Re: repeated system mail, /etc/.pwd.lock ?



On Wed 05 May 2021 at 07:26:34 (-0400), Greg Wooledge wrote:
> On Tue, May 04, 2021 at 09:32:49PM -0500, David Wright wrote:
> > It looks reasonable for determining whether your system files are
> > being interfered with. But you just showed one example from the
> > log, which was for the /etc/.pwd.lock lockfile. I assume you don't
> > have 2757 of these but, rather, the names of an assortment of files.
> 
> That's an interesting interpretation.  If that's actually *true*, I
> wish the OP had made that more clear.  I interpreted it as literally
> being thousands of instances of the *same* file, the one shown in the
> Subject: header and in the original message body.

Yes, it was an assumption, and perhaps now we shall never know.
(Sampling the emails didn't appear to be an option.)
We also were not told whether 2757 notifications came in over
a week, a month, a year, or since openssh-client was installed,
whenever that was (possibly at installation).

  $ zgrep ':[0-9][0-9] configure ' /var/log/dpkg.log* | sort -k 4 | less
run on this system, which has just passed its first birthday¹, shows
2788 lines, and each must represent a number of modifications to
the directories given earlier (/etc, /[s]bin, /lib). So 2757 looks
small in that context.

OTOH perhaps monkeysphere has some reason to lock /etc/passwd et al
during operation. Running strings on its binaries might throw up
some 'pwd.lock' matches. Or one could inotifywatch the program to
see how often it is run (unless it's a daemon). Just thinking aloud.

> (In which case, removing iwatch will certainly stop the logging, but
> it won't stop whoever is locking and unlocking your passwd/shadow
> files thousands of times, which is something I might care enough to
> investigate -- and is a great reason for installing iwatch, to look for
> such a thing.)
> 
> (Also I'd never heard of "monkeysphere" before and didn't even know
> that openssh-client suggested it.  So it's been an educational thread.)

One thing I didn't learn is why .pwd.lock is in /etc/ rather than,
say, /run/lock/. Perhaps related, why are there dotfiles in /etc/
anyway. (.git/, .java/, .etckeeper, .gitignore are the others.)
What are they hiding from?

¹ alternatives, apt, and dpkg have 5yr log rotation, exim has 10.

Cheers,
David.
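
[Added example, not part of David's message or of any tool named in the thread.] One way to test the comparison with dpkg activity made above: list the lock-file notifications that do not fall within a time window of a dpkg "configure" entry, since those are the ones left to investigate. The events file format, the function names and the sample data are assumptions constructed for the illustration.

```shell
#!/bin/sh
# List lock-file notifications that are NOT within WINDOW seconds of a
# dpkg "configure" entry (the same entries the zgrep above selects).
# Assumed events format (constructed, not iwatch's own output), one per line:
#   YYYY-MM-DD HH:MM:SS /path
# in the same local time zone as dpkg.log.
# usage: unexplained_locks DPKG_LOG EVENTS [WINDOW_SECONDS]
unexplained_locks() {
    awk -v win="${3:-120}" '
    # Seconds since an arbitrary epoch; only differences are used.
    function secs(d, t,    a, b, y, m, days) {
        split(d, a, "-"); split(t, b, ":")
        y = a[1] + 0; m = a[2] + 0
        if (m <= 2) { y--; m += 12 }   # Jan/Feb count as months 13/14
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m - 3) + 2) / 5) + a[3]
        return days*86400 + b[1]*3600 + b[2]*60 + b[3]
    }
    # First file: remember the time of every configure entry.
    FILENAME == ARGV[1] { if ($3 == "configure") cfg[n++] = secs($1, $2); next }
    # Second file: print events with no configure entry inside the window.
    NF >= 3 {
        s = secs($1, $2); hit = 0
        for (i = 0; i < n; i++) {
            d = s - cfg[i]; if (d < 0) d = -d
            if (d <= win) { hit = 1; break }
        }
        if (!hit) print
    }' "$1" "$2"
}

# Constructed sample data (not taken from the thread).
demo() {
    t=$(mktemp -d) || return 1
    cat > "$t/dpkg.log" <<'EOF'
2021-04-30 23:59:30 configure examplepkg:amd64 1.0-1 <none>
2021-05-01 10:00:05 startup packages configure
2021-05-01 10:00:09 status installed examplepkg:amd64 1.0-1
EOF
    cat > "$t/events" <<'EOF'
2021-05-01 00:00:10 /etc/.pwd.lock
2021-05-01 10:00:08 /etc/.pwd.lock
2021-05-01 15:30:00 /etc/.pwd.lock
EOF
    unexplained_locks "$t/dpkg.log" "$t/events" 120
    rm -rf "$t"
}
```

On a real system the rotated logs need decompressing into one file first (zcat -f /var/log/dpkg.log* does that), and the notifications have to be converted to the assumed format.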