Magical disappearing disk space

8:06 PM

Disk Full

You've got an alert that a disk partition is full or rapidly filling and you can't find the culprit. You've checked all the usual places and nothing stands out.
One programming technique that can lead to this type of situation involves opening a file on the filesystem (typically in /tmp), then unlinking (deleting) it without closing the file handle. The kernel keeps the inode and its blocks allocated until the last open descriptor goes away, so the directory entry is gone but the space is not. This gives you a file handle that:
  • bypasses quotas
  • is nearly undetectable
  • confuses the heck out of admins
  • gets cleaned up properly when the process exits normally or dies
Problems with this approach:
  • it bypasses quotas
  • it's nearly undetectable
  • it confuses the heck out of admins
  • a runaway file writing process can fill up the filesystem
How do you tell if you have this type of situation? You can look in every process's fd directory under /proc for file descriptors whose target has been deleted; they look similar to:
   /proc/4567/fd/4 /tmp/filename (deleted)
Probably the fastest way of uncovering this type of file is with the 'lsof +L1' command (list open files with a link count below 1). Here's sample output:
# lsof +L1
COMMAND    PID  USER   FD   TYPE DEVICE       SIZE NLINK   NODE NAME
cmaeventd 4273  root    5u   REG  104,3    7095392     0 576049 /tmp/qlsdm.dat (deleted)
cmaidad   4281  root    4u   REG  104,3    7095392     0 576049 /tmp/qlsdm.dat (deleted)
cmafcad   4287  root    4u   REG  104,3    7095392     0 576049 /tmp/qlsdm.dat (deleted)
VVAgent   6432  root    6u   REG  104,3          0     0 576067 /tmp/VProgressMemFile-4147 (deleted)
mysqld    7174 mysql    0u   CHR  136,8                0     10 /dev/pts/8 (deleted)
mysqld    7174 mysql    7u   REG  104,3          0     0 576050 /tmp/ibBHJVkm (deleted)
mysqld    7174 mysql    8u   REG  104,3          0     0 576054 /tmp/ibOdGYsv (deleted)
mysqld    7174 mysql    9u   REG  104,3          0     0 576055 /tmp/ibnK9NIG (deleted)
mysqld    7174 mysql   14u   REG  104,3          0     0 576056 /tmp/ib30t6DT (deleted)
mysqld    7174 mysql   73u   REG  104,3 2531479552     0 576066 /tmp/SThpeslw (deleted)
As you can see, there is a 2.5 gig file in /tmp. Stopping the appropriate process will free the space or, if you can't find the right one, reboot (sometimes just taking the system to runlevel 1 is sufficient).
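The two checks above (reading /proc/<pid>/fd and running lsof +L1), as an added example that is not part of the original post: parse_lsof_deleted works on the lsof rows embedded below (constructed from the post's sample output), and scan_proc performs the same check directly against /proc on a live Linux host. Both key by device and inode so a file held open by several processes, like qlsdm.dat above, is counted once.

```python
import glob
import os
import re
import stat

# Constructed sample: rows taken from the `lsof +L1` output in the post.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE       SIZE NLINK   NODE NAME
cmaeventd 4273  root    5u   REG  104,3    7095392     0 576049 /tmp/qlsdm.dat (deleted)
cmaidad   4281  root    4u   REG  104,3    7095392     0 576049 /tmp/qlsdm.dat (deleted)
mysqld    7174 mysql    0u   CHR  136,8                0     10 /dev/pts/8 (deleted)
mysqld    7174 mysql   73u   REG  104,3 2531479552     0 576066 /tmp/SThpeslw (deleted)
"""

# Only REG rows hold disk blocks, so the TYPE literal drops CHR/FIFO/socket rows.
LSOF_REG = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+REG\s+"
    r"(?P<dev>\S+)\s+(?P<size>\d+)\s+(?P<nlink>\d+)\s+(?P<node>\d+)\s+"
    r"(?P<name>.+?) \(deleted\)$")


def _add(held, key, size, name, pid):
    # Key by (device, inode): cmaeventd and cmaidad share inode 576049 above,
    # and that space is allocated once, not once per process holding it open.
    held.setdefault(key, {"size": size, "name": name, "pids": set()})["pids"].add(pid)


def parse_lsof_deleted(text):
    """Group the deleted regular files in `lsof +L1` output by (device, inode)."""
    held = {}
    for m in filter(None, map(LSOF_REG.match, text.splitlines())):
        _add(held, (m["dev"], m["node"]), int(m["size"]), m["name"], int(m["pid"]))
    return held


def held_bytes(held):
    """Total bytes still allocated to deleted-but-open files (unique inodes)."""
    return sum(e["size"] for e in held.values())


def scan_proc(proc="/proc"):
    """Same check without lsof: walk /proc/<pid>/fd on a live Linux host (root sees all)."""
    held = {}
    # glob silently skips fd directories we are not allowed to read
    for path in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:  # readlink shows the suffix; stat follows the magic link to the live inode
            target, st = os.readlink(path), os.stat(path)
        except OSError:  # descriptor or process vanished between listing and lookup
            continue
        if target.endswith(" (deleted)") and stat.S_ISREG(st.st_mode):
            _add(held, (st.st_dev, st.st_ino), st.st_size, target, int(path.split(os.sep)[-3]))
    return held
```

Sort the result of either function by size to find the culprit; on the sample the single mysqld temp file accounts for almost all of the held space.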
Note: this is NOT a technique developed by system crackers, nor is it an indication that a system has been compromised, although crackers may use this technique to hide their activities.