I'd like to determine where a certain app (as an example, surf) writes to the filesystem in order to make sure it leaves no traces. Without a dedicated sandboxing system this probably isn't easy, but I'm wondering if there is a better way than simply using strace.
For example here is a simple script called run:
```bash
#!/bin/bash
mkdir history
echo foo bar > history/hist.db
echo hello > test
```
I run strace like this:
```bash
strace ./run 2>&1 | sed -n '/^open.*WRONLY/p' | sed 's/.*"\(.*\)"[^"]*$/\1/'
```
to see all the files (but not directories) that were written (I don't think this will capture files that were created, but not written to, like those created by touch). Output:
```
history/hist.db
test
```
Is there a better way to do this, since this gets unwieldy for anything besides trivial applications, or are there options I can pass to strace (or better regexes maybe?) that make this a bit more robust? Do I run the risk of missing files that are written to the filesystem?
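An added example, not part of the original post: a Python parser for `strace -f` output that goes beyond the `WRONLY` filter above by also reporting directory creation, renames, `O_RDWR`/`O_CREAT` opens, and calls split across lines by child processes, while skipping failed calls. The function name `written_paths`, the choice of syscalls treated as "writing", and the sample trace are assumptions made for this example.

```python
import re

# Calls that change the filesystem without a write-mode open; the last quoted argument is the affected path.
MUTATING = {"creat", "mkdir", "mkdirat", "mknod", "mknodat", "rename",
            "renameat", "renameat2", "unlink", "unlinkat", "rmdir",
            "truncate", "symlink", "symlinkat", "link", "linkat"}
WRITE_FLAGS = re.compile(r"\bO_(?:WRONLY|RDWR|CREAT|TRUNC|APPEND)\b")
PREFIX = re.compile(r"^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(.*)$")  # "[pid 42] " or "42 "
RESUMED = re.compile(r"^<\.\.\. \w+ resumed>(.*)$")
CALL = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
UNFINISHED = "<unfinished ...>"

def written_paths(trace_text):
    """Return sorted (path, syscall) pairs for calls that succeeded."""
    pending, found = {}, set()
    for line in trace_text.splitlines():
        m = PREFIX.match(line)
        pid, rest = m.group(1) or m.group(2) or "", m.group(3)
        if rest.endswith(UNFINISHED):            # call interrupted by another pid
            pending[pid] = rest[:-len(UNFINISHED)]
            continue
        if (resumed := RESUMED.match(rest)):     # glue the two halves together
            rest = pending.pop(pid, "") + resumed.group(1)
        call = CALL.match(rest)
        if not call or int(call.group(3)) < 0:   # signals, exits, failed calls
            continue
        name, args = call.group(1), call.group(2)
        paths = QUOTED.findall(args)
        if paths and name in ("open", "openat") and WRITE_FLAGS.search(args):
            found.add((paths[0], name))
        elif paths and name in MUTATING:
            found.add((paths[-1], name))
    return sorted(found)

# Constructed sample trace, not captured from a real run.
SAMPLE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] mkdir("history", 0777) = 0
openat(AT_FDCWD, "history/hist.db", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
openat(AT_FDCWD, "test", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
[pid 4243] openat(AT_FDCWD, "cache.tmp", O_RDWR|O_CREAT, 0600 <unfinished ...>
[pid 4243] <... openat resumed>) = 4
[pid 4243] rename("cache.tmp", "cache.db") = 0
openat(AT_FDCWD, "/root/x", O_WRONLY|O_CREAT, 0666) = -1 EACCES (Permission denied)
"""

if __name__ == "__main__":
    print(*written_paths(SAMPLE), sep="\n")
```

Paths are reported exactly as the program passed them, so relative names still have to be resolved against the process's working directory. Metadata-only changes such as `chmod` or `utimes` are not in the syscall set used here.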