The problem is that I'm not able to keep track of all my files, and I'm also tired of not being able to tell which ones are important and which ones are temporary files that some random programmer decided would look nice as a hidden file in my home folder.

I keep copies and organize my drives, but chaos happens sometimes.

For this I thought that something that would help me create and modify xattrs each time a file changes or is created would be very helpful.

I tried creating a service based on inotify, but the problem is that its low-level description doesn't help that much, and I would need more development to be sure that it's possible, but I suspect that it's not.

The idea is to keep a record of which app created foo, when, why, where, when it was moved from where to where, when it was copied from where to where, how many copies it has, where they are, what files were deleted from its directory, etc.

Maybe I'm asking too much of the filesystem, but can you give me some ideas?

  • One of the inotify tools may well be the right way to go. What did you try and where did you get stuck? – Chris Davies Oct 11 '21 at 19:56
  • @roaima Indeed I didn't get stuck but got lazy about improving my code. I left it when I noticed that there is no copy event but an open+create sequence, so I had to rewrite my code to deduce from sequences instead of trapping events. I also needed some blacklisting method in case some (nasty bash one-liner) program modifies a file 10 times per second. Indeed I should write an entire fs to do this automatically, but that would be even more work. How reliable is inotify? I guess that I can't trust 100% any deductions I get from it. The only event that is straight is MOVE indeed. – Lerian Acosenossa Oct 11 '21 at 20:09
  • Use or patch loggedfs? https://unix.stackexchange.com/questions/13776/how-to-determine-which-process-is-creating-a-file https://unix.stackexchange.com/questions/13794/loggedfs-configuration-file-syntax – Gilles 'SO- stop being evil' Oct 12 '21 at 12:53

1 Answer

The idea is to keep a record of which app created foo, when, why, where, when it was moved from where to where, when it was copied from where to where, how many copies it has, where they are, what files were deleted from its directory, etc.

  • "which app created foo": traditionally Unix-like systems only track which user owns the file (which is initially the same as the user who created it, but sysadmin actions may change that), and applications are treated in this sense just as extensions of the user's will.

  • "when [created]": for this, you need a filesystem with creation time support, known as crtime if supported by a particular Linux filesystem. Not all Unix-like filesystems have that: the three classic timestamps are ctime = the time of last change to file metadata, mtime = the time of last modification to file contents, and atime = the last time the file was accessed. Unlike these three, crtime has very limited support in user-space tools.

  • "why [created]": Oh, you want some teleology too? This is a tricky one. Essentially you would need to have a metadata field associated with the file, and all applications would have to fill it in with meaningful information as they create files. The operating system cannot just know why an application wants to create a particular file unless it's somehow told that, and the application cannot know why the user wants a file created unless it asks the user. But I guess you might want this only as a sort of broad category, like "temporary file", "application configuration file", "user document file" etc. Even so, you might need to update the entire operating system and all the applications to fully implement this.

  • "where": well, knowing where the files are is a pretty fundamental property of a filesystem. But you seem to be after some sort of an audit log.

  • "when it was moved from where to where": note that a move can be identified as such only within a single filesystem. Moves between filesystems are essentially copy+delete operations, which as you discovered are essentially "read from file A; write to file B; delete file A" as far as the operating system is concerned. And unless you trust the application doing that and know that its purpose is exclusively to copy/move things, it is possible that the application might modify the data in some way between the read and write operations, with the OS not knowing about the modification.

To fully realize what you're aiming for, you might have to write an entirely new operating system with all the relevant file management APIs redesigned to track each file's ancestry and teleology.

If you are serious about this, you might want to first take a look at SELinux and/or other Mandatory Access Control systems, and at the Bell-LaPadula model. Those are designed to track files' security status, not their ancestry & teleology, but you might get from them some ideas on how such tracking might be implementable.

telcoM
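The sequence-based deduction raised in the comments, together with the answer's point that a move is only identifiable within one filesystem, can be sketched as follows. This is an added example, not code from the question or the answer: `Event`, `reconstruct`, `burst_window` and `burst_limit` are hypothetical names, and the events are constructed stand-ins for decoded `inotify_event` records (mask name, cookie, path).

```python
from collections import namedtuple

# Constructed stand-in for a decoded inotify event.
Event = namedtuple("Event", "ts mask cookie path")

def reconstruct(events, burst_window=1.0, burst_limit=5):
    """Turn a raw event stream into (kind, src, dst) provenance records."""
    pending = {}        # cookie -> IN_MOVED_FROM still waiting for its partner
    recent = {}         # path -> timestamps of IN_MODIFY inside the window
    blacklisted = set() # paths written too often to be worth logging
    records = []
    for ev in events:
        if ev.mask == "IN_MOVED_FROM":
            pending[ev.cookie] = ev
        elif ev.mask == "IN_MOVED_TO":
            # The kernel gives both halves of a rename the same cookie.
            src = pending.pop(ev.cookie, None)
            if src:
                records.append(("move", src.path, ev.path))
            else:  # source directory was not watched
                records.append(("moved_in", None, ev.path))
        elif ev.mask == "IN_MODIFY" and ev.path not in blacklisted:
            stamps = [t for t in recent.get(ev.path, ())
                      if ev.ts - t <= burst_window] + [ev.ts]
            recent[ev.path] = stamps
            if len(stamps) > burst_limit:
                blacklisted.add(ev.path)
                records.append(("blacklisted", ev.path, None))
            else:
                records.append(("modify", ev.path, None))
        elif ev.mask in ("IN_CREATE", "IN_DELETE"):
            records.append((ev.mask[3:].lower(), ev.path, None))
    # Unpaired IN_MOVED_FROM at end of stream: destination was not watched.
    # A live watcher would need a timeout here instead of end-of-stream.
    records += [("moved_out", e.path, None) for e in pending.values()]
    return records

# Constructed sample stream (not captured from a real system).
SAMPLE = [
    Event(0.0, "IN_CREATE", 0, "/home/u/report.txt"),
    Event(0.1, "IN_MODIFY", 0, "/home/u/report.txt"),
    Event(1.0, "IN_MOVED_FROM", 41, "/home/u/report.txt"),
    Event(1.0, "IN_MOVED_TO", 41, "/home/u/docs/report.txt"),
    Event(2.0, "IN_MOVED_FROM", 42, "/home/u/old.log"),
    Event(3.0, "IN_MOVED_TO", 43, "/home/u/incoming.dat"),
] + [Event(5.0 + i * 0.1, "IN_MODIFY", 0, "/home/u/.cache/x") for i in range(10)]

if __name__ == "__main__":
    for record in reconstruct(SAMPLE):
        print(record)
```

A move across filesystems never produces the cookie pair; it shows up only as a create plus writes on one side and a delete on the other, so it cannot be told apart from an unrelated copy and delete.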