Process-Management
如何擷取命令程序
眾所周知,
lsof可以知道程序佔用了哪個文件/目錄。但是我想擷取一個命令程序來判斷該命令將呼叫哪個文件/目錄。例如,
useradd將呼叫/etc/passwd和etc/shadow,lastb將呼叫/var/log/btmp。當然,有些程序可能會有條件地打開文件,但我只是在命令呼叫期間對那些文件/目錄感興趣?這些資訊可以通過擷取命令產生的程序知道嗎?如果確實有可能,該怎麼做?
strace可能感興趣。# strace -fe open useradd bob open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 3 open("/usr/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libacl.so.1", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3 open("/proc/filesystems", O_RDONLY) = 3 open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 4 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 4 open("/etc/default/useradd", O_RDONLY) = 4 open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5 open("/etc/group", O_RDONLY|O_CLOEXEC) = 5 open("/etc/login.defs", O_RDONLY) = 4 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4 open("/lib64/tls/x86_64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [etc]