Which process created file linux

How find out which process is using a file in Linux?

I tried to remove a file in Linux using rm -rf file_name , but got the error:

How can I find out which process is using this file?

4 Answers 4

You can use the fuser command, like:

You will receive a list of processes using the file.

You can use different flags with it, in order to receive a more detailed output.

You can find more info in the fuser’s Wikipedia article, or in the man pages.

@jim’s answer is correct — fuser is what you want.

Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (THough of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option — check the man page for details.)

For example, with a tail -F /etc/passwd running in one window:

Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.

For users without fuser :

Although we can use lsof, there is another way i.e., we can query the /proc filesystem itself which lists all open files by all process.

Sample output below:

l-wx——. 1 root root 64 Aug 15 02:56 /proc/5026/fd/4 -> /var/log/filename.log

From the output, one can use the process id in utility like ps to find program name

Источник

Is it possible to find out what program or script created a given file?

Three files have suddenly appeared in my home directory, called «client_state.xml», «lockfile», and «time_stats_log». The last two are empty. I’m wondering how they got there. It’s not the first time it has happened, but the last time was weeks ago; I deleted the files and nothing broke or complained. I haven’t been able to think of what I was doing at the time reported by stat $filename . Is there any way I can find out where they came from?

Alternatively, is there a way to monitor the home directory (but not sub-directories) for the creation of files?

7 Answers 7

You can watch everything that happens on a filesystem by accessing it over LoggedFS. This is a stacked filesystem that logs every access in a directory tree.

Logging your whole home directory might slow your system down though. You’ll at least want to write a configuration file with stringent filters.

If you have root access, on Linux, you can use the audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl . Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

or in the long form

If you put a watch on a directory (with -w or -F dir= ), the files in it and its subdirectories recursively are also watched.

I don’t believe there is a way to determine which program created a file.

For your alternative question: You can watch for the file to be recreated, though, using inotify . inotifywait is a command-line interface for the inotify subsystem; you can tell it to look for create events in your home directory:

You probably want to run it with -m (monitor), which tells it not to exit after it sees the first event

I know this is an old question, but I’ll suggest another approach just in case someone finds it useful. I originally posted this as an answer to a question that was duped to this one.

One option is to use sysdig : an open-source system monitoring application. Using it, you can monitor for activity on a file by name. Suppose that you wanted to see what process was creating a file named /tmp/example.txt :

From that output, you can see that a process named touch with pid 5470 opened the file.

If you want more information, you could run in «capture mode» where a system call trace is collected:

Then wait for the file to be created, then stop sysdig and run:

That’ll let you explore everything that happened. You can press and select Files , the press to search for the filename, then press to «dig» (which will show you output similar to the command above). With that, you can then use the same approach to find information about the process that actually created the file.

There’s a GUI version of csysdig called sysdig-inspect , if that’s more your cup of tea.

Источник

How to check running process in Linux using command line

I am a new system administrator for the Linux operating system. How do I check running process in Linux using the command line option?

Tutorial details
Difficulty level	Easy
Root privileges	Yes
Requirements	Linux terminal
Est. reading time	4 mintues

One can use the Linux command line or terminal app to display a running process, change their priorities level, delete process and more. This page shows how to use various commands to list, kill and manage process on Linux.

Check running process in Linux

The procedure to monitor the running process in Linux using the command line is as follows:

1. Open the terminal window on Linux
2. For remote Linux server use the ssh command for log in purpose
3. Type the ps aux command to see all running process in Linux
4. Alternatively, you can issue the top command or htop command to view running process in Linux

Let us see some example and usage in details.

Please note that vivek@nixcraft:

$ is my shell prompt. You need to type commands after the $ prompt.

How to manage processes from the Linux terminal

The ps command is a traditional Linux command to lists running processes. The following command shows all processes running on your Linux based server or system:
vivek@nixcraft:

$ ps -aux
vivek@nixcraft:

1. root – User name
2. 1 – PID (Linux process ID)
3. 19:10 – Process start time
4. /sbin/init splash – Actual process or command

There may be too many processes. Hence, it uses the following less command/more command as pipe to display process one screen at a time:
vivek@nixcraft:

$ ps -aux | more
vivek@nixcraft:

$ sudo ps -aux | less
Press q to exit from above Linux pagers. You can search for a particular Linux process using grep command/egrep command:
vivek@nixcraft:

$ ps aux | grep firefox
vivek@nixcraft:

$ sudo ps aux | grep vim
vivek@nixcraft:

$ sudo ps -aux | egrep ‘sshd|openvpn|nginx’

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

Linux pgrep command

Many variants of Linux comes with the pgrep command to search/find process. The syntax is:
vivek@nixcraft:

$ sudo pgrep sshd
vivek@nixcraft:

$ pgrep vim
vivek@nixcraft:

$ pgrep firefox
vivek@nixcraft:

Linux top command

The top command is another highly recommended method to see your Linux servers resource usage. One can see a list of top process that using the most memory or CPU or disk.
vivek@nixcraft:

$ sudo top
vivek@nixcraft:

Linux htop command to check running process in Linux

The htop command is an interactive process viewer and recommended method for Linux users. One can see a list of top process that using the most memory or CPU or disk and more:
vivek@nixcraft:

$ sudo htop
vivek@nixcraft:

Linux kill command

Want to kill a process? Try kill command. The syntax is:
vivek@nixcraft:

$ kill pid
vivek@nixcraft:

$ kill -signal pid
Find PID using ps, pgrep or top commands. Say you want to kill a PID # 16750, run:
vivek@nixcraft:

$ kill 16750
For some reason if the process can not be killed, try forceful killing:
vivek@nixcraft:

$ kill -9 16750
OR
vivek@nixcraft:

$ kill -KILL 16750

Linux pkill command

If you wish to kill a process by name, try pkill command. The syntax is:
vivek@nixcraft:

$ pkill processName
vivek@nixcraft:

$ pkill vim
vivek@nixcraft:

$ pkill firefox
vivek@nixcraft:

$ pkill -9 emacs
vivek@nixcraft:

$ sudo pkill -KILL php7-fpm

Linux killall command

The killall command kills processes by name, as opposed to the selection by PID as done by kill command:
vivek@nixcraft:

$ killall vim
vivek@nixcraft:

$ killall -9 emacs

Linux nice and renice command

The primary purpose of the nice command is to run a process/command at a lower or higher priority. Use the renice command to alter the nice value of one or more running Linux processes. The nice value can range from -20 to 19, with 19 being the lowest priority. Say, you want to compile software on a busy Linux server. You can set a very low priority, enter:
vivek@nixcraft:

$ nice -n 13 cc -c *.c &
Set a very high priority for a kernel update. Before rebooting Linux server, run:

Источник

How to Find Out Who is Using a File in Linux

In this article, we will explain how to find out who is using a particular file in Linux. This will help you know the system user or process that is using an open file.

We can use the lsof command to know if someone is using a file, and if they are, who. It reads kernel memory in its search for open files and helps you list all open files. In this case, an open file may be a regular file, a directory, a block special file, a character special file, a stream, a network file and many others – because in Linux everything is a file.

Lsof is used on a file system to identify who is using any files on that file system. You can run lsof command on Linux filesystem and the output identifies the owner and process information for processes using the file as shown in the following output.

To list user specific opened files, run the following command replace tecmint with the actual user name.

Another important use of lsof is to find out the process listening on a specific port. For example identify the process listening on port 80 using the following command.

Note: Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may result into unpredictable outputs. This is one of the major downsides of using lsof command.

For more information, look at the lsof man page:

That’s all! In this article, we have explained how to know who is using a particular file in Linux. We have shown how to identify the owner and process information for processes using an open file. Use the feedback form below to reach us for any questions or comments.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

We are thankful for your never ending support.

Источник

Linux track all files accessed by process?

Is there a way to track all file I/O for a given process? All I really need is the locations of files being read from/written to from a given process (and ideally if it was a read or write operation although that’s not as important).

I can run the process and track it rather than needing to attach to an existing process which I would assume is significantly simpler. Is there any kind of wrapper utility I can run a process though that will monitor file access?

4 Answers 4

Try doing this as a starter :

this command will list all opened files, fd, sockets.

For your special needs, see what I can offer as a solution to monitor a php script :

As a better alternative, I recommend the use of strace :

or for an already running process :

Besides strace there is another option which does not substantially slow down the monitored process. Using the Liunx kernel’s fanotify (not to be confused with the more popular inotify) it is possible to monitor whole mount-points for IO-activity. With unshared mountnamespaces the mounts of a given process can be isolated fromt the rest of the system (a key technology behind docker).

An implementation of this concept can be found in shournal, which I am the author of.

Example on the shell:

strace is an amazing tool but its output is a bit verbose.
If you want you can use a tool I’ve written which processes strace output and provide a CSV report of all files accessed (TCP sockets too) with the following data:
1. Filename
2. Read/Written bytes
3. Number of read/write operations
4. Number of time the file was opened

It can be run on new processes or processes already running (using /proc/fd data).
I found it useful for debugging scenarios and performance analysis.
You can find it here: iotrace

Afterward, you can process the CSV data in Excel or other tools for sorting or other analysis required.
The downside is you need to download & compile and it isn’t always 100% accurate.

Источник