incron.portable - perform actions when a file or directory is modified
incron.portable
incron is a Linux-only program which watches for file and directory
changes. It uses the inotify() API (triggering on file events) which
does not exist on HP-UX (or many other platforms).
This program fakes the same functionality by polling quite quickly.
It reads /etc/incron.d/* and /var/spool/incron/* to know what it is supposed to do.
The file names in /var/spool/incron/ are usernames -- the command listed will run as that username. i.e. the commands listed in /var/spool/incron/tim will run as the user tim. Entries in /etc/incron.d/* run as root.
incron will check that the file ownership matches the user it will run as.
Download from http://sourceforge.net/project/platformdownload.php
Project website: http://portable-incron.sourceforge.net/
The user table rows have the following syntax (use one or more spaces between elements):
<path> <mask> <command>
Where:
is a filesystem path (each whitespace must be prepended by a backslash)
is a symbolic (see EVENT SYMBOLS and OTHER EVENT SYMBOLS below; use commas for separating symbols)
is an application or script to run on the events
The command may contain these wildcards:
a dollar sign
the watched filesystem path (see above)
the event-related file name
the event flags (textually)
the event flags (numerically)
These basic event mask symbols are supported by the real incron.
Metadata changed (permissions, timestamps, extended attributes, etc.)
File/directory created in watched directory (*)
File/directory deleted from watched directory (*)
Watched file/directory was itself deleted
File was modified (*)
Instead of IN_CLOSE_WRITE, which is quite hard to do without kernel assistance, there is a different symbol:
File has finished being modified and/or created. We watch a file and see if keeps being modified. When it has stopped being modified for longer than we saw it being modified we assume that it's no longer being written to. If it gets deleted very soon after being written, it's a transient file and we don't report on it.
File was accessed (read) (*)
File opened for writing was closed (*)
File not opened for writing was closed (*)
File moved into watched directory (*)
File moved out of watched directory (*)
File was opened (*)
Watched file/directory was itself moved
Copy incron.portable to /usr/local/bin (or wherever you want to put it). Edit /etc/inittab add a line:
in:2345:respawn:/usr/local/bin/incron.portable
Monitoring is performed as root even for actions which will only run as an ordinary user. This could perhaps be used as a way to leak information about files in directories which a user does not have access to.