How do I know which file a program is trying to access?

files process

Solution 1:

(I first posted my answer at this askubuntu question, but removed it from there and posted it here, as it is more relevant.)

There are several ways you can investigate what files and libraries processes have opened; the main tools are lsof, strace and ltrace. Sometimes it is necesary to run them with sudo, so the program has access to everything it needs to gain an accurate snapshot of what a program is calling.

1) With lsof you need to find the process id you want to query, so use, for example:

lsof -c firefox

which will list all the files firefox has open and all its calls to system shared libraries. (Firefox currently has a pid of 3310 on my system, so you could also use lsof -p 3310, but you would have had to look up the process id first with ps aux | grep [f]irefox ). More information on lsof is detailed in this useful IBM article.

2) ltrace and strace have very similar functions and options, and are very useful for finding out detailed information about what calls a process is making. The main difference is that ltrace usually only traces library calls (although it can trace system calls with the -S option), while strace traces both library and other system calls. More information on tracing processes is available in this IBM article. Lsof is probably more useful for you if you want to examine an already running process but strace can also do this and monitor the calls in real time when given a process pid (sudo is always used when one attaches to a process): 

sudo strace -p 3310

but it is much more useful to launch the program with strace and see what was called, as in the following example:

strace -f -e trace=open /usr/bin/firefox

You can just run strace with the target process and no options, but the switches here mean that child processes are traced (-f) and that all open system calls are traced (-e trace=open) If you want to save the output to file you can specify -o ~/firefox.trace before specifying /usr/bin/firefox.

If you want a summary list of library calls, for example, you could use

ltrace -c /usr/bin/leafpad

and then exit the program and the list would be produced. Omit the -c option to view the calls in real time.

The results from strace and ltrace may not be greatly useful to you, as they are difficult to decipher unless you know what you are looking for, but lsof should provide some basic useful information.

Solution 2:

Easiest way to do this seems to be to run the program through strace and watch for stat64() calls (which get file info) or open() calls which open files.

So you do:

strace -e stat64 -e open [program name]

And in the resulting output look for:

(No such file or directory)

The path it was trying to open should be to the left of this error.

Related

How can I duplicate my existing software packages on a new system?
Errors "*ERROR* UVD not responding, trying to reset the VCPU!!!"
Ubuntu 18.04 not working with Intel Integrated Graphics
How to boot Ubuntu from SSD drive which cannot be selected as boot device?
No sound in Ubuntu 18.04 HP notebook
Zeitgeist does not index folders in NTFS partition
How do I join a Windows Active Directory?
How to install latest Code::Blocks from tar.xz?
How can I enable hardware acceleration for an ATI Radeon HD?
Discs in DVD Drive not being read
Why removing gnome-core does not remove all of it's dependencies?
Error parsing PCC subspaces from PCCT: ACPI PCC probe failed