On Mon, Nov 10, 2008 at 2:36 PM, ashish mahamuni <[EMAIL PROTECTED]> wrote:

> Hello All,
>
> I am trying to write a module which will log the user who deleted the
> file...
> So, I am thinking of hooking the unlink system call...
> Which is the best way to achieve this?
> Is it possible in 2.6 kernel?
>

Hi Ashish,

Can we know your intention behind hooking the unlink call? Do you wish to log the deletion to detect malicious users who delete files, or is it for any other reason?

If avoiding malice is your intention (since you say 'user who deleted _the_ file'), then you'll have to check a lot of other syscalls too. A user could just 'dd' the file with zeroes and unlink will never be called; yet, the file is as good as deleted (actually worse).

Just a thought...

Best regards,
Pranav
http://pranavsbrain.peshwe.com
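The point made in the reply above, shown from the monitoring side as an added example that is not part of the original thread: a watcher that compares file state before and after an action sees data loss in cases where no unlink happens. The function names (`snapshot`, `classify`, `demo`) and the sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record the state a file-integrity monitor would keep for one path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"exists": False}
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"exists": True, "inode": st.st_ino,
            "size": st.st_size, "sha256": digest}

def classify(before, after):
    """Name the kind of loss by comparing two snapshots of the same path."""
    if not after["exists"]:
        return "unlinked"      # the only case an unlink-only logger records
    if after["inode"] != before["inode"]:
        return "replaced"      # another file was renamed over the path
    if after["size"] < before["size"]:
        return "truncated"     # truncate(2) or open(2) with O_TRUNC
    if after["sha256"] != before["sha256"]:
        return "overwritten"   # plain write(2), e.g. dd with zeroes
    return "unchanged"

def demo():
    """Apply four actions to constructed sample files and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for action in ("zero", "truncate", "rename_over", "unlink"):
            path = os.path.join(d, action + ".dat")
            with open(path, "wb") as f:
                f.write(b"constructed sample record\n" * 4)
            before = snapshot(path)
            if action == "zero":
                with open(path, "r+b") as f:   # overwrite in place
                    f.write(b"\0" * before["size"])
            elif action == "truncate":
                os.truncate(path, 0)
            elif action == "rename_over":
                other = path + ".new"
                with open(other, "wb") as f:
                    f.write(b"\0" * before["size"])
                os.replace(other, path)        # rename(2), no unlink(2)
            else:
                os.unlink(path)
            results[action] = classify(before, snapshot(path))
    return results

if __name__ == "__main__":
    print(demo())
```

Only the last of the four cases would appear in a log built solely on the unlink path.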