cannot remove files from /tmp
fedora at aprilcottage.co.uk
Tue Jan 9 08:42:19 UTC 2007
Steve Siegfried wrote:
> As an aside: 99.99% of Linux programs don't mess with file attribute bits.
> The only time I've seen these attributes modified in
> a non-orange-book-secure (i.e.: SELinux) environment
> was done as part of a script-kiddie break-in/root-hack.
> Because of this, I'm gonna ask: are you sure you're not
> being hacked even as you try and resolve this? Suggest at a
> minimum, you pick up a copy of chkrootkit available through
> http://www.chkrootkit.org and run it.
Firstly, chkrootkit is in extras, although it's more trustworthy if you
run it from "known good" media (e.g. a CD). (It is possible for a
rootkit to modify the kernel so that everything looks good to

Secondly, Rolf's problems could also come from a corrupted filesystem. I'd
recommend booting from a rescue CD, *not* mounting any filesystems, and
fscking the filesystem in question.

Lastly, although 99.9% of Linux *programs* don't mess with file
attribute bits, it's a lot more common at the distribution level (and I
seem to remember stuff like Bastille does it too). But the set of
attributes that have been set doesn't look right for that.

Hope this helps,

 For example, setting immutable bits on key system binaries to make
rootkits' lives that much harder.
E-mail: james@ | I'll be more enthusiastic about encouraging thinking
aprilcottage.co.uk | outside the box when there's evidence of any thinking
| going on inside it.
| -- Terry Pratchett
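
A check for the attribute bits discussed in this thread, as an added example that is not part of the original message or of chkrootkit: it parses `lsattr` output and reports files carrying the immutable (`i`) or append-only (`a`) attribute, either of which stops even root from deleting a file. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list files whose ext2/3/4
# attribute field contains 'i' (immutable) or 'a' (append-only).
# Usage: sh this-script /tmp      (arguments are passed to lsattr -R)

# flag_attrs: read `lsattr` output on stdin ("<flags> <path>" per line)
# and print "<reason> <path>" for every flagged file.
flag_attrs() {
    while IFS= read -r line; do
        flags=${line%% *}   # attribute field: text before the first space
        path=${line#* }     # the rest of the line (path may contain spaces)
        # Skip blank lines and "dir:" headers printed by lsattr -R.
        [ "$flags" = "$line" ] && continue
        # Skip anything whose first field is not made of flag letters and '-'.
        case $flags in *[!A-Za-z-]*) continue ;; esac
        reason=
        case $flags in *i*) reason=immutable ;; esac
        case $flags in *a*) reason=${reason:+$reason,}append-only ;; esac
        [ -n "$reason" ] && printf '%s %s\n' "$reason" "$path"
    done
    return 0
}

# sample_listing: constructed lsattr -R output used to exercise the parser.
sample_listing() {
cat <<'EOF'
--------------e------- /tmp/ok.txt
----i---------e------- /tmp/stuck file
-----a--------e------- /tmp/log.out
----ia--------e------- /tmp/both

/tmp/sub:
EOF
}

# With arguments, scan real paths; lsattr errors (unsupported filesystems,
# special files) go to stderr and are discarded here.
if [ "$#" -gt 0 ]; then
    lsattr -R "$@" 2>/dev/null | flag_attrs
fi
```

As the reply above notes for chkrootkit, the result is more trustworthy when `lsattr` itself comes from known-good media.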