Date: Fri, 17 Aug 2007 17:01:39 +0200
From: Jonathan McKeown <jonathan@hst.org.za>
To: freebsd-questions@freebsd.org
Subject: Re: curious root find running
Message-ID: <200708171701.40073.jonathan@hst.org.za>
In-Reply-To: <6.0.0.22.2.20070817082855.02638ff8@mail.computinginnovations.com>
References: <20070817101935.GA1064@localhost.gateway.2wire.net> <200708171359.06464.jonathan%2Bfreebsd-questions@hst.org.za> <6.0.0.22.2.20070817082855.02638ff8@mail.computinginnovations.com>

On Friday 17 August 2007 15:34, Derek Ragona wrote:
> At 06:59 AM 8/17/2007, Jonathan McKeown wrote:
> >On Friday 17 August 2007 13:34, Derek Ragona wrote:
> > > At 05:19 AM 8/17/2007, brad clawsie wrote:
> > > >hi
> > > >
> > > >while sitting at my computer tonight i noticed a great deal of disk
> > > >activity. i found that this process was running:
> > > >
> > > >$ ps -auxwww 1463
> > > >USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> > > >root 1463 4.3 0.1 1876 1404 ?? D 3:01AM 0:07.26 find /usr
> > > >-xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > > >-u+s -or -perm -g+s ) -print0
> > > >
> > > >any idea why this is running? is it part of a sanctioned background
> > > >process?
> > >
> > > Check your cron jobs. It is likely part of a rebuild of the locate
> > > database.
> >
> >I don't want to be rude, and this just happens to be the message I'm
> >responding to with a more general gripe, but there does seem to be quite a
> >lot of guessing in answers on this list over the last few days, which
> > isn't perhaps as helpful as it's intended to be.
> >
> >This is nothing to do with locate(1) - it's a find command looking in /usr
> >for executable files (the first set of parens) which have the suid or sgid
> > bits set (the second set of params). It's part of the daily security
> > check carried out by periodic(8), as unexpected suid/sgid executables can
> > be security holes.
>
> I hate to be an "I told you so" but if you look in the script that rebuilds
> the locate database:
> /usr/libexec/locate.updatedb
> You will see a number of find commands.
>
> In reality, you'd need to do:
> ps -al
> and follow the PID and PPID to determine what is running this find command.

There has been some discussion off-list, but just for the archives, the find
command in question is indeed part of the daily checks by periodic(8).

Off-topic, on the subject of replies helpful or otherwise (I tried to be
polite originally - I'm not trying as hard now):

The original poster had a reasonable question, and got two correct answers,
from Hugo Silva (who said ``man periodic'') and me. He also got one wrong
answer from Derek Ragona, who then replied to one of the correct answers with
the above "I told you so", although in fact, looking
at /usr/libexec/locate.updatedb as suggested would have made it immediately
clear that this was the wrong answer (the command flags listed for the find
command in the output of ps don't appear on any of the find commands in that
script), and looking at /etc/crontab to check cronjobs (as originally
suggested) around the start time of the command as listed in the OP's output
(3:01am) would have suggested periodic daily (run at 0300 daily) as the
culprit.

    grep -r find /etc/periodic/*

would have shown one find command using the -xdev flag,
in /etc/periodic/security/100.chksetuid which indeed turns out to invoke find
with all the flags of the OP's mystery command.

People come to this list for help: I know, because I'm often one of them. It
would have taken a few seconds to verify the answer to this question rather
than guess (the use of /likely/ in ``It is likely part of a rebuild....'' is
what made me suspect this was a guess), and certainly less time than it took
to type a follow-up to a correct answer putting the OP back on the wrong
track.

Jonathan
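
The check discussed in this thread, as an added example that is not part of the original message and is not FreeBSD's own /etc/periodic/security/100.chksetuid script: the find predicate from the ps output, plus a comparison against a saved list so that only unexpected setuid/setgid executables are reported. The function names and the baseline file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. list_setid and new_setid are hypothetical helper names.

# list_setid DIR
# Same predicate as the find command in the ps output above:
#   -xdev              stay on the filesystem DIR lives on
#   -type f            regular files only
#   first paren group  executable by user, group or other
#   second paren group setuid or setgid bit set
# Output is one path per line, sorted in the C locale so that two runs
# can be compared with comm(1). Paths containing newlines are not
# handled here; the original command uses -print0 for that reason.
list_setid() {
    find "$1" -xdev -type f \
        \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
        \( -perm -u+s -or -perm -g+s \) -print | LC_ALL=C sort
}

# new_setid BASELINE DIR
# BASELINE is a file written earlier by list_setid (an assumption of this
# example). Prints only the paths that match now but are not in BASELINE,
# i.e. setuid/setgid executables that appeared since the baseline was taken.
new_setid() {
    current=$(mktemp) || return 1
    list_setid "$2" > "$current"
    # comm -13 keeps lines that occur only in the second file
    LC_ALL=C comm -13 "$1" "$current"
    rm -f "$current"
}
```

Save the output of `list_setid /usr` once as the baseline, then run `new_setid` with that file and `/usr` to see what has been added since.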