How do I know what files are executed when I open an application?
Use strace
!
Example: List all files opened by Firefox during a session:
strace -f firefox 2>&1 | grep 'open('
Results in something like this if you open a second instance of FireFox: http://pastebin.com/iRqxgiWN (The '-f' option just makes strace follow process forks.)
Example 2: List all processes executed by FireFox:
strace -f firefox 2>&1 | grep -P 'exec[vlpe]*\('
Results in something like this when visiting YouTube:
[pid 25020] execve("/usr/lib/firefox/plugin-container", ["/usr/lib/firefox/plugin-containe"..., "/usr/lib/adobe-flashplugin/libfl"..., "-greomni", "/usr/lib/firefox/omni.ja", "-appomni", "/usr/lib/firefox/browser/omni.ja", "-appdir", "/usr/lib/firefox/browser", "15198", "false", "plugin"], [/* 57 vars */]) = 0
[pid 25024] execve("/bin/sh", ["sh", "-c", "ps x | grep netscape"], [/* 57 vars */]) = 0
[pid 25025] execve("/bin/ps", ["ps", "x"], [/* 57 vars */] <unfinished ...>
[pid 25026] execve("/bin/grep", ["grep", "netscape"], [/* 57 vars */]) = 0
You can do this with many other system calls as well...
By matching the parameters of open()
in your grep
search you can also find out in which mode the file has been opened:
Just add | grep -P 'O_RDONLY|O_RDWR'
(the leading pipe character is important!) to filter read access or | grep -P 'O_WRONLY|O_RDWR'
for write access to your command...
EDIT:
As was mentioned in the comments you can also use strace -fe open firefox
to list all files opened by FireFox. You can also use strace -fe trace=file firefox
to list all file operations done by FireFox that have a file path as an argument (open, stat, lstat, chmod, access, ...).
Many more are available! Check out the strace(1) manual page.