curious root find running
Derek Ragona
derek at computinginnovations.com
Fri Aug 17 06:34:55 PDT 2007
At 06:59 AM 8/17/2007, Jonathan McKeown wrote:
>On Friday 17 August 2007 13:34, Derek Ragona wrote:
> > At 05:19 AM 8/17/2007, brad clawsie wrote:
> > >hi
> > >
> > >while sitting at my computer tonight i noticed a great deal of disk
> > >activity. i found that this process was running:
> > >
> > >$ ps -auxwww 1463
> > >USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> > >root 1463 4.3 0.1 1876 1404 ?? D 3:01AM 0:07.26 find /usr
> > >-xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > >-u+s -or -perm -g+s ) -print0
> > >
> > >any idea why this is running? is it part of a sanctioned background
> > >process?
> >
> > Check your cron jobs. It is likely part of a rebuild of the locate
> > database.
>
>I don't want to be rude, and this just happens to be the message I'm
>responding to with a more general gripe, but there does seem to be quite a
>lot of guessing in answers on this list over the last few days, which isn't
>perhaps as helpful as it's intended to be.
>
>This is nothing to do with locate(1) - it's a find command looking in /usr for
>executable files (the first set of parens) which have the suid or sgid bits
>set (the second set of params). It's part of the daily security check carried
>out by periodic(8), as unexpected suid/sgid executables can be security
>holes.
I hate to be an "I told you so" but if you look in the script that rebuilds
the locate database:
/usr/libexec/locate.updatedb
You will see a number of find commands.
In reality, you'd need to do:
ps -al
and follow the PID and PPID to determine what is running this find command.
-Derek
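
Added example, not part of the original message: one way to follow the PID/PPID chain mentioned above is to walk a `ps` listing from the process of interest up to init. The listing below is constructed (only PID 1463 comes from the thread), the periodic script paths are assumptions about a stock FreeBSD install, and `sample_listing` and `ancestry` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: walk a process's ancestry from a "PID PPID COMMAND" listing.
# On a live system, produce the listing with: ps -axo pid,ppid,command

# Constructed sample listing (assumed process tree, not from the poster's host).
sample_listing() {
cat <<'EOF'
  PID  PPID COMMAND
    1     0 /sbin/init --
  612     1 /usr/sbin/cron -s
 1398   612 cron: running job (cron)
 1400  1398 /bin/sh - /usr/sbin/periodic daily
 1431  1400 /bin/sh - /etc/periodic/daily/450.status-security
 1433  1431 /bin/sh - /usr/sbin/periodic security
 1451  1433 /bin/sh - /etc/periodic/security/100.chksetuid
 1463  1451 find /usr -xdev -type f ( ... ) ( ... ) -print0
EOF
}

# ancestry PID: read the listing on stdin and print "pid<TAB>command" for PID
# and each ancestor, stopping when the parent is not in the listing.
ancestry() {
    awk -v start="$1" '
        NR == 1 && $1 == "PID" { next }        # skip the header row
        {
            pid = $1; ppid[pid] = $2
            $1 = ""; $2 = ""; sub(/^ +/, "")   # remainder is the command line
            cmd[pid] = $0
        }
        END {
            if (!(start in ppid)) {
                print "no such pid: " start > "/dev/stderr"
                exit 1
            }
            # "seen" guards against a PPID loop in malformed input
            for (p = start; (p in ppid) && !(p in seen); p = ppid[p]) {
                seen[p] = 1
                printf "%s\t%s\n", p, cmd[p]
            }
        }'
}

sample_listing | ancestry 1463
```

A chain that ends at cron through a known system script accounts for the process; a root-owned find whose ancestry leads to an interactive shell or an unrecognised parent is the case worth investigating.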