>> Is there a method of determining which process it may be?
>
>Not easily. However, you can pretty easily figure it out if you can
>afford to nuke the machine. Just kill processes one by one until df
>goes down.

it can be done though.  it just requires a little trickery.  lsof can
do most of the tricks.

(1) figure out the major and minor numbers of the device that's
"losing".  here, you can see that /usr is 4,4.

   % df /usr
   Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
   /dev/sd0e     1014881   746882   217254    77%    /usr
   % ls -al /dev/sd0e
   brw-r-----  1 root  operator    4,   4 Feb 16  1997 /dev/sd0e

(2) find all open files on that filesystem.

   % lsof -n | grep ' VREG * 4,4 ' > openfiles

(3) the inodes of all the open files are in the eighth column of
output.

   % awk '{print $8}' openfiles | sort -u > inodes

(4) find each file by inode

   % foreach i (`cat inodes`)
   > echo $i
   > find -x /usr -inum $i -ls
   > end

(5) for all inode numbers echo'ed but without a listed file, you have
your answer.  for process names/ids, grep the inode numbers from the
openfiles file.

this process will take a while, depending on the size of the
filesystem in question, since find is called once for each listed
inode.  you could improve this by trying to find all the inodes at
once, or doing a find -ls once and then searching through the output
for the inodes that you're interested in.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."