Re: repeated system mail, /etc/.pwd.lock ?
On Wed 05 May 2021 at 07:26:34 (-0400), Greg Wooledge wrote:
> On Tue, May 04, 2021 at 09:32:49PM -0500, David Wright wrote:
> > It looks reasonable for determining whether your system files are
> > being interfered with. But you just showed one example from the
> > log, which was for the /etc/.pwd.lock lockfile. I assume you don't
> > have 2757 of these but, rather, the names of an assortment of files.
>
> That's an interesting interpretation. If that's actually *true*, I
> wish the OP had made that more clear. I interpreted it as literally
> being thousands of instances of the *same* file, the one shown in the
> Subject: header and in the original message body.
>
> (In which case, removing iwatch will certainly stop the logging, but
> it won't stop whoever is locking and unlocking your passwd/shadow
> files thousands of times, which is something I might care enough to
> investigate -- and is a great reason for installing iwatch, to look for
> such a thing.)
>
> (Also I'd never heard of "monkeysphere" before and didn't even know
> that openssh-client suggested it. So it's been an educational thread.)

FYI:

I installed iwatch, and that immediately generated two messages from
/etc/.etckeeper. Then I upgraded:

apt apt-doc apt-utils bind9-host curl dnsutils exim4 exim4-base exim4-config exim4-daemon-light
firefox-esr firefox-esr-l10n-en-gb gstreamer1.0-gl gstreamer1.0-libav gstreamer1.0-plugins-bad
gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-pulseaudio gstreamer1.0-x
libapt-inst2.0 libapt-pkg5.0 libbind9-161 libcurl3-gnutls libcurl4 libdns-export1104 libdns1104
libgstreamer-gl1.0-0 libgstreamer-plugins-bad1.0-0 libgstreamer-plugins-base1.0-0 libirs161
libisc-export1100 libisc1100 libisccc161 libisccfg163 libjs-underscore libldb1 liblwres161
libopenjp2-7 openjdk-11-jre openjdk-11-jre-headless wpasupplicant xserver-common
xserver-xorg-core xserver-xorg-legacy
44 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

and got 387 more messages.

I then added one new user, which generated 97 more, where
/etc/.pwd.lock was the subject of four of them.

Purging iwatch then generated a final three.

So the OP's 2757 is no surprise with the default configuration.

Cheers,
David.