Date: Sat, 15 Jan 2011 01:14:08 +1100 (EST)
From: Ian Smith
To: Polytropon
Cc: Swe Gill, freebsd-questions@freebsd.org
Subject: Re: httpd-modsec2_debug.log: Operation not permitted
Message-ID: <20110115003107.O62193@sola.nimnet.asn.au>
In-Reply-To: <20110114032629.8042C1065782@hub.freebsd.org>
References: <20110114032629.8042C1065782@hub.freebsd.org>

In freebsd-questions Digest, Vol 345, Issue 9, Message: 10
On Thu, 13 Jan 2011 23:35:26 +0100 Polytropon wrote:
 > On Thu, 13 Jan 2011 23:08:33 +0100, Swe Gill wrote:
 > > That is the problem. One file sizes up to 50GB and other 3 GB...
 > >
 > > 52872944 -rw-rw---- 1 root wheel 50G Jan 13 22:51 httpd-modsec2_audit.log
 > > 3320928 -rw-rw---- 1 root wheel 3.2G Jan 13 22:51 httpd-modsec2_debug.log
 > >
 > > I am just standing nowhere to remove the files....
 > >
 > > have tried by setting flags, changing modes.... all as a root but no luck
 > > yet...
 > >
 > > Any help?
 >
 > Is your system running on a raised securelevel maybe? See
 > in "man security" where this is mentioned, section "SECURING
 > THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS". It seems
 > that this could cause different behaviour in relation to flags.

That's possible, but perhaps it may be simpler than that?

 > I will _not_ advise you to kill the files per inode (fsdb,
 > clri) because this could cause further filesystem trouble. :-)

Indeed it could :)

Swe, I suspect the reason you can't just delete these files is likely
because something has them open for writing, and the system won't let
you remove such files, naturally enough. See what you get by running:

 # fstat /path/to/httpd-modsec2_*.log

If that shows any processes writing to those files, you need to stop
that/those processes. From the filenames my guess would be apache, in
which case you'd need to stop it, perhaps best by:

 # /usr/local/etc/rc.d/apache stop    # or apache2, whatever it's called.

then check again with fstat. If that doesn't work for some reason then:

 # shutdown now

to single-user mode will terminate any process accessing those files.

Either way, you can then rm safely, or probably better, truncate each to
zero bytes (thus keeping their ownership and permissions intact) by eg:

 # echo -n '' > filename

Then restart apache|whatever, or hit ^D or 'exit' to restart multiuser
if you had to go that far to stop anything keeping those file/s open.

As previously advised, configuring and running newsyslog (or logrotate
or suitable others) to manage keeping logs to reasonable sizes is well
worth implementing, now that you've been bitten. If you don't want to
look at your logs too often or need blow-by-blow details, reducing the
logging level to more severe problems may prove more useful longterm.

cheers, Ian
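
The truncate-in-place step described in the message above, as an added example that is not part of the original message: a POSIX sh helper that empties a log without unlinking it, refuses symlinks and non-regular files, and verifies that inode, mode and ownership are unchanged. The function names log_meta and truncate_log_in_place are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Print "inode mode uid gid size" for one file, using portable ls fields.
log_meta() {
    ls -lni -- "$1" | awk '{ print $1, $2, $4, $5, $6 }'
}

# Truncate $1 to zero bytes without unlinking it.
# Returns 0 on success, 1 if the target is unsafe, 2 if verification fails.
truncate_log_in_place() {
    f=$1
    # Refuse symlinks and non-regular files: when run as root, following a
    # link planted in a log directory would empty some other file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing: $f is not a regular file" >&2
        return 1
    fi
    before=$(log_meta "$f")
    true > "$f" || return 2        # same effect as: echo -n '' > "$f"
    after=$(log_meta "$f")
    # Every field except size must be unchanged, and size must now be 0.
    [ "${before% *}" = "${after% *}" ] || return 2
    [ "${after##* }" = 0 ] || return 2
    return 0
}

# Stand-alone use: pass one or more log paths as arguments.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        truncate_log_in_place "$p" || exit $?
    done
fi
```

A writer that still holds the file open in append mode keeps writing to the same inode, starting again from offset 0 after the truncation.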