curious root find running

2007-08-17 Thread brad clawsie
hi

while sitting at my computer tonight i noticed a great deal of disk
activity. i found that this process was running:

$ ps -auxwww 1463
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
-xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
-u+s -or -perm -g+s ) -print0

any idea why this is running? is it part of a sanctioned background
process?

thanks!
brad
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: curious root find running

2007-08-17 Thread Hugo Silva

brad clawsie wrote:

> hi
>
> while sitting at my computer tonight i noticed a great deal of disk
> activity. i found that this process was running:
>
> $ ps -auxwww 1463
> USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
> root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
> -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> -u+s -or -perm -g+s ) -print0
>
> any idea why this is running? is it part of a sanctioned background
> process?
>
> thanks!
> brad

man periodic

Hugo


Re: curious root find running

2007-08-17 Thread Derek Ragona

At 05:19 AM 8/17/2007, brad clawsie wrote:

> hi
>
> while sitting at my computer tonight i noticed a great deal of disk
> activity. i found that this process was running:
>
> $ ps -auxwww 1463
> USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
> root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
> -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> -u+s -or -perm -g+s ) -print0
>
> any idea why this is running? is it part of a sanctioned background
> process?


Check your cron jobs.  It is likely part of a rebuild of the locate database.

-Derek

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.



Re: curious root find running

2007-08-17 Thread Jonathan McKeown
On Friday 17 August 2007 13:34, Derek Ragona wrote:
> At 05:19 AM 8/17/2007, brad clawsie wrote:
> > hi
> >
> > while sitting at my computer tonight i noticed a great deal of disk
> > activity. i found that this process was running:
> >
> > $ ps -auxwww 1463
> > USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
> > root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
> > -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > -u+s -or -perm -g+s ) -print0
> >
> > any idea why this is running? is it part of a sanctioned background
> > process?
>
> Check your cron jobs.  It is likely part of a rebuild of the locate
> database.

I don't want to be rude, and this just happens to be the message I'm 
responding to with a more general gripe, but there does seem to be quite a 
lot of guessing in answers on this list over the last few days, which isn't 
perhaps as helpful as it's intended to be.

This is nothing to do with locate(1) - it's a find command looking in /usr for 
executable files (the first set of parens) which have the suid or sgid bits 
set (the second set of parens). It's part of the daily security check carried
out by periodic(8), as unexpected suid/sgid executables can be security 
holes.

Jonathan


Re: curious root find running

2007-08-17 Thread Derek Ragona

At 06:59 AM 8/17/2007, Jonathan McKeown wrote:

> On Friday 17 August 2007 13:34, Derek Ragona wrote:
> > At 05:19 AM 8/17/2007, brad clawsie wrote:
> > > hi
> > >
> > > while sitting at my computer tonight i noticed a great deal of disk
> > > activity. i found that this process was running:
> > >
> > > $ ps -auxwww 1463
> > > USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
> > > root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
> > > -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > > -u+s -or -perm -g+s ) -print0
> > >
> > > any idea why this is running? is it part of a sanctioned background
> > > process?
> >
> > Check your cron jobs.  It is likely part of a rebuild of the locate
> > database.
>
> I don't want to be rude, and this just happens to be the message I'm
> responding to with a more general gripe, but there does seem to be quite a
> lot of guessing in answers on this list over the last few days, which isn't
> perhaps as helpful as it's intended to be.
>
> This is nothing to do with locate(1) - it's a find command looking in /usr
> for executable files (the first set of parens) which have the suid or sgid
> bits set (the second set of parens). It's part of the daily security check
> carried out by periodic(8), as unexpected suid/sgid executables can be
> security holes.


I hate to be an I told you so but if you look in the script that rebuilds 
the locate database:

/usr/libexec/locate.updatedb
You will see a number of find commands.

In reality, you'd need to do:
ps -al
and follow the PID and PPID to determine what is running this find command.

-Derek



Re: curious root find running

2007-08-17 Thread Rolf G Nielsen

brad clawsie wrote:

> hi
>
> while sitting at my computer tonight i noticed a great deal of disk
> activity. i found that this process was running:
>
> $ ps -auxwww 1463
> USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
> root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
> -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> -u+s -or -perm -g+s ) -print0
>
> any idea why this is running? is it part of a sanctioned background
> process?
>
> thanks!
> brad

It's part of the nightly security check. Check out the periodic(8) man 
page and the scripts in the subdirectories of /etc/periodic. The command 
you had running is in /etc/periodic/security/100.chksetuid.


--

Sincerely,

Rolf Nielsen


Re: curious root find running

2007-08-17 Thread Jonathan McKeown
On Friday 17 August 2007 15:34, Derek Ragona wrote:
> At 06:59 AM 8/17/2007, Jonathan McKeown wrote:
> > On Friday 17 August 2007 13:34, Derek Ragona wrote:
> > > At 05:19 AM 8/17/2007, brad clawsie wrote:
> > > > hi
> > > >
> > > > while sitting at my computer tonight i noticed a great deal of disk
> > > > activity. i found that this process was running:
> > > >
> > > > $ ps -auxwww 1463
> > > > USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
> > > > root  1463  4.3  0.1  1876  1404  ??  D 3:01AM   0:07.26 find /usr
> > > > -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > > > -u+s -or -perm -g+s ) -print0
> > > >
> > > > any idea why this is running? is it part of a sanctioned background
> > > > process?
> > >
> > > Check your cron jobs.  It is likely part of a rebuild of the locate
> > > database.
> >
> > I don't want to be rude, and this just happens to be the message I'm
> > responding to with a more general gripe, but there does seem to be quite a
> > lot of guessing in answers on this list over the last few days, which
> > isn't perhaps as helpful as it's intended to be.
> >
> > This is nothing to do with locate(1) - it's a find command looking in /usr
> > for executable files (the first set of parens) which have the suid or sgid
> > bits set (the second set of parens). It's part of the daily security
> > check carried out by periodic(8), as unexpected suid/sgid executables can
> > be security holes.
>
> I hate to be an I told you so but if you look in the script that rebuilds
> the locate database:
> /usr/libexec/locate.updatedb
> You will see a number of find commands.
>
> In reality, you'd need to do:
> ps -al
> and follow the PID and PPID to determine what is running this find command.

There has been some discussion off-list, but just for the archives, the find 
command in question is indeed part of the daily checks by periodic(8).

Off-topic, on the subject of replies helpful or otherwise (I tried to be 
polite originally - I'm not trying as hard now):

The original poster had a reasonable question, and got two correct answers, 
from Hugo Silva (who said ``man periodic'') and me.

He also got one wrong answer from Derek Ragona, who then replied to one of the 
correct answers with the above I told you so, although in fact, looking 
at /usr/libexec/locate.updatedb as suggested would have made it immediately 
clear that this was the wrong answer (the command flags listed for the find 
command in the output of ps don't appear on any of the find commands in that 
script), and looking at /etc/crontab to check cronjobs (as originally 
suggested) around the start time of the command as listed in the OP's output 
(3:01am) would have suggested periodic daily (run at 0300 daily) as the 
culprit.

grep -r find /etc/periodic/* would have shown one find command using the -xdev 
flag, in

/etc/periodic/security/100.chksetuid

which indeed turns out to invoke find with all the flags of the OP's mystery 
command.

People come to this list for help: I know, because I'm often one of them. It 
would have taken a few seconds to verify the answer to this question rather 
than guess (the use of /likely/ in ``It is likely part of a rebuild'' is 
what made me suspect this was a guess), and certainly less time than it took 
to type a follow-up to a correct answer putting the OP back on the wrong 
track.

Jonathan
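
The check discussed in this thread, as an added example that is not part of the original messages and is not the contents of /etc/periodic/security/100.chksetuid: it runs the same find predicate from the ps output over a constructed temporary tree and reports set-id executables missing from a saved baseline. The function names, the sample files and the baseline comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's script).

# List setuid/setgid executables under directory $1, one path per line.
# Same predicate as the find in the ps output: regular files only, one
# filesystem (-xdev), any execute bit AND (setuid OR setgid).
# -o is the POSIX spelling of -or; -print replaces -print0 so the result
# can be sorted and compared (assumes no newlines in file names).
list_setid() {
    find "$1" -xdev -type f \
        \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
        \( -perm -u+s -o -perm -g+s \) -print | LC_ALL=C sort
}

# Print paths found under $1 now that are missing from the baseline list $2.
# The baseline is this example's assumption for deciding what is "unexpected".
new_setid() {
    list_setid "$1" > "$2.now" || return 1
    LC_ALL=C comm -13 "$2" "$2.now"
    rm -f "$2.now"
}

# Build a constructed sample tree and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    for f in plain suid sgid suid_noexec; do : > "$d/bin/$f"; done
    chmod 0755 "$d/bin/plain"        # executable, no set-id bit: skipped
    chmod 4755 "$d/bin/suid"         # setuid + executable: reported
    chmod 2755 "$d/bin/sgid"         # setgid + executable: reported
    chmod 4644 "$d/bin/suid_noexec"  # setuid, not executable: skipped
    echo "$d"
}

# Demo: baseline the tree, add one setuid program, report only the new one.
tree=$(make_demo_tree) && base=$(mktemp) || exit 1
list_setid "$tree" > "$base"
: > "$tree/bin/added" && chmod 4711 "$tree/bin/added"
new_setid "$tree" "$base"
rm -rf "$tree" "$base"
```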