Hello list,
may I ask for help narrowing down a strange phenomenon?
Any files in my personal '~/tmp/' directory just disappear after a
couple of minutes. I was able to catch the event with 'auditd' - it seems
to be executed in a bash within a qterminal, running as a child of PID 1:
The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
line, caught with
# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5604372f44d0 a2=0 a3=fffffffffffff2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null) ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian" SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success' UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success' UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success' UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success' UID="florian" AUID="florian"
And here the relevant snippet of 'ps axjf':
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
1 8287 8286 8286 ? -1 Rl 1001 0:01 /usr/bin/qterminal
8287 8290 8290 8290 pts/2 8358 Ss 1001 0:00 \_ /bin/bash
As I suspect that I might have installed a routine that regularly deletes
the content of ~/tmp, I checked for crontab entries, but neither of the
two following commands returns a result:
# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/
Besides that: Wouldn't a cronjob have 'crond' as parent?
Thank you very much for any hints leading to more insight!
Libre greetings,
Florian
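An added example, not part of Florian's post: a small parser that turns the audit records above into one deletion event and walks the parent chain from the 'ps axjf' snippet. The point it demonstrates is that the records belonging to one event share the serial number in 'msg=audit(timestamp:serial)', that the 'PROCTITLE' record is hex-encoded argv with NUL separators (decoding the line from the post yields 'rm -rf /home/florian/tmp/test', which is also what 'ausearch -i' would print), and that the 'ppid' in the 'SYSCALL' record is what you follow back through the process table. The sample log and the process table are constructed from the post's own output, with the enriched upper-case fields separated from the raw ones by a space; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample input: the records from the post (enriched fields shortened).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5604372f44d0 a2=0 a3=fffffffffffff2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null) ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success' UID="florian" AUID="florian"
"""

# Constructed from the 'ps axjf' snippet in the post: pid -> (ppid, command).
PROC_TABLE = {
    8287: (1, '/usr/bin/qterminal'),
    8290: (8287, '/bin/bash'),
}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NUL separators or
    non-printable bytes; otherwise it is a plain double-quoted string."""
    if value.startswith('"'):
        return value.strip('"')
    argv = bytes.fromhex(value).split(b'\0')
    return ' '.join(a.decode('utf-8', 'replace') for a in argv if a)


def parse_record(line):
    """Split one audit.log line into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial = m.group(1), m.group(2), int(m.group(3))
    fields = {}
    for key, val in FIELD_RE.findall(line[m.end():]):
        fields[key] = decode_proctitle(val) if key == 'proctitle' else val.strip('"')
    return rtype, ts, serial, fields


def group_events(lines):
    """Records that share a serial belong to one event; PATH records repeat."""
    events = defaultdict(lambda: {'paths': []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events[serial]
        ev['ts'] = ts
        if rtype == 'PATH':
            ev['paths'].append(fields)
        else:
            ev[rtype] = fields
    return dict(events)


def find_deletions(events):
    """Successful syscalls whose PATH records contain a DELETE item."""
    hits = []
    for serial, ev in sorted(events.items()):
        sc = ev.get('SYSCALL')
        if sc is None or sc.get('success') != 'yes':
            continue
        deleted = [p['name'] for p in ev['paths'] if p.get('nametype') == 'DELETE']
        if not deleted:
            continue
        hits.append({
            'serial': serial,
            'ts': ev['ts'],
            'syscall': sc.get('SYSCALL', sc.get('syscall')),  # enriched name if present
            'pid': int(sc['pid']),
            'ppid': int(sc['ppid']),
            'auid': sc.get('AUID', sc.get('auid')),
            'exe': sc.get('exe'),
            'cwd': ev.get('CWD', {}).get('cwd'),
            'cmdline': ev.get('PROCTITLE', {}).get('proctitle'),
            'deleted': deleted,
        })
    return hits


def ancestor_chain(pid, table):
    """Walk pid -> ppid upward; stops at a pid missing from the table
    (PID 1 here, or a process that has already exited, like the rm itself)."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, cmd = table[pid]
        chain.append((pid, cmd))
        pid = ppid
    return chain


if __name__ == '__main__':
    for hit in find_deletions(group_events(SAMPLE_LOG.splitlines())):
        print(f"{hit['ts']} {hit['syscall']} by pid {hit['pid']} ({hit['exe']}): {hit['cmdline']}")
        print(f"  deleted: {hit['deleted']}  cwd: {hit['cwd']}")
        chain = ' -> '.join(f"{p} {c}" for p, c in ancestor_chain(hit['ppid'], PROC_TABLE))
        print(f"  parent chain: {chain}")
```

Run against a real '/var/log/audit/audit.log' the parser needs no change beyond reading the file; the only caveat is that real records separate the enriched fields with a 0x1d byte rather than a space, which the regex treats as part of the preceding value unless it is replaced first.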