Bash, Ksh and Bourne shell syntax:
    INSTALL_LOG=log_file LD_PRELOAD=/usr/lib/logwrites.so command
    DO_BACKUPS=1 INSTALL_LOG=log_file LD_PRELOAD=/usr/lib/logwrites.so command
C Shell syntax:
    env INSTALL_LOG=log_file LD_PRELOAD=/usr/lib/logwrites.so shell_command
    env DO_BACKUPS=1 INSTALL_LOG=log_file LD_PRELOAD=/usr/lib/logwrites.so shell_command
logwrites is a library that intercepts the open(2), link(2), rename(2), symlink(2), unlink(2), mkdir(2), mknod(2), and truncate(2) system calls and records these events in a file after successful execution of the system call. It can also optionally save a backup copy of any file that would otherwise have been overwritten by open(2).
Logwrites does not currently intercept the system calls that merely change a file's inode information. It also does not log, make backups, or do any other special processing for open() system calls that do not truncate the file on opening, or for truncate(2) calls that truncate the file length to something other than zero. It is unclear exactly what to do in these cases because this may be the case of a few bytes being modified in a large database, and making backup files every time this happens may not be a good idea.
Logwrites uses the ELF shared library mechanism to intercept system calls. As a result, it cannot trace the actions of statically linked executables, non-ELF executables, setuid executables, or executables that make system calls directly with the system call trap or through the syscall() routine.
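A preflight check for the limitations above, as an added example that is not part of logwrites: it reads an executable's mode bits and ELF program headers and reports why a preloaded library would not see its calls. The names classify, preload_blind_spots and sample_elf64 are hypothetical, the sample ELF images are constructed, and programs that issue system calls directly cannot be detected this way.

```python
import os
import stat
import struct
import sys

PT_INTERP = 3  # program header that names the dynamic linker (ld.so)

def has_interp(data):
    """True if an ELF image carries PT_INTERP, so ld.so runs and reads LD_PRELOAD."""
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if data[4] == 2:                           # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                      # ELF32 header layout
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def classify(mode, data):
    """Return the reasons (possibly none) a preloaded logger would miss this program."""
    reasons = []
    if mode & (stat.S_ISUID | stat.S_ISGID):   # page names setuid; glibc treats setgid alike
        reasons.append("setuid")
    if data[:4] != b"\x7fELF":
        reasons.append("non-elf")              # for a "#!" script, check its interpreter
    else:
        try:
            if not has_interp(data):
                reasons.append("static")       # no dynamic linker, nothing is preloaded
        except (struct.error, IndexError):
            reasons.append("malformed-elf")    # header truncated or inconsistent
    return reasons

def preload_blind_spots(path):
    with open(path, "rb") as f:
        return classify(os.stat(path).st_mode, f.read())

def sample_elf64(p_types):
    """Constructed input: minimal little-endian ELF64 header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    return ident + hdr + b"".join(struct.pack("<II6Q", t, 0, *[0] * 6) for t in p_types)

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, preload_blind_spots(p) or "no blind spot found in headers")
```

Run it against the installer's binaries before trusting an INSTALL_LOG; an empty result only means the headers show no obstacle.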
There is hope for one other problem, though. There is currently no way of stacking "filter libraries" like logwrites. You can only have one such library preloaded. For example, you cannot use logwrites in conjunction with zlibc (a library that implements transparent decompression by intercepting the open(2) system call). The solution to this problem is to add a new symbol type to ELF that is used *only* for external references that were unresolved when the library was loaded, similar to the "weak" attribute in ELF. This would allow logwrites to use different names internally to refer to the routines that implement open(2), symlink(2), etc., and then make references to routines named open(), symlink(), etc., that are resolved by the regular C library or the next "filter library."
logwrites and its documentation may be freely copied under the terms and conditions of version 2 of the GNU General Public License, as published by the Free Software Foundation (Cambridge, Massachusetts, United States of America).