httpd-modsec2_debug.log: Operation not permitted
smithi at nimnet.asn.au
Fri Jan 14 14:14:14 UTC 2011
In freebsd-questions Digest, Vol 345, Issue 9, Message: 10
On Thu, 13 Jan 2011 23:35:26 +0100 Polytropon <freebsd at edvax.de> wrote:
> On Thu, 13 Jan 2011 23:08:33 +0100, Swe Gill <swegill at gmail.com> wrote:
> > That is the problem. One file sizes upto 50GB and other 3 GB...
> > 52872944 -rw-rw---- 1 root wheel 50G Jan 13 22:51
> > httpd-modsec2_audit.log
> > 3320928 -rw-rw---- 1 root wheel 3.2G Jan 13 22:51
> > httpd-modsec2_debug.log
> > I am just standing nowhere to remove the files....
> > have tried by setting flags, changing modes.... all as a root but no luck
> > yet...
> > Any help?
> Is your system running on a raised securelevel maybe? See
> in "man security" where this is mentioned, section "SECURING
> THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS". It seems
> that this could cause different behaviour in relation to flags.
That's possible, but perhaps it may be simpler than that?
> I will _not_ advise you to kill the files per inode (fsdb,
> clri) because this could cause further filesystem trouble. :-)
Indeed it could :)
Swe, I suspect the reason you can't just delete these files is likely
because something has them open for writing, and the system won't let
you remove such files, naturally enough. See what you get by running:
# fstat /path/to/httpd-modsec2_*.log
If that shows any processes writing to those files, you need to stop
that/those processes. From the filenames my guess would be apache, in
which case you'd need to stop it, perhaps best by:
# /usr/local/etc/rc.d/apache stop # or apache2, whatever it's called.
then check again with fstat. If that doesn't work for some reason then:
# shutdown now
to single-user mode will terminate any process accessing those files.
Either way, you can then rm safely, or probably better, truncate each to
zero bytes (thus keeping their ownership and permissions intact) by eg:
# echo -n '' > filename
Then restart apache|whatever, or hit ^D or 'exit' to restart multiuser
if you had to go that far to stop anything keeping those file/s open.
As previously advised, configuring and running newsyslog (or logrotate
or suitable others) to manage keeping logs to reasonable sizes is well
worth implementing, now that you've been bitten. If you don't want to
look at your logs too often or need blow-by-blow details, reducing the
logging level to more severe problems may prove more useful longterm.
More information about the freebsd-questions