Re: httpd-modsec2_debug.log: Operation not permitted
Ian Smith smi...@nimnet.asn.au wrote:

> Swe, I suspect the reason you can't just delete these files is likely
> because something has them open for writing, and the system won't let
> you remove such files, naturally enough.

Really? Must be a fairly recent change -- and IMO not necessarily a good one. For one thing, it would break one of the long-standing methods for ensuring that scratch files get cleaned up when a program exits, even under circumstances which don't allow for signal handlers to be run.

Last I knew having a file open, even for writing, was no protection against its last link being removed. The _inode_ won't go away until the last handle is closed, but the _directory entry_ can still be removed.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: httpd-modsec2_debug.log: Operation not permitted
On Sat, 15 Jan 2011, per...@pluto.rain.com wrote:

> Ian Smith smi...@nimnet.asn.au wrote:
> > Swe, I suspect the reason you can't just delete these files is likely
> > because something has them open for writing, and the system won't let
> > you remove such files, naturally enough.
>
> Really? Must be a fairly recent change -- and IMO not necessarily a
> good one. For one thing, it would break one of the long-standing
> methods for ensuring that scratch files get cleaned up when a program
> exits, even under circumstances which don't allow for signal handlers
> to be run.

Hmm, on reflection you're probably right. I was thinking that removing a file being written by a root-owned process would force that process to fail on write and exit, but maybe that's not what's happening here.

> Last I knew having a file open, even for writing, was no protection
> against its last link being removed. The _inode_ won't go away until
> the last handle is closed, but the _directory entry_ can still be
> removed.

Accepting that, why wouldn't root be permitted to rm these files? It's been shown that they don't have immutable, append-only or other flags set. Clearly the filesystem is writable, if full.

I'm still curious about what fstat reveals, and it'd be extra weird if they can't be deleted or truncated in single-user mode, eh?

cheers, Ian
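The unlink-while-open behaviour debated in the two messages above, as an added example that is not part of the original thread: a file is removed while a writer and a reader still hold it open, and data written after the rm is still readable through the open descriptor. The scratch file name and descriptor numbers 3 and 4 are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Added demonstration: rm removes the directory entry, while the inode
# lives on until the last open descriptor is closed.
unlink_while_open() {
    dir=$(mktemp -d) || return 1
    f="$dir/scratch.log"            # constructed scratch file
    : > "$f"

    # fd 3 appends to the file, fd 4 reads it from offset 0.
    exec 3>>"$f" 4<"$f"

    # Remove the only link while both descriptors are still open.
    rm "$f" || { exec 3>&- 4<&-; rmdir "$dir"; return 1; }
    [ -e "$f" ] && state=present || state=gone

    # The writer keeps working and the reader still sees the data,
    # although no path leads to the inode any more.
    echo "written after unlink" >&3
    IFS= read -r line <&4

    # Closing the last descriptors is what finally releases the inode.
    exec 3>&- 4<&-
    rmdir "$dir"
    printf '%s|%s\n' "$state" "$line"
}

unlink_while_open
```

For a log held open by a daemon this means rm makes the name disappear but the blocks stay allocated until the daemon closes the file, so a full filesystem only gets its space back once the writer is stopped or the file is truncated instead.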
Re: httpd-modsec2_debug.log: Operation not permitted
On Sat, 15 Jan 2011, Ian Smith wrote:

> On Sat, 15 Jan 2011, per...@pluto.rain.com wrote:
[..]
> > Last I knew having a file open, even for writing, was no protection
> > against its last link being removed. The _inode_ won't go away until
> > the last handle is closed, but the _directory entry_ can still be
> > removed.
>
> Accepting that, why wouldn't root be permitted to rm these files? It's
> been shown that they don't have immutable, append-only or other flags
> set. Clearly the filesystem is writable, if full.

Still bugging me .. maybe the _directory_ has some system flag/s set?

    sola# mkdir test
    sola# cd test
    sola# touch a b c
    sola# ls -lao
    total 14
    drwxr-xr-x 2 root wheel - 512 Jan 16 02:31 .
    drwxr-xr-x 4 root wheel - 11264 Jan 16 02:31 ..
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 a
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 b
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 c
    sola# chflags schg .
    sola# ls -lao
    total 14
    drwxr-xr-x 2 root wheel schg 512 Jan 16 02:31 .
    drwxr-xr-x 4 root wheel - 11264 Jan 16 02:31 ..
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 a
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 b
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 c
    sola# rm c
    rm: c: Operation not permitted
    sola# touch d
    touch: d: Operation not permitted
    sola# chflags noschg .
    sola# rm c
    sola# ls -lao
    total 14
    drwxr-xr-x 2 root wheel - 512 Jan 16 02:32 .
    drwxr-xr-x 4 root wheel - 11264 Jan 16 02:31 ..
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 a
    -rw-r--r-- 1 root wheel - 0 Jan 16 02:31 b

So on the directory, setting schg achieves Subject behaviour/message, while sappnd permits adding (and truncating!) but not deleting files.

cheers, Ian
Re: httpd-modsec2_debug.log: Operation not permitted
Swe Gill sweg...@gmail.com writes:

> Hi Peg
> Thanks for your help by applying ls -lao. I get following result
>
> -rw--- 1 root wheel sappnd 8307655937 Jan 13 10:45 debug.log
> -rw--- 1 root wheel sappnd 15415 Oct 2 2009 dmesg.today
> -rw-r--r-- 1 root wheel - 0 Oct 2 2009 httpd-access.log
> -rw-r--r-- 1 root wheel - 271 Oct 2 2009 httpd-error.log
> -rw-rw 1 root wheel - 53969161077 Jan 13 10:45 httpd-modsec2_audit.log
> -rw-rw 1 root wheel - 3397158201 Jan 13 10:44 httpd-modsec2_debug.log
> -rw-r--r-- 1 root wheel sappnd 28056 Oct 2 2009 lastlog
> -rw-r--r-- 1 root wheel sappnd 66 Oct 1 2009 lpd-errs
>
> I just don't understand why I am unable to remove the files...

I don't know if you have resolved this yet, but one problem is the sappnd flag on some of the files. That flag means that those files are append-only and can't be deleted or truncated. You need to remove the sappnd flag with the command 'chflags nosappnd' for those files.

I don't think that is default, so somebody had to have manually set the flag on those files. Whoever did that should have noted that, or didn't understand what the operation meant.

--
Carl Johnson ca...@peak.org
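The flag checks from the two messages above (flags on the files, and flags on the directory itself), as an added example that is not part of the original thread: a parser for `ls -lao` output that reports every entry whose flags make rm fail with "Operation not permitted" and prints the matching chflags command. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find entries in `ls -lao` output whose BSD file flags
# make rm fail with "Operation not permitted", even for root.

# Constructed sample listing; names and sizes are made up.
sample_listing() {
cat <<'EOF'
total 14
drwxr-xr-x  2 root  wheel  sappnd       512 Jan 16 02:31 .
drwxr-xr-x  4 root  wheel  -          11264 Jan 16 02:31 ..
-rw-------  1 root  wheel  sappnd      8192 Jan 13 10:45 debug.log
-rw-rw----  1 root  wheel  -           4096 Jan 13 10:44 app.log
-rw-r--r--  1 root  wheel  uchg,nodump   66 Oct  1  2009 notes.txt
EOF
}

# stdin: `ls -lao` lines. stdout: "<flag> <class> <name>" per blocking flag.
# class "system": root can clear it only while kern.securelevel is below 1.
# class "user":   the owner or root can clear it at any securelevel.
blocking_flags() {
    awk '
    NF >= 10 {
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i   # names with spaces
        if (name == "..") next
        n = split($5, flag, ",")                        # field 5 = flags
        for (i = 1; i <= n; i++) {
            f = flag[i]
            if (f !~ /^[su](chg|appnd|unlnk)$/) continue
            # On the directory itself, *unlnk protects only the directory,
            # while chg/appnd stop removal of every entry inside it.
            if (name == "." && f ~ /unlnk$/) continue
            cls = (f ~ /^s/) ? "system" : "user"
            print f, cls, name
        }
    }'
}

# Turn the report into the chflags commands that clear each flag.
clear_commands() {
    blocking_flags | while read -r f cls name; do
        printf 'chflags no%s %s\n' "$f" "$name"
    done
}

sample_listing | clear_commands
```

On a live system the input would come from `ls -lao /var/log`; a flag reported on `.` explains a failed rm even when the file's own flags column shows `-`.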
Re: httpd-modsec2_debug.log: Operation not permitted
Chris Brennan xa...@xaerolimit.net wrote:

> ... I believe rm (-f) still requires *SOME* free space on a device to
> delete something. That being said, do you have more than 50G free
> elsewhere on the system? Say /home (/usr/home)? If you do, mv the file
> from /var/log to /usr/home. This would effectively delete it from
> /var/log and free up its space ...

Er, had you considered that mv, when the target and source are on different filesystems, does a cp followed by an rm? If rm requires free space -- which I very much doubt on UFS unless a snapshot exists -- the rm step of the mv is going to run into exactly the same problem that the standalone rm runs into.
RE: httpd-modsec2_debug.log: Operation not permitted
> > ... I believe rm (-f) still requires *SOME* free space on a device to
> > delete something. That being said, do you have more than 50G free
> > elsewhere on the system? Say /home (/usr/home)? If you do, mv the file
> > from /var/log to /usr/home. This would effectively delete it from
> > /var/log and free up its space ...
>
> Er, had you considered that mv, when the target and source are on
> different filesystems, does a cp followed by an rm? If rm requires
> free space -- which I very much doubt on UFS unless a snapshot exists
> -- the rm step of the mv is going to run into exactly the same problem
> that the standalone rm runs into.

If this is the case, what about just using truncate to set the file size to zero?

    truncate -s 0K httpd-modsec2_debug.log

Or

    cat /dev/null > httpd-modsec2_debug.log

Best regards, Peg
Re: httpd-modsec2_debug.log: Operation not permitted
In freebsd-questions Digest, Vol 345, Issue 9, Message: 10
On Thu, 13 Jan 2011 23:35:26 +0100 Polytropon free...@edvax.de wrote:

> On Thu, 13 Jan 2011 23:08:33 +0100, Swe Gill sweg...@gmail.com wrote:
> > That is the problem. One file sizes up to 50GB and other 3 GB...
> >
> > 52872944 -rw-rw 1 root wheel 50G Jan 13 22:51 httpd-modsec2_audit.log
> > 3320928 -rw-rw 1 root wheel 3.2G Jan 13 22:51 httpd-modsec2_debug.log
> >
> > I am just standing nowhere to remove the files have tried by setting
> > flags, changing modes all as a root but no luck yet... Any help?
>
> Is your system running on a raised securelevel maybe? See in man
> security where this is mentioned, section SECURING THE KERNEL CORE,
> RAW DEVICES, AND FILE SYSTEMS. It seems that this could cause
> different behaviour in relation to flags.

That's possible, but perhaps it may be simpler than that?

> I will _not_ advise you to kill the files per inode (fsdb, clri)
> because this could cause further filesystem trouble. :-)

Indeed it could :)

Swe, I suspect the reason you can't just delete these files is likely because something has them open for writing, and the system won't let you remove such files, naturally enough.

See what you get by running:

    # fstat /path/to/httpd-modsec2_*.log

If that shows any processes writing to those files, you need to stop that/those processes. From the filenames my guess would be apache, in which case you'd need to stop it, perhaps best by:

    # /usr/local/etc/rc.d/apache stop # or apache2, whatever it's called.

then check again with fstat. If that doesn't work for some reason then:

    # shutdown now

to single-user mode will terminate any process accessing those files.

Either way, you can then rm safely, or probably better, truncate each to zero bytes (thus keeping their ownership and permissions intact) by eg:

    # echo -n '' > filename

Then restart apache|whatever, or hit ^D or 'exit' to restart multiuser if you had to go that far to stop anything keeping those file/s open.

As previously advised, configuring and running newsyslog (or logrotate or suitable others) to manage keeping logs to reasonable sizes is well worth implementing, now that you've been bitten.

If you don't want to look at your logs too often or need blow-by-blow details, reducing the logging level to more severe problems may prove more useful longterm.

cheers, Ian
Re: httpd-modsec2_debug.log: Operation not permitted
Hi Peg

Thanks for your help by applying ls -lao. I get following result

-rw--- 1 root wheel sappnd 8307655937 Jan 13 10:45 debug.log
-rw--- 1 root wheel sappnd 15415 Oct 2 2009 dmesg.today
-rw-r--r-- 1 root wheel - 0 Oct 2 2009 httpd-access.log
-rw-r--r-- 1 root wheel - 271 Oct 2 2009 httpd-error.log
-rw-rw 1 root wheel - 53969161077 Jan 13 10:45 httpd-modsec2_audit.log
-rw-rw 1 root wheel - 3397158201 Jan 13 10:44 httpd-modsec2_debug.log
-rw-r--r-- 1 root wheel sappnd 28056 Oct 2 2009 lastlog
-rw-r--r-- 1 root wheel sappnd 66 Oct 1 2009 lpd-errs

I just don't understand why I am unable to remove the files...

Regards
/S

On Thu, Jan 13, 2011 at 10:50 AM, Pegasus Mc Cleaft k...@mthelicon.com wrote:

> -Original Message-
> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Swe Gill
> Sent: 13 January 2011 09:02
> To: freebsd-questions@freebsd.org
> Subject: rm: httpd-modsec2_debug.log: Operation not permitted
>
> fbsdserver# rm httpd-modsec2_debug.log
> rm: httpd-modsec2_debug.log: Operation not permitted
>
> Usually when I see that Operation not permitted message, I start to
> suspect file flags. Try doing a ls -lao in that directory and see if
> the log files have the immutable flags set on them. You may wish to
> take a look at chflags(1) for more information.
>
> Peg

--
With best regards
/S
Re: httpd-modsec2_debug.log: Operation not permitted
On Thu, Jan 13, 2011 at 5:03 AM, Swe Gill sweg...@gmail.com wrote:

> I just don't understand why I am unable to remove the files...

Pass 'whoami' at the command prompt. Are you root? If not, part of the wheel group?

hth/c-
Re: httpd-modsec2_debug.log: Operation not permitted
Hi Chris

I am applying these commands as root but no help...

Regards
/S

On Thu, Jan 13, 2011 at 5:44 PM, Chris Brennan xa...@xaerolimit.net wrote:

> On Thu, Jan 13, 2011 at 5:03 AM, Swe Gill sweg...@gmail.com wrote:
> > I just don't understand why I am unable to remove the files...
>
> Pass 'whoami' at the command prompt. Are you root? If not, part of the
> wheel group?
>
> hth/c-

--
With best regards
/S
Re: httpd-modsec2_debug.log: Operation not permitted
On Thu, Jan 13, 2011 at 12:00 PM, Swe Gill sweg...@gmail.com wrote:

> Hi Chris
> I am applying these commands as root but no help...

What's the size of the log file?

    ls -lsha /var/log/ | grep modsec2

I'm not sure but I think you need *SOME* free space to delete. If that is the case, move the log to a new device, then delete it from the target device. Alternatively you could compress the log and target it to a new device, giving you at least a backup.
Re: httpd-modsec2_debug.log: Operation not permitted
That is the problem. One file sizes up to 50GB and other 3 GB...

52872944 -rw-rw 1 root wheel 50G Jan 13 22:51 httpd-modsec2_audit.log
3320928 -rw-rw 1 root wheel 3.2G Jan 13 22:51 httpd-modsec2_debug.log

I am just standing nowhere to remove the files have tried by setting flags, changing modes all as a root but no luck yet... Any help?

/S

On Thu, Jan 13, 2011 at 6:20 PM, Chris Brennan xa...@xaerolimit.net wrote:

> On Thu, Jan 13, 2011 at 12:00 PM, Swe Gill sweg...@gmail.com wrote:
> > Hi Chris
> > I am applying these commands as root but no help...
>
> What's the size of the log file?
>
> ls -lsha /var/log/ | grep modsec2
>
> I'm not sure but I think you need *SOME* free space to delete. If that
> is the case, move the log to a new device, then delete it from the
> target device. Alternatively you could compress the log and target it
> to a new device, giving you at least a backup.

--
With best regards
/S
Re: httpd-modsec2_debug.log: Operation not permitted
On Thu, Jan 13, 2011 at 5:08 PM, Swe Gill sweg...@gmail.com wrote:

> That is the problem. One file sizes up to 50GB and other 3 GB...
>
> 52872944 -rw-rw 1 root wheel 50G Jan 13 22:51 httpd-modsec2_audit.log
> 3320928 -rw-rw 1 root wheel 3.2G Jan 13 22:51 httpd-modsec2_debug.log
>
> I am just standing nowhere to remove the files have tried by setting
> flags, changing modes all as a root but no luck yet... Any help?
>
> /S

Sweet Jebus! Ever hear of logrotate[1]? That would at least have solved this problem in advance. My previous idea still stands. I believe rm (-f) still requires *SOME* free space on a device to delete something. That being said, do you have more than 50G free elsewhere on the system? Say /home (/usr/home)? If you do, mv the file from /var/log to /usr/home. This would effectively delete it from /var/log and free up its space. Once it's moved to a different location, you should have no problems doing with it as you wish, compress and archive it or just arbitrarily delete it from the new device if no backup is needed.

[1] I use a default setup for logrotate, it then archives each file in /var/log, I then just archive /var/log/*.bz2 based on date and delete the old bz2 archives from /var/log. This keeps /var/log pretty trimmed and the only time it runs out of space is when something goes wild and eats up all of its space before logrotate can clean things up.
Re: httpd-modsec2_debug.log: Operation not permitted
On Thu, 13 Jan 2011 23:08:33 +0100, Swe Gill sweg...@gmail.com wrote:

> That is the problem. One file sizes up to 50GB and other 3 GB...
>
> 52872944 -rw-rw 1 root wheel 50G Jan 13 22:51 httpd-modsec2_audit.log
> 3320928 -rw-rw 1 root wheel 3.2G Jan 13 22:51 httpd-modsec2_debug.log
>
> I am just standing nowhere to remove the files have tried by setting
> flags, changing modes all as a root but no luck yet... Any help?

Is your system running on a raised securelevel maybe? See in man security where this is mentioned, section SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS. It seems that this could cause different behaviour in relation to flags.

I will _not_ advise you to kill the files per inode (fsdb, clri) because this could cause further filesystem trouble. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...