From: Julian Elischer
Date: Sun, 29 Jan 2006 00:07:29 -0800
To: Peter Jeremy
Cc: current@freebsd.org
Subject: Re: Unreferenced files not being deleted

Peter Jeremy wrote:

>On Fri, 2006-Jan-27 06:56:47 +1100, Peter Jeremy wrote:
>
>>On my recent -current, I've noticed that /var is filling up with
>>unreferenced files.
>
>Updated data point: The files do disappear on a clean shutdown
>so the kernel seems to be aware that they have no name but
>neither fstat nor lsof can find any processes holding them open.
>I have a core dump demonstrating the problem and will poke around
>in it as a background task.

You know it occurred to me that a process that is not in the process list
would still work.. could be an easy way to effect a rootkit if one had root
access. wouldn't show up in ps, fstat etc.

it could be another answer to your mystery.. :-/
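
A cross-view check for the situation raised in the reply above, as an added example that is not part of the original message: it compares the PIDs that ps lists against the PIDs that answer signal 0. The function names, the injected `kill` and `snapshot` parameters, and the 99999 PID ceiling (taken here as the FreeBSD default) are assumptions of this sketch.

```python
import os
import subprocess

def listed_pids(ps_output):
    """Parse the output of `ps -axo pid` into a set of integer PIDs."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def pid_answers(pid, kill=os.kill):
    """True if the kernel accepts signal 0 for pid (nothing is delivered)."""
    try:
        kill(pid, 0)
    except ProcessLookupError:   # ESRCH: no such process
        return False
    except PermissionError:      # EPERM: process exists, different owner
        return True
    return True

def unlisted_pids(snapshot, max_pid, kill=os.kill):
    """Return PIDs that answer signal 0 but appear in neither ps snapshot.

    snapshot() returns ps output. It is called before and after probing so
    that a process which started during the scan and is still running is
    not reported as unlisted.
    """
    before = listed_pids(snapshot())
    answering = {p for p in range(1, max_pid + 1) if pid_answers(p, kill)}
    after = listed_pids(snapshot())
    return sorted(answering - before - after)

def run_ps():
    """Take one process-list snapshot with the system ps."""
    return subprocess.run(["ps", "-axo", "pid"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    # Assumed PID ceiling; adjust to the host's configured maximum.
    for pid in unlisted_pids(run_ps, 99999):
        print("answers signal 0 but is not listed by ps:", pid)
```

A hit is a lead to follow up rather than proof, since a process that starts and exits within the scan can be reported once. An empty result does not clear the host either, because code running in the kernel can change what kill(2) reports as well.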