
How to check if a file is opened in Linux?

The thing is, I want to track if a user tries to open a file on a shared account. I'm looking for any record/technique that helps me know if the concerned file is opened, at run time.

I want to create a script which monitors if the file is open, and if it is, I want it to send an alert to a particular email address. The file I'm thinking of is a regular file.

I tried using lsof | grep filename for checking if a file is open in gedit, but the command doesn't return anything.

Actually, I'm trying this for a pet project, and thus the question.

like image 897
Darshit Patel asked Jun 19 '15 10:06


People also ask

How can I tell who accessed a file in Linux?

To find out what or who has a file open now, use lsof /path/to/file . To log what happens to a file in the future, there are a few ways: Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file .

How check if fd is open Linux?

In Linux you can check /proc/<pid>/fd directory - for every open fd there will be a file, named as handle. I'm almost sure this way is non-portable. Alternatively you can use lsof - available for Linux, AIX, FreeBSD and NetBSD, according to man lsof .

What is an open file in Linux?

What is an open file? An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file.


3 Answers

The command lsof -t filename shows the IDs of all processes that have the particular file opened. lsof -t filename | wc -w gives you the number of processes currently accessing the file.

like image 100
Thomas Schallar answered Oct 11 '22 16:10


The fact that a file has been read into an editor like gedit does not mean that the file is still open. The editor most likely opens the file, reads its contents and then closes the file. After you have edited the file you have the choice to overwrite the existing file or save as another file.

like image 31
Henrik Carlqvist answered Oct 11 '22 16:10


You could (in addition to the other answers) use the Linux-specific inotify(7) facilities.

I understand that you want to track one (or a few) particular given files, with a fixed file path (actually a given i-node). E.g. you would want to track when /var/run/foobar is accessed or modified, and do something when that happens.

In particular, you might want to install and use incrond(8) and configure it thru incrontab(5).

If you want to run a script when some given file (on a native local, e.g. Ext4, BTRFS, ... but not NFS file system) is accessed or modified, use inotify; incrond is made exactly for that purpose.

PS. AFAIK, inotify doesn't work well for remote network files, e.g. NFS filesystems (in particular when another NFS client machine is modifying a file).

If the files you are fond of are somehow source files, you might be interested in revision control systems (like git) or builder systems (like GNU make); in a certain way these tools are related to file modification.

You could also have the particular file system sit in some FUSE filesystem, and write your own FUSE daemon.

If you can restrict and modify the programs accessing the file, you might want to use advisory locking, e.g. flock(2), lockf(3).

Perhaps the data sitting in the file should be in some database (e.g. sqlite or a real DBMS like PostgreSQL or MongoDB). ACID properties are important ....

Notice that the filesystem and the mount options may matter a lot.

You might want to use the stat(1) command.

It is difficult to help more without understanding the real use case and the motivation. You should avoid some XY problem.

Probably, the workflow is wrong (having a shared file between several users able to write it), and you should approach the overall issue in some other way. For a pet project I would at least recommend using some advisory lock, and access & modify the information only thru your own programs (perhaps setuid) using flock (this excludes ordinary editors like gedit or commands like cat ...). However, your implicit use case seems to be well suited for a DBMS approach (a database does not have to contain a lot of data, it might be tiny), or some index locked file like GDBM library is handling.

Remember that on POSIX systems and Linux, several processes can access (and even modify) the same file simultaneously (unless you use some locking or synchronization).

Reading the Advanced Linux Programming book (freely available) would give you a broader picture (but it does not mention inotify, which appeared after the book was written).

like image 34
Basile Starynkevitch answered Oct 11 '22 15:10
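An added example, not code from any of the answers above: a minimal inotify(7) watcher built on ctypes that reports OPEN/ACCESS/CLOSE events on one file, so an editor that opens, reads and immediately closes the file (the case a polled `lsof` misses) is still recorded. The names `watch_file`, `read_events` and `monitor`, and the `alert` callback (where an e-mail hook would go), are assumptions made for this sketch; it applies to local file systems only, as noted for NFS above.

```python
import ctypes, os, select, struct

# Event masks from <sys/inotify.h>
IN_ACCESS, IN_MODIFY, IN_CLOSE_WRITE, IN_CLOSE_NOWRITE, IN_OPEN = 0x1, 0x2, 0x8, 0x10, 0x20
NAMES = {IN_OPEN: "OPEN", IN_ACCESS: "ACCESS", IN_MODIFY: "MODIFY",
         IN_CLOSE_WRITE: "CLOSE_WRITE", IN_CLOSE_NOWRITE: "CLOSE_NOWRITE"}
_HDR = struct.Struct("iIII")  # struct inotify_event header: wd, mask, cookie, len
_libc = ctypes.CDLL(None, use_errno=True)  # libc symbols of the running process


def watch_file(path, mask=IN_OPEN | IN_ACCESS | IN_MODIFY | IN_CLOSE_WRITE | IN_CLOSE_NOWRITE):
    """Return an inotify fd carrying a single watch on `path`."""
    fd = _libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    if _libc.inotify_add_watch(fd, os.fsencode(path), mask) < 0:
        err = ctypes.get_errno()
        os.close(fd)
        raise OSError(err, os.strerror(err), path)
    return fd


def read_events(fd, timeout=1.0):
    """Return the names of queued events, waiting at most `timeout` seconds."""
    events = []
    if not select.select([fd], [], [], timeout)[0]:
        return events  # nothing touched the file within the timeout
    buf = os.read(fd, 4096)
    offset = 0
    while offset < len(buf):
        _wd, mask, _cookie, name_len = _HDR.unpack_from(buf, offset)
        events += [name for bit, name in NAMES.items() if mask & bit]
        offset += _HDR.size + name_len  # skip the optional file name
    return events


def monitor(path, alert=print):
    """Block forever and call `alert` (hypothetical hook) for every event."""
    fd = watch_file(path)
    try:
        while True:
            for name in read_events(fd, timeout=None):
                alert(f"{path}: {name}")
    finally:
        os.close(fd)
```

inotify reports that the file was opened, not which user or process opened it; `lsof -t filename` only answers that while the file is still held open.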