How do I know which file a program is trying to access?
Solution 1:
(I first posted my answer at this askubuntu question, but removed it from there and posted it here, as it is more relevant.)
There are several ways you can investigate what files and libraries processes have opened; the main tools are lsof
, strace
and ltrace
. Sometimes it is necesary to run them with sudo
, so the program has access to everything it needs to gain an accurate snapshot of what a program is calling.
1) With lsof
you need to find the process id you want to query, so use, for example:
lsof -c firefox
which will list all the files firefox
has open and all its calls to system shared libraries. (Firefox currently has a pid of 3310 on my system, so you could also use lsof -p 3310
, but you would have had to look up the process id first with ps aux | grep [f]irefox
). More information on lsof
is detailed in this useful IBM article.
2) ltrace
and strace
have very similar functions and options, and are very useful for finding out detailed information about what calls a process is making. The main difference is that ltrace
usually only traces library
calls (although it can trace system calls with the -S
option), while strace
traces both library
and other system
calls. More information on tracing processes is available in this IBM article. Lsof
is probably more useful for you if you want to examine an already running process but strace
can also do this and monitor the calls in real time when given a process pid (sudo is always used when one attaches to a process):
sudo strace -p 3310
but it is much more useful to launch the program with strace
and see what was called, as in the following example:
strace -f -e trace=open /usr/bin/firefox
You can just run strace
with the target process and no options, but the switches here mean that child processes are traced (-f
) and that all open system calls are traced (-e trace=open
)
If you want to save the output to file you can specify -o ~/firefox.trace
before specifying /usr/bin/firefox
.
If you want a summary list of library calls, for example, you could use
ltrace -c /usr/bin/leafpad
and then exit the program and the list would be produced. Omit the -c
option to view the calls in real time.
The results from strace
and ltrace
may not be greatly useful to you, as they are difficult to decipher unless you know what you are looking for, but lsof
should provide some basic useful information.
Solution 2:
Easiest way to do this seems to be to run the program through strace
and watch for stat64() calls (which get file info) or open() calls which open files.
So you do:
strace -e stat64 -e open [program name]
And in the resulting output look for:
(No such file or directory)
The path it was trying to open should be to the left of this error.