Re: [DNG] lvm2 depends on systemd

2022-02-19 Thread Boian Bonev
Hi,

Add --disable-notify-dbus - in my case it looks to be properly set by the
autodetection and it worked. BTW lvm version 2.03.15 and I got a successful
sd-free build...

With best regards,
b.


On Sat, 2022-02-19 at 22:18 +0100, aitor wrote:
> Hi Boian,
> On 19/2/22 0:22, Boian Bonev wrote:
> What about:
> ./configure --disable-systemd-journal --disable-udev-systemd-background-jobs
> Thanks for your suggestion, but I run into the same error:
> notify/lvmnotify.c:22:10: fatal error: systemd/sd-bus.h: No existe el fichero o el directorio
>    22 | #include <systemd/sd-bus.h>
>       |          ^~~~~~~~~~~~~~~~~~
> compilation terminated.
> Cheers,
> Aitor.
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng





[DNG] solved: Re: usb keyboard detection in initramfs

2022-02-19 Thread Gregory Nowak via Dng
On Fri, Feb 18, 2022 at 02:57:11PM -0700, Gregory Nowak via Dng wrote:
> The problem is that my usb keyboard doesn't seem to be detected in the
> initramfs. Once I unlock the partition from the serial console, boot
> proceeds as expected, and everything is fine.

Turns out the problem was that the kernel can't output to multiple
consoles. I thought it could output to all consoles specified as
console parameters to the kernel. After specifying tty1 as the only
console in cmdline.txt, I rebooted, waited a couple of minutes to be
sure, and typed in the password to decrypt mmcblk0p2 on the usb
keyboard. Lo and behold, about 30 seconds after that I heard orca
announce "screen reader on" through the rpi's 3.5M audio jack.

For the record, the only usb modules I have in
/etc/initramfs-tools/modules at this point are:

usbhid, hid, and hid_generic in that order. Thanks for the suggestion
anyway Tito.

Greg


-- 
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.

--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org


Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 23:13:28 +0100
Florian Zieboll  wrote:

> cum salutis gallicis,

PS: Damn, /is/ibus/, I guess...



Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)

2022-02-19 Thread Ken Dibble

On 2/19/22 5:13 PM, Florian Zieboll via Dng wrote:

On Sat, 19 Feb 2022 23:00:59 +0100
Florian Zieboll via Dng  wrote:


Popcorn

florian@nulldevice:~$ cat .bashrc | grep tmp
   rm -rf ~/tmp/*

Thanks for your attention - I hope you had fun ;-)

cum salutis gallicis,
Florian


Glad I could help.  You never know when an opportunity to learn will appear.

Regards,

Ken



Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 17:03:58 -0500
Ken Dibble  wrote:

> Since you get this in every terminal window, I would look at .bashrc
> and .profile, as well as any shortcut that you use to open a terminal.

Yeah, thanks, that's how I got it :-)


Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 23:00:59 +0100
Florian Zieboll via Dng  wrote:

> Popcorn

florian@nulldevice:~$ cat .bashrc | grep tmp
  rm -rf ~/tmp/*

Thanks for your attention - I hope you had fun ;-)

cum salutis gallicis,
Florian


Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)

2022-02-19 Thread Ken Dibble

On 2/19/22 5:00 PM, Florian Zieboll via Dng wrote:

On Sat, 19 Feb 2022 21:59:59 +0100
Florian Zieboll via Dng  wrote:


root@nulldevice:~# ls -l /home/florian/tmp/test*
   -rw-r--r-- 1 florian florian 0 Feb 19 21:11 /home/florian/tmp/test_deletable
   -rw-r--r-- 1 root    root    0 Feb 19 21:19 /home/florian/tmp/test_root
   -rw-r--r-- 1 florian florian 0 Feb 19 21:09 /home/florian/tmp/test_undeletable
root@nulldevice:~# lsattr /home/florian/tmp/test*
   --e--- /home/florian/tmp/test_deletable
   e--- /home/florian/tmp/test_root
   i-e--- /home/florian/tmp/test_undeletable

(...)

OTOH, all the files under '/home/florian/tmp/' are still there - at
least 'test_deletable' should have been gone by now, if "the issue"
still persisted... So I remain wondering (again [1]) if there's some
galaxy brain posing with its superpowers by trampling through my tiny
digital sandcastle here? (lol, get a life!)

But seriously, for the future(tm): Where would this 'chattr
+i'-induced "Operation not permitted" error be logged?


Update: Now all but the immutable file are gone - and every new terminal
window I open greets me with:

||  rm: cannot remove '/home/florian/tmp/test_undeletable': Operation not permitted
||  florian@nulldevice:~$

florian@nulldevice:~$ ls -l ~/tmp/
   total 0
   -rw-r--r-- 1 florian florian 0 Feb 19 21:09 test_undeletable

My bad, I missed to start auditd again, so I can't say, when it
happened. Before I set up a clean device (bridge) to tcpdump the
network traffic: What else could I check locally?



Since you get this in every terminal window, I would look at .bashrc and 
.profile, as well as any shortcut that you use to open a terminal.


Regards, Ken



[DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 21:59:59 +0100
Florian Zieboll via Dng  wrote:

> root@nulldevice:~# ls -l /home/florian/tmp/test*
>   -rw-r--r-- 1 florian florian 0 Feb 19 21:11 /home/florian/tmp/test_deletable
>   -rw-r--r-- 1 root    root    0 Feb 19 21:19 /home/florian/tmp/test_root
>   -rw-r--r-- 1 florian florian 0 Feb 19 21:09 /home/florian/tmp/test_undeletable
> root@nulldevice:~# lsattr /home/florian/tmp/test*
>   --e--- /home/florian/tmp/test_deletable
>   e--- /home/florian/tmp/test_root
>   i-e--- /home/florian/tmp/test_undeletable
>
> (...)
>
> OTOH, all the files under '/home/florian/tmp/' are still there - at
> least 'test_deletable' should have been gone by now, if "the issue"
> still persisted... So I remain wondering (again [1]) if there's some
> galaxy brain posing with its superpowers by trampling through my tiny
> digital sandcastle here? (lol, get a life!)
>
> But seriously, for the future(tm): Where would this 'chattr
> +i'-induced "Operation not permitted" error be logged?


Update: Now all but the immutable file are gone - and every new terminal
window I open greets me with:

||  rm: cannot remove '/home/florian/tmp/test_undeletable': Operation not permitted
||  florian@nulldevice:~$

florian@nulldevice:~$ ls -l ~/tmp/
  total 0
  -rw-r--r-- 1 florian florian 0 Feb 19 21:09 test_undeletable

My bad, I missed to start auditd again, so I can't say, when it
happened. Before I set up a clean device (bridge) to tcpdump the
network traffic: What else could I check locally?



Re: [DNG] lvm2 depends on systemd

2022-02-19 Thread aitor

Hi Boian,

On 19/2/22 0:22, Boian Bonev wrote:


What about:
./configure --disable-systemd-journal --disable-udev-systemd-background-jobs


Thanks for your suggestion, but I run into the same error:

notify/lvmnotify.c:22:10: fatal error: systemd/sd-bus.h: No existe el fichero o el directorio
   22 | #include <systemd/sd-bus.h>
      |          ^~~~~~~~~~~~~~~~~~
compilation terminated.

Cheers,

Aitor.



Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 15:00:11 -0500
Ken Dibble  wrote:

> I don't know if this error will show up in the logs or not.
> 
> If your filesystem supports extended attributes (i.e. not zfs)
> 
> -
> 
> $ touch cant_delete_me
> 
> $ sudo chattr +i cant_delete_me
> 
> $ rm cant_delete_me
> 
> rm: cannot remove 'cant_delete_me' : Operation not permitted
> 
> $ sudo rm cant_delete_me
> 
> rm: cannot remove 'cant_delete_me' : Operation not permitted
> 
> -
> 
> See if the error message shows up in the logs.


Where would this error be logged? I just tested it:

florian@nulldevice:~$ touch ~/tmp/test_deletable
florian@nulldevice:~$ touch ~/tmp/test_undeletable

root@nulldevice:~# touch /home/florian/tmp/test_root
root@nulldevice:~# chattr +i /home/florian/tmp/test_undeletable
root@nulldevice:~# ls -l /home/florian/tmp/test*
  -rw-r--r-- 1 florian florian 0 Feb 19 21:11 /home/florian/tmp/test_deletable
  -rw-r--r-- 1 root    root    0 Feb 19 21:19 /home/florian/tmp/test_root
  -rw-r--r-- 1 florian florian 0 Feb 19 21:09 /home/florian/tmp/test_undeletable
root@nulldevice:~# lsattr /home/florian/tmp/test*
  --e--- /home/florian/tmp/test_deletable
  --e--- /home/florian/tmp/test_root
  i-e--- /home/florian/tmp/test_undeletable
root@nulldevice:~# rm /home/florian/tmp/test_undeletable 
  rm: cannot remove '/home/florian/tmp/test_undeletable': Operation not permitted
root@nulldevice:~# grep -R -e undeletable /var/log/
  [no results]

OTOH, all the files under '/home/florian/tmp/' are still there - at
least 'test_deletable' should have been gone by now, if "the issue"
still persisted... So I remain wondering (again [1]) if there's some
galaxy brain posing with its superpowers by trampling through my tiny
digital sandcastle here? (lol, get a life!)

But seriously, for the future(tm): Where would this 'chattr +i'-induced
"Operation not permitted" error be logged?

libre Grüße,
Florian


[1] see the issue with "nonpersistent block device names" in my
"kernel-update: initramfs fails to find swap"-thread



-- 
  \
   \\
\ \
|  |
  /  \
 |   ILS SONT FOUS|
 |CES ROMAINS!|
  \__/



Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Ken Dibble

On 2/19/22 2:42 PM, Florian Zieboll via Dng wrote:



Hallo list,

may I ask for help narrowing down a strange phenomenon?

Any files in my personal '~/tmp/' directory just disappear after a
couple of minutes. I was able to catch the event with 'auditd' - it seems
to be executed in a bash within a qterminal, running as child of PID 1:

The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
line, caught with

# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log


type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 
success=yes exit=0 a0=ff9c a1=5604372f44d0 a2=0 
a3=f2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 
gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 
fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined 
key=(null)ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian" 
GID="florian" EUID="florian" SUID="florian" FSUID="florian" 
EGID="florian" SGID="florian" FSGID="florian"

type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 
name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 
ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 
cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 
name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 
ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 
cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): 
proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 
auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication 
grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" 
hostname=nulldevice.lan addr=? terminal=pts/2 
res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 
auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting 
grantors=pam_permit acct="administrator" exe="/bin/su" 
hostname=nulldevice.lan addr=? terminal=pts/2 
res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 
auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred 
grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" 
hostname=nulldevice.lan addr=? terminal=pts/2 
res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 
auid=1001 ses=1 subj==unconfined msg='op=PAM:session_open 
grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"



And here the relevant snippet of 'ps axjf':

  PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
     1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
  8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash


As I suspect that I might have installed a routine that regularly deletes
the content of ~/tmp, I checked for crontab entries, but neither of the
two following commands return a result:

# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/

Besides that: Wouldn't a cronjob have 'crond' as parent?

Thank you very much for any hints leading to more insight!

Libre Grüße,
Florian


I don't know if this error will show up in the logs or not.

If your filesystem supports extended attributes (i.e. not zfs)

-

$ touch cant_delete_me

$ sudo chattr +i cant_delete_me

$ rm cant_delete_me

rm: cannot remove 'cant_delete_me' : Operation not permitted

$ sudo rm cant_delete_me

rm: cannot remove 'cant_delete_me' : Operation not permitted

-

See if the error message shows up in the logs.


and then obviously

$ sudo chattr -i cant_delete_me

$ rm cant_delete_me

Again, probably not helpful, but worth a try.

Regards,

Ken



Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 20:36:29 +0100
Florian Zieboll via Dng  wrote:

> On Sat, 19 Feb 2022 19:09:15 +0100
> "d...@d404.nl"  wrote:
> >
> > Probably not helpful too but does auth.log show something from the
> > use of exec="/bin/su" ?
> 
> Yes, as my standard user is not a "sudoer", I use to get a root shell
> by 'su'ing into the admin account and then 'sudo su -' from there, so
> I have numerous sets like the following in the auth.log:
> 
> # cat /var/log/auth.log | grep -B2 -A5 '/bin/su'

Oh, I missed to grep for the "exec=" part! But no results for
'exec="/bin/su"' resp. '\ exec=' at all.


Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 19:09:15 +0100
"d...@d404.nl"  wrote:
>
> Probably not helpful too but does auth.log show something from the
> use of exec="/bin/su" ?

Yes, as my standard user is not a "sudoer", I use to get a root shell by
'su'ing into the admin account and then 'sudo su -' from there, so I
have numerous sets like the following in the auth.log:

# cat /var/log/auth.log | grep -B2 -A5 '/bin/su'

Feb 19 20:15:24 nulldevice su: (to administrator) florian on pts/1
Feb 19 20:15:24 nulldevice su: pam_unix(su:session): session opened for user administrator(uid=1000) by (uid=1001)
Feb 19 20:15:30 nulldevice sudo: administrator : TTY=pts/1 ; PWD=/home/florian ; USER=root ; COMMAND=/bin/su -
Feb 19 20:15:30 nulldevice sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Feb 19 20:15:30 nulldevice su: (to root) florian on pts/1
Feb 19 20:15:30 nulldevice su: pam_unix(su-l:session): session opened for user root(uid=0) by (uid=0)
Feb 19 20:17:01 nulldevice CRON[4512]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 19 20:17:01 nulldevice CRON[4512]: pam_unix(cron:session): session closed for user root


Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread d...@d404.nl

On 19-02-2022 16:25, Florian Zieboll via Dng wrote:

Hallo list,

may I ask for help narrowing down a strange phenomenon?

Any files in my personal '~/tmp/' directory just disappear after a
couple of minutes. I was able to catch the event with 'auditd' - it seems
to be executed in a bash within a qterminal, running as child of PID 1:

The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
line, caught with

# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log

type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 success=yes exit=0 a0=ff9c a1=5604372f44d0 a2=0 a3=f2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 
gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat 
AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian" 
SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 
mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 
dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): 
proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined 
msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" 
hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting 
grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred 
grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined 
msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 
res=success'UID="florian" AUID="florian"


And here the relevant snippet of 'ps axjf':

  PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
     1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
  8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash


As I suspect that I might have installed a routine that regularly deletes
the content of ~/tmp, I checked for crontab entries, but neither of the
two following commands return a result:

# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/

Besides that: Wouldn't a cronjob have 'crond' as parent?

Thank you very much for any hints leading to more insight!

Libre Grüße,
Florian


Probably not helpful too but does auth.log show something from the use
of exec="/bin/su" ?


Grtz

Nick



Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 12:46:18 -0500
Ken Dibble  wrote:
> 
> Probably not helpful but did you check anacrontab?


Thank you for the hint, but nothing there but anacronically executed
crontab entries... Still helpful, as in the future I will check it
earlier :-)

libre Grüße,
Florian


Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Florian Zieboll via Dng
On Sat, 19 Feb 2022 16:25:54 +0100
Florian Zieboll via Dng  wrote:

> And here the relevant snippet of 'ps axjf':
>
>  PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
>     1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
>  8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash


Back to the keyboard, I just discovered, that every (GUI) program I
run, is spawned from PID 1. Honestly, I would have expected those to be
child processes of e.g. the display manager or the session manager...

Nevertheless, where could I start resp. continue to look for the magic
that deletes my files under '~/tmp/'?



Re: [DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Ken Dibble

On 2/19/22 10:25 AM, Florian Zieboll via Dng wrote:

Hallo list,

may I ask for help narrowing down a strange phenomenon?

Any files in my personal '~/tmp/' directory just disappear after a
couple of minutes. I was able to catch the event with 'auditd' - it seems
to be executed in a bash within a qterminal, running as child of PID 1:

The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
line, caught with

# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log

type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 success=yes exit=0 a0=ff9c a1=5604372f44d0 a2=0 a3=f2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 
gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat 
AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian" 
SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 
mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 
dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): 
proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined 
msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" 
hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting 
grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred 
grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined 
msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 
res=success'UID="florian" AUID="florian"


And here the relevant snippet of 'ps axjf':

  PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
     1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
  8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash


As I suspect that I might have installed a routine that regularly deletes
the content of ~/tmp, I checked for crontab entries, but neither of the
two following commands return a result:

# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/

Besides that: Wouldn't a cronjob have 'crond' as parent?

Thank you very much for any hints leading to more insight!

Libre Grüße,
Florian


Probably not helpful but did you check anacrontab?

Regards,

Ken




[DNG] [OT] files disappearing reproducibly

2022-02-19 Thread Florian Zieboll via Dng

Hallo list,

may I ask for help narrowing down a strange phenomenon? 

Any files in my personal '~/tmp/' directory just disappear after a
couple of minutes. I was able to catch the event with 'auditd' - it seems
to be executed in a bash within a qterminal, running as child of PID 1:

The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
line, caught with 

# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log

type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 
success=yes exit=0 a0=ff9c a1=5604372f44d0 a2=0 a3=f2cb items=2 
ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 
egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" 
subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat AUID="florian" 
UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" 
EGID="florian" SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" 
inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 
nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" 
inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 
nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): 
proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 
subj==unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 
subj==unconfined msg='op=PAM:accounting grantors=pam_permit 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 
subj==unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 
subj==unconfined msg='op=PAM:session_open 
grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind 
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? 
terminal=pts/2 res=success'UID="florian" AUID="florian"


And here the relevant snippet of 'ps axjf':

 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
    1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
 8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash


As I suspect that I might have installed a routine that regularly deletes
the content of ~/tmp, I checked for crontab entries, but neither of the
two following commands return a result:

# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/

Besides that: Wouldn't a cronjob have 'crond' as parent?

Thank you very much for any hints leading to more insight!

Libre Grüße,
Florian
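
Added example, not part of the original post or of any reply in the thread: a Python reading of the audit event above that groups the records by serial number, decodes the hex-encoded PROCTITLE field into the command line, and looks the ppid up in the `ps axjf` snippet. The function names are hypothetical; the sample strings are the post's own records, rejoined onto one line each and trimmed to the fields used.

```python
import re
from collections import defaultdict

# Records of audit event 65 as posted above, rejoined onto one line each and
# trimmed (enrichment fields and the later USER_* records are left out).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 success=yes exit=0 items=2 ppid=8290 pid=8292 auid=1001 uid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 nametype=PARENT
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 nametype=DELETE
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
"""

# The 'ps axjf' snippet from the same post, with its columns realigned.
PS_AXJF = """\
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
    1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
 8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \\_ /bin/bash
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit records by event serial: {serial: [(type, raw_fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _stamp, serial, body = m.groups()
        events[int(serial)].append((rtype, dict(FIELD.findall(body))))
    return dict(events)


def decode_untrusted(raw):
    """auditd quotes plain strings and hex-encodes those with spaces, NULs, etc."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # neither quoted nor hex, e.g. (null)


def deletions(events):
    """One summary per event that has a PATH record with nametype=DELETE."""
    out = []
    for serial, records in sorted(events.items()):
        by_type = defaultdict(list)
        for rtype, fields in records:
            by_type[rtype].append(fields)
        targets = [decode_untrusted(p["name"]) for p in by_type["PATH"]
                   if p.get("nametype") == "DELETE"]
        if not targets or not by_type["SYSCALL"]:
            continue
        sc = by_type["SYSCALL"][0]
        title = by_type["PROCTITLE"][0]["proctitle"] if by_type["PROCTITLE"] else '""'
        out.append({
            "serial": serial,
            "deleted": targets,
            "exe": decode_untrusted(sc["exe"]),
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "tty": sc.get("tty"),
            # argv elements are NUL-separated inside the decoded proctitle
            "argv": decode_untrusted(title).split("\x00"),
        })
    return out


def parent_command(ps_text, pid):
    """Look a PID up in 'ps axjf' output: (ppid, tty, command) or None."""
    for line in ps_text.splitlines()[1:]:
        cols = line.split(None, 9)
        if len(cols) == 10 and cols[1] == str(pid):
            return int(cols[0]), cols[4], cols[9].lstrip("\\_ |")
    return None


if __name__ == "__main__":
    for d in deletions(parse_records(AUDIT_LOG)):
        print(d["deleted"], "removed by", d["argv"], "pid", d["pid"],
              "parent", d["ppid"], parent_command(PS_AXJF, d["ppid"]))
```

The decoded command line is `rm -rf` with an already expanded absolute path, run as a child of the interactive bash on pts/2, which matches the `rm -rf ~/tmp/*` line in .bashrc reported as the cause in the follow-up message.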