[ale] Weird: Unable to delete or create files in /tmp.. "CannotUnlink"

F. Grant Robertson f.g.robertson at alexiongroup.com
Fri Nov 8 10:11:09 EST 2002


This is the solution.  Geeze, you'd think after 6 years on linux I'd
have run across that by now.  For future reference (and the archives..)
the files were marked ---i---- and chattr -R -i /tmp fixed the problem. 
Yay! I can get email again!

Thanks so much,
-G


On Fri, 2002-11-08 at 13:11, Doug McNash wrote:
> Take a look at the files with lsattr if you are using a 
> ext2 filesystem. Change the attributes with chattr.
> 
> I was not aware of these underlying attributes until being 
> baffled by the same behavoir while removing a rootkit. 
>  After studying the rootkit install I learned about these 
> commands and attributes.  That's probably why the busybox 
> tools don't work.
> 
> On 08 Nov 2002 00:08:36 -0500
>   "F. Grant Robertson" <f.g.robertson at alexiongroup.com> 
> wrote:
> >I'm generally not a person who asks questions, prefering 
> >to do the
> >digging myself but, I've dug till I'm blue in the face 
> >with no luck.  
> >
> >I have a mandrake 8.1 machine (ext2, 2.4.3-20mdk) that I 
> >am unable to
> >delete files in /tmp from. I cannot create a new file, 
> >delete existing
> >files, or modify existing files. This, as you may well 
> >imagine, is
> >causing significant problems with anything that needs to 
> >work from /tmp
> >(can't lock mailboxes, pop can't lock, php can't handle 
> >uploaded files,
> >and anything else you can think of that would need to 
> >write to temp)
> >
> >Any help would be greatly appreciated.
> >
> >-g
> >
> >p.s. I've included some sample errors and such below to 
> >help anyone who
> >wants to get into detail about it. 
> >
> >  drwxrwxrwt    9 root     root         4096 Oct 26 11:28 
> >./
> >drwxr-xr-x   22 root     root         4096 Nov  8 04:04 
> >../
> >
> >[root at hartge /tmp]# ls -al /tmp/session_mm.sem 
> >-rwxrwxrwx    1 apache   apache          0 Oct  6 17:56
> >/tmp/session_mm.sem*
> >
> >[root at hartge /tmp]# rm /tmp/session_mm.sem -f
> >rm: cannot unlink `/tmp/session_mm.sem': Permission 
> >denied
> >
> >Notes: I can change permissions and ownership to anything 
> >root:root,
> >rwxrwxrwx, nobody:nobody rwxrwxrwx and I always receive 
> >the same error
> >message. 
> >
> >* Problem started as a result of a cinik.worm attack, has 
> >been
> >(reasonably) cleaned, rebooted, and just to make sure it 
> >wasn't a result
> >of utilities that had been root kitted, I compiled and 
> >installed
> >busybox. I get the same errors with it as I do with the 
> >currently
> >installed "rm"
> >
> >
> >
> >
> >---
> >This message has been sent through the ALE general 
> >discussion list.
> >See http://www.ale.org/mailing-lists.shtml for more info. 
> >Problems should be 
> >sent to listmaster at ale dot org.
> >
> 
> --
> Doug McNash
> dmcnash at smyrnacable.net
> 
> 



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list