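We know that lsof can show which files/directories a process has open. But I want to capture a command as it runs to determine which files/directories that command will call.
For example, useradd will call /etc/passwd and etc/shadow, and lastb will call /var/log/btmp. Of course, some programs may open files conditionally, but I am only interested in the files/directories touched during the command's invocation. Can this information be obtained by capturing the processes the command spawns?
If it is indeed possible, how can it be done?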
Answer 1
strace may be of interest.
# strace -fe open useradd bob
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libacl.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/proc/filesystems", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 4
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 4
open("/etc/default/useradd", O_RDONLY) = 4
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
open("/etc/group", O_RDONLY|O_CLOEXEC) = 5
open("/etc/login.defs", O_RDONLY) = 4
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/tls/x86_64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[etc]
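An added example, not part of the original answer: a small parser that turns output like the trace above into lists of files read, files opened for writing, and failed opens. It also accepts openat() lines and the [pid N] prefix that -f adds, because newer glibc versions implement open() through the openat syscall and `strace -fe open` can then miss them (`strace -f -e trace=open,openat` captures both). The sample lines and the names parse_opens and summarize are constructed for illustration.

```python
import re

# Constructed sample; the first three lines follow the answer's trace, the
# openat/[pid N] lines are assumptions showing what -f on a newer system prints.
SAMPLE = '''\
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/tls/x86_64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/etc/shadow", O_RDWR|O_CLOEXEC) = 5
[pid 4242] openat(AT_FDCWD, "/etc/passwd.4242", O_WRONLY|O_CREAT|O_EXCL, 0600) = 6
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
+++ exited with 0 +++
'''

LINE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'       # prefix added by strace -f
    r'(?:openat|open)\('
    r'(?:\w+,\s*)?'                          # openat's dirfd (AT_FDCWD or a number)
    r'"(?P<path>(?:[^"\\]|\\.)*)",\s*'       # quoted path, escapes allowed
    r'(?P<flags>[\w|]+)'                     # O_RDONLY|O_CLOEXEC ...
    r'(?:,\s*\d+)?\)\s*=\s*'                 # optional mode argument
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>[A-Z]+))?'
)

def parse_opens(text):
    """Return one dict per completed open()/openat() line in strace output."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # signals, exit markers, unfinished calls, other syscalls
        flags = m['flags'].split('|')
        events.append({
            'pid': int(m['pid']) if m['pid'] else None,
            'path': m['path'],
            'write': 'O_WRONLY' in flags or 'O_RDWR' in flags,
            'ok': int(m['ret']) >= 0,
            'errno': m['errno'],
        })
    return events

def summarize(events):
    """Split paths into (read, opened for writing, failed), each sorted."""
    read, written, failed = set(), set(), set()
    for e in events:
        bucket = failed if not e['ok'] else written if e['write'] else read
        bucket.add(e['path'])
    return sorted(read), sorted(written), sorted(failed)

if __name__ == '__main__':
    for label, paths in zip(('read', 'write', 'failed'), summarize(parse_opens(SAMPLE))):
        print(label, paths)
```

Saving the trace with strace's -o option and passing the file's contents to parse_opens keeps the traced command's own output out of the parse.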