cannot remove files from /tmp

James Wilkinson fedora at
Tue Jan 9 08:42:19 UTC 2007

Steve Siegfried wrote:
> As an aside: 99.99% of Linux programs don't mess with file attribute bits.
>              The only time I've seen these attributes modified in 
>              a non-orange-book-secure (i.e.: SELinux) environment
>              was done as part of a script-kiddie break-in/root-hack. 
>              Because of this, I'm gonna ask: are you sure you're not
>              being hacked even as you try and resolve this?  Suggest at a
>              minimum, you pick up a copy of chkrootkit available through
>     and run it.

Firstly, chkrootkit is in extras, although it's more trustworthy if you
run it from "known good" media (e.g. a CD). (It is possible for a
rootkit to modify the kernel so that everything looks good to

Secondly, Rolf's problems could also come from a corrupted filesystem. I'd
recommend booting from a rescue CD, *not* mounting any filesystems, and
fscking the filesystem in question.

Lastly, although 99.9% of Linux *programs* don't mess with file
attribute bits, it's a lot more common at the distribution level (and I
seem to remember stuff like Bastille does it too)[1]. But the set of
attributes that have been set doesn't look right for that.

Hope this helps,


[1] For example, setting immutable bits on key system binaries to make
rootkits' lives that much harder.
E-mail:     james@ | I'll be more enthusiastic about encouraging thinking | outside the box when there's evidence of any thinking
                   | going on inside it.
                   |     -- Terry Pratchett

More information about the users mailing list