On Mon, Nov 10, 2008 at 2:36 PM, ashish mahamuni <[EMAIL PROTECTED]> wrote:
> Hello All,
>
> I am trying to write a module which will log the user who deleted the
> file...
> So, I am thinking of hooking the unlink system call...
> Which is the best way to achieve this?
> Is it possible in 2.6 kernel?
>
Hi Ashish,
Can we know your intention behind hooking the unlink call? Do
you wish to log the deletion to detect malicious users who delete files or
is it for any other reason? If avoiding malice is your intention (since you
say 'user who deleted _the_ file'), then you'll have to check a lot of other
syscalls too. A user could just 'dd' the file with zeroes and unlink will
never be called; yet, the file is as good as deleted (actually worse).
Just a thought...
Best regards,
Pranav
http://pranavsbrain.peshwe.com
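
The coverage gap described in the reply above, shown as an added example that is not code from the thread: a classifier over Linux audit SYSCALL records that flags every call able to destroy a file's content, not only unlink. It assumes raw (uninterpreted) audit records from an x86_64 host; the function names and the sample records are constructed for illustration.

```python
import re

# x86_64 syscall numbers (assumption: raw audit records from that architecture).
# rename is included because renaming onto an existing path replaces it.
DESTRUCTIVE = {87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat",
               76: "truncate", 77: "ftruncate"}
OPENERS = {2: ("open", "a1"), 257: ("openat", "a2")}  # argument holding the flags
O_ACCMODE, O_TRUNC = 0o3, 0o1000
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def classify(record):
    """Return (auid, comm, reason) if the record can destroy file content, else None."""
    f = {k: v.strip('"') for k, v in FIELD.findall(record)}
    if f.get("type") != "SYSCALL" or f.get("success") != "yes":
        return None
    nr = int(f["syscall"])
    if nr in DESTRUCTIVE:
        reason = DESTRUCTIVE[nr]
    elif nr in OPENERS:
        name, arg = OPENERS[nr]
        flags = int(f[arg], 16)      # audit prints a0..a3 as bare hex
        if flags & O_TRUNC:
            reason = name + " with O_TRUNC"
        elif flags & O_ACCMODE:      # O_WRONLY or O_RDWR: overwrite in place
            reason = name + " for writing"
        else:
            return None              # read-only open
    else:
        return None
    return f.get("auid"), f.get("comm"), reason

def report(records):
    """Classify each record and keep only the destructive ones."""
    return [hit for hit in map(classify, records) if hit]

# Constructed sample records (not captured from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1226309760.101:41): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd1c2a a1=0 a2=0 a3=0 auid=1000 comm="rm" key="watched"',
    'type=SYSCALL msg=audit(1226309775.202:42): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2a a1=241 a2=1b6 a3=0 auid=1001 comm="dd" key="watched"',
    'type=SYSCALL msg=audit(1226309790.303:43): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2a a1=41 a2=1b6 a3=0 auid=1001 comm="dd" key="watched"',
    'type=SYSCALL msg=audit(1226309805.404:44): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2a a1=0 a2=0 a3=0 auid=1002 comm="cat" key="watched"',
]

if __name__ == "__main__":
    for auid, comm, reason in report(SAMPLE):
        print(f"auid={auid} comm={comm}: {reason}")
```

The second and third sample records are the dd case from the reply: the file is opened for writing (with and without truncation) and no unlink record is ever produced.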