On Sat, 19 Feb 2022 21:59:59 +0100
Florian Zieboll via Dng <dng@???> wrote:
> root@nulldevice:~# ls -l /home/florian/tmp/test*
> -rw-r--r-- 1 florian florian 0 Feb 19 21:11 /home/florian/tmp/test_deletable
> -rw-r--r-- 1 root root 0 Feb 19 21:19 /home/florian/tmp/test_root
> -rw-r--r-- 1 florian florian 0 Feb 19 21:09 /home/florian/tmp/test_undeletable
> root@nulldevice:~# lsattr /home/florian/tmp/test*
> --------------e------- /home/florian/tmp/test_deletable
> ------------e------- /home/florian/tmp/test_root
> ----i---------e------- /home/florian/tmp/test_undeletable
>
> (...)
>
> OTOH, all the files under '/home/florian/tmp/' are still there - at
> least 'test_deletable' should have been gone by now, if "the issue"
> still persisted... So I remain wondering (again [1]) if there's some
> galaxy brain posing with its superpowers by trampling through my tiny
> digital sandcastle here? (lol, get a life!)
>
> But seriously, for the future(tm): Where would this 'chattr
> +i'-induced "Operation not permitted" error be logged?
Update: Now all but the immutable file are gone - and every new terminal
windows I open greets me with:
|| rm: cannot remove '/home/florian/tmp/test_undeletable': Operation not permitted
|| florian@nulldevice:~$
florian@nulldevice:~$ ls -l ~/tmp/
total 0
-rw-r--r-- 1 florian florian 0 Feb 19 21:09 test_undeletable
My bad, I missed to start auditd again, so I can't say, when it
happened. Before I set up a clean device (bridge) to tcpdump the
network traffic: What else could I check locally?