Date:      Fri, 17 Aug 2007 08:34:05 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>, freebsd-questions@freebsd.org
Subject:   Re: curious root find running
Message-ID:  <6.0.0.22.2.20070817082855.02638ff8@mail.computinginnovations.com>
In-Reply-To: <200708171359.06464.jonathan%2Bfreebsd-questions@hst.org.za>
References:  <20070817101935.GA1064@localhost.gateway.2wire.net> <6.0.0.22.2.20070817063356.026581f8@mail.computinginnovations.com> <200708171359.06464.jonathan%2Bfreebsd-questions@hst.org.za>

At 06:59 AM 8/17/2007, Jonathan McKeown wrote:
>On Friday 17 August 2007 13:34, Derek Ragona wrote:
> > At 05:19 AM 8/17/2007, brad clawsie wrote:
> > >hi
> > >
> > >while sitting at my computer tonight i noticed a great deal of disk
> > >activity. i found that this process was running:
> > >
> > >$ ps -auxwww 1463
> > >USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
> > >root  1463  4.3  0.1  1876  1404  ??  D     3:01AM   0:07.26 find /usr
> > >-xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm
> > >-u+s -or -perm -g+s ) -print0
> > >
> > >any idea why this is running? is it part of a sanctioned background
> > >process?
> >
> > Check your cron jobs.  It is likely part of a rebuild of the locate
> > database.
>
>I don't want to be rude, and this just happens to be the message I'm
>responding to with a more general gripe, but there does seem to be quite a
>lot of guessing in answers on this list over the last few days, which isn't
>perhaps as helpful as it's intended to be.
>
>This is nothing to do with locate(1) - it's a find command looking in /usr for
>executable files (the first set of parens) which have the suid or sgid bits
>set (the second set of parens). It's part of the daily security check carried
>out by periodic(8), as unexpected suid/sgid executables can be security
>holes.

I hate to be an "I told you so" but if you look in the script that rebuilds 
the locate database:
/usr/libexec/locate.updatedb
You will see a number of find commands.

In reality, you'd need to do:
ps -al
and follow the PID and PPID to determine what is running this find command.

         -Derek
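
Following the PID and PPID chain mentioned in the reply above, as an added example that is not part of the original message: a small sh function that walks from a process up through its parents. The function name `ancestry`, the `ps -axo pid,ppid,command` column selection and the sample process table are assumptions made for illustration; the sample rows are constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# ancestry PID
# Reads a "PID PPID COMMAND" table on stdin (header line allowed) and prints
# the chain from PID up to the top-most known parent, one "pid<TAB>command"
# per line. Typical use (assumed invocation):
#   ps -axo pid,ppid,command | ancestry 1463
ancestry() {
    awk -v start="$1" '
        $1 ~ /^[0-9]+$/ {
            ppid[$1] = $2
            # Rebuild the command from field 3 onward, arguments included.
            c = $3
            for (i = 4; i <= NF; i++) c = c " " $i
            cmd[$1] = c
        }
        END {
            if (!(start in ppid)) {
                print "pid " start " not found" > "/dev/stderr"
                exit 1
            }
            p = start
            # Stop at a parent with no row (above init), and guard against
            # a loop in a table captured while processes were changing.
            while ((p in ppid) && !(p in seen)) {
                seen[p] = 1
                printf "%s\t%s\n", p, cmd[p]
                p = ppid[p]
            }
        }'
}

# Constructed sample table (illustrative only) in the same column layout.
sample_table() {
    cat <<'EOF'
  PID  PPID COMMAND
    1     0 /sbin/init --
  612     1 /usr/sbin/cron -s
 1398   612 cron: running job (cron)
 1400  1398 /bin/sh - /usr/sbin/periodic daily
 1455  1400 /bin/sh - /etc/periodic/security/100.chksetuid
 1463  1455 find /usr -xdev -type f ( -perm -u+x -or -perm -g+x -or -perm -o+x ) ( -perm -u+s -or -perm -g+s ) -print0
EOF
}
```

The chain has to be captured while the find is still running; once the parent shell exits, the remaining rows no longer show which script started it.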
