how to know which processes accessed a file?
My OS is Linux. I have a file located in /etc; its full path is like /etc/AAA. Are there any tools or commands that can tell me which processes accessed the file during a period? For example:
1:10 AM, process A writes /etc/AAA
3:50 AM, process B reads /etc/AAA
I need to know the IDs of all processes that accessed /etc/AAA. Thanks.
The linux audit system can help you and will provide detailed information:
Here’s some documentation on Red Hat’s site, but it should be adaptable to other Linux variants. Most distros have the audit system, but it may be an optional install. (Also see the man pages for the commands below.)
Assuming the audit subsystem is already running, you can add a rule to watch read access on your example file like this:
auditctl -w /etc/AAA -p r -k mywatch
(-w tells what file to watch, -p tells what activity to watch for [in this case read], and -k is an arbitrary key that can be used to find the records later)
Then you can see the results with the command:
or watch the audit.log file (in /var/log/audit on some systems)
Limitation: Note that the filesystem watch (with -p) only logs the opening of a file (with read or write permission), not the time of individual read/write calls. Reading/Writing a large file for example would otherwise generate too many log messages and use up your log file space, so it doesn’t do that, it just records the opening of the file. So, in theory a program that’s a long running daemon, could open a file for writing at startup (which would be logged) but then not write to it until days later (which wouldn’t be logged). Still it should be useful for observing short-lived programs that make a quick change to a file. If you really do want to watch individual calls, there is the -S option to watch syscalls, but use with caution as you can quickly overwhelm your logs if too general.
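An added example, not part of the original answer: with the mywatch rule above in place, this script reduces raw audit.log SYSCALL records to one line per recorded open of the watched file. The sample records are constructed, the function names are hypothetical, and the raw (uninterpreted) log format is assumed.

```sh
#!/bin/sh
# Added example (not from the original answer): summarise audit SYSCALL
# records that carry a given -k key, one line per recorded open.

# Constructed sample records in raw audit.log format; all values are made up.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 tty=pts0 comm="cat" exe="/usr/bin/cat" key="mywatch"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/AAA" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000100.500:102): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=2222 auid=1000 uid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key="other"
type=SYSCALL msg=audit(1700009600.007:103): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1300 pid=4321 auid=1001 uid=1001 tty=pts1 comm="vim" exe="/usr/bin/vim" key="mywatch"
EOF
}

# audit_accessors KEY: read raw audit records on stdin, print
#   <epoch.ms> pid=<pid> uid=<uid> comm=<comm> exe=<exe> success=<yes|no>
audit_accessors() {
    awk -v want="\"$1\"" '
    $1 == "type=SYSCALL" {
        split("", f)                      # reset the field map
        for (i = 2; i <= NF; i++) {       # each token is name=value
            eq = index($i, "=")
            if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (f["key"] != want) next        # only events from our watch rule
        m = f["msg"]                      # audit(<epoch.ms>:<serial>):
        ts = substr(m, 7, index(m, ":") - 7)
        comm = f["comm"]; gsub(/"/, "", comm)
        exe = f["exe"];   gsub(/"/, "", exe)
        printf "%s pid=%s uid=%s comm=%s exe=%s success=%s\n",
               ts, f["pid"], f["uid"], comm, exe, f["success"]
    }'
}

# Distinct PIDs that opened the watched file (successfully or not).
audit_pids() {
    audit_accessors "$1" | sed 's/.* pid=\([0-9]*\) .*/\1/' | sort -un
}

sample_audit_log | audit_accessors mywatch
```

On a live system the input would be the audit log itself, for example audit_accessors mywatch < /var/log/audit/audit.log run as root; failed opens (success=no) are kept because a denied attempt is still an access attempt worth seeing.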
How to find out which process is using a file in Linux?
You can use the fuser command, which is part of the psmisc package, like:
You will receive a list of processes using the file.
You can use different flags with it, in order to receive a more detailed output.
You can find more info in the fuser’s Wikipedia article, or in the man pages.
@khris, it might be that not all fuser implementations are the same, or work the same way. Even if -i is defined in POSIX, the particular implementation you are using does not necessarily have the same options as the ones described in the Wikipedia article. For example, I’m using AIX right now, and the fuser available in this system does not have the -i option either.
For some reason, neither fuser nor lsof were working for me on a virtualbox guest. This answer saved me.
@jim’s answer is correct — fuser is what you want.
Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (Though of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option — check the man page for details.)
For example, with a tail -F /etc/passwd running in one window:
ghoti@pc:~$ lsof | grep passwd
tail 12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd
Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.
How can I determine what process has a file open in Linux?
I’d like to determine what process has ownership of a lock-file. The lock-files are simply a file with a specific name that has been created. So, how can I determine what process has a particular file open in Linux? Preferably a one-liner type or a particular Linux tool solution would be optimal.
You can also use fuser for this:
~> less .vimrc
# put in background
~> fuser .vimrc
.vimrc: 28135
~> ps 28135
  PID TTY    STAT TIME COMMAND
28135 pts/36 T    0:00 less .vimrc
fuser has strange behavior with exit codes. It returns exit code 1 in two states: A/ some internal error, checked file not found, etc.; B/ no process has opened the specified file. In situation A/ some error message is printed to its output. Unfortunately, when the file is available and opened by something, output is generated but with exit code 0. It would be better if fuser exited with three codes, not two as it does currently. lsof is a somewhat worse solution because it works more slowly.
This is essentially the same pattern that ls follows — it returns exit code 2 if there’s an error (e.g., invalid option specified) or file not found (and 0 if it successfully reports information).
On most Linux systems lsof NAME does the job:
fin@r2d2:~$ lsof /home/fin
COMMAND   PID USER  FD  TYPE DEVICE SIZE    NODE NAME
bash    21310  fin cwd   DIR    8,1 4096 5054467 /home/fin
lsof    21320  fin cwd   DIR    8,1 4096 5054467 /home/fin
lsof    21321  fin cwd   DIR    8,1 4096 5054467 /home/fin
fin@r2d2:~$
@JoseLSegura: I’m assuming you’re resourceful enough for the answer ‘then install lsof’ to be useless for you. Can you elaborate on your problem? If you don’t have root, you likely don’t have privs to find out if another user has the file open anyhow.
@Jason: it does work for files, but cwd lines (which report use as the current working directory of a process) only report directories.
Having a file open is not a lock because, if each process has to check whether the file is open first and not proceed if it is or create/open it if it isn’t, then two processes could quite well check simultaneously, both find that it isn’t open, then both create or open it.
To use a file as a lock, the check-and-lock operation has to be a single uninterruptible operation. You can achieve this in a Unix filesystem by creating a file with read-only mode and removing it to unlock. If the file exists (and is read only) the file creation will fail, so you get check-and-lock in a single atomic operation.
If your locking process is a shell script that will be running as a daemon, you can get this effect by using umask , a per-process setting that sets the permissions that new files are created with:
oldumask=$(umask)
umask 222   # create files unwritable to owner too
if echo $$ > /var/lock/foo
then
    : locking succeeded
else
    : locking failed
fi
umask $oldumask
This also writes the owning process’ PID into the file, which solves your other problem:
cat /var/lock/foo
As regards the specific question «Which processes have this file open?», this can be useful when you want to unmount a filesystem but can’t because some process has a file open in it. If you don’t have those commands available, you can ask /proc as root:
ls -l /proc/*/cwd | grep '/var/lock/foo$'
ls -l /proc/*/cwd 2>/dev/null | grep '/var/lock/foo$'
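An added example, not part of the original answer: the same /proc lookup extended from working directories to open file descriptors, for hosts where neither fuser nor lsof is available. The function name pids_using is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original answer): list PIDs that hold PATH
# open, or use it as their working directory, using only /proc.
# Without root, only the caller's own processes are readable.
pids_using() {
    target=$(readlink -f "$1") || return 2      # canonical path to compare against
    for link in /proc/[0-9]*/fd/* /proc/[0-9]*/cwd; do
        # Each entry is a symlink to the open file; unreadable ones are skipped.
        [ "$(readlink "$link" 2>/dev/null)" = "$target" ] || continue
        pid=${link#/proc/}                      # strip the prefix ...
        echo "${pid%%/*}"                       # ... and everything after the PID
    done | sort -un
}

# Example: pids_using /var/lock/foo
```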
How to Find Out Who is Using a File in Linux
In this article, we will explain how to find out who is using a particular file in Linux. This will help you know the system user or process that is using an open file.
We can use the lsof command to know if someone is using a file, and if they are, who. It reads kernel memory in its search for open files and helps you list all open files. In this case, an open file may be a regular file, a directory, a block special file, a character special file, a stream, a network file and many others – because in Linux everything is a file.
lsof can be run against a file or a file system to identify which processes are using it. The output identifies the owner and process information for each process using the file, as shown in the following output.
$ lsof /dev/null
COMMAND    PID  USER    FD  TYPE DEVICE SIZE/OFF NODE NAME
systemd   1480  tecmint 0r  CHR  1,3    0t0      6    /dev/null
sh        1501  tecmint 0r  CHR  1,3    0t0      6    /dev/null
sh        1501  tecmint 1w  CHR  1,3    0t0      6    /dev/null
dbus-daem 1530  tecmint 0u  CHR  1,3    0t0      6    /dev/null
xfce4-ses 1603  tecmint 0r  CHR  1,3    0t0      6    /dev/null
xfce4-ses 1603  tecmint 1w  CHR  1,3    0t0      6    /dev/null
at-spi-bu 1604  tecmint 0r  CHR  1,3    0t0      6    /dev/null
dbus-daem 1609  tecmint 0u  CHR  1,3    0t0      6    /dev/null
at-spi2-r 1611  tecmint 0u  CHR  1,3    0t0      6    /dev/null
xfconfd   1615  tecmint 0u  CHR  1,3    0t0      6    /dev/null
xfwm4     1624  tecmint 0r  CHR  1,3    0t0      6    /dev/null
xfwm4     1624  tecmint 1w  CHR  1,3    0t0      6    /dev/null
xfce4-pan 1628  tecmint 0r  CHR  1,3    0t0      6    /dev/null
xfce4-pan 1628  tecmint 1w  CHR  1,3    0t0      6    /dev/null
Thunar    1630  tecmint 0r  CHR  1,3    0t0      6    /dev/null
Thunar    1630  tecmint 1w  CHR  1,3    0t0      6    /dev/null
xfdesktop 1632  tecmint 0r  CHR  1,3    0t0      6    /dev/null
xfdesktop 1632  tecmint 1w  CHR  1,3    0t0      6    /dev/null
.
To list the files opened by a specific user, run the following command, replacing tecmint with the actual user name.
$ lsof -u tecmint
COMMAND  PID  USER    FD  TYPE DEVICE SIZE/OFF NODE    NAME
systemd  1480 tecmint cwd DIR  8,3    4096     2       /
systemd  1480 tecmint rtd DIR  8,3    4096     2       /
systemd  1480 tecmint txt REG  8,3    1595792  3147496 /lib/systemd/systemd
systemd  1480 tecmint mem REG  8,3    1700792  3150525 /lib/x86_64-linux-gnu/libm-2.27.so
systemd  1480 tecmint mem REG  8,3    121016   3146329 /lib/x86_64-linux-gnu/libudev.so.1.6.9
systemd  1480 tecmint mem REG  8,3    84032    3150503 /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
systemd  1480 tecmint mem REG  8,3    43304    3150514 /lib/x86_64-linux-gnu/libjson-c.so.3.0.1
systemd  1480 tecmint mem REG  8,3    34872    2497970 /usr/lib/x86_64-linux-gnu/libargon2.so.0
systemd  1480 tecmint mem REG  8,3    432640   3150484 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
systemd  1480 tecmint mem REG  8,3    18680    3150450 /lib/x86_64-linux-gnu/libattr.so.1.1.0
systemd  1480 tecmint mem REG  8,3    18712    3150465 /lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
systemd  1480 tecmint mem REG  8,3    27112    3150489 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd  1480 tecmint mem REG  8,3    14560    3150485 /lib/x86_64-linux-gnu/libdl-2.27.so
.
Another important use of lsof is to find out which process is listening on a specific port. For example, identify the process listening on port 80 using the following command.
$ sudo lsof -i TCP:80
COMMAND PID  USER   FD TYPE DEVICE SIZE/OFF NODE NAME
httpd   903  root   4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1320 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1481 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1482 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1493 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   1763 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   2027 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   2029 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   2044 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   3199 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
httpd   3201 apache 4u IPv6 20222  0t0      TCP  *:http (LISTEN)
Note: Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may result in unpredictable output. This is one of the major downsides of using the lsof command.
For more information, look at the lsof man page:
That’s all! In this article, we have explained how to know who is using a particular file in Linux. We have shown how to identify the owner and process information for processes using an open file.