I want to monitor a file while it's moving in the system. Can iNotify tell me its new position whenever it moves?
3 Answers
You can grab a file descriptor to the file before the move and read the symlink at `'/proc/self/fd/' + $fd`, where $fd is your file descriptor; this file descriptor will point to your file. Note I have only tested this on ext4 and it works with LVM2, but does not work with OverlayFS. Also, opening a file descriptor will block remove events from being fired for the file.
There may also be issues between Linux kernel versions.

- It's not very clear how it can be used. – dani 'SO learn value newbies' Nov 10 '21 at 23:22
- Background: https://en.wikipedia.org/wiki/File_descriptor https://en.wikipedia.org/wiki/Open_(system_call) https://en.wikipedia.org/wiki/Symbolic_link Creating a file handle to the file before the move operation will allow you to track its new location by reading the symlink at: `'/proc/self/fd/' + $fd`. Most programming languages have a way to open a file. When a file is opened by a process, it creates a file descriptor, which is usually represented by a unique number issued by the operating system; that is the $fd variable in question. – Speedy Nov 12 '21 at 01:21
- I'd used auditctl and it worked (but required sudo). – dani 'SO learn value newbies' Nov 12 '21 at 17:35
If you're watching both the directory the file was moved from, and the directory the file was moved to, then you will receive an `IN_MOVED_FROM` event on the source directory and an `IN_MOVED_TO` event on the target directory, both with the same `cookie`. You can then use the `name` fields of the two events to find out where the file was moved to and from.
If you're only watching the source directory, or only the target directory, then you will only get one of the events, so you will only have half of the info. This is a limitation of inotify.

- How about monitoring the file with "IN_MOVE_SELF"? I don't know where a file will be moved, so I need to know the new file path when it's moved. – Amanda Feb 16 '11 at 01:41
- No, like I said, you won't get any information about the move destination unless you're watching the directory it moved to. – hobbs Feb 17 '11 at 22:25
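The cookie pairing described in the answer above, as an added example that is not part of the original posts: it parses raw `struct inotify_event` records and matches `IN_MOVED_FROM` with `IN_MOVED_TO` by `cookie`, reporting the half-events you get when only one side is watched. The helper names `parse_events`, `pair_moves` and `watch_and_move` are hypothetical, and the live run assumes Linux with temporary directories on one filesystem.

```python
import ctypes
import os
import struct
import tempfile

IN_MOVED_FROM, IN_MOVED_TO = 0x40, 0x80
EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

def parse_events(buf):
    """Yield (wd, mask, cookie, name) for each record in a raw inotify read buffer."""
    off = 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, cookie, nlen = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        name = buf[off:off + nlen].split(b"\0", 1)[0].decode()  # name is NUL-padded
        off += nlen
        yield wd, mask, cookie, name

def pair_moves(events, wd_to_dir):
    """Match IN_MOVED_FROM/IN_MOVED_TO by cookie; return (moves, unmatched_sources)."""
    pending, moves = {}, []
    for wd, mask, cookie, name in events:
        path = os.path.join(wd_to_dir[wd], name)
        if mask & IN_MOVED_FROM:
            pending[cookie] = path
        elif mask & IN_MOVED_TO:
            # Source is None when the directory the file came from is not watched.
            moves.append((pending.pop(cookie, None), path))
    # A FROM left without a TO: the destination directory is not watched.
    return moves, sorted(pending.values())

def watch_and_move():
    """Live run (Linux only): watch two temp dirs and move files between them."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    src, dst, other = (tempfile.mkdtemp() for _ in range(3))  # 'other' is unwatched
    wd_to_dir = {libc.inotify_add_watch(fd, d.encode(), IN_MOVED_FROM | IN_MOVED_TO): d
                 for d in (src, dst)}
    for name, target in (("a.txt", dst), ("b.txt", other)):
        open(os.path.join(src, name), "w").close()
        os.rename(os.path.join(src, name), os.path.join(target, name))
    buf = os.read(fd, 4096)  # events were queued synchronously by rename()
    os.close(fd)
    return pair_moves(parse_events(buf), wd_to_dir)

if __name__ == "__main__":
    moves, unmatched = watch_and_move()
    print("moved:", moves)
    print("left to an unwatched directory:", unmatched)
```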
According to @slightly_toasted's answer there, you can use `sudo auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE`.
The `DONT_MOVE` key/tag is what identifies the file/folder you'll be monitoring.
You can create different tags for the different files/folders you are going to watch.
To ensure that these rules are stored, append the same command (except `auditctl`), `-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE`, to the `/etc/audit/audit.rules` file.
For this, you can use: `sudo echo "-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE" >> /etc/audit/audit.rules` (it says permission denied, so it needs a fix).
Then:
The file/folder is missing and you want to know its new path? Use `ausearch -k DONT_MOVE` (`DONT_MOVE` or any other tag you chose individually for every file/folder you wanted to monitor).
