From owner-freebsd-questions@FreeBSD.ORG Fri Aug 17 12:22:12 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C3F5D16A420 for ; Fri, 17 Aug 2007 12:22:12 +0000 (UTC) (envelope-from jonathan+freebsd-questions@hst.org.za) Received: from hermes.hst.org.za (onix.hst.org.za [209.203.2.133]) by mx1.freebsd.org (Postfix) with ESMTP id D1EC713C428 for ; Fri, 17 Aug 2007 12:22:09 +0000 (UTC) (envelope-from jonathan+freebsd-questions@hst.org.za) Received: from sysadmin.hst.org.za (sysadmin.int.dbn.hst.org.za [10.1.1.20]) (authenticated bits=0) by hermes.hst.org.za (8.13.8/8.13.8) with ESMTP id l7HBsDpp079699 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Fri, 17 Aug 2007 13:54:13 +0200 (SAST) (envelope-from jonathan+freebsd-questions@hst.org.za) From: Jonathan McKeown Organization: Health Systems Trust To: freebsd-questions@freebsd.org Date: Fri, 17 Aug 2007 13:59:06 +0200 User-Agent: KMail/1.7.2 References: <20070817101935.GA1064@localhost.gateway.2wire.net> <6.0.0.22.2.20070817063356.026581f8@mail.computinginnovations.com> In-Reply-To: <6.0.0.22.2.20070817063356.026581f8@mail.computinginnovations.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200708171359.06464.jonathan+freebsd-questions@hst.org.za> X-Spam-Score: -3.977 () ALL_TRUSTED,BAYES_00 X-Scanned-By: MIMEDefang 2.61 on 209.203.2.133 Subject: Re: curious root find running X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Aug 2007 12:22:12 -0000 On Friday 17 August 2007 13:34, Derek Ragona wrote: > At 05:19 AM 8/17/2007, brad clawsie wrote: > >hi > > > >while sitting at my computer tonight i noticed a great deal of disk > >activity. i found that this process was running: > > > >$ ps -auxwww 1463 > >USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND > >root 1463 4.3 0.1 1876 1404 ?? D 3:01AM 0:07.26 find /usr > >-xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm > >-u+s -or -perm -g+s ) -print0 > > > >any idea why this is running? is it part of a sanctioned background > >process? > > Check your cron jobs. It is likely part of a rebuild of the locate > database. I don't want to be rude, and this just happens to be the message I'm responding to with a more general gripe, but there does seem to be quite a lot of guessing in answers on this list over the last few days, which isn't perhaps as helpful as it's intended to be. This is nothing to do with locate(1) - it's a find command looking in /usr for executable files (the first set of parens) which have the suid or sgid bits set (the second set of params). It's part of the daily security check carried out by periodic(8), as unexpected suid/sgid executables can be security holes. Jonathan