11 -> /home/kent/.googleearth/Cache/dbCache.dat lrwx------ 1 kent kent 64 Nov 19 21:44 12 -> /home/kent/.googleearth/Cache/dbCache.dat.index lrwx------ 1 kent kent 64 Nov 19 21:44 13 -> socket:[3978765] lrwx------ 1 kent kent 64 Nov 19 21:44 14 -> socket:[3978763] lrwx------ 1 kent kent 64 Nov 19 21:44 15 -> socket:[3978766] lrwx------ 1 kent kent 64 Nov 19 21:44 17 -> socket:[3978764] l-wx------ 1 kent kent 64 Nov 19 21:44 2 -> /home/kent/.xsession-errors lr-x------ 1 kent kent 64 Nov 19 21:44 3 -> pipe:[3977583] l-wx------ 1 kent kent 64 Nov 19 21:44 4 -> pipe:[3977583] lr-x------ 1 kent kent 64 Nov 19 21:44 5 -> pipe:[3977584] l-wx------ 1 kent kent 64 Nov 19 21:44 6 -> pipe:[3977584] lr-x------ 1 kent kent 64 Nov 19 21:44 7 -> pipe:[3977587] l-wx------ 1 kent kent 64 Nov 19 21:44 8 -> pipe:[3977587] lrwx------ 1 kent kent 64 Nov 19 21:44 9 -> socket:[3977588] 

Additionally, sometimes you even get «FDINFO» ( I think this is a kernel flag on linux )

cat /proc/2055/fdinfo/11 pos: 232741818 flags: 02 

Источник

How to Find Out Who is Using a File in Linux

In this article, we will explain how to find out who is using a particular file in Linux. This will help you know the system user or process that is using an open file.

We can use the lsof command to know if someone is using a file, and if they are, who. It reads kernel memory in its search for open files and helps you list all open files. In this case, an open file may be a regular file, a directory, a block special file, a character special file, a stream, a network file and many others – because in Linux everything is a file.

Lsof is used on a file system to identify who is using any files on that file system. You can run lsof command on Linux filesystem and the output identifies the owner and process information for processes using the file as shown in the following output.

$ lsof /dev/null 
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1480 tecmint 0r CHR 1,3 0t0 6 /dev/null sh 1501 tecmint 0r CHR 1,3 0t0 6 /dev/null sh 1501 tecmint 1w CHR 1,3 0t0 6 /dev/null dbus-daem 1530 tecmint 0u CHR 1,3 0t0 6 /dev/null xfce4-ses 1603 tecmint 0r CHR 1,3 0t0 6 /dev/null xfce4-ses 1603 tecmint 1w CHR 1,3 0t0 6 /dev/null at-spi-bu 1604 tecmint 0r CHR 1,3 0t0 6 /dev/null dbus-daem 1609 tecmint 0u CHR 1,3 0t0 6 /dev/null at-spi2-r 1611 tecmint 0u CHR 1,3 0t0 6 /dev/null xfconfd 1615 tecmint 0u CHR 1,3 0t0 6 /dev/null xfwm4 1624 tecmint 0r CHR 1,3 0t0 6 /dev/null xfwm4 1624 tecmint 1w CHR 1,3 0t0 6 /dev/null xfce4-pan 1628 tecmint 0r CHR 1,3 0t0 6 /dev/null xfce4-pan 1628 tecmint 1w CHR 1,3 0t0 6 /dev/null Thunar 1630 tecmint 0r CHR 1,3 0t0 6 /dev/null Thunar 1630 tecmint 1w CHR 1,3 0t0 6 /dev/null xfdesktop 1632 tecmint 0r CHR 1,3 0t0 6 /dev/null xfdesktop 1632 tecmint 1w CHR 1,3 0t0 6 /dev/null .

To list user specific opened files, run the following command replace tecmint with the actual user name.

$ lsof -u tecmint 
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1480 tecmint cwd DIR 8,3 4096 2 / systemd 1480 tecmint rtd DIR 8,3 4096 2 / systemd 1480 tecmint txt REG 8,3 1595792 3147496 /lib/systemd/systemd systemd 1480 tecmint mem REG 8,3 1700792 3150525 /lib/x86_64-linux-gnu/libm-2.27.so systemd 1480 tecmint mem REG 8,3 121016 3146329 /lib/x86_64-linux-gnu/libudev.so.1.6.9 systemd 1480 tecmint mem REG 8,3 84032 3150503 /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0 systemd 1480 tecmint mem REG 8,3 43304 3150514 /lib/x86_64-linux-gnu/libjson-c.so.3.0.1 systemd 1480 tecmint mem REG 8,3 34872 2497970 /usr/lib/x86_64-linux-gnu/libargon2.so.0 systemd 1480 tecmint mem REG 8,3 432640 3150484 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1 systemd 1480 tecmint mem REG 8,3 18680 3150450 /lib/x86_64-linux-gnu/libattr.so.1.1.0 systemd 1480 tecmint mem REG 8,3 18712 3150465 /lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 systemd 1480 tecmint mem REG 8,3 27112 3150489 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 systemd 1480 tecmint mem REG 8,3 14560 3150485 /lib/x86_64-linux-gnu/libdl-2.27.so .

Another important use of lsof is to find out the process listening on a specific port. For example identify the process listening on port 80 using the following command.

$ sudo lsof -i TCP:80 
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 903 root 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1320 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1481 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1482 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1493 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1763 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 2027 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 2029 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 2044 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 3199 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 3201 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN)

Note: Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may result into unpredictable outputs. This is one of the major downsides of using lsof command.

Читайте также:  Installing source files in linux

For more information, look at the lsof man page:

That’s all! In this article, we have explained how to know who is using a particular file in Linux. We have shown how to identify the owner and process information for processes using an open file. Use the feedback form below to reach us for any questions or comments.

Источник

Using lsof to find who is using a file or socket

lsof stands for List Open Files. It can help us find which process is using a file at a given point in time. The reason lsof is so useful in Unix/Linux systems is that sockets and devices are treated the same way as files (Pretty much everything is considered a file in Unix/Linux).

Running lsof without any arguments will list all open files in the system. If you have a lot of processes working with a lot of files, prepare to wait. The output looks somethins like this:

$ sudo lsof COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,1 4096 2 / systemd 1 root rtd DIR 253,1 4096 2 / systemd 1 root txt REG 253,1 1577264 5374284 /lib/systemd/systemd systemd 1 root mem REG 253,1 18976 5375835 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 .

This command works better if executed by root or using sudo . If you execute as any other user, you might only be able to see files owned by that user.

You can see a few things in the output:

  • COMMAND — The unix command associated with the process. This field might be truncated
  • PID — ID of the process using the file
  • TID — ID of the thread using the file
  • USER — User that owns the process
  • FD — Usually this is a number representing a file a descriptor, but there are also some special values (they can be found in man lsof ). A file descriptor can be followed by r , w or u to represent read , write and read-write modes
  • TYPE — Because pretty much everything is considered a file, lsof will list all kinds of things. This field helps identify exactly what is this thing (file, directory, socket, etc.)
  • DEVICE — Identifier for the device
  • SIZE/OFF — Depending on the type of file, this will be the size of the file or offset
  • NODE — This varies depending on the type of file, but it can be an inode number for a regular file
  • NAME — Name of the file, device, stream, etc
Читайте также:  Linux init android init

Find who is using the network

The most common use I have for lsof is finding which process is using a port I’m trying to use. I wrote an article a while ago explaining how to do this with ss (netstat), but it’s good to know how to do this with lsof too, in case ss is not available in the machine.

To see all the network connections we can use:

To find who is using port 4000, we can use:

Источник

Оцените статью
Adblock
detector