[lug] ls -l /var/tmp = drwxrwxrwt 16 root root 1478656 Mar 19 10:38tmp

Bob Collins bcollins at fpcc.net
Mon Mar 19 18:10:18 MST 2001


"D. Stimits" wrote:
> 

[snip]

Thanks for all the constructive ideas.  I will not rush into
anything because my machine is working fine and I suspect
this has been going on for a long time.  

I want to understand why they files  being written and why
they are not being pruned.  

> That sounds entirely too long. A misbehaved app can do that, or problems
> with the window manager, or even malicious intent. Try instead of
> listing all things, list them in groups, e.g.:
> ls -ald [a-d]*
> ls -ald [e-l]*
> ls -ald [m-r]*
> ls -ald [s-t]*
> ls -adl [u-z]*
> 
> Use rm -Rf on groups that you don't think are a problem. With that many
> temp files, I'd be willing to say "this shouldn't be", and wipe them. Or
> maybe better yet, create a directory: /tmp2, then use mv, and do for
> example:
> mv [a-d]* /tmp2/
> 
> Then examine them. It isn't necessarily something malicious going on,
> but you need to find out why this is happening. I would be at least
> somewhat suspicious. It probably isn't SuperForker, since it doesn't
> pile lots of files in one directory, it instead creates subdirectory
> after subdirectory as one deep subdirectory. Find out who owns those
> files, and what group they are when you find something obviously wrong.
> Look for dates as well, try to find a pattern. If necessary, use rm -f
> on a group, you can't let that many files sit in tmp, it isn't "right".
> 
> >
> > >  10:38 ectories are in /tmp/? Most X related ones can be removed
> > > (probably best while X isn't running, init to non-X runlevel if it
> > > automatically runs X at startup). Some of those are:
> > > .ICE-unix
> > > .X11-unix
> > > .esd
> > > .gnome
> > > .xf86config*
> > > .kfm-cache-*
> > > nscomm*
> > > orbit-*
> > >
> > > There are in fact annoyance programs that take advantage of filling up a
> > > partition through tmp entries. The one that I've helped others fix in
> > > the past is "SuperForker", a fork bomb that builds subdirectories,
> > > recursively, in /tmp/ where anyone has permission. It grows until the
> > > system is out of resources, and uses directory names that can't be typed
> > > in at the keyboard without special escape sequences. What does it show
> > > if you type from /tmp/ "ls -ald *"?

-- 
   Regards, Bob Collins
People often find it easier to be a result of the past than
a 
cause of the future.




More information about the LUG mailing list