jirutka/procs-using-deleted-files

## procs-using-deleted-files
#!/bin/sh
#---help---
# Usage: procs-using-deleted-files [options]
#
# Find processes that use (maps into memory) files which have been deleted
# or replaced on disk.  If /proc/$PID/map_files is accessible, then it omits
# files that have been replaced by the same files (i.e. content is the same).
#
# Options:
#   -e PATT...  Case pattern (POSIX shell's "case") specifying paths to exclude
#               when looking for modified mapped files.
#   -H          Print heading.
#   -v...       Verbosity (may be repeated up to 3 times).
#   -h          Show this message and exit.
#
# Source: <https://gist.github.com/jirutka/9f7624a54b6f44b31c1dce3bea11708f>
#---help---
set -eu

# Set pipefail if supported.
if ( set -o pipefail 2>/dev/null ); then
	set -o pipefail
fi

PROGNAME='procs-using-deleted-files'


help() {
	sed -En '/^#---help---/,/^#---help---/p' "$0" | sed -E 's/^# ?//; 1d;$d;'
	exit ${1:-0}
}

# Returns 0 if $1 matches "case" pattern $2, otherwise returns 1.
case_match() {
	[ "$2" ] || return 1
	eval "case \"$1\" in $2) return 0;; *) return 1;; esac"
}

# Prints paths of files mapped by the process with PID $1 that have been
# deleted or replaced. You may specify "case" pattern $2 to exclude certain
# paths (e.g. "/dev/*|/home/*"). Returns 1 if no files was found.
changed_map_files() {
	local pid="$1"
	local exclude="${2:-}"

	if [ ! -r /proc/$pid/maps ]; then
		echo "$PROGNAME: could not read /proc/$pid/maps" >&2
		return 2
	fi

	cat /proc/$pid/maps \
		| sed -En 's|^([a-f0-9-]+) .* {4,}(/.*) \(deleted\)$|\1 \2|p' \
		| grep -v '[[:cntrl:]"$\`]' \
		| sort -k 2 \
		| uniq -f 1 \
		| while read maddr filepath; do
			map_file="/proc/$pid/map_files/$maddr"

			# Skip excluded path.
			case_match "$filepath" "$exclude" && continue

			# Skip path that is not a file.
			[ -e "$filepath" ] && [ -f "$filepath" ] || continue

			# Don't compare file's content if /proc/$pid/map_files
			# is not accessible (i.e. on Grsecurity kernel).
			if [ -x "${map_file%/*}" ]; then
				[ -e "$map_file" ] || continue

				# Skip file which content has not been changed.
				[ -e "$filepath" ] \
					&& ! cmp -s "$map_file" "$filepath" 2>/dev/null \
					|| continue
			fi

			echo "$filepath"
		done | grep .
}

# Prints executable of the process with PID $1.
proc_exe() {
	local exe
	exe=$(readlink /proc/$1/exe)
	exe=${exe% (deleted)}
	exe=${exe%.apk-new}  # special case for apk (Alpine Linux)

	printf '%s\n' "$exe"
}


exclude_maps=''
print_header='no'
verbosity=0

while getopts ':e:Hhv' OPTION; do
	case "$OPTION" in
		H) print_header='yes';;
		e) exclude_maps="${exclude_maps:+"$exclude_maps|"}$OPTARG";;
		v) verbosity=$(( $verbosity + 1 ));;
		h) echo "Usage: $0 [-H] [-v] [-h]" >&2; exit 0;;
		\?) echo "$PROGNAME: unrecognized option -$OPTARG" >&2; exit 100;;
	esac
done

# Sanitize exclude pattern.
if [ "$exclude_maps" ]; then
	exclude_maps=$(printf %s "$exclude_maps" | sed 's|[();]|\\&|g')
fi

if [ "$print_header" = yes ]; then
	printf 'PID'
	[ $verbosity -ge 1 ] && printf '\tEXE\tCMDLINE'
	[ $verbosity -ge 2 ] && printf '\tMAPPED FILES'
	printf '\n'
fi

for proc in /proc/[0-9]*; do
	pid=${proc#/proc/}

	# Skip kernel threads.
	[ -e $proc/exe ] || continue

	if files=$(changed_map_files $pid "$exclude_maps"); then
		if [ $verbosity -ge 0 ]; then
			printf '%d' $pid
		fi
		if [ $verbosity -ge 1 ]; then
			printf '\t%s\t%s' \
				"$(proc_exe $pid)" \
				"$(cat $proc/cmdline | tr '\0\t' '  ')"
		fi
		if [ $verbosity -ge 2 ]; then
			printf '\t'
			printf '%s ' $files
		fi
		printf '\n'
	fi
done
	#!/bin/sh
	#---help---
	# Usage: procs-using-deleted-files [options]
	#
	# Find processes that use (maps into memory) files which have been deleted
	# or replaced on disk. If /proc/$PID/map_files is accessible, then it omits
	# files that have been replaced by the same files (i.e. content is the same).
	#
	# Options:
	# -e PATT... Case pattern (POSIX shell's "case") specifying paths to exclude
	# when looking for modified mapped files.
	# -H Print heading.
	# -v... Verbosity (may be repeated up to 3 times).
	# -h Show this message and exit.
	#
	# Source: <https://gist.github.com/jirutka/9f7624a54b6f44b31c1dce3bea11708f>
	#---help---
	set -eu

	# Set pipefail if supported.
	if ( set -o pipefail 2>/dev/null ); then
	set -o pipefail
	fi

	PROGNAME='procs-using-deleted-files'


	help() {
	sed -En '/^#---help---/,/^#---help---/p' "$0" \| sed -E 's/^# ?//; 1d;$d;'
	exit ${1:-0}
	}

	# Returns 0 if $1 matches "case" pattern $2, otherwise returns 1.
	case_match() {
	[ "$2" ] \|\| return 1
	eval "case \"$1\" in $2) return 0;; *) return 1;; esac"
	}

	# Prints paths of files mapped by the process with PID $1 that have been
	# deleted or replaced. You may specify "case" pattern $2 to exclude certain
	# paths (e.g. "/dev/\|/home/"). Returns 1 if no files was found.
	changed_map_files() {
	local pid="$1"
	local exclude="${2:-}"

	if [ ! -r /proc/$pid/maps ]; then
	echo "$PROGNAME: could not read /proc/$pid/maps" >&2
	return 2
	fi

	cat /proc/$pid/maps \
	\| sed -En 's\|^([a-f0-9-]+) .* {4,}(/.*) \(deleted\)$\|\1 \2\|p' \
	\| grep -v '[[:cntrl:]"$\`]' \
	\| sort -k 2 \
	\| uniq -f 1 \
	\| while read maddr filepath; do
	map_file="/proc/$pid/map_files/$maddr"

	# Skip excluded path.
	case_match "$filepath" "$exclude" && continue

	# Skip path that is not a file.
	[ -e "$filepath" ] && [ -f "$filepath" ] \|\| continue

	# Don't compare file's content if /proc/$pid/map_files
	# is not accessible (i.e. on Grsecurity kernel).
	if [ -x "${map_file%/*}" ]; then
	[ -e "$map_file" ] \|\| continue

	# Skip file which content has not been changed.
	[ -e "$filepath" ] \
	&& ! cmp -s "$map_file" "$filepath" 2>/dev/null \
	\|\| continue
	fi

	echo "$filepath"
	done \| grep .
	}

	# Prints executable of the process with PID $1.
	proc_exe() {
	local exe
	exe=$(readlink /proc/$1/exe)
	exe=${exe% (deleted)}
	exe=${exe%.apk-new} # special case for apk (Alpine Linux)

	printf '%s\n' "$exe"
	}


	exclude_maps=''
	print_header='no'
	verbosity=0

	while getopts ':e:Hhv' OPTION; do
	case "$OPTION" in
	H) print_header='yes';;
	e) exclude_maps="${exclude_maps:+"$exclude_maps\|"}$OPTARG";;
	v) verbosity=$(( $verbosity + 1 ));;
	h) echo "Usage: $0 [-H] [-v] [-h]" >&2; exit 0;;
	\?) echo "$PROGNAME: unrecognized option -$OPTARG" >&2; exit 100;;
	esac
	done

	# Sanitize exclude pattern.
	if [ "$exclude_maps" ]; then
	exclude_maps=$(printf %s "$exclude_maps" \| sed 's\|[();]\|\\&\|g')
	fi

	if [ "$print_header" = yes ]; then
	printf 'PID'
	[ $verbosity -ge 1 ] && printf '\tEXE\tCMDLINE'
	[ $verbosity -ge 2 ] && printf '\tMAPPED FILES'
	printf '\n'
	fi

	for proc in /proc/[0-9]*; do
	pid=${proc#/proc/}

	# Skip kernel threads.
	[ -e $proc/exe ] \|\| continue

	if files=$(changed_map_files $pid "$exclude_maps"); then
	if [ $verbosity -ge 0 ]; then
	printf '%d' $pid
	fi
	if [ $verbosity -ge 1 ]; then
	printf '\t%s\t%s' \
	"$(proc_exe $pid)" \
	"$(cat $proc/cmdline \| tr '\0\t' ' ')"
	fi
	if [ $verbosity -ge 2 ]; then
	printf '\t'
	printf '%s ' $files
	fi
	printf '\n'
	fi
	done