[nycbug-talk] how to "watch" a file?

Jeff Quast af.dingo at gmail.com
Wed Dec 6 12:05:39 EST 2006


On 12/4/06, Charles Sprickman <spork at bway.net> wrote:
> Hi all,
>
> I'm still tracking down a really weird problem, and each time I think I've
> got a line on the cause, it turns out to be a dead end.
>
> In short, I've got a mail "toaster" running qmail w/vpopmail.  It's a
> pretty simple setup that leverages qmail's weird "-" aliasing.  It calls
> it's own delivery agent to handle final delivery.  All messages are stored
> in Maildir format, and quotas are enforced using the mechanism in
> Maildir++ which relies on size info being stored in a file called
> "maildirsize" in the root of the user's Maildir.
>
> Problem:  Something is messing with this file and leaving it owned by
> root.  This breaks all sorts of things (overquota users can get more mail,
> imapd won't read it and report the quota in webmail, and other oddities).
>
> I thought that I'd caught qmail-local running as root, which it should
> never, ever do.  But that may not be it as I have a wrapper in place that
> will bail and log if it's called as root.  So far I'm not seeing it trip,
> but I'm still seeing some users ending up with a root-owned maildirsize
> file.
>
> I want to take a different approach - I've got some overquota/locked users
> that this happens to all the time.  Is there something I can put in the
> maildirsize location that will look/act like a file, but is not a file?
> Something that would record what process touched it and as who?
>
> Any other ways to "watch" a file and record the above info each time it's
> manipulated?
>
> Thanks,
>
> Charles

I may not fully understand your question, but I would probobly do
something like (psuedo-code not tested probobly needs work!):

file=/usr/home/some/maildir
oldstate=$(stat ${file})
while [ 0 ]; do
  state="$(stat $file)"
  if [ X"$state" != X"$oldstate" ]; then
    fstat ${file}
    exit
  fi
  oldstate="${state}"
done

I'm not sure it'll be fast enough to "catch" the perpetrator , but its
worth a shot.

There should be some sort of tool that holds a fifo or pipe, blocks
stdin from writing until it can fstat and know the perpetrator, then
let it finish. Or you could write one with the help of aup book...



More information about the talk mailing list