Files being used by a unix process

Question

The fuser command lets me know which processes are using a file or directory.

I'm looking for command that does the opposite: lets me know which files are being used by a process.

---

Update

Forgot to mention that it's for a Solaris system.

Answer 1

1. you can use ls command and grep to find out the files used by chrome

$ ls -l /proc/*/fd | grep "chrome"

lrwx------ 1 ba abc 64 Jul 16 22:19 104 -> /home/abc/.config/google-chrome/Default/Cookies

lr-x------ 1 abc abc 64 Jul 16 22:19 113 -> /opt/google/chrome/nacl_irt_x86_64.nexe

lrwx------ 1 abc abc 64 Jul 16 22:19 121 -> /home/abc/.cache/google-chrome/Default/Cache/data_0

lrwx------ 1 abc abc 64 Jul 16 22:19 122 -> /home/abc/.cache/google-chrome/Default/Cache/data_1

lrwx------ 1 abc abc 64 Jul 16 22:19 123 -> /home/abc/.cache/google-chrome/Default/Cache/data_2

lr-x------ 1 abc abc 64 Jul 16 22:19 125 -> /home/abc/.config/google-chrome/Dictionaries/en-US-3-0.bdic

Another command to find out the result using lsof and grep

$ lsof | grep "chrome"

chrome 2204 abc cwd DIR 8,5 4096 1441794 /home/abc

chrome 2204 abc rtd DIR 8,5 4096 2 /

chrome 2204 abc txt REG 8,5 87345336 5111885 /opt/google/chrome/chrome

chrome 2204 abc mem REG 8,5 4202496 1443927 /home/abc/.cache/google-chrome/Default/Media Cache/data_3

chrome 2204 abc mem REG 8,5 1056768 1443926 /home/abc/.cache/google-chrome/Default/Media Cache/data_2

chrome 2204 abc mem REG 8,5 270336 1443925 /home/abc/.cache/google-chrome/Default/Media Cache/data_1

chrome 2204 abc mem REG 8,5 45056 1443924 /home/abc/.cache/google-chrome/Default/Media Cache/data_0

Answer 2

You can get lsof from http://www.sunfreeware.com/programlistsparc10.html#lsof

You can also try pfiles:

http://docs.oracle.com/cd/E23823_01/html/816-5165/pfiles-1.html#scrolltoc

Answer 3

While I wouldn't begrudge anyone learning Dtrace or gaining experience installing software, in Solaris there is a command to see the files a process has open: /usr/bin/pfiles

% tail -f /etc/motd &
[1] 6033

% pfiles 6033
6033:   tail -f /etc/motd

      Current rlimit: 256 file descriptors
       0: S_IFREG mode:0644 dev:182,65538 ino:163065 uid:0 gid:3 size:54
          O_RDONLY|O_LARGEFILE
          /etc/motd
       1: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3
          O_RDWR|O_NOCTTY|O_LARGEFILE
          /dev/pts/3
       2: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3
          O_RDWR|O_NOCTTY|O_LARGEFILE
          /dev/pts/3

Answer 4

Under some unix systems, ( IE: Linux ), all files opened by a process have a FD id.

These can be seen under

/proc/$PID/fd

ls -la /proc/2055/fd 
total 0
dr-x------ 2 kent kent  0 Nov 19 21:44 .
dr-xr-xr-x 7 kent kent  0 Nov 19 21:42 ..
lr-x------ 1 kent kent 64 Nov 19 21:44 0 -> /dev/null
l-wx------ 1 kent kent 64 Nov 19 21:44 1 -> /home/kent/.xsession-errors
lrwx------ 1 kent kent 64 Nov 19 21:44 10 -> socket:[3977613]
lrwx------ 1 kent kent 64 Nov 19 21:44 11 -> /home/kent/.googleearth/Cache/dbCache.dat
lrwx------ 1 kent kent 64 Nov 19 21:44 12 -> /home/kent/.googleearth/Cache/dbCache.dat.index
lrwx------ 1 kent kent 64 Nov 19 21:44 13 -> socket:[3978765]
lrwx------ 1 kent kent 64 Nov 19 21:44 14 -> socket:[3978763]
lrwx------ 1 kent kent 64 Nov 19 21:44 15 -> socket:[3978766]
lrwx------ 1 kent kent 64 Nov 19 21:44 17 -> socket:[3978764]
l-wx------ 1 kent kent 64 Nov 19 21:44 2 -> /home/kent/.xsession-errors
lr-x------ 1 kent kent 64 Nov 19 21:44 3 -> pipe:[3977583]
l-wx------ 1 kent kent 64 Nov 19 21:44 4 -> pipe:[3977583]
lr-x------ 1 kent kent 64 Nov 19 21:44 5 -> pipe:[3977584]
l-wx------ 1 kent kent 64 Nov 19 21:44 6 -> pipe:[3977584]
lr-x------ 1 kent kent 64 Nov 19 21:44 7 -> pipe:[3977587]
l-wx------ 1 kent kent 64 Nov 19 21:44 8 -> pipe:[3977587]
lrwx------ 1 kent kent 64 Nov 19 21:44 9 -> socket:[3977588]

Additionally, sometimes you even get "FDINFO" ( I think this is a kernel flag on linux )

cat /proc/2055/fdinfo/11 
pos:    232741818
flags:  02

Answer 5

This is a classic application for dtrace.

I can't remember the syntax exactly, but you can have a trace fire every time a file is opened by any process on the system. It can be done on a running system without anywhere near as much overhead as I expected it would have. If you're running solaris as an administrator, dtrace is your best friend. Even if you're not a programmer, it is quite simple to learn and a VERY powerful system query tool.

Answer 6

lsof -p <pid>

From here

lsof stands for “LiSt Open Files”. This shell command seems deceptively simple: It lists information about files opened by processes on a UNIX box.

Despite its (apparent) modest mission statement, lsof is actually one of the most powerful and useful UNIX commands. Its raw power comes from one of UNIX’s design principle often described as ”in UNIX everything is a file”. What this means is that the lsof concept of an open file not only covers regular files but also the following:

• Directories
• Streams or network files (for example, Internet or UNIX domain sockets and NFS files)
• Native libraries (for example, .soor .dylibdynamic libraries linked to a process)
• Block and character special files (for example, disk volume, external hard drive, console, or mouse)
• Pipes

---

Wait, I Cannot Find lsof on My System!

lsof is such a popular tool that it has been ported to pretty much all UNIX dialects (Linux, Mac OS X, BSD, Solaris, and so on). If it is unavailable on your box, use your usual package management system to install it. You can find lsof packages for Solaris on Sun Freeware.