On Wed, May 05, 2021 at 03:11:53AM +0200, Emanuel Berg wrote: > Kushal Kumaran wrote: > > The manpage at > > https://manpages.debian.org/buster/iwatch/iwatch.1.en.html > > shows log output similar to what you see. Check your iwatch > > configuration and see what it is doing. > > Thanks, but I've never heard of iwatch, so I haven't mucked > around with its config file. But OK, here it is > > <watchlist> > <path type="single">/etc</path>
> Does that say anything to you? It says that it's watching /etc. Which is where your file is. No surprises here so far. What you really should be asking is, "What process is using this file, and why don't I know about it?" Googling for the file name turns up this: https://lists.debian.org/debian-user/2005/07/msg02949.html The lckpwdf() and ulckpwdf() functions enable modification access to the password databases through the lock file. A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to modify the /etc/passwd or /etc/shadow password database. (See "passwd" and "shadow" man pages.) Upon completing modifications, a process should release the lock on the lock file using ulckpwdf(). This mechanism prevents simultaneous modification of the password databases. The lock file, /etc/.pwd.lock, is used to coordinate modification access to the password databases /etc/passwd and /etc/shadow. So, as one might expect just from the file name, it's a lock file for the passwd file. Again, the real question is: What process is touching your passwd file at this time, and why don't you know about it?