httpd-modsec2_debug.log: Operation not permitted

Ian Smith smithi at nimnet.asn.au
Fri Jan 14 14:14:14 UTC 2011


In freebsd-questions Digest, Vol 345, Issue 9, Message: 10
On Thu, 13 Jan 2011 23:35:26 +0100 Polytropon <freebsd at edvax.de> wrote:
 > On Thu, 13 Jan 2011 23:08:33 +0100, Swe Gill <swegill at gmail.com> wrote:
 > > That is the problem. One file sizes up to 50GB and other 3 GB...
 > > 
 > >  52872944 -rw-rw----   1 root  wheel      50G Jan 13 22:51 httpd-modsec2_audit.log
 > >   3320928 -rw-rw----   1 root  wheel     3.2G Jan 13 22:51 httpd-modsec2_debug.log
 > > 
 > > I am just standing nowhere to remove the files....
 > > 
 > > have tried by setting flags, changing modes.... all as a root but no luck
 > > yet...
 > > 
 > > Any help?
 > 
 > Is your system running on a raised securelevel maybe? See
 > in "man security" where this is mentioned, section "SECURING
 > THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS". It seems
 > that this could cause different behaviour in relation to flags.

That's possible, but perhaps it may be simpler than that?

 > I will _not_ advise you to kill the files per inode (fsdb,
 > clri) because this could cause further filesystem trouble. :-)

Indeed it could :)

Swe, I suspect the reason you can't just delete these files is likely 
because something has them open for writing, and the system won't let 
you remove such files, naturally enough.  See what you get by running:

 # fstat /path/to/httpd-modsec2_*.log

If that shows any processes writing to those files, you need to stop 
that/those processes.  From the filenames my guess would be apache, in 
which case you'd need to stop it, perhaps best by:

 # /usr/local/etc/rc.d/apache stop  # or apache2, whatever it's called.

then check again with fstat.  If that doesn't work for some reason then:

 # shutdown now

to single-user mode will terminate any process accessing those files.

Either way, you can then rm safely, or probably better, truncate each to 
zero bytes (thus keeping their ownership and permissions intact) by e.g.:

 # echo -n '' > filename

Then restart apache|whatever, or hit ^D or 'exit' to restart multiuser 
if you had to go that far to stop anything keeping those file/s open.

As previously advised, configuring and running newsyslog (or logrotate 
or suitable others) to manage keeping logs to reasonable sizes is well 
worth implementing, now that you've been bitten.  If you don't want to 
look at your logs too often or need blow-by-blow details, reducing the 
logging level to more severe problems may prove more useful long term.

cheers, Ian
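
The point above about truncating rather than removing, as an added example that is not part of the original message: truncation in place keeps the log's inode, owner and mode, while delete-and-recreate takes its mode from the umask, so a 0660 audit log can come back world-readable. The scratch file, the function names and the umask of 022 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: a constructed scratch file stands in for the real log.

# Print "inode mode owner group" for a file, parsed from `ls -li`.
# Only the first 10 mode characters are kept, so ACL/SELinux suffixes
# such as "+" or "." do not affect comparisons.
meta() {
    ls -li "$1" | awk '{print $1, substr($2, 1, 10), $4, $5}'
}

# Truncate in place; succeed only if inode, mode and ownership are
# unchanged and the file is now empty.
truncate_keep_meta() {
    before=$(meta "$1") || return 1
    : > "$1" || return 1
    [ "$(meta "$1")" = "$before" ] && [ ! -s "$1" ]
}

# Contrast: delete and recreate. The new file's mode comes from the
# umask (022 assumed here), not from the file that was removed.
remove_and_recreate() {
    rm -f "$1" && (umask 022; : > "$1")
}

# Returns "<mode after truncate> <mode after rm + recreate>".
demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/httpd-modsec2_audit.log"      # constructed stand-in
    printf 'constructed audit entry\n' > "$log"
    chmod 660 "$log"
    truncate_keep_meta "$log" || { rm -rf "$dir"; return 1; }
    kept=$(meta "$log" | awk '{print $2}')
    remove_and_recreate "$log"
    recreated=$(meta "$log" | awk '{print $2}')
    rm -rf "$dir"
    echo "$kept $recreated"
}

demo
```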

