1LSOF(8)                     System Manager's Manual                    LSOF(8)
2
3
4

NAME

6       lsof - list open files
7

SYNOPSIS

9       lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D
10       D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k
11       ]  [  +|-L  [l]  ]  [  +|-m  m  ]  [  +|-M ] [ -o [o] ] [ -p s ] [ +|-r
12       [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x
13       [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names]
14

DESCRIPTION

16       Lsof  revision 4.82 lists on its standard output file information about
17       files opened by processes for the following UNIX dialects:
18
19            AIX 5.3
20            Apple Darwin 9 (Mac OS X 10.5)
21            FreeBSD 4.9 for x86-based systems
22            FreeBSD 7.[012] and 8.0 for AMD64-based systems
23            Linux 2.1.72 and above for x86-based systems
24            Solaris 9 and 10
25
26       (See the DISTRIBUTION section of this manual page  for  information  on
27       how to obtain the latest lsof revision.)
28
29       An  open file may be a regular file, a directory, a block special file,
30       a character special file, an executing text  reference,  a  library,  a
31       stream  or  a  network  file  (Internet socket, NFS file or UNIX domain
32       socket.)  A specific file or all the files in  a  file  system  may  be
33       selected by path.
34
35       Instead  of  a  formatted display, lsof will produce output that can be
36       parsed by other programs.  See the -F, option description, and the OUT‐
37       PUT FOR OTHER PROGRAMS section for more information.
38
39       In  addition to producing a single output list, lsof will run in repeat
40       mode.  In repeat mode it will produce output, delay,  then  repeat  the
41       output  operation  until stopped with an interrupt or quit signal.  See
42       the +|-r [t[m<fmt>]] option description for more information.
43

OPTIONS

45       In the absence of any options, lsof lists all open files  belonging  to
46       all active processes.
47
48       If  any  list  request option is specified, other list requests must be
49       specifically requested - e.g., if -U is specified for  the  listing  of
50       UNIX  socket  files, NFS files won't be listed unless -N is also speci‐
51       fied; or if a user list is specified with the -u  option,  UNIX  domain
52       socket  files,  belonging  to  users  not  in the list, won't be listed
53       unless the -U option is also specified.
54
55       Normally list options that are specifically stated  are  ORed  -  i.e.,
56       specifying  the  -i option without an address and the -ufoo option pro‐
57       duces a listing of all network files OR files  belonging  to  processes
58       owned by user ``foo''.  The exceptions are:
59
60       1) the `^' (negated) login name or user ID (UID), specified with the -u
61          option;
62
63       2) the `^' (negated) process ID (PID), specified with the -p option;
64
65       3) the `^' (negated) process group ID (PGID),  specified  with  the  -g
66          option;
67
68       4) the `^' (negated) command, specified with the -c option;
69
70       5) the  (`^')  negated  TCP or UDP protocol state names, specified with
71          the -s [p:s] option.
72
73       Since they represent exclusions, they are applied without ORing or AND‐
74       ing and take effect before any other selection criteria are applied.
75
76       The -a option may be used to AND the selections.  For example, specify‐
77       ing -a, -U, and -ufoo produces a listing of only UNIX socket files that
78       belong to processes owned by user ``foo''.
79
80       Caution:  the  -a option causes all list selection options to be ANDed;
81       it can't be used to cause ANDing of selected pairs of selection options
82       by  placing it between them, even though its placement there is accept‐
83       able.  Wherever -a is placed, it causes the  ANDing  of  all  selection
84       options.
85
86       Items of the same selection set - command names, file descriptors, net‐
87       work addresses, process  identifiers,  user  identifiers,  zone  names,
88       security  contexts - are joined in a single ORed set and applied before
89       the result participates  in  ANDing.   Thus,  for  example,  specifying
90       -i@aaa.bbb,  -i@ccc.ddd,  -a,  and -ufff,ggg will select the listing of
91       files that belong to either login ``fff'' OR ``ggg'' AND  have  network
92       connections to either host aaa.bbb OR ccc.ddd.
93
94       Options  may be grouped together following a single prefix -- e.g., the
95       option set ``-a -b -C'' may be stated as -abC.  However,  since  values
96       are optional following +|-f, -F, -g, -i, +|-L, -o, +|-r, -s, -S, -T, -x
97       and -z.  when you have no values for them be careful that the following
98       character isn't ambiguous.  For example, -Fn might represent the -F and
99       -n options, or it might represent the n field identifier character fol‐
100       lowing  the  -F option.  When ambiguity is possible, start a new option
101       with a `-' character - e.g., ``-F -n''.  If the next option is  a  file
102       name,  follow the possibly ambiguous option with ``--'' - e.g., ``-F --
103       name''.
104
105       Either the `+' or the `-' prefix may be applied to a group of  options.
106       Options that don't take on separate meanings for each prefix - e.g., -i
107       - may be grouped under either prefix.  Thus, for example, ``+M -i'' may
108       be  stated  as  ``+Mi''  and  the  group means the same as the separate
109       options.  Be careful of prefix grouping when one or more options in the
110       group  does  take on separate meanings under different prefixes - e.g.,
111       +|-M; ``-iM'' is not the same request as ``-i +M''.  When in doubt, use
112       separate options with appropriate prefixes.
113
114       -? -h    These  two  equivalent  options  select  a usage (help) output
115                list.  Lsof displays a shortened form of this output  when  it
116                detects  an  error in the options supplied to it, after it has
117                displayed messages explaining each  error.   (Escape  the  `?'
118                character as your shell requires.)
119
120       -a       This  option  causes  list  selection  options to be ANDed, as
121                described above.
122
123       -A A     This option is available on systems configured for  AFS  whose
124                AFS kernel code is implemented via dynamic modules.  It allows
125                the lsof user to specify A as  an  alternate  name  list  file
126                where  the  kernel  addresses  of the dynamic modules might be
127                found.  See the lsof FAQ (The FAQ section gives its location.)
128                for more information about dynamic modules, their symbols, and
129                how they affect lsof.
130
131       -b       This option causes lsof to avoid kernel functions  that  might
132                block - lstat(2), readlink(2), and stat(2).
133
134                See  the  BLOCKS  AND TIMEOUTS and AVOIDING KERNEL BLOCKS sec‐
135                tions for information on using this option.
136
137       -c c     This option selects the listing of files for processes execut‐
138                ing  the command that begins with the characters of c.  Multi‐
139                ple commands may be  specified,  using  multiple  -c  options.
140                They  are  joined in a single ORed set before participating in
141                AND option selection.
142
143                If c begins with a `^', then the following characters  specify
144                a command name whose processes are to be ignored (excluded.)
145
146                If  c  begins  and  ends  with  a  slash ('/'), the characters
147                between the slashes are interpreted as a  regular  expression.
148                Shell meta-characters in the regular expression must be quoted
149                to prevent their interpretation by  the  shell.   The  closing
150                slash may be followed by these modifiers:
151
152                     b    the regular expression is a basic one.
153                     i    ignore the case of letters.
154                     x    the regular expression is an extended one
155                          (default).
156
157                See  the  lsof  FAQ (The FAQ section gives its location.)  for
158                more information on basic and extended regular expressions.
159
160                The simple command specification is  tested  first.   If  that
161                test fails, the command regular expression is applied.  If the
162                simple command test succeeds, the command  regular  expression
163                test  isn't  made.   This may result in ``no command found for
164                regex:'' messages when lsof's -V option is specified.
165
166       +c w     This option defines the maximum number of  initial  characters
167                of the name, supplied by the UNIX dialect, of the UNIX command
168                associated with a process to be printed in the COMMAND column.
169                (The lsof default is nine.)
170
171                Note  that  many  UNIX dialects do not supply all command name
172                characters to lsof in the files and structures from which lsof
173                obtains  command  name.   Often  dialects  limit the number of
174                characters supplied in  those  sources.   For  example,  Linux
175                2.4.27  and  Solaris  9  both  limit command name length to 16
176                characters.
177
178                If w is zero ('0'), all command characters supplied to lsof by
179                the UNIX dialect will be printed.
180
181                If w is less than the length of the column title, ``COMMAND'',
182                it will be raised to that length.
183
184       -C       This option disables the reporting of any path name components
185                from  the kernel's name cache.  See the KERNEL NAME CACHE sec‐
186                tion for more information.
187
188       +d s     This option causes lsof to search for all  open  instances  of
189                directory  s  and the files and directories it contains at its
190                top level.  This option does NOT descend the  directory  tree,
191                rooted  at  s.   The  +D  D  option  may  be used to request a
192                full-descent directory tree search, rooted at directory D.
193
194                Processing of the +d option does  not  follow  symbolic  links
195                within s unless the -x or -x  l option is also specified.  Nor
196                does it search for open files on file system mount  points  on
197                subdirectories  of  s  unless  the  -x or -x  f option is also
198                specified.
199
200                Note: the authority of the user of this option  limits  it  to
201                searching  for  files  that the user has permission to examine
202                with the system stat(2) function.
203
204       -d s     This option specifies a list  of  file  descriptors  (FDs)  to
205                exclude  from  or  include  in  the  output listing.  The file
206                descriptors are specified in the comma-separated set s - e.g.,
207                ``cwd,1,3'',  ``^6,^2''.   (There  should  be no spaces in the
208                set.)
209
210                The list is an exclusion list if all entries of the set  begin
211                with  `^'.   It  is  an inclusion list if no entry begins with
212                `^'.  Mixed lists are not permitted.
213
214                A file descriptor number range may be in the set  as  long  as
215                neither  member  is  empty,  both members are numbers, and the
216                ending member is larger than the starting one - e.g.,  ``0-7''
217                or  ``3-10''.   Ranges  may be specified for exclusion if they
218                have the  `^'  prefix  -  e.g.,  ``^0-7''  excludes  all  file
219                descriptors 0 through 7.
220
221                Multiple  file  descriptor numbers are joined in a single ORed
222                set before participating in AND option selection.
223
224                When there are exclusion and inclusion  members  in  the  set,
225                lsof  reports  them as errors and exits with a non-zero return
226                code.
227
228                See the description of File Descriptor (FD) output  values  in
229                the  OUTPUT  section  for  more information on file descriptor
230                names.
231
232       +D D     This option causes lsof to search for all  open  instances  of
233                directory  D  and all the files and directories it contains to
234                its complete depth.
235
236                Processing of the +D option does  not  follow  symbolic  links
237                within D unless the -x or -x  l option is also specified.  Nor
238                does it search for open files on file system mount  points  on
239                subdirectories  of  D  unless  the  -x or -x  f option is also
240                specified.
241
242                Note: the authority of the user of this option  limits  it  to
243                searching  for  files  that the user has permission to examine
244                with the system stat(2) function.
245
246                Further note: lsof may process this option slowly and  require
247                a large amount of dynamic memory to do it.  This is because it
248                must descend the entire directory tree, rooted at  D,  calling
249                stat(2)  for  each  file and directory, building a list of all
250                the files it finds, and searching that list for a  match  with
251                every  open  file.  When directory D is large, these steps can
252                take a long time, so use this option prudently.
253
254       -D D     This option directs lsof's use of the device cache file.   The
255                use  of  this  option is sometimes restricted.  See the DEVICE
256                CACHE FILE section and the sections that follow  it  for  more
257                information on this option.
258
259                -D  must be followed by a function letter; the function letter
260                may optionally be followed by a path  name.   Lsof  recognizes
261                these function letters:
262
263                     ? - report device cache file paths
264                     b - build the device cache file
265                     i - ignore the device cache file
266                     r - read the device cache file
267                     u - read and update the device cache file
268
269                The  b,  r,  and  u functions, accompanied by a path name, are
270                sometimes restricted.  When these  functions  are  restricted,
271                they  will not appear in the description of the -D option that
272                accompanies -h or -?  option output.   See  the  DEVICE  CACHE
273                FILE section and the sections that follow it for more informa‐
274                tion on these functions and when they're restricted.
275
276                The ?  function reports the read-only  and  write  paths  that
277                lsof can use for the device cache file, the names of any envi‐
278                ronment variables whose values lsof will examine when  forming
279                the  device  cache  file path, and the format for the personal
280                device cache file path.  (Escape the  `?'  character  as  your
281                shell requires.)
282
283                When  available,  the b, r, and u functions may be followed by
284                the  device  cache  file's  path.   The  standard  default  is
285                .lsof_hostname  in the home directory of the real user ID that
286                executes lsof, but this could have been changed when lsof  was
287                configured  and  compiled.   (The  output  of  the  -h  and -?
288                options show the current default prefix  -  e.g.,  ``.lsof''.)
289                The  suffix,  hostname,  is  the first component of the host's
290                name returned by gethostname(2).
291
292                When available, the b function directs lsof  to  build  a  new
293                device cache file at the default or specified path.
294
295                The i function directs lsof to ignore the default device cache
296                file and obtain its information about devices via direct calls
297                to the kernel.
298
299                The  r  function  directs lsof to read the device cache at the
300                default or specified path, but prevents it from creating a new
301                device  cache  file  when  none  exists or the existing one is
302                improperly structured.  The r function, when specified without
303                a  path name, prevents lsof from updating an incorrect or out‐
304                dated device cache file, or creating a new one in  its  place.
305                The  r function is always available when it is specified with‐
306                out a path name argument; it may be restricted by the  permis‐
307                sions of the lsof process.
308
309                When available, the u function directs lsof to read the device
310                cache file at the default or specified path, if possible,  and
311                to rebuild it, if necessary.  This is the default device cache
312                file function when no -D option has been specified.
313
314       +|-e s   exempts the file system whose path name is s from  being  sub‐
315                jected  to  kernel  function  calls  that might block.  The +e
316                option exempts stat(2), lstat(2) and most  readlink(2)  kernel
317                function  calls.   The  -e  option  exempts  only  stat(2) and
318                lstat(2) kernel function calls.  Multiple file systems may  be
319                specified  with separate +|-e specifications and each may have
320                readlink(2) calls exempted or not.
321
322                This option is currently implemented only for Linux.
323
324                CAUTION: this option can easily be mis-applied to  other  than
325                the  file system of interest, because it uses path name rather
326                than the more reliable device and inode numbers.  (Device  and
327                inode  numbers  are  acquired  via  the  potentially  blocking
328                stat(2) kernel call and are thus not available,  but  see  the
329                +|-m  m  option as a possible alternative way to supply device
330                numbers.)
331
332                Use this option with great care and  fully  specify  the  path
333                name  of  the file system to be exempted.  Consider, for exam‐
334                ple, that specifying ``-e /'' would exempt all  file  systems,
335                since all their paths begin with a `/'.
336
337                When  open  files on exempted file systems are reported, it is
338                not possible to obtain all their information.  Therefore, some
339                information  columns  will  be  blank, the characters ``UNKN''
340                preface the values in the  TYPE  column,  and  the  applicable
341                exemption  option  is  added  in parentheses to the end of the
342                NAME column.  Some device number  information  might  be  made
343                available via the +|-m m option.
344
345       +|-f [cfgGn]
346                f by itself clarifies how path name arguments are to be inter‐
347                preted.  When followed by c, f, g, G, or n in any  combination
348                it  specifies that the listing of kernel file structure infor‐
349                mation is to be enabled (`+') or inhibited (`-').
350
351                Normally a path name argument is taken to  be  a  file  system
352                name  if  it  matches  a mounted-on directory name reported by
353                mount(8), or if it represents a block  device,  named  in  the
354                mount  output  and  associated  with a mounted directory name.
355                When +f is specified, all path name arguments will be taken to
356                be  file  system names, and lsof will complain if any are not.
357                This can be useful, for example, when  the  file  system  name
358                (mounted-on  device)  isn't  a block device.  This happens for
359                some CD-ROM file systems.
360
361                When -f is specified by itself, all path name  arguments  will
362                be  taken  to be simple files.  Thus, for example, the ``-f --
363                /'' arguments direct lsof to search for open files with a  `/'
364                path name, not all open files in the `/' (root) file system.
365
366                Be  careful to make sure +f and -f are properly terminated and
367                aren't followed by a character (e.g., of the file or file sys‐
368                tem  name)  that  might be taken as a parameter.  For example,
369                use ``--'' after +f and -f as in these examples.
370
371                     $ lsof +f -- /file/system/name
372                     $ lsof -f -- /file/name
373
374                The  listing  of  information  from  kernel  file  structures,
375                requested  with the +f [cfgGn] option form, is normally inhib‐
376                ited, and is not available in whole or part for some  dialects
377                - e.g., /proc-based Linux kernels below 2.6.22.  When the pre‐
378                fix to f is a plus sign (`+'), these characters  request  file
379                structure information:
380
381                     c    file structure use count (not Linux)
382                     f    file structure address (not Linux)
383                     g    file flag abbreviations (Linux 2.6.22 and up)
384                     G    file flags in hexadecimal (Linux 2.6.22 and up)
385                     n    file structure node address (not Linux)
386
387                When the prefix is minus (`-') the same characters disable the
388                listing of the indicated values.
389
390                File  structure  addresses,  use  counts,  flags,   and   node
391                addresses  may  be used to detect more readily identical files
392                inherited by child processes and identical  files  in  use  by
393                different processes.  Lsof column output can be sorted by out‐
394                put columns holding the values and listed to identify  identi‐
395                cal  file use, or lsof field output can be parsed by an AWK or
396                Perl post-filter script, or by a C program.
397
398       -F f     This option specifies a character list, f,  that  selects  the
399                fields to be output for processing by another program, and the
400                character that terminates each output field.  Each field to be
401                output  is  specified with a single character in f.  The field
402                terminator defaults to NL, but may be changed  to  NUL  (000).
403                See the OUTPUT FOR OTHER PROGRAMS section for a description of
404                the field  identification  characters  and  the  field  output
405                process.
406
407                When the field selection character list is empty, all standard
408                fields are selected (except the  raw  device  field,  security
409                context  and  zone field for compatibility reasons) and the NL
410                field terminator is used.
411
412                When the field selection character list contains only  a  zero
413                (`0'),  all  fields  are selected (except the raw device field
414                for compatibility reasons) and the NUL terminator character is
415                used.
416
417                Other combinations of fields and their associated field termi‐
418                nator character must be set with explicit  entries  in  f,  as
419                described in the OUTPUT FOR OTHER PROGRAMS section.
420
421                When  a field selection character identifies an item lsof does
422                not normally list - e.g., PPID, selected with -R -  specifica‐
423                tion of the field character - e.g., ``-FR'' - also selects the
424                listing of the item.
425
426                When the field selection character list  contains  the  single
427                character  `?',  lsof  will  display  a help list of the field
428                identification characters.  (Escape the `?' character as  your
429                shell requires.)
430
431       -g [s]   This  option  excludes or selects the listing of files for the
432                processes whose optional process group  IDentification  (PGID)
433                numbers  are  in  the comma-separated set s - e.g., ``123'' or
434                ``123,^456''.  (There should be no spaces in the set.)
435
436                PGID numbers that begin with `^' (negation)  represent  exclu‐
437                sions.
438
439                Multiple  PGID  numbers are joined in a single ORed set before
440                participating in AND option selection.  However,  PGID  exclu‐
441                sions  are  applied  without  ORing  or ANDing and take effect
442                before other selection criteria are applied.
443
444                The -g option also enables the output display of PGID numbers.
445                When specified without a PGID set that's all it does.
446
447       -i [i]   This option selects the listing of files any of whose Internet
448                address matches the address specified in i.  If no address  is
449                specified, this option selects the listing of all Internet and
450                x.25 (HP-UX) network files.
451
452                If -i4 or -i6 is specified with  no  following  address,  only
453                files  of  the  indicated  IP  version, IPv4 or IPv6, are dis‐
454                played.  (An IPv6  specification  may  be  used  only  if  the
455                dialects   supports   IPv6,   as  indicated  by  ``[46]''  and
456                ``IPv[46]'' in lsof's -h or -?  output.)  Sequentially  speci‐
457                fying  -i4,  followed by -i6 is the same as specifying -i, and
458                vice-versa.  Specifying -i4, or -i6 after -i is  the  same  as
459                specifying -i4 or -i6 by itself.
460
461                Multiple  addresses  (up  to  a limit of 100) may be specified
462                with multiple -i options.  (A  port  number  or  service  name
463                range is counted as one address.)  They are joined in a single
464                ORed set before participating in AND option selection.
465
466                An Internet address is specified in the form (Items in  square
467                brackets are optional.):
468
469                [46][protocol][@hostname|hostaddr][:service|port]
470
471                where:
472                     46 specifies the IP version, IPv4 or IPv6
473                          that applies to the following address.
474                          '6' may be be specified only if the UNIX
475                          dialect supports IPv6.  If neither '4' nor
476                          '6' is specified, the following address
477                          applies to all IP versions.
478                     protocol is a protocol name - TCP, UDP
479                     hostname is an Internet host name.  Unless a
480                          specific IP version is specified, open
481                          network files associated with host names
482                          of all versions will be selected.
483                     hostaddr is a numeric Internet IPv4 address in
484                          dot form; or an IPv6 numeric address in
485                          colon form, enclosed in brackets, if the
486                          UNIX dialect supports IPv6.  When an IP
487                          version is selected, only its numeric
488                          addresses may be specified.
489                     service is an /etc/services name - e.g., smtp -
490                          or a list of them.
491                     port is a port number, or a list of them.
492
493                IPv6  options  may  be  used only if the UNIX dialect supports
494                IPv6.  To see if the dialect supports IPv6, run lsof and spec‐
495                ify the -h or -?  (help) option.  If the displayed description
496                of the -i option contains ``[46]'' and  ``IPv[46]'',  IPv6  is
497                supported.
498
499                IPv4  host names and addresses may not be specified if network
500                file selection is limited to IPv6 with -i 6.  IPv6 host  names
501                and  addresses  may not be specified if network file selection
502                is limited to IPv4 with -i  4.   When  an  open  IPv4  network
503                file's  address  is mapped in an IPv6 address, the open file's
504                type will be IPv6, not IPv4, and its display will be  selected
505                by '6', not '4'.
506
507                At  least one address component - 4, 6, protocol, ,IR hostname
508                , hostaddr, or service - must be supplied.  The `@' character,
509                leading  the host specification, is always required; as is the
510                `:', leading the port specification.  Specify either  hostname
511                or  hostaddr.  Specify either service name list or port number
512                list.  If a service name list is specified, the  protocol  may
513                also  need  to  be  specified if the TCP, UDP and UDPLITE port
514                numbers for the service name are different.  Use  any  case  -
515                lower or upper - for protocol.
516
517                Service names and port numbers may be combined in a list whose
518                entries are  separated  by  commas  and  whose  numeric  range
519                entries  are separated by minus signs.  There may be no embed‐
520                ded spaces, and all service names must belong to the specified
521                protocol.   Since  service  names  may  contain embedded minus
522                signs, the starting entry of a range can't be a service  name;
523                it can be a port number, however.
524
525                Here are some sample addresses:
526
527                     -i6 - IPv6 only
528                     TCP:25 - TCP and port 25
529                     @1.2.3.4 - Internet IPv4 host address 1.2.3.4
530                     @[3ffe:1ebc::1]:1234 - Internet IPv6 host address
531                          3ffe:1ebc::1, port 1234
532                     UDP:who - UDP who service port
533                     TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap
534                     tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10,
535                          service name smtp, port 99, host name foo
536                     tcp@bar:1-smtp - TCP, ports 1 through smtp, host bar
537                     :time - either TCP, UDP or UDPLITE time service port
538
539       -k k     This  option specifies a kernel name list file, k, in place of
540                /vmunix, /mach, etc.  This option is not available  under  AIX
541                on the IBM RISC/System 6000.
542
543       -l       This  option  inhibits  the  conversion  of user ID numbers to
544                login names.  It is also useful  when  login  name  lookup  is
545                working improperly or slowly.
546
547       +|-L [l] This  option  enables  (`+')  or disables (`-') the listing of
548                file link counts, where they are available - e.g., they aren't
549                available for sockets, or most FIFOs and pipes.
550
551                When  +L  is  specified  without  a following number, all link
552                counts will be listed.  When -L is specified (the default), no
553                link counts will be listed.
554
555                When  +L  is  followed  by  a number, only files having a link
556                count less than that number will be listed.   (No  number  may
557                follow  -L.)   A specification of the form ``+L1'' will select
558                open files that have been unlinked.  A  specification  of  the
559                form ``+aL1 <file_system>'' will select unlinked open files on
560                the specified file system.
561
562                For other link count comparisons, use field output (-F) and  a
563                post-processing script or program.
564
565       +|-m m   This option specifies an alternate kernel memory file or acti‐
566                vates mount table supplement processing.
567
568                The option form -m m specifies a kernel  memory  file,  m,  in
569                place of /dev/kmem or /dev/mem - e.g., a crash dump file.
570
571                The  option  form  +m requests that a mount supplement file be
572                written to the standard output file.  All  other  options  are
573                silently ignored.
574
575                There  will  be  a  line in the mount supplement file for each
576                mounted file system, containing the mounted file system direc‐
577                tory,  followed by a single space, followed by the device num‐
578                ber in hexadecimal "0x" format - e.g.,
579
580                     / 0x801
581
582                Lsof can use the mount supplement file to get  device  numbers
583                for  file  systems  when  it  can't  get  them  via stat(2) or
584                lstat(2).
585
586                The option form +m m identifies m as a mount supplement file.
587
588                Note: the +m and +m m options are not available for  all  sup‐
589                ported dialects.  Check the output of lsof's -h or -?  options
590                to see if the +m and +m m options are available.
591
592       +|-M     Enables (+) or disables (-) the reporting of portmapper regis‐
593                trations  for  local  TCP, UDP and UDPLITE ports.  The default
594                reporting mode is set by the lsof builder with the  HASPMAPEN‐
595                ABLED  #define in the dialect's machine.h header file; lsof is
596                distributed with the HASPMAPENABLED  #define  deactivated,  so
597                portmapper  reporting  is  disabled  by  default  and  must be
598                requested with +M.  Specifying lsof's -h or  -?   option  will
599                report  the  default  mode.  Disabling portmapper registration
600                when it is  already  disabled  or  enabling  it  when  already
601                enabled is acceptable.
602
603                When  portmapper  registration reporting is enabled, lsof dis‐
604                plays the portmapper registration (if any) for local TCP,  UDP
605                or  UDPLITE ports in square brackets immediately following the
606                port numbers or  service  names  -  e.g.,  ``:1234[name]''  or
607                ``:name[100083]''.  The registration information may be a name
608                or number, depending on what the registering program  supplied
609                to the portmapper when it registered the port.
610
611                When  portmapper  registration  reporting is enabled, lsof may
612                run a little more slowly or even become blocked when access to
613                the  portmapper  becomes  congested  or  stopped.  Reverse the
614                reporting mode to determine if portmapper registration report‐
615                ing is slowing or blocking lsof.
616
617                For purposes of portmapper registration reporting lsof consid‐
618                ers a TCP, UDP or UDPLITE port local if: it is  found  in  the
619                local  part  of  its  containing kernel structure; or if it is
620                located in the foreign part of its containing kernel structure
621                and  the local and foreign Internet addresses are the same; or
622                if it is located in the foreign part of its containing  kernel
623                structure  and the foreign Internet address is INADDR_LOOPBACK
624                (127.0.0.1).  This rule may  make  lsof  ignore  some  foreign
625                ports  on  machines  with multiple interfaces when the foreign
626                Internet address is on a different interface  from  the  local
627                one.
628
629                See  the  lsof  FAQ (The FAQ section gives its location.)  for
630                further  discussion  of  portmapper   registration   reporting
631                issues.
632
633       -n       This option inhibits the conversion of network numbers to host
634                names for network files.  Inhibiting conversion may make  lsof
635                run  faster.   It  is also useful when host name lookup is not
636                working properly.
637
638       -N       This option selects the listing of NFS files.
639
640       -o       This option directs lsof to display file offset at all  times.
641                It  causes  the  SIZE/OFF output column title to be changed to
642                OFFSET.  Note: on some UNIX dialects lsof can't  obtain  accu‐
643                rate  or  consistent  file  offset information from its kernel
644                data sources, sometimes just for  particular  kinds  of  files
645                (e.g.,  socket  files.)  Consult the lsof FAQ (The FAQ section
646                gives its location.)  for more information.
647
648                The -o and -s options are mutually exclusive; they can't  both
649                be  specified.  When neither is specified, lsof displays what‐
650                ever value - size or offset - is appropriate and available for
651                the type of the file.
652
653       -o o     This  option  defines  the  number of decimal digits (o) to be
654                printed after the ``0t'' for a file offset before the form  is
655                switched to ``0x...''.  An o value of zero (unlimited) directs
656                lsof to use the ``0t'' form for all offset output.
657
658                This option does NOT direct lsof  to  display  offset  at  all
659                times;  specify  -o  (without  a  trailing number) to do that.
660                This option only specifies the number of digits  after  ``0t''
661                in  either mixed size and offset or offset-only output.  Thus,
662                for example, to direct lsof to display  offset  at  all  times
663                with a decimal digit count of 10, use:
664
665                     -o -o 10
666                or
667                     -oo10
668
669                The  default number of digits allowed after ``0t'' is normally
670                8, but may have been changed by the lsof builder.  Consult the
671                description  of  the -o o option in the output of the -h or -?
672                option to determine the default that is in effect.
673
674       -O       This option directs lsof to bypass the  strategy  it  uses  to
675                avoid  being  blocked  by some kernel operations - i.e., doing
676                them in forked child processes.  See the BLOCKS  AND  TIMEOUTS
677                and  AVOIDING  KERNEL  BLOCKS sections for more information on
678                kernel operations that may block lsof.
679
680                While use of this option will reduce lsof startup overhead, it
681                may also cause lsof to hang when the kernel doesn't respond to
682                a function.  Use this option cautiously.
683
684       -p s     This option excludes or selects the listing of files  for  the
685                processes  whose optional process IDentification (PID) numbers
686                are  in  the  comma-separated  set  s  -  e.g.,   ``123''   or
687                ``123,^456''.  (There should be no spaces in the set.)
688
689                PID  numbers  that  begin with `^' (negation) represent exclu‐
690                sions.
691
692                Multiple process ID numbers are joined in a  single  ORed  set
693                before  participating  in  AND option selection.  However, PID
694                exclusions are applied without ORing or ANDing and take effect
695                before other selection criteria are applied.
696
697       -P       This  option  inhibits  the conversion of port numbers to port
698                names for network files.  Inhibiting the conversion  may  make
699                lsof  run  a  little faster.  It is also useful when port name
700                lookup is not working properly.
701
702       +|-r [t[m<fmt>]]
703                This option puts lsof in repeat mode.  There lsof  lists  open
704                files  as selected by other options, delays t seconds (default
705                fifteen), then  repeats  the  listing,  delaying  and  listing
706                repetitively  until stopped by a condition defined by the pre‐
707                fix to the option.
708
709                If the prefix is a `-', repeat mode is endless.  Lsof must  be
710                terminated with an interrupt or quit signal.
711
712                If  the prefix is `+', repeat mode will end the first cycle no
713                open files are listed - and of course  when  lsof  is  stopped
714                with  an  interrupt  or  quit  signal.   When repeat mode ends
715                because no files are listed, the process  exit  code  will  be
716                zero  if  any  open  files were ever listed; one, if none were
717                ever listed.
718
719                Lsof marks the end of each listing:  if  field  output  is  in
720                progress  (the  -F,  option  has  been specified), the default
721                marker is `m'; otherwise the default marker  is  ``========''.
722                The marker is followed by a NL character.
723
724                The  optional  "m<fmt>"  argument  specifies  a format for the
725                marker line.  The <fmt> characters following  `m'  are  inter‐
726                preted  as a format specification to the strftime(3) function,
727                when both it and the localtime(3) function  are  available  in
728                the  dialect's  C library.  Consult the strftime(3) documenta‐
729                tion for what may appear in its  format  specification.   Note
730                that  when field output is requested with the -F option, <fmt>
731                cannot contain the NL format, ``%n''.   Note  also  that  when
732                <fmt>  contains  spaces  or  other  characters that affect the
733                shell's interpretation of  arguments,  <fmt>  must  be  quoted
734                appropriately.
735
736                Repeat mode reduces lsof startup overhead, so it is more effi‐
737                cient to use this mode than to call lsof repetitively  from  a
738                shell script, for example.
739
740                To use repeat mode most efficiently, accompany +|-r with spec‐
741                ification of other lsof selection options, so  the  amount  of
742                kernel  memory  access  lsof  does  will be kept to a minimum.
743                Options that filter at the process level - e.g., -c,  -g,  -p,
744                -u - are the most efficient selectors.
745
746                Repeat  mode is useful when coupled with field output (see the
747                -F, option description) and a supervising awk or Perl  script,
748                or a C program.
749
750       -R       This  option directs lsof to list the Parent Process IDentifi‐
751                cation number in the PPID column.
752
753       -s [p:s] s alone directs lsof to display file size at  all  times.   It
754                causes the SIZE/OFF output column title to be changed to SIZE.
755                If the file does not have a size, nothing is displayed.
756
757                When followed by a protocol name (p), either  TCP  or  UDP,  a
758                colon  (`:')  and  a comma-separated protocol state name list,
759                the option causes open TCP and UDP files  to  be  excluded  if
760                their  state name(s) are in the list (s) preceded by a `^'; or
761                included if their name(s) are not preceded by a `^'.
762
763                When an inclusion list is defined,  only  network  files  with
764                state  names  in  the list will be present in the lsof output.
765                Thus, specifying one state name means that only network  files
766                with that lone state name will be listed.
767
768                Case  is unimportant in the protocol or state names, but there
769                may be no spaces and the colon (`:') separating  the  protocol
770                name (p) and the state name list (s) is required.
771
772                If  only  TCP and UDP files are to be listed, as controlled by
773                the specified exclusions and inclusions, the -i option must be
774                specified,  too.   If only a single protocol's files are to be
775                listed, add its name as an argument to the -i option.
776
777                For example, to list only network files with TCP state LISTEN,
778                use:
779
780                     -iTCP -sTCP:LISTEN
781
782                Or,  for  example,  to  list network files with all UDP states
783                except Idle, use:
784
785                     -iUDP -sUDP:Idle
786
787                State names vary with UNIX dialects, so it's not  possible  to
788                provide  a  complete  list.   Some common TCP state names are:
789                CLOSED, IDLE, BOUND, LISTEN, ESTABLISHED, SYN_SENT,  SYN_RCDV,
790                ESTABLISHED,   CLOSE_WAIT,   FIN_WAIT1,   CLOSING,   LAST_ACK,
791                FIN_WAIT_2, and TIME_WAIT.  Two common  UDP  state  names  are
792                Unbound and Idle.
793
794                See  the  lsof  FAQ (The FAQ section gives its location.)  for
795                more information on how to use protocol  state  exclusion  and
796                inclusion, including examples.
797
798                The -o (without a following decimal digit count) and -s option
799                (without a following protocol and state name list)  are  mutu‐
800                ally exclusive; they can't both be specified.  When neither is
801                specified, lsof displays whatever value - size or offset -  is
802                appropriate and available for the type of file.
803
804                Since  some  types  of  files don't have true sizes - sockets,
805                FIFOs, pipes, etc. - lsof displays for their sizes the content
806                amounts in their associated kernel buffers, if possible.
807
808       -S [t]   This  option  specifies an optional time-out seconds value for
809                kernel functions - lstat(2), readlink(2), and stat(2)  -  that
810                might  otherwise  deadlock.   The  minimum  for  t is two; the
811                default, fifteen; when no value is specified, the  default  is
812                used.
813
814                See the BLOCKS AND TIMEOUTS section for more information.
815
816       -T [t]   This  option  controls  the reporting of some TCP/TPI informa‐
817                tion, also  reported  by  netstat(1),  following  the  network
818                addresses.  In normal output the information appears in paren‐
819                theses, each item except TCP or TPI state name identified by a
820                keyword,  followed  by  `=', separated from others by a single
821                space:
822
823                     <TCP or TPI state name>
824                     QR=<read queue length>
825                     QS=<send queue length>
826                     SO=<socket options and values>
827                     SS=<socket states>
828                     TF=<TCP flags and values>
829                     WR=<window read length>
830                     WW=<window write length>
831
832                Not all values are reported for all UNIX dialects.  Items val‐
833                ues (when available) are reported after the item name and '='.
834
835                When  the field output mode is in effect (See OUTPUT FOR OTHER
836                PROGRAMS.)  each item appears as a field with  a  `T'  leading
837                character.
838
839                -T  with no following key characters disables TCP/TPI informa‐
840                tion reporting.
841
842                -T with following characters selects the reporting of specific
843                TCP/TPI information:
844
845                     f    selects reporting of socket options,
846                          states and values, and TCP flags and
847                          values.
848                     q    selects queue length reporting.
849                     s    selects connection state reporting.
850                     w    selects window size reporting.
851
852                Not  all selections are enabled for some UNIX dialects.  State
853                may be selected for all dialects and is reported  by  default.
854                The  -h  or  -?   help output for the -T option will show what
855                selections may be used with the UNIX dialect.
856
857                When -T is used to select information - i.e., it  is  followed
858                by  one or more selection characters - the displaying of state
859                is disabled by default, and it  must  be  explicitly  selected
860                again  in  the characters following -T.  (In effect, then, the
861                default is equivalent to -Ts.)  For example, if queue  lengths
862                and state are desired, use -Tqs.
863
864                Socket  options,  socket states, some socket values, TCP flags
865                and one TCP value may be reported (when available in the  UNIX
866                dialect)  in  the form of the names that commonly appear after
867                SO_, so_, SS_, TCP_  and TF_ in the dialect's header  files  -
868                most     often     <sys/socket.h>,    <sys/socketvar.h>    and
869                <netinet/tcp_var.h>.  Consult those header files for the mean‐
870                ing of the flags, options, states and values.
871
872                ``SO=''  precedes  socket  options and values; ``SS='', socket
873                states; and ``TF='', TCP flags and values.
874
875                If a flag or option has a value, the value will follow an  '='
876                and   the   name   --  e.g.,  ``SO=LINGER=5'',  ``SO=QLIM=5'',
877                ``TF=MSS=512''.  The following seven values may be reported:
878
879                     Name
880                     Reported  Description (Common Symbol)
881
882                     KEEPALIVE keep alive time (SO_KEEPALIVE)
883                     LINGER    linger time (SO_LINGER)
884                     MSS       maximum segment size (TCP_MAXSEG)
885                     PQLEN     partial listen queue connections
886                     QLEN      established listen queue connections
887                     QLIM      established listen queue limit
888                     RCVBUF    receive buffer length (SO_RCVBUF)
889                     SNDBUF    send buffer length (SO_SNDBUF)
890
891                Details on what socket options and values, socket states,  and
892                TCP  flags  and  values  may  be displayed for particular UNIX
893                dialects may be found in the answer to the ``Why doesn't  lsof
894                report socket options, socket states, and TCP flags and values
895                for my dialect?'' and ``Why doesn't lsof  report  the  partial
896                listen  queue connection count for my dialect?''  questions in
897                the lsof FAQ (The FAQ section gives its location.)
898
899       -t       This option specifies that lsof should  produce  terse  output
900                with  process  identifiers  only and no header - e.g., so that
901                the output may be piped to kill(1).  This option  selects  the
902                -w option.
903
904       -u s     This  option  selects  the listing of files for the user whose
905                login names or user ID numbers are in the comma-separated  set
906                s  - e.g., ``abe'', or ``548,root''.  (There should be no spa‐
907                ces in the set.)
908
909                Multiple login names or user ID numbers are joined in a single
910                ORed set before participating in AND option selection.
911
912                If  a login name or user ID is preceded by a `^', it becomes a
913                negation - i.e., files of processes owned by the login name or
914                user ID will never be listed.  A negated login name or user ID
915                selection is neither ANDed nor ORed with other selections;  it
916                is applied before all other selections and absolutely excludes
917                the listing of the files of  the  process.   For  example,  to
918                direct  lsof to exclude the listing of files belonging to root
919                processes, specify ``-u^root'' or ``-u^0''.
920
921       -U       This option selects the listing of UNIX domain socket files.
922
923       -v       This option selects the listing of lsof  version  information,
924                including:  revision  number;  when  the  lsof binary was con‐
925                structed; who constructed the binary and where;  the  name  of
926                the  compiler  used  to construct the lsof binary; the version
927                number of the compiler when readily  available;  the  compiler
928                and loader flags used to construct the lsof binary; and system
929                information, typically the output of uname's -a option.
930
931       -V       This option directs lsof to indicate the items it was asked to
932                list  and failed to find - command names, file names, Internet
933                addresses or files, login names, NFS files, PIDs,  PGIDs,  and
934                UIDs.
935
936                When  other  options  are  ANDed  to  search  options, or com‐
937                pile-time options restrict the listing of some files, lsof may
938                not  report that it failed to find a search item when an ANDed
939                option or compile-time option prevents the listing of the open
940                file containing the located search item.
941
942                For example, ``lsof -V -iTCP@foobar -a -d 999'' may not report
943                a failure to locate open files at ``TCP@foobar'' and  may  not
944                list  any,  if  none  have a file descriptor number of 999.  A
945                similar situation arises when HASSECURITY  and  HASNOSOCKSECU‐
946                RITY  are defined at compile time and they prevent the listing
947                of open files.
948
949       +|-w     Enables (+) or disables (-) the suppression  of  warning  mes‐
950                sages.
951
952                The  lsof builder may choose to have warning messages disabled
953                or enabled by default.  The default warning message  state  is
954                indicated  in  the  output of the -h or -?  option.  Disabling
955                warning messages when they are already  disabled  or  enabling
956                them when already enabled is acceptable.
957
958                The -t option selects the -w option.
959
960       -x  [fl] This  option  may  accompany  the  +d and +D options to direct
961                their processing to cross over symbolic links and|or file sys‐
962                tem  mount points encountered when scanning the directory (+d)
963                or directory tree (+D).
964
965                If -x is specified by itself without  a  following  parameter,
966                cross-over  processing  of both symbolic links and file system
967                mount points is enabled.  Note that when -x is specified with‐
968                out a parameter, the next argument must begin with '-' or '+'.
969
970                The  optional  'f'  parameter  enables file system mount point
971                cross-over processing; 'l', symbolic link cross-over  process‐
972                ing.
973
974                The  -x option may not be supplied without also supplying a +d
975                or +D option.
976
977       -X       This is a dialect-specific option.
978
979           AIX:
980                This IBM AIX RISC/System 6000 option requests the reporting of
981                executed text file and shared library references.
982
983                WARNING: because this option uses the kernel readx() function,
984                its use on a  busy  AIX  system  might  cause  an  application
985                process  to  hang  so completely that it can neither be killed
986                nor stopped.  I have never seen this happen or had a report of
987                its  happening,  but  I think there is a remote possibility it
988                could happen.
989
990                By default use of readx() is disabled.  On AIX  5L  and  above
991                lsof  may  need  setuid-root permission to perform the actions
992                this option requests.
993
994                The lsof builder may specify that the -X option be  restricted
995                to  processes  whose real UID is root.  If that has been done,
996                the -X option will not appear in the -h  or  -?   help  output
997                unless  the real UID of the lsof process is root.  The default
998                lsof distribution allows any UID to specify -X, so by  default
999                it will appear in the help output.
1000
1001                When  AIX  readx()  use  is  disabled, lsof may not be able to
1002                report information for all text and  loader  file  references,
1003                but  it  may  also  avoid exacerbating an AIX kernel directory
1004                search kernel error, known as the Stale Segment ID bug.
1005
1006                The readx() function, used by lsof or  any  other  program  to
1007                access some sections of kernel virtual memory, can trigger the
1008                Stale Segment ID bug.  It can cause the kernel's  dir_search()
1009                function to believe erroneously that part of an in-memory copy
1010                of a file system directory has been zeroed.  Another  applica‐
1011                tion  process, distinct from lsof, asking the kernel to search
1012                the  directory  -  e.g.,  by  using  open(2)   -   can   cause
1013                dir_search()  to  loop  forever,  thus hanging the application
1014                process.
1015
1016                Consult the lsof FAQ (The FAQ  section  gives  its  location.)
1017                and the 00README file of the lsof distribution for a more com‐
1018                plete description of the Stale Segment ID bug, its  APAR,  and
1019                methods for defining readx() use when compiling lsof.
1020
1021           Linux:
1022                This  Linux  option  requests  that lsof skip the reporting of
1023                information on all open TCP, UDP and  UDPLITE  IPv4  and  IPv6
1024                files.
1025
1026                This  Linux  option  is  most  useful  when  the system has an
1027                extremely large number of open TCP, UDP and UDPLITE files, the
1028                processing  of  whose  information  in  the /proc/net/tcp* and
1029                /proc/net/udp* files would take lsof a long  time,  and  whose
1030                reporting is not of interest.
1031
1032                Use  this option with care and only when you are sure that the
1033                information you want lsof to  display  isn't  associated  with
1034                open TCP, UDP or UDPLITE socket files.
1035
1036           Solaris 10 and above:
1037                This  Solaris  10  and  above option requests the reporting of
1038                cached paths for files that have been deleted - i.e.,  removed
1039                with rm(1) or unlink(2).
1040
1041                The  cached  path  is followed by the string `` (deleted)'' to
1042                indicate that the path by which the file was opened  has  been
1043                deleted.
1044
1045                Because  intervening  changes made to the path - i.e., renames
1046                with mv(1) or rename(2) - are not recorded in the cached path,
1047                what  lsof  reports  is  only  the  path by which the file was
1048                opened, not its possibly different final path.
1049
1050       -z [z]   specifies how Solaris 10 and higher zone information is to  be
1051                handled.
1052
1053                Without  a following argument - e.g., NO z - the option speci‐
1054                fies that zone names are to be listed in the ZONE output  col‐
1055                umn.
1056
1057                The  -z option may be followed by a zone name, z.  That causes
1058                lsof to list only open files for processes in that zone.  Mul‐
1059                tiple  -z z option and argument pairs may be specified to form
1060                a list of named zones.  Any open file of any process in any of
1061                the  zones  will be listed, subject to other conditions speci‐
1062                fied by other options and arguments.
1063
1064       -Z [Z]   specifies how SELinux security contexts  are  to  be  handled.
1065                This  option and 'Z' field output character support are inhib‐
1066                ited when SELinux is disabled in  the  running  Linux  kernel.
1067                See  OUTPUT FOR OTHER PROGRAMS for more information on the 'Z'
1068                field output character.
1069
1070                Without a following argument - e.g., NO Z - the option  speci‐
1071                fies  that  security  contexts  are  to be listed in the SECU‐
1072                RITY-CONTEXT output column.
1073
1074                The -Z option may be followed by a wildcard  security  context
1075                name,  Z.   That  causes lsof to list only open files for pro‐
1076                cesses in that security context.  Multiple  -Z  Z  option  and
1077                argument  pairs  may  be  specified to form a list of security
1078                contexts.  Any open file of any process in any of the security
1079                contexts will be listed, subject to other conditions specified
1080                by other options and arguments.  Note that Z can be  A:B:C  or
1081                *:B:C or A:B:* or *:*:C to match against the A:B:C context.
1082
1083       --       The  double minus sign option is a marker that signals the end
1084                of the keyed options.  It may be used, for example,  when  the
1085                first file name begins with a minus sign.  It may also be used
1086                when the absence of a value for the last keyed option must  be
1087                signified  by  the  presence  of a minus sign in the following
1088                option and before the start of the file names.
1089
1090       names    These are path names of  specific  files  to  list.   Symbolic
1091                links  are  resolved  before use.  The first name may be sepa‐
1092                rated from the preceding options with the ``--'' option.
1093
1094                If a name is the mounted-on directory of a file system or  the
1095                device  of  the file system, lsof will list all the files open
1096                on the file system.  To be considered a file system, the  name
1097                must  match a mounted-on directory name in mount(8) output, or
1098                match the name of a block device associated with a  mounted-on
1099                directory  name.  The +|-f option may be used to force lsof to
1100                consider a name a file system identifier (+f) or a simple file
1101                (-f).
1102
1103                If  name  is  a path to a directory that is not the mounted-on
1104                directory name of a file system, it is treated just as a regu‐
1105                lar  file is treated - i.e., its listing is restricted to pro‐
1106                cesses that have it open as a file or  as  a  process-specific
1107                directory,  such as the root or current working directory.  To
1108                request that lsof look for open files inside a directory name,
1109                use the +d s and +D D options.
1110
1111                If  a name is the base name of a family of multiplexed files -
1112                e. g, AIX's /dev/pt[cs] - lsof will list  all  the  associated
1113                multiplexed  files  on  the  device  that  are  open  -  e.g.,
1114                /dev/pt[cs]/1, /dev/pt[cs]/2, etc.
1115
1116                If a name is a UNIX domain  socket  name,  lsof  will  usually
1117                search for it by the characters of the name alone - exactly as
1118                it is specified and is recorded in the  kernel  socket  struc‐
1119                ture.   (See  the next paragraph for an exception to that rule
1120                for Linux.)  Specifying a relative path - e.g.,  ./file  -  in
1121                place  of  the  file's absolute path - e.g., /tmp/file - won't
1122                work because lsof must match the characters you  specify  with
1123                what it finds in the kernel UNIX domain socket structures.
1124
1125                If a name is a Linux UNIX domain socket name, in one case lsof
1126                is able to search for it  by  its  device  and  inode  number,
1127                allowing  name  to be a relative path.  The case requires that
1128                the absolute path -- i.e., one beginning with a slash ('/') be
1129                used  by  the  process  that  created the socket, and hence be
1130                stored in the /proc/net/unix file; and it requires  that  lsof
1131                be  able  to  obtain  the  device and node numbers of both the
1132                absolute  path  in  /proc/net/unix  and  name  via  successful
1133                stat(2)  system  calls.   When  those conditions are met, lsof
1134                will be able to search for the UNIX domain  socket  when  some
1135                path to it is is specified in name.  Thus, for example, if the
1136                path is /dev/log, and an lsof search  is  initiated  when  the
1137                working directory is /dev, then name could be ./log.
1138
1139                If  a name is none of the above, lsof will list any open files
1140                whose device and inode match that of the specified path name.
1141
1142                If you have also specified the -b option, the only  names  you
1143                may safely specify are file systems for which your mount table
1144                supplies alternate device numbers.  See  the  AVOIDING  KERNEL
1145                BLOCKS and ALTERNATE DEVICE NUMBERS sections for more informa‐
1146                tion.
1147
1148                Multiple file names are joined in a  single  ORed  set  before
1149                participating in AND option selection.
1150

AFS

1152       Lsof  supports the recognition of AFS files for these dialects (and AFS
1153       versions):
1154
1155            AIX 4.1.4 (AFS 3.4a)
1156            HP-UX 9.0.5 (AFS 3.4a)
1157            Linux 1.2.13 (AFS 3.3)
1158            Solaris 2.[56] (AFS 3.4a)
1159
1160       It may recognize AFS files on other versions of these dialects, but has
1161       not  been  tested there.  Depending on how AFS is implemented, lsof may
1162       recognize AFS files in other dialects, or may have difficulties  recog‐
1163       nizing AFS files in the supported dialects.
1164
1165       Lsof may have trouble identifying all aspects of AFS files in supported
1166       dialects when AFS kernel support is  implemented  via  dynamic  modules
1167       whose  addresses  do not appear in the kernel's variable name list.  In
1168       that case, lsof may have to guess at the identity  of  AFS  files,  and
1169       might  not be able to obtain volume information from the kernel that is
1170       needed for calculating AFS volume node numbers.  When lsof  can't  com‐
1171       pute volume node numbers, it reports blank in the NODE column.
1172
1173       The  -A  A  option is available in some dialect implementations of lsof
1174       for specifying the name list file where dynamic module kernel addresses
1175       may  be found.  When this option is available, it will be listed in the
1176       lsof help output, presented in response to the -h or -?
1177
1178       See the lsof FAQ (The FAQ section gives its location.)  for more infor‐
1179       mation  about  dynamic modules, their symbols, and how they affect lsof
1180       options.
1181
1182       Because AFS path lookups don't seem to participate in the kernel's name
1183       cache  operations,  lsof  can't  identify  path name components for AFS
1184       files.
1185

SECURITY

1187       Lsof has three features that may cause security concerns.   First,  its
1188       default  compilation mode allows anyone to list all open files with it.
1189       Second, by default it creates a user-readable and user-writable  device
1190       cache  file  in  the  home  directory of the real user ID that executes
1191       lsof.  (The list-all-open-files and device cache features may  be  dis‐
1192       abled when lsof is compiled.)  Third, its -k and -m options name alter‐
1193       nate kernel name list or memory files.
1194
1195       Restricting the listing of all open files is  controlled  by  the  com‐
1196       pile-time  HASSECURITY and HASNOSOCKSECURITY options.  When HASSECURITY
1197       is defined, lsof will allow only the root user to list all open  files.
1198       The  non-root  user may list only open files of processes with the same
1199       user IDentification number as the real  user  ID  number  of  the  lsof
1200       process (the one that its user logged on with).
1201
1202       However,  if HASSECURITY and HASNOSOCKSECURITY are both defined, anyone
1203       may list open socket files, provided they  are  selected  with  the  -i
1204       option.
1205
1206       When HASSECURITY is not defined, anyone may list all open files.
1207
1208       Help  output,  presented in response to the -h or -?  option, gives the
1209       status of the HASSECURITY and HASNOSOCKSECURITY definitions.
1210
1211       See the Security section of the 00README file of the lsof  distribution
1212       for  information on building lsof with the HASSECURITY and HASNOSOCKSE‐
1213       CURITY options enabled.
1214
1215       Creation and use of a user-readable and user-writable device cache file
1216       is  controlled  by  the  compile-time HASDCACHE option.  See the DEVICE
1217       CACHE FILE section and the sections that follow it for details  on  how
1218       its  path  is  formed.   For security considerations it is important to
1219       note that in the default lsof distribution, if the real user  ID  under
1220       which  lsof  is executed is root, the device cache file will be written
1221       in root's home directory - e.g., / or /root.   When  HASDCACHE  is  not
1222       defined, lsof does not write or attempt to read a device cache file.
1223
1224       When  HASDCACHE is defined, the lsof help output, presented in response
1225       to the -h, -D?, or -?  options, will provide device cache file handling
1226       information.   When HASDCACHE is not defined, the -h or -?  output will
1227       have no -D option description.
1228
1229       Before you decide to disable the device cache file feature  -  enabling
1230       it improves the performance of lsof by reducing the startup overhead of
1231       examining all the nodes in /dev (or /devices) - read the discussion  of
1232       it  in the 00DCACHE file of the lsof distribution and the lsof FAQ (The
1233       FAQ section gives its location.)
1234
1235       WHEN IN DOUBT, YOU CAN TEMPORARILY DISABLE THE USE OF THE DEVICE  CACHE
1236       FILE WITH THE -Di OPTION.
1237
1238       When lsof user declares alternate kernel name list or memory files with
1239       the -k and -m options, lsof checks the user's authority  to  read  them
1240       with  access(2).   This  is  intended to prevent whatever special power
1241       lsof's modes might confer on it from letting it read files not normally
1242       accessible via the authority of the real user ID.
1243

OUTPUT

1245       This  section  describes the information lsof lists for each open file.
1246       See the OUTPUT FOR OTHER PROGRAMS section for additional information on
1247       output that can be processed by another program.
1248
1249       Lsof  only  outputs printable (declared so by isprint(3)) 8 bit charac‐
1250       ters.  Non-printable characters are printed in one of three forms:  the
1251       C  ``\[bfrnt]'' form; the control character `^' form (e.g., ``^@''); or
1252       hexadecimal leading ``\x'' form (e.g., ``\xab'').  Space is  non-print‐
1253       able in the COMMAND column (``\x20'') and printable elsewhere.
1254
1255       For  some  dialects  -  if  HASSETLOCALE  is  defined  in the dialect's
1256       machine.h header file - lsof will print the extended 8  bit  characters
1257       of  a  language  locale.   The lsof process must be supplied a language
1258       locale environment variable (e.g., LANG) whose value represents a known
1259       language  locale in which the extended characters are considered print‐
1260       able by isprint(3).  Otherwise lsof considers the  extended  characters
1261       non-printable  and prints them according to its rules for non-printable
1262       characters, stated above.  Consult your dialect's setlocale(3) man page
1263       for  the names of other environment variables that may be used in place
1264       of LANG - e.g., LC_ALL, LC_CTYPE, etc.
1265
1266       Lsof's language locale support for a dialect also covers  wide  charac‐
1267       ters  -  e.g., UTF-8 - when HASSETLOCALE and HASWIDECHAR are defined in
1268       the dialect's machine.h header  file,  and  when  a  suitable  language
1269       locale has been defined in the appropriate environment variable for the
1270       lsof process.  Wide characters are printable under those conditions  if
1271       iswprint(3)  reports  them  to  be.  If HASSETLOCALE, HASWIDECHAR and a
1272       suitable language locale aren't defined, or if iswprint(3) reports wide
1273       characters  that  aren't  printable, lsof considers the wide characters
1274       non-printable and prints each of their 8 bits according  to  its  rules
1275       for non-printable characters, stated above.
1276
1277       Consult  the  answers to the "Language locale support" questions in the
1278       lsof FAQ (The FAQ section gives its location.) for more information.
1279
1280       Lsof dynamically sizes the output columns each time it runs, guarantee‐
1281       ing  that  each column is a minimum size.  It also guarantees that each
1282       column is separated from its predecessor by at least one space.
1283
1284       COMMAND    contains the first nine characters of the name of  the  UNIX
1285                  command  associated with the process.  If a non-zero w value
1286                  is specified to the +c w option,  the  column  contains  the
1287                  first  w  characters of the name of the UNIX command associ‐
1288                  ated with the process up to the limit of characters supplied
1289                  to lsof by the UNIX dialect.  (See the description of the +c
1290                  w command or the lsof FAQ for  more  information.   The  FAQ
1291                  section gives its location.)
1292
1293                  If  w  is  less  than the length of the column title, ``COM‐
1294                  MAND'', it will be raised to that length.
1295
1296                  If a zero w value is specified to the +c w option, the  col‐
1297                  umn contains all the characters of the name of the UNIX com‐
1298                  mand associated with the process.
1299
1300                  All command name characters maintained by the kernel in  its
1301                  structures  are  displayed  in field output when the command
1302                  name descriptor (`c') is  specified.   See  the  OUTPUT  FOR
1303                  OTHER  COMMANDS  section  for information on selecting field
1304                  output and the associated command name descriptor.
1305
1306       PID        is the Process IDentification number of the process.
1307
1308       ZONE       is the Solaris 10 and higher zone name.  This column must be
1309                  selected with the -z option.
1310
1311       SECURITY-CONTEXT
1312                  is  the  SELinux  security  context.   This  column  must be
1313                  selected with the -Z option.  Note that  the  -Z  option  is
1314                  inhibited when SELinux is disabled in the running Linux ker‐
1315                  nel.
1316
1317       PPID       is the Parent Process IDentification number of the  process.
1318                  It is only displayed when the -R option has been specified.
1319
1320       PGID       is  the  process group IDentification number associated with
1321                  the process.  It is only displayed when the  -g  option  has
1322                  been specified.
1323
1324       USER       is  the user ID number or login name of the user to whom the
1325                  process belongs, usually the  same  as  reported  by  ps(1).
1326                  However,  on  Linux USER is the user ID number or login that
1327                  owns the directory in /proc  where  lsof  finds  information
1328                  about  the process.  Usually that is the same value reported
1329                  by ps(1), but may differ when the process  has  changed  its
1330                  effective  user  ID.   (See  the  -l  option description for
1331                  information on when a user ID number or login name  is  dis‐
1332                  played.)
1333
1334       FD         is the File Descriptor number of the file or:
1335
1336                       cwd  current working directory;
1337                       Lnn  library references (AIX);
1338                       err  FD information error (see NAME column);
1339                       jld  jail directory (FreeBSD);
1340                       ltx  shared library text (code and data);
1341                       Mxx  hex memory-mapped type number xx.
1342                       m86  DOS Merge mapped file;
1343                       mem  memory-mapped file;
1344                       mmap memory-mapped device;
1345                       pd   parent directory;
1346                       rtd  root directory;
1347                       tr   kernel trace file (OpenBSD);
1348                       txt  program text (code and data);
1349                       v86  VP/ix mapped file;
1350
1351                  FD  is  followed  by one of these characters, describing the
1352                  mode under which the file is open:
1353
1354                       r for read access;
1355                       w for write access;
1356                       u for read and write access;
1357                       space if mode unknown and no lock
1358                            character follows;
1359                       `-' if mode unknown and lock
1360                            character follows.
1361
1362                  The mode character is followed by one of these lock  charac‐
1363                  ters, describing the type of lock applied to the file:
1364
1365                       N for a Solaris NFS lock of unknown type;
1366                       r for read lock on part of the file;
1367                       R for a read lock on the entire file;
1368                       w for a write lock on part of the file;
1369                       W for a write lock on the entire file;
1370                       u for a read and write lock of any length;
1371                       U for a lock of unknown type;
1372                       x  for an SCO OpenServer Xenix lock on part      of the
1373                  file;
1374                       X for an SCO OpenServer Xenix lock on  the       entire
1375                  file;
1376                       space if there is no lock.
1377
1378                  See  the  LOCKS  section  for  more  information on the lock
1379                  information character.
1380
1381                  The FD column contents constitutes a single field for  pars‐
1382                  ing in post-processing scripts.
1383
1384       TYPE       is  the  type  of  the node associated with the file - e.g.,
1385                  GDIR, GREG, VDIR, VREG, etc.
1386
1387                  or ``IPv4'' for an IPv4 socket;
1388
1389                  or ``IPv6'' for an open IPv6 network  file  -  even  if  its
1390                  address is IPv4, mapped in an IPv6 address;
1391
1392                  or ``ax25'' for a Linux AX.25 socket;
1393
1394                  or ``inet'' for an Internet domain socket;
1395
1396                  or ``lla'' for a HP-UX link level access file;
1397
1398                  or ``rte'' for an AF_ROUTE socket;
1399
1400                  or ``sock'' for a socket of unknown domain;
1401
1402                  or ``unix'' for a UNIX domain socket;
1403
1404                  or ``x.25'' for an HP-UX x.25 socket;
1405
1406                  or ``BLK'' for a block special file;
1407
1408                  or ``CHR'' for a character special file;
1409
1410                  or ``DEL'' for a Linux map file that has been deleted;
1411
1412                  or ``DIR'' for a directory;
1413
1414                  or ``DOOR'' for a VDOOR file;
1415
1416                  or ``FIFO'' for a FIFO special file;
1417
1418                  or ``KQUEUE'' for a BSD style kernel event queue file;
1419
1420                  or ``LINK'' for a symbolic link file;
1421
1422                  or ``MPB'' for a multiplexed block file;
1423
1424                  or ``MPC'' for a multiplexed character file;
1425
1426                  or  ``NOFD'' for a Linux /proc/<PID>/fd directory that can't
1427                  be opened -- the directory path appears in the NAME  column,
1428                  followed by an error message;
1429
1430                  or ``PAS'' for a /proc/as file;
1431
1432                  or ``PAXV'' for a /proc/auxv file;
1433
1434                  or ``PCRE'' for a /proc/cred file;
1435
1436                  or ``PCTL'' for a /proc control file;
1437
1438                  or ``PCUR'' for the current /proc process;
1439
1440                  or ``PCWD'' for a /proc current working directory;
1441
1442                  or ``PDIR'' for a /proc directory;
1443
1444                  or ``PETY'' for a /proc executable type (etype);
1445
1446                  or ``PFD'' for a /proc file descriptor;
1447
1448                  or ``PFDR'' for a /proc file descriptor directory;
1449
1450                  or ``PFIL'' for an executable /proc file;
1451
1452                  or ``PFPR'' for a /proc FP register set;
1453
1454                  or ``PGD'' for a /proc/pagedata file;
1455
1456                  or ``PGID'' for a /proc group notifier file;
1457
1458                  or ``PIPE'' for pipes;
1459
1460                  or ``PLC'' for a /proc/lwpctl file;
1461
1462                  or ``PLDR'' for a /proc/lpw directory;
1463
1464                  or ``PLDT'' for a /proc/ldt file;
1465
1466                  or ``PLPI'' for a /proc/lpsinfo file;
1467
1468                  or ``PLST'' for a /proc/lstatus file;
1469
1470                  or ``PLU'' for a /proc/lusage file;
1471
1472                  or ``PLWG'' for a /proc/gwindows file;
1473
1474                  or ``PLWI'' for a /proc/lwpsinfo file;
1475
1476                  or ``PLWS'' for a /proc/lwpstatus file;
1477
1478                  or ``PLWU'' for a /proc/lwpusage file;
1479
1480                  or ``PLWX'' for a /proc/xregs file'
1481
1482                  or ``PMAP'' for a /proc map file (map);
1483
1484                  or ``PMEM'' for a /proc memory image file;
1485
1486                  or ``PNTF'' for a /proc process notifier file;
1487
1488                  or ``POBJ'' for a /proc/object file;
1489
1490                  or ``PODR'' for a /proc/object directory;
1491
1492                  or  ``POLP''  for  an  old format /proc light weight process
1493                  file;
1494
1495                  or ``POPF'' for an old format /proc PID file;
1496
1497                  or ``POPG'' for an old format /proc page data file;
1498
1499                  or ``PORT'' for a SYSV named pipe;
1500
1501                  or ``PREG'' for a /proc register file;
1502
1503                  or ``PRMP'' for a /proc/rmap file;
1504
1505                  or ``PRTD'' for a /proc root directory;
1506
1507                  or ``PSGA'' for a /proc/sigact file;
1508
1509                  or ``PSIN'' for a /proc/psinfo file;
1510
1511                  or ``PSTA'' for a /proc status file;
1512
1513                  or ``PSXSEM'' for a POSIX semaphore file;
1514
1515                  or ``PSXSHM'' for a POSIX shared memory file;
1516
1517                  or ``PUSG'' for a /proc/usage file;
1518
1519                  or ``PW'' for a /proc/watch file;
1520
1521                  or ``PXMP'' for a /proc/xmap file;
1522
1523                  or ``REG'' for a regular file;
1524
1525                  or ``SMT'' for a shared memory transport file;
1526
1527                  or ``STSO'' for a stream socket;
1528
1529                  or ``UNNM'' for an unnamed type file;
1530
1531                  or ``XNAM'' for an OpenServer Xenix special file of  unknown
1532                  type;
1533
1534                  or ``XSEM'' for an OpenServer Xenix semaphore file;
1535
1536                  or ``XSD'' for an OpenServer Xenix shared data file;
1537
1538                  or  the  four  type  number octets if the corresponding name
1539                  isn't known.
1540
1541       FILE-ADDR  contains the kernel file structure address when f  has  been
1542                  specified to +f;
1543
1544       FCT        contains  the  file  reference  count  from  the kernel file
1545                  structure when c has been specified to +f;
1546
1547       FILE-FLAG  when g or G has been specified to +f,  this  field  contains
1548                  the  contents  of  the  f_flag[s]  member of the kernel file
1549                  structure and the kernel's per-process open file  flags  (if
1550                  available);  `G' causes them to be displayed in hexadecimal;
1551                  `g', as short-hand names; two lists may  be  displayed  with
1552                  entries  separated by commas, the lists separated by a semi‐
1553                  colon (`;'); the first list may contain short-hand names for
1554                  f_flag[s] values from the following table:
1555
1556                       AIO       asynchronous I/O (e.g., FAIO)
1557                       AP        append
1558                       ASYN      asynchronous I/O (e.g., FASYNC)
1559                       BAS       block, test, and set in use
1560                       BKIU      block if in use
1561                       BL        use block offsets
1562                       BSK       block seek
1563                       CA        copy avoid
1564                       CIO       concurrent I/O
1565                       CLON      clone
1566                       CLRD      CL read
1567                       CR        create
1568                       DF        defer
1569                       DFI       defer IND
1570                       DFLU      data flush
1571                       DIR       direct
1572                       DLY       delay
1573                       DOCL      do clone
1574                       DSYN      data-only integrity
1575                       DTY       must be a directory
1576                       EVO       event only
1577                       EX        open for exec
1578                       EXCL      exclusive open
1579                       FSYN      synchronous writes
1580                       GCDF      defer during unp_gc() (AIX)
1581                       GCMK      mark during unp_gc() (AIX)
1582                       GTTY      accessed via /dev/tty
1583                       HUP       HUP in progress
1584                       KERN      kernel
1585                       KIOC      kernel-issued ioctl
1586                       LCK       has lock
1587                       LG        large file
1588                       MBLK      stream message block
1589                       MK        mark
1590                       MNT       mount
1591                       MSYN      multiplex synchronization
1592                       NATM      don't update atime
1593                       NB        non-blocking I/O
1594                       NBDR      no BDRM check
1595                       NBIO      SYSV non-blocking I/O
1596                       NBF       n-buffering in effect
1597                       NC        no cache
1598                       ND        no delay
1599                       NDSY      no data synchronization
1600                       NET       network
1601                       NFLK      don't follow links
1602                       NMFS      NM file system
1603                       NOTO      disable background stop
1604                       NSH       no share
1605                       NTTY      no controlling TTY
1606                       OLRM      OLR mirror
1607                       PAIO      POSIX asynchronous I/O
1608                       PP        POSIX pipe
1609                       R         read
1610                       RC        file and record locking cache
1611                       REV       revoked
1612                       RSH       shared read
1613                       RSYN      read synchronization
1614                       RW        read and write access
1615                       SL        shared lock
1616                       SNAP      cooked snapshot
1617                       SOCK      socket
1618                       SQSH      Sequent shared set on open
1619                       SQSV      Sequent SVM set on open
1620                       SQR       Sequent set repair on open
1621                       SQS1      Sequent full shared open
1622                       SQS2      Sequent partial shared open
1623                       STPI      stop I/O
1624                       SWR       synchronous read
1625                       SYN       file integrity while writing
1626                       TCPM      avoid TCP collision
1627                       TR        truncate
1628                       W         write
1629                       WKUP      parallel I/O synchronization
1630                       WTG       parallel I/O synchronization
1631                       VH        vhangup pending
1632                       VTXT      virtual text
1633                       XL        exclusive lock
1634
1635                  this  list of names was derived from F* #define's in dialect
1636                  header  files   <fcntl.h>,   <linux</fs.h>,   <sys/fcntl.c>,
1637                  <sys/fcntlcom.h>,  and  <sys/file.h>;  see the lsof.h header
1638                  file for a list showing the correspondence between the above
1639                  short-hand names and the header file definitions;
1640
1641                  the second list (after the semicolon) may contain short-hand
1642                  names for kernel per-process open file flags from  this  ta‐
1643                  ble:
1644
1645                       ALLC      allocated
1646                       BR        the file has been read
1647                       BHUP      activity stopped by SIGHUP
1648                       BW        the file has been written
1649                       CLSG      closing
1650                       CX        close-on-exec (see fcntl(F_SETFD))
1651                       LCK       lock was applied
1652                       MP        memory-mapped
1653                       OPIP      open pending - in progress
1654                       RSVW      reserved wait
1655                       SHMT      UF_FSHMAT set (AIX)
1656                       USE       in use (multi-threaded)
1657
1658       NODE-ID    (or  INODE-ADDR for some dialects) contains a unique identi‐
1659                  fier for the file node (usually the kernel  vnode  or  inode
1660                  address, but also occasionally a concatenation of device and
1661                  node number) when n has been specified to +f;
1662
1663       DEVICE     contains the device numbers,  separated  by  commas,  for  a
1664                  character  special, block special, regular, directory or NFS
1665                  file;
1666
1667                  or ``memory'' for a memory  file  system  node  under  Tru64
1668                  UNIX;
1669
1670                  or  the address of the private data area of a Solaris socket
1671                  stream;
1672
1673                  or a kernel reference address that identifies the file  (The
1674                  kernel  reference  address may be used for FIFO's, for exam‐
1675                  ple.);
1676
1677                  or the base address or device name of a Linux  AX.25  socket
1678                  device.
1679
1680                  Usually  only the lower thirty two bits of Tru64 UNIX kernel
1681                  addresses are displayed.
1682
1683       SIZE, SIZE/OFF, or OFFSET
1684                  is the size of the file or the  file  offset  in  bytes.   A
1685                  value  is  displayed in this column only if it is available.
1686                  Lsof displays whatever value - size or offset - is appropri‐
1687                  ate for the type of the file and the version of lsof.
1688
1689                  On  some UNIX dialects lsof can't obtain accurate or consis‐
1690                  tent file offset information from its kernel  data  sources,
1691                  sometimes  just  for particular kinds of files (e.g., socket
1692                  files.)  In other cases, files don't have true sizes - e.g.,
1693                  sockets, FIFOs, pipes - so lsof displays for their sizes the
1694                  content amounts it finds in their kernel buffer  descriptors
1695                  (e.g.,  socket  buffer  size counts or TCP/IP window sizes.)
1696                  Consult the lsof FAQ (The FAQ section gives  its  location.)
1697                  for more information.
1698
1699                  The  file  size  is displayed in decimal; the offset is nor‐
1700                  mally displayed in decimal with a leading ``0t'' if it  con‐
1701                  tains 8 digits or less; in hexadecimal with a leading ``0x''
1702                  if it is longer than 8 digits.  (Consult  the  -o  o  option
1703                  description  for information on when 8 might default to some
1704                  other value.)
1705
1706                  Thus the leading ``0t'' and ``0x'' identify an  offset  when
1707                  the  column may contain both a size and an offset (i.e., its
1708                  title is SIZE/OFF).
1709
1710                  If the -o option is specified, lsof always displays the file
1711                  offset (or nothing if no offset is available) and labels the
1712                  column OFFSET.  The offset  always  begins  with  ``0t''  or
1713                  ``0x'' as described above.
1714
1715                  The  lsof  user can control the switch from ``0t'' to ``0x''
1716                  with the -o o option.   Consult  its  description  for  more
1717                  information.
1718
1719                  If the -s option is specified, lsof always displays the file
1720                  size (or nothing if no size is  available)  and  labels  the
1721                  column  SIZE.  The -o and -s options are mutually exclusive;
1722                  they can't both be specified.
1723
1724                  For files that don't have a fixed size - e.g., don't  reside
1725                  on a disk device - lsof will display appropriate information
1726                  about the current size or position of  the  file  if  it  is
1727                  available in the kernel structures that define the file.
1728
1729       NLINK      contains the file link count when +L has been specified;
1730
1731       NODE       is the node number of a local file;
1732
1733                  or the inode number of an NFS file in the server host;
1734
1735                  or the Internet protocol type - e. g, ``TCP'';
1736
1737                  or ``STR'' for a stream;
1738
1739                  or ``CCITT'' for an HP-UX x.25 socket;
1740
1741                  or the IRQ or inode number of a Linux AX.25 socket device.
1742
1743       NAME       is  the name of the mount point and file system on which the
1744                  file resides;
1745
1746                  or the name of a file specified in the names  option  (after
1747                  any symbolic links have been resolved);
1748
1749                  or the name of a character special or block special device;
1750
1751                  or  the  local  and  remote  Internet addresses of a network
1752                  file; the local host name or IP  number  is  followed  by  a
1753                  colon  (':'),  the  port,  ``->'',  and  the two-part remote
1754                  address; IP addresses may be reported as numbers  or  names,
1755                  depending  on  the +|-M, -n, and -P options; colon-separated
1756                  IPv6  numbers  are  enclosed  in   square   brackets;   IPv4
1757                  INADDR_ANY  and  IPv6 IN6_IS_ADDR_UNSPECIFIED addresses, and
1758                  zero port numbers are represented by an  asterisk  ('*');  a
1759                  UDP  destination  address  may  be followed by the amount of
1760                  time elapsed since the last packet was sent to the  destina‐
1761                  tion;  TCP, UDP and UDPLITE remote addresses may be followed
1762                  by  TCP/TPI  information  in  parentheses  -  state   (e.g.,
1763                  ``(ESTABLISHED)'',  ``(Unbound)''),  queue sizes, and window
1764                  sizes (not all dialects) - in a fashion similar to what net‐
1765                  stat(1)  reports;  see  the  -T  option  description  or the
1766                  description of the TCP/TPI field in OUTPUT  FOR  OTHER  PRO‐
1767                  GRAMS  for more information on state, queue size, and window
1768                  size;
1769
1770                  or the address or name of a  UNIX  domain  socket,  possibly
1771                  including a stream clone device name, a file system object's
1772                  path name, local and foreign kernel addresses,  socket  pair
1773                  information, and a bound vnode address;
1774
1775                  or the local and remote mount point names of an NFS file;
1776
1777                  or ``STR'', followed by the stream name;
1778
1779                  or  a  stream  character device name, followed by ``->'' and
1780                  the stream name or a list of stream module names,  separated
1781                  by ``->'';
1782
1783                  or ``STR:'' followed by the SCO OpenServer stream device and
1784                  module names, separated by ``->'';
1785
1786                  or system directory name, `` -- '', and as  many  components
1787                  of the path name as lsof can find in the kernel's name cache
1788                  for selected dialects (See the KERNEL NAME CACHE section for
1789                  more information.);
1790
1791                  or ``PIPE->'', followed by a Solaris kernel pipe destination
1792                  address;
1793
1794                  or ``COMMON:'', followed by  the  vnode  device  information
1795                  structure's device name, for a Solaris common vnode;
1796
1797                  or  the  address family, followed by a slash (`/'), followed
1798                  by fourteen comma-separated  bytes  of  a  non-Internet  raw
1799                  socket address;
1800
1801                  or  the  HP-UX  x.25  local address, followed by the virtual
1802                  connection number (if any), followed by the  remote  address
1803                  (if any);
1804
1805                  or ``(dead)'' for disassociated Tru64 UNIX files - typically
1806                  terminal files that have been  flagged  with  the  TIOCNOTTY
1807                  ioctl and closed by daemons;
1808
1809                  or ``rd=<offset>'' and ``wr=<offset>'' for the values of the
1810                  read and write offsets of a FIFO;
1811
1812                  or ``clone n:/dev/event'' for SCO OpenServer file clones  of
1813                  the /dev/event device, where n is the minor device number of
1814                  the file;
1815
1816                  or ``(socketpair: n)'' for a Solaris 2.6, 8, 9  or  10  UNIX
1817                  domain  socket,  created by the socketpair(3N) network func‐
1818                  tion;
1819
1820                  or ``no PCB'' for socket files that do not have  a  protocol
1821                  block  associated  with  them,  optionally  followed  by ``,
1822                  CANTSENDMORE'' if sending on the socket has  been  disabled,
1823                  or  ``,  CANTRCVMORE''  if  receiving on the socket has been
1824                  disabled (e.g., by the shutdown(2) function);
1825
1826                  or the local and remote addresses of a Linux IPX socket file
1827                  in  the  form <net>:[<node>:]<port>, followed in parentheses
1828                  by the transmit and receive queue sizes, and the  connection
1829                  state;
1830
1831                  or  ``dgram''  or ``stream'' for the type UnixWare 7.1.1 and
1832                  above in-kernel UNIX domain sockets,  followed  by  a  colon
1833                  (':')  and  the  local path name when available, followed by
1834                  ``->'' and the remote path name or kernel socket address  in
1835                  hexadecimal when available;
1836
1837                  or the association value, association index, endpoint value,
1838                  local address, local port, remote address  and  remote  port
1839                  for Linux SCTP sockets.
1840
1841       For  dialects  that support a ``namefs'' file system, allowing one file
1842       to  be  attached  to  another   with   fattach(3C),   lsof   will   add
1843       ``(FA:<address1><direction><address2>)''    to    the    NAME   column.
1844       <address1> and <address2> are hexadecimal vnode addresses.  <direction>
1845       will  be  ``<-''  if <address2> has been fattach'ed to this vnode whose
1846       address is <address1>; and ``->'' if <address1>, the vnode  address  of
1847       this vnode, has been fattach'ed to <address2>.  <address1> may be omit‐
1848       ted if it already appears in the DEVICE column.
1849
1850       Lsof may add two parenthetical  notes  to  the  NAME  column  for  open
1851       Solaris  10 files: ``(?)'' if lsof considers the path name of question‐
1852       able accuracy; and ``(deleted)'' if the -X option  has  been  specified
1853       and  lsof  detects the open file's path name has been deleted.  Consult
1854       the lsof FAQ (The FAQ section gives its location.)  for  more  informa‐
1855       tion on these NAME column additions.
1856

LOCKS

1858       Lsof  can't  adequately  report  the  wide variety of UNIX dialect file
1859       locks in a single character.  What it reports in a single character  is
1860       a  compromise  between  the  information it finds in the kernel and the
1861       limitations of the reporting format.
1862
1863       Moreover, when a process holds several byte level locks on a file, lsof
1864       only  reports  the  status of the first lock it encounters.  If it is a
1865       byte level lock, then the lock character will be reported in lower case
1866       -  i.e.,  `r',  `w',  or  `x'  -  rather than the upper case equivalent
1867       reported for a full file lock.
1868
1869       Generally lsof can only report on locks  held  by  local  processes  on
1870       local  files.   When  a local process sets a lock on a remotely mounted
1871       (e.g., NFS) file, the remote  server  host  usually  records  the  lock
1872       state.   One exception is Solaris - at some patch levels of 2.3, and in
1873       all versions above 2.4,  the  Solaris  kernel  records  information  on
1874       remote locks in local structures.
1875
1876       Lsof  has  trouble reporting locks for some UNIX dialects.  Consult the
1877       BUGS section of this manual page or the lsof FAQ (The FAQ section gives
1878       its location.)  for more information.
1879

OUTPUT FOR OTHER PROGRAMS

1881       When  the -F option is specified, lsof produces output that is suitable
1882       for processing by another program - e.g, an awk or Perl script, or a  C
1883       program.
1884
1885       Each unit of information is output in a field that is identified with a
1886       leading character and terminated by a NL (012) (or a NUL (000) if the 0
1887       (zero) field identifier character is specified.)  The data of the field
1888       follows  immediately  after  the  field  identification  character  and
1889       extends to the field terminator.
1890
1891       It  is  possible  to think of field output as process and file sets.  A
1892       process set begins with a field whose identifier is  `p'  (for  process
1893       IDentifier  (PID)).   It extends to the beginning of the next PID field
1894       or the beginning of the first file set of the process, whichever  comes
1895       first.   Included  in the process set are fields that identify the com‐
1896       mand, the process group IDentification (PGID) number, and the  user  ID
1897       (UID) number or login name.
1898
1899       A  file  set  begins  with  a  field  whose identifier is `f' (for file
1900       descriptor).  It is followed by lines that describe the  file's  access
1901       mode, lock state, type, device, size, offset, inode, protocol, name and
1902       stream module names.  It extends to the beginning of the next  file  or
1903       process set, whichever comes first.
1904
1905       When the NUL (000) field terminator has been selected with the 0 (zero)
1906       field identifier character, lsof ends each process and file set with  a
1907       NL (012) character.
1908
1909       Lsof  always produces one field, the PID (`p') field.  All other fields
1910       may be declared optionally in the field identifier character list  that
1911       follows  the -F option.  When a field selection character identifies an
1912       item lsof does not normally list - e.g., PPID, selected with -R - spec‐
1913       ification  of  the  field  character - e.g., ``-FR'' - also selects the
1914       listing of the item.
1915
1916       It is entirely possible to select a set of fields that cannot easily be
1917       parsed - e.g., if the field descriptor field is not selected, it may be
1918       difficult to identify file sets.  To help you  avoid  this  difficulty,
1919       lsof  supports  the -F option; it selects the output of all fields with
1920       NL terminators (the -F0 option pair selects the output  of  all  fields
1921       with  NUL  terminators).   For compatibility reasons neither -F nor -F0
1922       select the raw device field.
1923
1924       These are the fields that lsof  will  produce.   The  single  character
1925       listed first is the field identifier.
1926
1927            a    file access mode
1928            c    process command name (all characters from proc or
1929                 user structure)
1930            C    file structure share count
1931            d    file's device character code
1932            D    file's major/minor device number (0x<hexadecimal>)
1933            f    file descriptor
1934            F    file structure address (0x<hexadecimal>)
1935            G    file flaGs (0x<hexadecimal>; names if +fg follows)
1936            i    file's inode number
1937            k    link count
1938            l    file's lock status
1939            L    process login name
1940            m    marker between repeated output
1941            n    file name, comment, Internet address
1942            N    node identifier (ox<hexadecimal>
1943            o    file's offset (decimal)
1944            p    process ID (always selected)
1945            g    process group ID
1946            P    protocol name
1947            r    raw device number (0x<hexadecimal>)
1948            R    parent process ID
1949            s    file's size (decimal)
1950            S    file's stream identification
1951            t    file's type
1952            T    TCP/TPI information, identified by prefixes (the
1953                 `=' is part of the prefix):
1954                     QR=<read queue size>
1955                     QS=<send queue size>
1956                     SO=<socket options and values> (not all dialects)
1957                     SS=<socket states> (not all dialects)
1958                     ST=<connection state>
1959                     TF=<TCP flags and values> (not all dialects)
1960                     WR=<window read size>  (not all dialects)
1961                     WW=<window write size>  (not all dialects)
1962                 (TCP/TPI information isn't reported for all supported
1963                   UNIX dialects. The -h or -? help output for the
1964                   -T option will show what TCP/TPI reporting can be
1965                   requested.)
1966            u    process user ID
1967            z    Solaris 10 and higher zone name
1968            Z    SELinux security context (inhibited when SELinux is disabled)
1969            0    use NUL field terminator character in place of NL
1970            1-9  dialect-specific field identifiers (The output
1971                 of -F? identifies the information to be found
1972                 in dialect-specific fields.)
1973
1974       You  can  get  on-line  help  information on these characters and their
1975       descriptions by specifying the -F?  option pair.  (Escape the `?' char‐
1976       acter as your shell requires.)  Additional information on field content
1977       can be found in the OUTPUT section.
1978
1979       As an example, ``-F pcfn'' will select the process  ID  (`p'),  command
1980       name (`c'), file descriptor (`f') and file name (`n') fields with an NL
1981       field terminator character; ``-F pcfn0'' selects the same output with a
1982       NUL (000) field terminator character.
1983
1984       Lsof  doesn't  produce  all  fields for every process or file set, only
1985       those that are available.  Some fields  are  mutually  exclusive:  file
1986       device  characters and file major/minor device numbers; file inode num‐
1987       ber and protocol name; file name and stream identification;  file  size
1988       and  offset.   One or the other member of these mutually exclusive sets
1989       will appear in field output, but not both.
1990
1991       Normally lsof ends each field with a NL (012) character.  The 0  (zero)
1992       field  identifier character may be specified to change the field termi‐
1993       nator character to a NUL (000).  A NUL  terminator  may  be  easier  to
1994       process  with  xargs  (1),  for example, or with programs whose quoting
1995       mechanisms may not easily cope with the  range  of  characters  in  the
1996       field  output.  When the NUL field terminator is in use, lsof ends each
1997       process and file set with a NL (012).
1998
1999       Three aids to producing programs that can process lsof field output are
2000       included  in  the  lsof  distribution.   The  first is a C header file,
2001       lsof_fields.h, that contains symbols for the field identification char‐
2002       acters,  indexes  for  storing them in a table, and explanation strings
2003       that may be compiled into programs.  Lsof uses this header file.
2004
2005       The second aid is a set of sample scripts that  process  field  output,
2006       written  in  awk,  Perl  4, and Perl 5.  They're located in the scripts
2007       subdirectory of the lsof distribution.
2008
2009       The third aid is the C library used for the lsof test suite.  The  test
2010       suite  is  written  in  C and uses field output to validate the correct
2011       operation of lsof.  The library can be found in the tests/LTlib.c  file
2012       of  the  lsof  distribution.   The  library  uses  the  first  aid, the
2013       lsof_fields.h header file.
2014

BLOCKS AND TIMEOUTS

2016       Lsof can be blocked by some kernel functions that it uses  -  lstat(2),
2017       readlink(2),  and  stat(2).  These functions are stalled in the kernel,
2018       for example, when the hosts  where  mounted  NFS  file  systems  reside
2019       become inaccessible.
2020
2021       Lsof  attempts  to  break these blocks with timers and child processes,
2022       but the techniques are not wholly reliable.  When lsof does  manage  to
2023       break  a  block,  it  will report the break with an error message.  The
2024       messages may be suppressed with the -t and -w options.
2025
2026       The default timeout value may be displayed with the -h or  -?   option,
2027       and it may be changed with the -S [t] option.  The minimum for t is two
2028       seconds, but you should avoid small values, since slow  system  respon‐
2029       siveness  can  cause  short timeouts to expire unexpectedly and perhaps
2030       stop lsof before it can produce any output.
2031
2032       When lsof has to break a block during its access of mounted file system
2033       information,  it  normally  continues,  although  with less information
2034       available to display about open files.
2035
2036       Lsof can also be directed to avoid the protection of timers  and  child
2037       processes  when using the kernel functions that might block by specify‐
2038       ing the -O option.  While this will allow lsof to start  up  with  less
2039       overhead,  it  exposes  lsof  completely  to the kernel situations that
2040       might block it.  Use this option cautiously.
2041

AVOIDING KERNEL BLOCKS

2043       You can use the -b option to tell lsof to avoid using kernel  functions
2044       that would block.  Some cautions apply.
2045
2046       First,  using  this  option  usually  requires  that your system supply
2047       alternate device numbers in place of the device numbers that lsof would
2048       normally  obtain  with  the lstat(2) and stat(2) kernel functions.  See
2049       the ALTERNATE DEVICE NUMBERS section for more information on  alternate
2050       device numbers.
2051
2052       Second,  you can't specify names for lsof to locate unless they're file
2053       system names.  This is because lsof needs to know the device and  inode
2054       numbers  of  files  listed  with  names in the lsof options, and the -b
2055       option prevents lsof from obtaining them.  Moreover,  since  lsof  only
2056       has device numbers for the file systems that have alternates, its abil‐
2057       ity to locate files on file systems depends completely  on  the  avail‐
2058       ability  and  accuracy  of the alternates.  If no alternates are avail‐
2059       able, or if they're incorrect, lsof won't be able to  locate  files  on
2060       the named file systems.
2061
2062       Third,  if  the names of your file system directories that lsof obtains
2063       from your system's mount table are symbolic links, lsof won't  be  able
2064       to  resolve  the  links.   This is because the -b option causes lsof to
2065       avoid the kernel readlink(2)  function  it  uses  to  resolve  symbolic
2066       links.
2067
2068       Finally, using the -b option causes lsof to issue warning messages when
2069       it needs to use the kernel functions that the -b option directs  it  to
2070       avoid.   You  can  suppress these messages by specifying the -w option,
2071       but if you do, you won't see the alternate device numbers  reported  in
2072       the warning messages.
2073

ALTERNATE DEVICE NUMBERS

2075       On  some  dialects, when lsof has to break a block because it can't get
2076       information about a mounted file system via the  lstat(2)  and  stat(2)
2077       kernel  functions,  or  because  you  specified the -b option, lsof can
2078       obtain some of the information it needs - the device number and  possi‐
2079       bly  the  file system type - from the system mount table.  When that is
2080       possible, lsof will report the device number  it  obtained.   (You  can
2081       suppress the report by specifying the -w option.)
2082
2083       You  can  assist  this process if your mount table is supported with an
2084       /etc/mtab or /etc/mnttab file that contains an options field by  adding
2085       a  ``dev=xxxx''  field  for  mount points that do not have one in their
2086       options strings.  Note: you must be able to edit the file - i.e.,  some
2087       mount  tables like recent Solaris /etc/mnttab or Linux /proc/mounts are
2088       read-only and can't be modified.
2089
2090       You may also be able to supply device numbers using the  +m  and  +m  m
2091       options, provided they are supported by your dialect.  Check the output
2092       of lsof's -h or -?  options to see if the  +m  and  +m  m  options  are
2093       available.
2094
2095       The  ``xxxx'' portion of the field is the hexadecimal value of the file
2096       system's device number.  (Consult the st_dev field of the output of the
2097       lstat(2) and stat(2) functions for the appropriate values for your file
2098       systems.)  Here's an example from a Sun Solaris 2.6 /etc/mnttab  for  a
2099       file system remotely mounted via NFS:
2100
2101            nfs  ignore,noquota,dev=2a40001
2102
2103       There's an advantage to having ``dev=xxxx'' entries in your mount table
2104       file, especially for file systems that  are  mounted  from  remote  NFS
2105       servers.   When  a  remote  server crashes and you want to identify its
2106       users by running lsof on one of its clients,  lsof  probably  won't  be
2107       able to get output from the lstat(2) and stat(2) functions for the file
2108       system.  If it can obtain the file  system's  device  number  from  the
2109       mount  table,  it will be able to display the files open on the crashed
2110       NFS server.
2111
2112       Some dialects that do not use an ASCII /etc/mtab  or  /etc/mnttab  file
2113       for  the  mount table may still provide an alternative device number in
2114       their internal mount tables.  This includes AIX, Apple Darwin, FreeBSD,
2115       NetBSD, OpenBSD, and Tru64 UNIX.  Lsof knows how to obtain the alterna‐
2116       tive device number for these dialects and uses it when its  attempt  to
2117       lstat(2) or stat(2) the file system is blocked.
2118
2119       If  you're  not sure your dialect supplies alternate device numbers for
2120       file systems from its mount table, use this lsof incantation to see  if
2121       it reports any alternate device numbers:
2122
2123              lsof -b
2124
2125       Look  for  standard  error  file warning messages that begin ``assuming
2126       "dev=xxxx" from ...''.
2127

KERNEL NAME CACHE

2129       Lsof is able to examine the kernel's name cache  or  use  other  kernel
2130       facilities  (e.g.,  the  ADVFS  4.x  tag_to_path() function under Tru64
2131       UNIX) on some dialects for most file system types, excluding  AFS,  and
2132       extract  recently  used path name components from it.  (AFS file system
2133       path lookups don't use the kernel's name cache; some Solaris VxFS  file
2134       system operations apparently don't use it, either.)
2135
2136       Lsof  reports  the complete paths it finds in the NAME column.  If lsof
2137       can't report all components in a path, it reports in  the  NAME  column
2138       the  file system name, followed by a space, two `-' characters, another
2139       space, and the name components it has located,  separated  by  the  `/'
2140       character.
2141
2142       When  lsof is run in repeat mode - i.e., with the -r option specified -
2143       the extent to which it can report path name  components  for  the  same
2144       file  may  vary from cycle to cycle.  That's because other running pro‐
2145       cesses can cause the kernel to remove entries from its name  cache  and
2146       replace them with others.
2147
2148       Lsof's  use of the kernel name cache to identify the paths of files can
2149       lead it to report incorrect components under some circumstances.   This
2150       can  happen when the kernel name cache uses device and node number as a
2151       key (e.g., SCO OpenServer) and a key on a rapidly changing file  system
2152       is  reused.   If the UNIX dialect's kernel doesn't purge the name cache
2153       entry for a file when it is unlinked, lsof may find a reference to  the
2154       wrong  entry  in  the  cache.   The lsof FAQ (The FAQ section gives its
2155       location.)  has more information on this situation.
2156
2157       Lsof can report path name components for these dialects:
2158
2159            FreeBSD
2160            HP-UX
2161            Linux
2162            NetBSD
2163            NEXTSTEP
2164            OpenBSD
2165            OPENSTEP
2166            SCO OpenServer
2167            SCO|Caldera UnixWare
2168            Solaris
2169            Tru64 UNIX
2170
2171       Lsof can't report path name components for these dialects:
2172
2173            AIX
2174
2175       If you want to know why lsof can't report path name components for some
2176       dialects, see the lsof FAQ (The FAQ section gives its location.)
2177

DEVICE CACHE FILE

2179       Examining  all members of the /dev (or /devices) node tree with stat(2)
2180       functions can be time consuming.  What's  more,  the  information  that
2181       lsof needs - device number, inode number, and path - rarely changes.
2182
2183       Consequently, lsof normally maintains an ASCII text file of cached /dev
2184       (or /devices) information (exception: the /proc-based Linux lsof  where
2185       it's  not  needed.)  The local system administrator who builds lsof can
2186       control the way the device cache file path is  formed,  selecting  from
2187       these options:
2188
2189            Path from the -D option;
2190            Path from an environment variable;
2191            System-wide path;
2192            Personal path (the default);
2193            Personal path, modified by an environment variable.
2194
2195       Consult the output of the -h, -D? , or -?  help options for the current
2196       state of device cache support.   The  help  output  lists  the  default
2197       read-mode  device  cache  file  path  that is in effect for the current
2198       invocation of lsof.  The -D?  option output  lists  the  read-only  and
2199       write  device cache file paths, the names of any applicable environment
2200       variables, and the personal device cache path format.
2201
2202       Lsof can detect that the current device cache file  has  been  acciden‐
2203       tally or maliciously modified by integrity checks, including the compu‐
2204       tation and verification of a sixteen bit Cyclic Redundancy Check  (CRC)
2205       sum  on the file's contents.  When lsof senses something wrong with the
2206       file, it issues a warning and attempts to remove the current cache file
2207       and  create a new copy, but only to a path that the process can legiti‐
2208       mately write.
2209
2210       The path from which a lsof process may attempt to read a  device  cache
2211       file  may  not  be  the  same  as the path to which it can legitimately
2212       write.  Thus when lsof senses that it needs to update the device  cache
2213       file,  it may choose a different path for writing it from the path from
2214       which it read an incorrect or outdated version.
2215
2216       If available, the -Dr option will inhibit the writing of a  new  device
2217       cache  file.  (It's always available when specified without a path name
2218       argument.)
2219
2220       When a new device is added to the system, the  device  cache  file  may
2221       need  to  be  recreated.   Since  lsof compares the mtime of the device
2222       cache file with the mtime and ctime of the /dev  (or  /devices)  direc‐
2223       tory, it usually detects that a new device has been added; in that case
2224       lsof issues a warning message and attempts to rebuild the device  cache
2225       file.
2226
2227       Whenever  lsof writes a device cache file, it sets its ownership to the
2228       real UID of the executing process, and its permission  modes  to  0600,
2229       this restricting its reading and writing to the file's owner.
2230

LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS

2232       Two  permissions  of  the  lsof executable affect its ability to access
2233       device cache files.  The permissions are set by the local system admin‐
2234       istrator when lsof is installed.
2235
2236       The  first  and  rarer permission is setuid-root.  It comes into effect
2237       when lsof is executed; its effective UID is then root, while  its  real
2238       (i.e.,  that  of the logged-on user) UID is not.  The lsof distribution
2239       recommends that versions for these dialects run setuid-root.
2240
2241            HP-UX 11.11 and 11.23
2242            Linux
2243
2244       The second and more common permission is setgid.  It comes into  effect
2245       when  the  effective  group  IDentification  number  (GID)  of the lsof
2246       process is set to one that can access kernel  memory  devices  -  e.g.,
2247       ``kmem'', ``sys'', or ``system''.
2248
2249       An  lsof process that has setgid permission usually surrenders the per‐
2250       mission after it has accessed the kernel memory devices.  When it  does
2251       that,  lsof  can  allow more liberal device cache path formations.  The
2252       lsof distribution recommends that versions for these dialects run  set‐
2253       gid and be allowed to surrender setgid permission.
2254
2255            AIX 5.[12] and 5.3-ML1
2256            Apple Darwin 7.x Power Macintosh systems
2257            FreeBSD 4.x, 4.1x, 5.x and [67].x for x86-based systems
2258            FreeBSD 5.x and [67].x for Alpha, AMD64 and Sparc64-based
2259                systems
2260            HP-UX 11.00
2261            NetBSD 1.[456], 2.x and 3.x for Alpha, x86, and SPARC-based
2262                systems
2263            NEXTSTEP 3.[13] for NEXTSTEP architectures
2264            OpenBSD 2.[89] and 3.[0-9] for x86-based systems
2265            OPENSTEP 4.x
2266            SCO OpenServer Release 5.0.6 for x86-based systems
2267            SCO|Caldera UnixWare 7.1.4 for x86-based systems
2268            Solaris 2.6, 8, 9 and 10
2269            Tru64 UNIX 5.1
2270
2271       (Note: lsof for AIX 5L and above needs setuid-root permission if its -X
2272       option is used.)
2273
2274       Lsof for these dialects does not support a device cache, so the permis‐
2275       sions given to the executable don't apply to the device cache file.
2276
2277            Linux
2278

DEVICE CACHE FILE PATH FROM THE -D OPTION

2280       The  -D  option  provides limited means for specifying the device cache
2281       file path.  Its ?  function will report the read-only and write  device
2282       cache file paths that lsof will use.
2283
2284       When  the  -D  b, r, and u functions are available, you can use them to
2285       request that the cache file be built in a specific location  (b[path]);
2286       read  but not rebuilt (r[path]); or read and rebuilt (u[path]).  The b,
2287       r, and u functions are restricted  under  some  conditions.   They  are
2288       restricted  when  the  lsof process is setuid-root.  The path specified
2289       with the r function is always read-only, even when it is available.
2290
2291       The b, r, and u functions are also restricted  when  the  lsof  process
2292       runs setgid and lsof doesn't surrender the setgid permission.  (See the
2293       LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE  ACCESS  section  for  a
2294       list of implementations that normally don't surrender their setgid per‐
2295       mission.)
2296
2297       A further -D function, i (for ignore), is always available.
2298
2299       When available, the b function tells lsof to  read  device  information
2300       from the kernel with the stat(2) function and build a device cache file
2301       at the indicated path.
2302
2303       When available, the r function tells lsof  to  read  the  device  cache
2304       file,  but  not  update  it.   When a path argument accompanies -Dr, it
2305       names the device cache file path.  The r function is  always  available
2306       when it is specified without a path name argument.  If lsof is not run‐
2307       ning setuid-root and surrenders its  setgid  permission,  a  path  name
2308       argument may accompany the r function.
2309
2310       When  available,  the  u function tells lsof to attempt to read and use
2311       the device cache file.  If it can't read the file, or if it  finds  the
2312       contents  of  the  file incorrect or outdated, it will read information
2313       from the kernel, and attempt to write an updated version of the  device
2314       cache  file,  but  only  to a path it considers legitimate for the lsof
2315       process effective and real UIDs.
2316

DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE

2318       Lsof's second choice for the device cache file is the contents  of  the
2319       LSOFDEVCACHE  environment  variable.  It avoids this choice if the lsof
2320       process is setuid-root, or the real UID of the process is root.
2321
2322       A further restriction applies to a device cache file  path  taken  from
2323       the  LSOFDEVCACHE  environment  variable:  lsof will not write a device
2324       cache file to the path if the lsof process doesn't surrender its setgid
2325       permission.   (See  the  LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE
2326       ACCESS section for information on implementations that don't  surrender
2327       their setgid permission.)
2328
2329       The  local system administrator can disable the use of the LSOFDEVCACHE
2330       environment variable or change its name when  building  lsof.   Consult
2331       the output of -D?  for the environment variable's name.
2332