:: Re: [DNG] [OT] files disappearing r…
Kezdőlap
Delete this message
Reply to this message
Szerző: Ken Dibble
Dátum:  
Címzett: dng
Tárgy: Re: [DNG] [OT] files disappearing reproducibly
On 2/19/22 2:42 PM, Florian Zieboll via Dng wrote:
>
>> Hallo list,
>>
>> may I ask for help narrowing down a strange phenomenon?
>>
>> Any files in my personal '~/tmp/' directory just disappear after a
>> couple of minutes. I was able to catch the event with 'auditd' - I seems
>> to be executed in a bash within a qterminal, running as child of PID 1:
>>
>> The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
>> line, caught with
>>
>> # auditctl -w /home/florian/tmp/test -p wa ; tail -f
>> /var/log/audit/audit.log
>>
>> type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263
>> success=yes exit=0 a0=ffffff9c a1=5604372f44d0 a2=0
>> a3=fffffffffffff2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001
>> gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001
>> fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined
>> key=(null)ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian"
>> GID="florian" EUID="florian" SUID="florian" FSUID="florian"
>> EGID="florian" SGID="florian" FSGID="florian"
>> type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
>> type=PATH msg=audit(1645279145.766:65): item=0
>> name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755
>> ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0
>> cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
>> type=PATH msg=audit(1645279145.766:65): item=1
>> name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644
>> ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0
>> cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
>> type=PROCTITLE msg=audit(1645279145.766:65):
>> proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
>> type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001
>> auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication
>> grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su"
>> hostname=nulldevice.lan addr=? terminal=pts/2
>> res=success'UID="florian" AUID="florian"
>> type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001
>> auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting
>> grantors=pam_permit acct="administrator" exe="/bin/su"
>> hostname=nulldevice.lan addr=? terminal=pts/2
>> res=success'UID="florian" AUID="florian"
>> type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001
>> auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred
>> grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su"
>> hostname=nulldevice.lan addr=? terminal=pts/2
>> res=success'UID="florian" AUID="florian"
>> type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001
>> auid=1001 ses=1 subj==unconfined msg='op=PAM:session_open
>> grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind
>> acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=?
>> terminal=pts/2 res=success'UID="florian" AUID="florian"
>>
>>
>> And here the relevant snippet of 'ps axjf':
>>
>>   PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
>>      1  8287  8286  8286 ?           -1 Rl    1001   0:01
>> /usr/bin/qterminal
>>   8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash
>>
>>
>> As I suspect that I might have installed a routine that regularly
>> deletes
>> the content of ~/tmp, I checked for crontab entries, but neither of the
>> two follwing commands return a result:
>>
>> # grep -re tmp /etc/cron*
>> # grep -re tmp /var/spool/cron/
>>
>> Besides that: Wouldn't a cronjob have 'crond' as parent?
>>
>> Thank you very much for any hints leading to more insight!
>>
>> Libre Grüße,
>> Florian
>> _______________________________________________
>> Dng mailing list
>> Dng@???
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


I don't know if this error will show up in the logs or not.

If your filesystem supports extended attributes (i.e. not zfs)

-----

$ touch cant_delete_me

$ sudo chattr +i cant_delete_me

$ rm cant_delete_me

rm: cannot remove 'cant_delete_me' : Operation not permitted

$ sudo rm cant_delete_me

rm: cannot remove 'cant_delete_me' : Operation not permitted

---------

See if the error message shows up in the logs.


and then obviously

$ sudo chattr -i cant_delete_me

$ rm cant_delete_me

Again, probably not helpful, but worth a try.

Regards,

Ken