From: Derek Ragona
To: Jonathan McKeown, freebsd-questions@freebsd.org
Date: Fri, 17 Aug 2007 08:34:05 -0500
Subject: Re: curious root find running

At 06:59 AM 8/17/2007, Jonathan McKeown wrote:
>On Friday 17 August 2007 13:34, Derek Ragona wrote:
> > At 05:19 AM 8/17/2007, brad clawsie wrote:
> > >hi
> > >
> > >while sitting at my computer tonight i noticed a great deal of disk
> > >activity. i found that this process was running:
> > >
> > >$ ps -auxwww 1463
> > >USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> > >root 1463 4.3 0.1 1876 1404 ?? D 3:01AM 0:07.26 find /usr
> > >-xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > >-u+s -or -perm -g+s ) -print0
> > >
> > >any idea why this is running? is it part of a sanctioned background
> > >process?
> >
> > Check your cron jobs. It is likely part of a rebuild of the locate
> > database.
>
>I don't want to be rude, and this just happens to be the message I'm
>responding to with a more general gripe, but there does seem to be quite a
>lot of guessing in answers on this list over the last few days, which isn't
>perhaps as helpful as it's intended to be.
>
>This is nothing to do with locate(1) - it's a find command looking in /usr
>for executable files (the first set of parens) which have the suid or sgid
>bits set (the second set of params). It's part of the daily security check
>carried out by periodic(8), as unexpected suid/sgid executables can be
>security holes.

I hate to be an "I told you so" but if you look in the script that rebuilds the locate database:
/usr/libexec/locate.updatedb

You will see a number of find commands.

In reality, you'd need to do:
ps -al

and follow the PID and PPID to determine what is running this find command.

-Derek
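Following the PID and PPID chain suggested in the message above, as an added example that is not part of the original thread: the function reads a "PID PPID COMMAND" table and prints each ancestor of one process. The table is constructed for illustration, except PID 1463 and its find command line, which come from the quoted ps output; on a live FreeBSD system the same three columns could come from `ps -axo pid,ppid,command`.

```shell
#!/bin/sh
# ancestry PID
# Reads a "PID PPID COMMAND..." table on stdin (a header line is allowed) and
# prints "pid <- ppid  command" for PID and then for each of its ancestors.
ancestry() {
    awk -v start="$1" '
        $1 ~ /^[0-9]+$/ {                       # skip the header line
            ppid[$1] = $2
            cmd = $0                            # keep the full command line
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)
            command[$1] = cmd
        }
        END {
            if (!(start in ppid)) {
                print "pid " start " not in table" > "/dev/stderr"
                exit 1
            }
            pid = start
            # Stop when the parent is missing from the table or on a loop.
            while ((pid in ppid) && !(pid in seen)) {
                seen[pid] = 1
                printf "%s <- %s  %s\n", pid, ppid[pid], command[pid]
                pid = ppid[pid]
            }
        }'
}

# Constructed sample table (hypothetical PIDs and parents, apart from 1463).
sample_ps() {
    cat <<'EOF'
  PID  PPID COMMAND
    1     0 /sbin/init --
  612     1 /usr/sbin/cron -s
 1400   612 /bin/sh - /usr/sbin/periodic daily
 1463  1400 find /usr -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm -u+s -or -perm -g+s ) -print0
EOF
}

# Who started the find seen in the quoted ps output?
sample_ps | ancestry 1463
```

Reading the output from the top down gives the chain from the find process up to init, so the scheduling job that launched it is identified from the process table rather than guessed.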