2

As we know, the lsof can know which file/directory is take up by process. But I want to capture a command process to judge which file/directory the command will call.

For example,the useradd will call the /etc/passwd and etc/shadow,the lastb will call the /var/log/btmp. Of course,some programs may conditionally open files, but I am just interested in those files/directories during the command invocating? These information can be known by capturing the process produced by command?

If that is possible indeed, how to do it?

yode
  • 1,047
  • Some programs may conditionally open files; are you interested in all the possible files a program may open, or just the ones it does open during a certain invocation? – Jeff Schaller Jul 04 '17 at 21:58
  • @JeffSchaller Thanks,I have update the question as your case. :) – yode Jul 04 '17 at 22:02

1 Answers1

4

strace may be of interest.

# strace -fe open useradd bob
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libacl.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/proc/filesystems", O_RDONLY)     = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 4
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 4
open("/etc/default/useradd", O_RDONLY)  = 4
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
open("/etc/group", O_RDONLY|O_CLOEXEC)  = 5
open("/etc/login.defs", O_RDONLY)       = 4
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/tls/x86_64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[etc]
steve
  • 21,892