Posts Topics Forums Images
Search videos from message boards Videos Search messages from microblogs Microblogs Search messages from imdb.com Imdb Search messages from yuku.com Yuku Search messages from lefora.com (free forums) Lefora
My account: Login | Sign Up
Loading... 

Thread: What's touching this file?
Started 3 months, 1 week ago by minnmass
At some point in the past, I started a process which (a) survives reboots, (b) touches the file ~/1, and (c) has no adverse effects of which I am aware. I do not, however, have any idea what is touching ~/1 any longer, and it's starting to annoy me, much like a single mosquito in the room. Neither my account's crontab nor root's has any obvious redirects to this file, nor anything that would ...
Site: Ars OpenForum 3.0b  Ars OpenForum 3.0b - site profile
Forum: Linux Kung Fu  Linux Kung Fu - forum profile
Total authors: 8 authors
Total thread posts: 12 posts
Thread activity: no new posts during last week
Domain info for: arstechnica.com

Other posts in this thread:

Biff replied 3 months, 1 week ago
I'm guessing lsof isn't showing anything holding onto the file?
Size: 63 bytes
Customize:  Customize "<b>Reply 1</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

minnmass replied 3 months, 1 week ago
lsof | grep '/1' doesn't show any processes holding it open, and the file is empty, per 'file'. That would be far too easy, after all.
Size: 282 bytes
Customize:  Customize "<b>Reply 2</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

norton_I replied 3 months, 1 week ago
First thing I would do is: find /etc -type f -print0 | xargs -0 grep /home/me/1 and a couple variants. See if that file is mentioned anywhere in your startup scripts or configuration files. Then install inotify-tools and use inotifywatch to see what does it.
Size: 286 bytes
Customize:  Customize "<b>Reply 3</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

The Shadow replied 3 months, 1 week ago
Show it a doll, and ask it to use the doll to show you.
Size: 55 bytes
Customize:  Customize "<b>Reply 4</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

minnmass replied 3 months, 1 week ago
quote: Originally posted by norton_I: First thing I would do is: find /etc -type f -print0 | xargs -0 grep /home/me/1 and a couple variants. See if that file is mentioned anywhere in your startup scripts or configuration files. I ran that with no results. I'm running it on a slightly larger search space, but results will take a while. quote: Then install inotify-tools and use ...
Size: 1,218 bytes
Customize:  Customize "<b>Reply 5</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

norton_I replied 3 months, 1 week ago
Hmm... I thought inotifywatch had a way to record PIDs of the offending process, but I guess not. Your plan looks good, though if the file is just being touched, it may be too fast to see. The other thing that comes to mind is to create a tarpit by symlinking /home/me/1 to something that will block. You could use a broken network mount, I can't think of anything less hacktastic
Size: 530 bytes
Customize:  Customize "<b>Reply 6</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

bombcar replied 3 months, 1 week ago
It's in your home directory, so it's probably one of your processes, not root's. It's called 1 so it's probably a typo in a bash script somewhere - something like "- 1" instead of "-1" or something.
Size: 207 bytes
Customize:  Customize "<b>Reply 7</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

euzeka replied 3 months, 1 week ago
quote: Originally posted by bombcar: It's called 1 so it's probably a typo in a bash script somewhere - something like "- 1" instead of "-1" or something. Quite likely. I get '1' files every now and then from mistyped stdout redirects or using syntax for the wrong type of shell. Might be worth looking into (eg. it could be a cron job after all).
Size: 492 bytes
Customize:  Customize "<b>Reply 8</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

Otterz replied 3 months ago
It should work to add that file to the list of files for auditd, and then look at the audit log. It's been forever since I messed with auditd, so I don't remember the syntax.
Size: 174 bytes
Customize:  Customize "<b>Reply 9</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

minnmass replied 3 months ago
Sorry for the long delay in updating (over 24 hours!? Outrageous!). I'm giving auditd a chance; inotify fired off once or twice, but the output from ps aux was ... inconclusive. Thanks!
Size: 203 bytes
Customize:  Customize "<b>Reply 10</b>: What's touching this file? :: Linux Kung Fu :: Ars OpenForum 3.0b"

 

Top contributing authors

Name
Posts
minnmass
4
user's latest post:
What's touching this file?
Published (2009-09-14 20:22:00)
Sorry for the long delay in updating (over 24 hours!? Outrageous!). I'm giving auditd a chance; inotify fired off once or twice, but the output from ps aux was ... inconclusive. Thanks!
norton_I
2
user's latest post:
What's touching this file?
Published (2009-09-10 15:31:00)
Hmm... I thought inotifywatch had a way to record PIDs of the offending process, but I guess not. Your plan looks good, though if the file is just being touched, it may be too fast to see. The other thing that comes to mind is to create a tarpit by symlinking /home/me/1 to something that will block. You could use a broken network mount, I can't think of anything less hacktastic
M. Jones
1
user's latest post:
What's touching this file?
Published (2009-09-14 21:18:00)
quote: Originally posted by euzeka: Quite likely. I get '1' files every now and then from mistyped stdout redirects or using syntax for the wrong type of shell. Might be worth looking into (eg. it could be a cron job after all). This. The likely syntax should look like this: job &gt; /dev/null 2&gt;&1 But you would have an output file "1", that could be size zero depending on output, if you used this incorrect...
Biff
1
user's latest post:
What's touching this file?
Published (2009-09-10 13:44:00)
I'm guessing lsof isn't showing anything holding onto the file?
The Shadow
1
user's latest post:
What's touching this file?
Published (2009-09-10 14:04:00)
Show it a doll, and ask it to use the doll to show you.
bombcar
1
user's latest post:
What's touching this file?
Published (2009-09-11 01:12:00)
It's in your home directory, so it's probably one of your processes, not root's. It's called 1 so it's probably a typo in a bash script somewhere - something like "- 1" instead of "-1" or something.
euzeka
1
user's latest post:
What's touching this file?
Published (2009-09-11 22:17:00)
quote: Originally posted by bombcar: It's called 1 so it's probably a typo in a bash script somewhere - something like "- 1" instead of "-1" or something. Quite likely. I get '1' files every now and then from mistyped stdout redirects or using syntax for the wrong type of shell. Might be worth looking into (eg. it could be a cron job after all).
Otterz
1
user's latest post:
What's touching this file?
Published (2009-09-13 15:08:00)
It should work to add that file to the list of files for auditd, and then look at the audit log. It's been forever since I messed with auditd, so I don't remember the syntax.

Related threads on "Ars OpenForum 3.0b":

What the heck? (File copy in Vista)  Ars OpenForum 3.0b - site profile Microsoft OS & Software Colloquium - forum profile What the heck? (File copy in Vista)
What the heck? (File copy in Vista)
What does this file belong to?  Ars OpenForum 3.0b - site profile NT, Win2K, & XP Technical Mojo - forum profile What does this file belong to?
What does this file belong to?
What file system do you use?  Ars OpenForum 3.0b - site profile Linux Kung Fu - forum profile What file system do you use?
What file system do you use?
IPod mp3 and video file recovery to a PC: What is the...  Ars OpenForum 3.0b - site profile Audio/Visual Club - forum profile IPod mp3 and video file recovery to a PC: What is the best approach?
IPod mp3 and video file recovery to a PC: What is the best approach?
Gnome file finder sucks, what am I doing wrong?  Ars OpenForum 3.0b - site profile Linux Kung Fu - forum profile Gnome file finder sucks, what am I doing wrong?
Gnome file finder sucks, what am I doing wrong?
Ubuntu: the file system went read only... What gives??  Ars OpenForum 3.0b - site profile Linux Kung Fu - forum profile Ubuntu: the file system went read only... What gives??
Ubuntu: the file system went read only... What gives??
What the crap is this file? [VMWare Fusion-related,...  Ars OpenForum 3.0b - site profile Macintoshian Achaia - forum profile What the crap is this file? [VMWare Fusion-related, methinks]
What the crap is this file? [VMWare Fusion-related, methinks]
I need to log who does what (create/move/delete) in a...  Ars OpenForum 3.0b - site profile NT, Win2K, & XP Technical Mojo - forum profile I need to log who does what (create/move/delete) in a windows file share -how?
I need to log who does what (create/move/delete) in a windows file share -how?
What tool do you use to shrink image file sizes?  Ars OpenForum 3.0b - site profile Macintoshian Achaia - forum profile What tool do you use to shrink image file sizes?
What tool do you use to shrink image file sizes?
Windows File Server - What Flavor of Windows?  Ars OpenForum 3.0b - site profile NT, Win2K, & XP Technical Mojo - forum profile Windows File Server - What Flavor of Windows?
Windows File Server - What Flavor of Windows?

Related threads on other sites:

@ brittwhitmire I was able to upload a long MP3 file ok....  Twitter / michaelest - site profile michaelest - forum profile @ brittwhitmire I was able to upload a long MP3 file ok. What type of file are you uploading? @ michaelest twithear developer about 11 hours ago from web
@ brittwhitmire I was able to upload a long MP3 file ok. What type of file are you uploading? @ michaelest twithear developer about 11 hours ago from web
Touching a file which contains slash char  The UNIX Forums - the Top UNIX & Linux Q&A on the Web - site profile C Programming in the UNIX Environment - forum profile Touching a file which contains slash char
Touching a file which contains slash char
@ zarathos getting images from posts, default user...  Twitter / dnnsldr - site profile dnnsldr - forum profile @ zarathos getting images from posts, default user functions for themes that can take away meta data for pages without touching theme file 7:54 AM Dec 22nd, 2008 from TweetDeck
@ zarathos getting images from posts, default user functions for themes that can take away meta data for pages without touching theme file 7:54 AM Dec 22nd, 2008 from TweetDeck
What game file type does the M1 use??  SprintUsers.com Message Forum - site profile Sanyo M1 Temporary Discussion - forum profile What game file type does the M1 use??
What game file type does the M1 use??
What is a Z01 file ?  Cubase.net - site profile WaveLab - forum profile What is a Z01 file ?
What is a Z01 file ?
What is with file search on XP? It seems like it searches...  A Windows XP help forum - PCbanter - site profile General XP issues or comments - forum profile What is with file search on XP? It seems like it searches all types offiles, has no sense about what is searches first, takes FOREVER, on windows98 a file search took about 1/1000 the time.
What is with file search on XP? It seems like it searches all types offiles, has no sense about what is searches first, takes FOREVER, on windows98 a file search took about 1/1000 the time.
What type of file formats can you use with windows 7? Can...  Microsoft Answers Forums - site profile Windows 7 Forums Files, folders and search - forum profile What type of file formats can you use with windows 7? Can windows 7 read Macintosh file formats??? (File Extensions, .exe or garageband files (Apple Program))????
What type of file formats can you use with windows 7? Can windows 7 read Macintosh file formats??? (File Extensions, .exe or garageband files (Apple Program))????
What type of file is the Windows XP Cover File? Is the...  Computers & Internet - Yahoo! Answers - site profile Computers & Internet - forum profile What type of file is the Windows XP Cover File? Is the Windows XP Cover file stored on Drive A? - Yahoo! Answers
What type of file is the Windows XP Cover File? Is the Windows XP Cover file stored on Drive A? - Yahoo! Answers
The obamas what? "touching, kissing, even...  Twitter / karenism - site profile karenism - forum profile The obamas what? "touching, kissing, even fisting" http://bit.ly/wtffisting 11:40 AM Jan 22nd from web
The obamas what? "touching, kissing, even fisting" http://bit.ly/wtffisting 11:40 AM Jan 22nd from web
@ BenWilkins let me try that again. What is the file...  Twitter / Rick_Proctor - site profile Rick Proctor - forum profile @ BenWilkins let me try that again. What is the file supposed to contain? There are a couple of different sdb file types about 18 hours ago from twhirl
@ BenWilkins let me try that again. What is the file supposed to contain? There are a couple of different sdb file types about 18 hours ago from twhirl
Thread profile page for "What's touching this file?" on http://www.arstechnica.com. This report page is a snippet summary view from a single thread "What's touching this file?", located on the Message Board at http://www.arstechnica.com. This thread profile page shows the thread statistics for: Total Authors, Total Thread Posts, and Thread Activity
 1   2   Next »