[lug] ls -l /var/tmp = drwxrwxrwt 16 root root 1478656 Mar 19 10:38 tmp

D. Stimits stimits at idcomm.com
Mon Mar 19 17:54:13 MST 2001


Bob Collins wrote:
> 
> "D. Stimits" wrote:
> >
> 
> [snip]
> 
> Thanks for all the constructive ideas.  I will not rush into
> anything because my machine is working fine and I suspect
> this has been going on for a long time.
> 
> I want to understand why the files are being written and why
> they are not being pruned.

Getting an idea of just what file or subdirectory of /tmp/ is actually
building up so large is necessary to know that. The sticky bit makes it
so normally no user can delete a file unless they own it; though I think
root won't care about that (if it does matter and it stops root, then
root can always chmod or chattr it).

> 
> > That sounds entirely too long. A misbehaved app can do that, or problems
> > with the window manager, or even malicious intent. Try instead of
> > listing all things, list them in groups, e.g.:
> > ls -ald [a-d]*
> > ls -ald [e-l]*
> > ls -ald [m-r]*
> > ls -ald [s-t]*
> > ls -adl [u-z]*
> >
> > Use rm -Rf on groups that you don't think are a problem. With that many
> > temp files, I'd be willing to say "this shouldn't be", and wipe them. Or
> > maybe better yet, create a directory: /tmp2, then use mv, and do for
> > example:
> > mv [a-d]* /tmp2/
> >
> > Then examine them. It isn't necessarily something malicious going on,
> > but you need to find out why this is happening. I would be at least
> > somewhat suspicious. It probably isn't SuperForker, since it doesn't
> > pile lots of files in one directory, it instead creates subdirectory
> > after subdirectory as one deep subdirectory. Find out who owns those
> > files, and what group they are when you find something obviously wrong.
> > Look for dates as well, try to find a pattern. If necessary, use rm -f
> > on a group, you can't let that many files sit in tmp, it isn't "right".
> >
> > >
> > > >  10:38 ectories are in /tmp/? Most X related ones can be removed
> > > > (probably best while X isn't running, init to non-X runlevel if it
> > > > automatically runs X at startup). Some of those are:
> > > > .ICE-unix
> > > > .X11-unix
> > > > .esd
> > > > .gnome
> > > > .xf86config*
> > > > .kfm-cache-*
> > > > nscomm*
> > > > orbit-*
> > > >
> > > > There are in fact annoyance programs that take advantage of filling up a
> > > > partition through tmp entries. The one that I've helped others fix in
> > > > the past is "SuperForker", a fork bomb that builds subdirectories,
> > > > recursively, in /tmp/ where anyone has permission. It grows until the
> > > > system is out of resources, and uses directory names that can't be typed
> > > > in at the keyboard without special escape sequences. What does it show
> > > > if you type from /tmp/ "ls -ald *"?
> 
> --
>    Regards, Bob Collins
> People often find it easier to be a result of the past than a
> cause of the future.
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
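
One way to do the triage discussed in this thread (who owns the entries, how old they are, whether there is one very deep subdirectory chain, and whether any names cannot be typed at the keyboard), as an added example that is not part of the original posts. It assumes GNU find on Linux, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarise a bloated temp directory without shell globbing,
# so a directory with a huge number of entries or odd names is still handled.
# Assumes GNU find (-printf, -mindepth); function names are hypothetical.

# Entries directly in DIR ($1), counted per owner, largest first.
tmp_owner_counts() {
    find "$1" -mindepth 1 -maxdepth 1 -printf '%u\n' 2>/dev/null |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Number of direct entries matching find's "-mtime +DAYS" ($2 = DAYS).
# One dot is printed per entry, so newlines in names cannot skew the count.
tmp_stale_count() {
    find "$1" -mindepth 1 -maxdepth 1 -mtime +"$2" -printf '.' 2>/dev/null |
        wc -c
}

# Deepest directory nesting below DIR; a single long chain of
# subdirectories shows up as a large number, 0 means no subdirectories.
tmp_max_depth() {
    find "$1" -mindepth 1 -type d -printf '%d\n' 2>/dev/null |
        awk '$1 > m { m = $1 } END { print m + 0 }'
}

# Entries whose names contain bytes outside printable ASCII, reported as
# "inode owner date" so they can be referenced with "find DIR -inum N"
# instead of typing the name.
tmp_odd_names() {
    LC_ALL=C find "$1" -mindepth 1 -name '*[![:print:]]*' \
        -printf '%i %u %TY-%Tm-%Td\n' 2>/dev/null
}

tmp_report() {
    echo "== entries per owner =="; tmp_owner_counts "$1"
    echo "== older than 7 days: $(tmp_stale_count "$1" 7)"
    echo "== deepest subdirectory level: $(tmp_max_depth "$1")"
    echo "== names with non-printable bytes (inode owner date) =="
    tmp_odd_names "$1"
}

# Run as: sh tmp_triage.sh /var/tmp   (the script file name is an assumption)
if [ $# -gt 0 ]; then tmp_report "$1"; fi
```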
