You still can use lsof, even for deleted files.
There is always more than one way to do it...

On Sat, 2005-12-03 at 10:19 +1100, Arafangion wrote:
> On Sat, 3 Dec 2005 10:58 am, Marcello Di Marino Azevedo wrote:
> > fuser - identify processes using files or sockets.
> >
> > debian:/var/log# fuser syslog
> > syslog: 3407
> > debian:/var/log# fuser -u syslog
> > syslog: 3407(root)
>
> Yes, it identifies processes _using_ files or sockets.
> In other words, knowing the file or socket is a prerequisite for identifying
> the process.
>
> What if you've deleted the file in question, but said process still has it
> open? How can you then identify which processes are using the deleted file -
> despite no longer having the entry available.
>
> >
> > On Sat, 2005-12-03 at 09:50 +1100, Arafangion wrote:
> > > On Sat, 3 Dec 2005 10:42 am, René Seindal wrote:
> > > > Roberto C. Sanchez wrote (03-12-2005 00:34):
> > >
> > > <snip>
> > >
> > > > > That is because, although auth.log is gone, any file descriptors that
> > > > > were open to it are still available. Thus, until all the file
> > > > > descriptors have also been released, the file still "exists." If you
> > > > > are not certain of which applications on your system normally write
> > > > > to auth.log, your best option may be a reboot.
> > >
> > > This leads to an interesting question - are there any tools that can
> > > reveal "lost" files - those who no longer have an entry in the fs, but
> > > are still open?
> > >
> > > I would imagine that certain sockets and temp files would fall in this
> > > category.
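Added example, not part of the original thread: one way to answer the question raised above without lsof is to walk /proc/<pid>/fd, where Linux appends " (deleted)" to the link target of a descriptor whose directory entry has been unlinked. The function name and its optional proc-root argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: list processes that still hold an unlinked file open.
# Assumes a Linux /proc; run as root to see other users' processes.
# find_deleted_open and its optional proc-root argument are hypothetical names.

find_deleted_open() {
    proc_root="${1:-/proc}"
    suffix=' (deleted)'
    for fd_link in "$proc_root"/[0-9]*/fd/[0-9]*; do
        # Unreadable or vanished entries (permissions, exited processes,
        # an unmatched glob) are skipped rather than treated as errors.
        target=$(readlink "$fd_link" 2>/dev/null) || continue
        case "$target" in
            *"$suffix") ;;          # directory entry is gone, fd still open
            *) continue ;;          # regular path, socket:[...], pipe:[...]
        esac
        fd=${fd_link##*/}           # last path component is the fd number
        pid=${fd_link%/fd/*}        # strip "/fd/<n>" ...
        pid=${pid##*/}              # ... and keep the pid directory name
        # Output: pid <TAB> fd <TAB> original path
        printf '%s\t%s\t%s\n' "$pid" "$fd" "${target%"$suffix"}"
    done
}

# Scan the live system (or the proc root given as the first argument).
find_deleted_open "$@"
```

While the process keeps the descriptor open, the contents can still be read back through /proc/<pid>/fd/<fd>, which matters when a log such as auth.log was removed and needs to be preserved before the writer is restarted.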