
I need to find out all the file system modifications an installer did. Most likely the installed package is an rpm or deb, but an app could of course be simply copied over or compiled and installed with the configure;make;make install way. Even though rpm and deb have file lists, their post install scripts could do additional file system modifications.

I first went looking for an application that could monitor another application to find all file system modifications the other app did. I haven't found any.

Next I looked into layered file systems, thinking before I started the app install I'd put in a layered file system and then install the app on the layered file system, and then find out all the modifications that happened in the layer. The best I could find was mini_fo but it seems it hasn't been maintained since 2006. It also does not seem like it could just be overlaid on / (this hides some stuff from the layer).

Then I looked into inotify-based solutions, but it seems like it is impractical for monitoring everything starting from /. For example, inotifywatch (linux.die.net/man/1/inotifywatch) mentions by default the limit of watches is just 8k. It also takes some time to install the watchers. There also appear to be bugs, where newly created directories are not immediately watched so changes in them can be missed.

Apart from taking snapshots from the file system before and after installation and comparing, is there any other way of achieving what I want to do?

5 Answers

5

I would be tempted to try running your install via strace. It will be a bit noisy, but among all the other things it logs, you should be able to see everything that gets written.

Here is a command that seemed to get close to showing all file accesses during an installation without too much noise.

sudo strace -o /tmp/install.log -f -e trace=file apt-get install package
Zoredache
  • Promising. But it seems strace cannot reliably follow other processes the installer launches (there is a period of time when a child is unmonitored, per the docs). –  Nov 18 '09 at 23:53
  • You need to add the -f option to follow created processes. – Zoredache Nov 18 '09 at 23:59
  • Right, but the docs for -f say: "children may run uncontrolled for a while". –  Nov 19 '09 at 00:39
  • Since it seems this is as close to the answer I can get, I'm awarding this as the accepted answer. –  Nov 19 '09 at 00:42
  • @Zoredache: +1 Seems like a very useful oneliner. Thanks – Born To Ride Nov 19 '09 at 00:42
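The one-liner above logs every file-related syscall, so most of the output is reads, stats and execs. What you actually want is the subset that changed something. The following is an added example, not part of Zoredache's answer: a small POSIX sh/awk filter that reduces an `strace -o FILE -f -e trace=file` log to the paths that were created, written, renamed, deleted or had their attributes changed, keeping only calls that succeeded and skipping the `<unfinished ...>` / `resumed>` fragments that `-f` produces. The sample log embedded in `make_sample_log` is constructed to look like strace's `-o` output; it is not a real capture.

```shell
#!/bin/sh
# Added example: reduce an `strace -f -e trace=file` log to the paths the
# traced process tree modified. Assumes the log was written with `-o FILE`,
# i.e. each line is "<pid>  syscall(args) = retval" (the PID prefix is optional).
# Output lines are "W path" (created/written/attributes changed) or "D path"
# (removed or renamed away), de-duplicated and sorted.
extract_writes() {
    awk '
    # Partial lines and event notices carry no complete call: skip them.
    /<unfinished \.\.\.>|resumed>|\+\+\+ |--- / { next }
    {
        line = $0
        sub(/^[0-9]+ +/, "", line)                 # drop the PID prefix
        if (match(line, /^[a-z_0-9]+\(/) == 0) next
        name = substr(line, 1, RLENGTH - 1)        # syscall name
        rest = substr(line, RLENGTH + 1)           # args...) = retval
        n = split(rest, parts, " = ")
        ret = parts[n]
        if (ret ~ /^-1/) next                      # failed call: nothing changed
        # First two quoted strings are the path arguments (AT_FDCWD etc. are unquoted).
        p1 = ""; p2 = ""; tail = ""
        if (match(rest, /"[^"]*"/)) {
            p1 = substr(rest, RSTART + 1, RLENGTH - 2)
            tail = substr(rest, RSTART + RLENGTH)
        }
        if (p1 != "" && match(tail, /"[^"]*"/)) p2 = substr(tail, RSTART + 1, RLENGTH - 2)
        if (name ~ /^(open|openat|creat)$/) {
            # Only opens that can write or create count as modifications.
            if (name == "creat" || rest ~ /O_WRONLY|O_RDWR|O_CREAT|O_TRUNC/) print "W " p1
        } else if (name ~ /^(rename|renameat|renameat2|link|linkat|symlink|symlinkat)$/) {
            print "W " p2                          # destination path is written
            if (name ~ /^rename/) print "D " p1    # source path disappears
        } else if (name ~ /^(unlink|unlinkat|rmdir)$/) {
            print "D " p1
        } else if (name ~ /^(mkdir|mkdirat|chmod|fchmodat|chown|lchown|fchownat|truncate|utimes|utimensat)$/) {
            print "W " p1
        }
    }' "$1" | sort -u
}

# Constructed sample in strace -o/-f format (not a real capture) for offline use.
make_sample_log() {
    cat > "$1" <<'EOF'
1234  execve("/usr/bin/apt-get", ["apt-get", "install", "package"], 0x7ffd) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  stat("/usr/bin/dpkg", {st_mode=S_IFREG|0755, st_size=337760, ...}) = 0
1235  openat(AT_FDCWD, "/var/lib/dpkg/status-new", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1235  rename("/var/lib/dpkg/status-new", "/var/lib/dpkg/status") = 0
1235  mkdir("/usr/share/doc/package", 0755) = 0
1235  openat(AT_FDCWD, "/usr/share/doc/package/copyright", O_WRONLY|O_CREAT|O_EXCL, 0644) = 5
1236  openat(AT_FDCWD, "/etc/package.conf", O_WRONLY|O_CREAT, 0644) = -1 EACCES (Permission denied)
1236  unlink("/var/lib/dpkg/tmp.ci/control") = 0
1236  symlink("../lib/package/bin", "/usr/bin/package") = 0
1236  chmod("/usr/bin/package", 0755) = 0
1235  openat(AT_FDCWD, "/var/cache/apt/pkgcache.bin",  <unfinished ...>
1235  <... openat resumed>) = 6
1235  +++ exited with 0 +++
EOF
}

# Usage: sudo strace -o /tmp/install.log -f -e trace=file apt-get install package
#        extract_writes /tmp/install.log
if [ "$#" -gt 0 ]; then extract_writes "$1"; fi
```

Paths are printed exactly as the installer passed them to the kernel, so relative paths need the process's working directory to resolve (strace's `-y`/`--decode-fds` and `-P` options do not fix that); the temporary file `status-new` showing up as both `W` and `D` is the usual write-then-rename pattern, and the failed open of `/etc/package.conf` is correctly absent.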
5

This question's already been answered, but I'll toss in what I do anyway. If all you want is to see if files were created, removed, or changed, you can do this:

find / -xdev -printf '%p\t%c\n' |sort >/tmp/before
rpm/dpkg/apt-get/yum/whatever
find / -xdev -printf '%p\t%c\n' |sort >/tmp/after
diff -u /tmp/before /tmp/after |less

That's it. It clearly won't tell you how a file was changed, but at least you'll know that it did change in some way.

Jeff Snider
  • Thank you. I like the simplicity. I might be able to use this approach in some cases. –  Nov 19 '09 at 18:42
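Jeff's listing keys on path and ctime, which tells you that something happened to a file but not what, and it misses nothing only as long as the installer does not also touch ctime. As an added example (not part of the answer above), the following takes the same before/after approach but records type, mode, size and a SHA-256 digest per path, so same-size rewrites are caught, and reduces the diff to `A`/`D`/`M` lines for added, deleted and modified paths. It assumes GNU find (for `-printf`, as in the answer) and `sha256sum`; the directory layout in the test is constructed.

```shell
#!/bin/sh
# Added example: before/after file system snapshot with content digests.
# snapshot ROOT OUT writes one tab-separated line per path under ROOT
# (same file system only, like the answer's -xdev): path, type, octal mode,
# size and sha256 (the last two for regular files only). Requires GNU find.
snapshot() {
    find "$1" -xdev -printf '%p\t%y\t%m\t%s\n' |
    while IFS="$(printf '\t')" read -r path type mode size; do
        sum=-
        if [ "$type" = f ]; then
            sum=$(sha256sum "$path" | cut -d ' ' -f 1)
        else
            size=-      # directory sizes vary by file system; ignore them
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$path" "$type" "$mode" "$size" "$sum"
    done | LC_ALL=C sort > "$2"
}

# compare_snapshots BEFORE AFTER prints "A path" (added), "D path" (deleted)
# and "M path" (content or metadata changed), sorted.
compare_snapshots() {
    diff "$1" "$2" | awk -F '\t' '
        /^< / { sub(/^< /, ""); before[$1] = 1 }   # only in BEFORE (or changed)
        /^> / { sub(/^> /, ""); after[$1]  = 1 }   # only in AFTER (or changed)
        END {
            for (p in before) { tag = (p in after) ? "M " : "D "; print tag p }
            for (p in after)  if (!(p in before)) print "A " p
        }' | LC_ALL=C sort
}

# Usage: snapshot / /tmp/before
#        <run the installer>
#        snapshot / /tmp/after
#        compare_snapshots /tmp/before /tmp/after
```

Hashing every file under `/` is slow; for a quick pass, restrict ROOT to the prefixes an installer can reach (`/usr`, `/etc`, `/var`, `/opt`) or drop the `sha256sum` line and rely on size and mode. Paths containing newlines break the line-oriented format, which is the same limitation the original `find | sort | diff` has.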
3

Regarding RPM, you can get a list of the files installed by a package by invoking the following command:

rpm -ql <package_name>

If you need to know before installing them, you can use the following one-liners, which will list the contents of the packages.

For RPM (requires the rpm2cpio & cpio commands):

rpm2cpio <package>.rpm | cpio -vt

For DEB (requires ar & tar commands):

ar p <package>.deb data.tar.gz | tar zt

All the above information has been taken from http://www.g-loaded.eu/2008/01/28/how-to-extract-rpm-or-deb-packages/. In both cases you get a listing of the files that will be installed. More files might be created by the pre/post installation scripts that these packages include. It is impossible to list those files.

Born To Ride
  • It isn't really impossible to find out what is going on. Particularly since he seems to be willing to actually let the install complete and watch what actually happens. I think his question is more about trying to find a tool that will watch the installer and see exactly what it is doing. – Zoredache Nov 19 '09 at 00:32
  • Thanks, I knew this was possible with rpm and deb without knowing the actual commands to run. But like Zoredache showed, you *can* find what the pre/post install scripts do by using strace (with the strace caveat that child processes will be unmonitored for some time after starting). –  Nov 19 '09 at 00:38
  • If you need to know a package's contents before installation, just use the -p switch for rpm: rpm -qlp cdapp-1.0-1.i386.rpm Or the --contents flag for dpkg: dpkg --contents ./cdapp-1.0-1.i386.deb – samuelstringham Nov 20 '09 at 19:38
1

You may want to check out installwatch: http://www.asic-linux.com.mx/~izto/checkinstall/installwatch.html and checkinstall: http://asic-linux.com.mx/~izto/checkinstall/ . Both very basic utilities to determine what an installation process actually touches.

That being said, Jeff's find | sort command is a good idea, but may be a bit "bulky" since it just manually inspects all the files on the machine twice.

0

The question is ages old and the answers need an update.

Solution 1: Use a container or VM and make the diff with the base-image.

Solution 2: Use auditd

Solution 3: Use systemtap and monitor all files open for write. See: https://sourceware.org/systemtap/examples/lwtools/opensnoop-nd.stp

stap -e 'probe begin{ printf("%6s %6s %16s %4s %s\n", "UID", "PID", "COMM", "FD", "PATH");} probe nd_syscall.open.return{ printf("%6d %6d %16s %4d %s\n", uid(), pid(), execname(),returnval(), user_string(@entry(pointer_arg(1))));}'

Solution 4: Use strace or ltrace as @Zoredache was mentioning.

Mircea Vutcovici
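Solution 2 names auditd without the rules, so here is an added example (not part of the answer above) of a minimal rule set. It assumes the installer writes under the usual prefixes listed below; an installer that writes elsewhere (a home directory, `/srv`) needs its own `-w` line, since a watch covers only the tree below its path. Save it as a rules file and load it with `auditctl -R pkginstall.rules` (or place it under `/etc/audit/rules.d/` and run `augenrules --load`) before starting the installer.

```text
# pkginstall.rules: record writes (w) and attribute changes (a) under the
# standard install prefixes, tagged with the key "pkginstall" for searching.
-w /usr -p wa -k pkginstall
-w /etc -p wa -k pkginstall
-w /opt -p wa -k pkginstall
-w /var -p wa -k pkginstall
```

After the install, `ausearch -k pkginstall -i` returns the matching events; the `type=PATH` records carry the affected path in `name=` (with `nametype=CREATE`/`DELETE` for creations and removals), so `ausearch -k pkginstall -i | grep 'type=PATH' | grep -o 'name=[^ ]*' | sort -u` gives the de-duplicated list. Unlike inotify this has no per-directory watch limit and catches children of the installer as well, since rules apply system-wide; remove each rule afterwards with the matching `auditctl -W /usr -p wa -k pkginstall` line.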