httpd-modsec2_debug.log: Operation not permitted

[Ian Smith]

On Sat, 15 Jan 2011, perryh at pluto.rain.com wrote:
 > Ian Smith <smithi at nimnet.asn.au> wrote:
 > 
 > > Swe, I suspect the reason you can't just delete these files is
 > > likely because something has them open for writing, and the system
 > > won't let you remove such files, naturally enough.
 > 
 > Really?  Must be a fairly recent change -- and IMO not necessarily
 > a good one.  For one thing, it would break one of the long-standing
 > methods for ensuring that scratch files get cleaned up when a
 > program exits, even under circumstances which don't allow for signal
 > handlers to be run.

Hmm, on reflection you're probably right.  I was thinking that removing 
a file being written by a root-owned process would force that process to 
fail on write and exit, but maybe that's not what's happening here.

 > Last I knew having a file open, even for writing, was no protection
 > against its last link being removed.  The _inode_ won't go away
 > until the last handle is closed, but the _directory entry_ can still
 > be removed.

Accepting that, why wouldn't root be permitted to rm these files?  It's 
been shown that they don't have immutable, append-only or other flags 
set.  Clearly the filesystem is writable, if full.

I'm still curious about what fstat reveals, and it'd be extra weird if 
they can't be deleted or truncated in single-user mode, eh?

cheers, Ian