Diagnosing directory deletions on Linux











up vote
0
down vote

favorite












Yesterday evening I lost all of my project, or to be more exact, the directory tree named f/ that was in my home directory.



I restored from a backup.



A few minutes ago it disappeared again (fortunately for me, I started backing up with every rebuild since then and I rebuild often so no losses this time). I'm not aware of any executable I could have run or written myself that could've done this.



Since the issue seems to be isolated to ~/f/, I think it's some buggy script that wanted to do rm -rf and instead did rm -r f.



How can I find the culprit?






linux







share|improve this question


























    up vote
    0
    down vote

    favorite












    Yesterday evening I lost all of my project, or to be more exact, the directory tree named f/ that was in my home directory.



    I restored from a backup.



    A few minutes ago it disappeared again (fortunately for me, I started backing up with every rebuild since then and I rebuild often so no losses this time). I'm not aware of any executable I could have run or written myself that could've done this.



    Since the issue seems to be isolated to ~/f/, I think it's some buggy script that wanted to do rm -rf and instead did rm -r f.



    How can I find the culprit?






    linux







    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      Yesterday evening I lost all of my project, or to be more exact, the directory tree named f/ that was in my home directory.



      I restored from a backup.



      A few minutes ago it disappeared again (fortunately for me, I started backing up with every rebuild since then and I rebuild often so no losses this time). I'm not aware of any executable I could have run or written myself that could've done this.



      Since the issue seems to be isolated to ~/f/, I think it's some buggy script that wanted to do rm -rf and instead did rm -r f.



      How can I find the culprit?






      linux







      share|improve this question













      Yesterday evening I lost all of my project, or to be more exact, the directory tree named f/ that was in my home directory.



      I restored from a backup.



      A few minutes ago it disappeared again (fortunately for me, I started backing up with every rebuild since then and I rebuild often so no losses this time). I'm not aware of any executable I could have run or written myself that could've done this.



      Since the issue seems to be isolated to ~/f/, I think it's some buggy script that wanted to do rm -rf and instead did rm -r f.



      How can I find the culprit?






      linux




      linux






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 23 at 16:58









      PSkocik

      602623




      602623






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          Assuming rm is indeed involved and it's /bin/rm:




          1. sudo ln /bin/rm /bin/rm-real


          2. Create a log directory writable to anyone:



            mkdir /tmp/rm-logdir
            
chmod a+w /tmp/rm-logdir



          3. Write a wrapper script (named script) like this:



            #!/bin/sh
            
pstree -spa "$$" >> "/tmp/rm-logdir/$$"
            
exec /bin/rm-real "$@"


          4. Adjust ownership and permissions of the script so it can mimic rm (non-POSIX fast way:chmod --reference=/bin/rm script; sudo chown --reference=/bin/rm script).



          5. Replace /bin/rm with the script:



            sudo mv script /bin/rm


            From now on anything that calls /bin/rm will be logged to a file in /tmp/rm-logdir.



          6. Wait for the problem to occur again.



          7. Examine files in /tmp/rm-logdir. One of them will hopefully contain something like this:



            systemd,1
            
  `-tmux: server,2652
            
      `-bash,8605
            
          `-rm,15100 /bin/rm -r f
            
              `-pstree,15101 -spa 15100


            with command line arguments and PIDs; note the last but one line. The above is in fact an example from my tests in Kubuntu, where I run rm -r f in interactive bash. Another example (not triggered directly by me) was:



            systemd,1
            
  `-kdeinit5,1679
            
      `-ksmserver,1700
            
          `-rm,16400 /bin/rm /home/kamil/.config/session/kate_10d8d5de64000154299531000000017000020_1542995310_707537
            
              `-pstree,16401 -spa 16400


            It proves other tools (ksmserver in this case) use the wrapper script.




          Notes:





          • pstree is not required by POSIX, it may be unavailable. You can use ps, you can read information directly from /proc.

          • In multi-user environment the solution is not safe. Anyone can write to the log directory. This is deliberately set to capture anyone's rm invocations in a lazy, quick and dirty way. But then anyone can spoof the results.


          To revert:



          sudo mv /bin/rm-real /bin/rm


          (note this will overwrite the script, so if there's no other copy of it, the script itself will be lost).






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377854%2fdiagnosing-directory-deletions-on-linux%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            1
            down vote



            accepted










            Assuming rm is indeed involved and it's /bin/rm:




            1. sudo ln /bin/rm /bin/rm-real


            2. Create a log directory writable to anyone:



              mkdir /tmp/rm-logdir
              
chmod a+w /tmp/rm-logdir



            3. Write a wrapper script (named script) like this:



              #!/bin/sh
              
pstree -spa "$$" >> "/tmp/rm-logdir/$$"
              
exec /bin/rm-real "$@"


            4. Adjust ownership and permissions of the script so it can mimic rm (non-POSIX fast way:chmod --reference=/bin/rm script; sudo chown --reference=/bin/rm script).



            5. Replace /bin/rm with the script:



              sudo mv script /bin/rm


              From now on anything that calls /bin/rm will be logged to a file in /tmp/rm-logdir.



            6. Wait for the problem to occur again.



            7. Examine files in /tmp/rm-logdir. One of them will hopefully contain something like this:



              systemd,1
              
  `-tmux: server,2652
              
      `-bash,8605
              
          `-rm,15100 /bin/rm -r f
              
              `-pstree,15101 -spa 15100


              with command line arguments and PIDs; note the last but one line. The above is in fact an example from my tests in Kubuntu, where I run rm -r f in interactive bash. Another example (not triggered directly by me) was:



              systemd,1
              
  `-kdeinit5,1679
              
      `-ksmserver,1700
              
          `-rm,16400 /bin/rm /home/kamil/.config/session/kate_10d8d5de64000154299531000000017000020_1542995310_707537
              
              `-pstree,16401 -spa 16400


              It proves other tools (ksmserver in this case) use the wrapper script.




            Notes:





            • pstree is not required by POSIX, it may be unavailable. You can use ps, you can read information directly from /proc.

            • In multi-user environment the solution is not safe. Anyone can write to the log directory. This is deliberately set to capture anyone's rm invocations in a lazy, quick and dirty way. But then anyone can spoof the results.


            To revert:



            sudo mv /bin/rm-real /bin/rm


            (note this will overwrite the script, so if there's no other copy of it, the script itself will be lost).






            share|improve this answer



























              up vote
              1
              down vote



              accepted










              Assuming rm is indeed involved and it's /bin/rm:




              1. sudo ln /bin/rm /bin/rm-real


              2. Create a log directory writable to anyone:



                mkdir /tmp/rm-logdir
                
chmod a+w /tmp/rm-logdir



              3. Write a wrapper script (named script) like this:



                #!/bin/sh
                
pstree -spa "$$" >> "/tmp/rm-logdir/$$"
                
exec /bin/rm-real "$@"


              4. Adjust ownership and permissions of the script so it can mimic rm (non-POSIX fast way:chmod --reference=/bin/rm script; sudo chown --reference=/bin/rm script).



              5. Replace /bin/rm with the script:



                sudo mv script /bin/rm


                From now on anything that calls /bin/rm will be logged to a file in /tmp/rm-logdir.



              6. Wait for the problem to occur again.



              7. Examine files in /tmp/rm-logdir. One of them will hopefully contain something like this:



                systemd,1
                
  `-tmux: server,2652
                
      `-bash,8605
                
          `-rm,15100 /bin/rm -r f
                
              `-pstree,15101 -spa 15100


                with command line arguments and PIDs; note the last but one line. The above is in fact an example from my tests in Kubuntu, where I run rm -r f in interactive bash. Another example (not triggered directly by me) was:



                systemd,1
                
  `-kdeinit5,1679
                
      `-ksmserver,1700
                
          `-rm,16400 /bin/rm /home/kamil/.config/session/kate_10d8d5de64000154299531000000017000020_1542995310_707537
                
              `-pstree,16401 -spa 16400


                It proves other tools (ksmserver in this case) use the wrapper script.




              Notes:





              • pstree is not required by POSIX, it may be unavailable. You can use ps, you can read information directly from /proc.

              • In multi-user environment the solution is not safe. Anyone can write to the log directory. This is deliberately set to capture anyone's rm invocations in a lazy, quick and dirty way. But then anyone can spoof the results.


              To revert:



              sudo mv /bin/rm-real /bin/rm


              (note this will overwrite the script, so if there's no other copy of it, the script itself will be lost).






              share|improve this answer

























                up vote
                1
                down vote



                accepted







                up vote
                1
                down vote



                accepted






                Assuming rm is indeed involved and it's /bin/rm:




                1. sudo ln /bin/rm /bin/rm-real


                2. Create a log directory writable to anyone:



                  mkdir /tmp/rm-logdir
                  
chmod a+w /tmp/rm-logdir



                3. Write a wrapper script (named script) like this:



                  #!/bin/sh
                  
pstree -spa "$$" >> "/tmp/rm-logdir/$$"
                  
exec /bin/rm-real "$@"


                4. Adjust ownership and permissions of the script so it can mimic rm (non-POSIX fast way:chmod --reference=/bin/rm script; sudo chown --reference=/bin/rm script).



                5. Replace /bin/rm with the script:



                  sudo mv script /bin/rm


                  From now on anything that calls /bin/rm will be logged to a file in /tmp/rm-logdir.



                6. Wait for the problem to occur again.



                7. Examine files in /tmp/rm-logdir. One of them will hopefully contain something like this:



                  systemd,1
                  
  `-tmux: server,2652
                  
      `-bash,8605
                  
          `-rm,15100 /bin/rm -r f
                  
              `-pstree,15101 -spa 15100


                  with command line arguments and PIDs; note the last but one line. The above is in fact an example from my tests in Kubuntu, where I run rm -r f in interactive bash. Another example (not triggered directly by me) was:



                  systemd,1
                  
  `-kdeinit5,1679
                  
      `-ksmserver,1700
                  
          `-rm,16400 /bin/rm /home/kamil/.config/session/kate_10d8d5de64000154299531000000017000020_1542995310_707537
                  
              `-pstree,16401 -spa 16400


                  It proves other tools (ksmserver in this case) use the wrapper script.




                Notes:





                • pstree is not required by POSIX, it may be unavailable. You can use ps, you can read information directly from /proc.

                • In multi-user environment the solution is not safe. Anyone can write to the log directory. This is deliberately set to capture anyone's rm invocations in a lazy, quick and dirty way. But then anyone can spoof the results.


                To revert:



                sudo mv /bin/rm-real /bin/rm


                (note this will overwrite the script, so if there's no other copy of it, the script itself will be lost).






                share|improve this answer














                Assuming rm is indeed involved and it's /bin/rm:




                1. sudo ln /bin/rm /bin/rm-real


                2. Create a log directory writable to anyone:



                  mkdir /tmp/rm-logdir
                  
chmod a+w /tmp/rm-logdir



                3. Write a wrapper script (named script) like this:



                  #!/bin/sh
                  
pstree -spa "$$" >> "/tmp/rm-logdir/$$"
                  
exec /bin/rm-real "$@"


                4. Adjust ownership and permissions of the script so it can mimic rm (non-POSIX fast way:chmod --reference=/bin/rm script; sudo chown --reference=/bin/rm script).



                5. Replace /bin/rm with the script:



                  sudo mv script /bin/rm


                  From now on anything that calls /bin/rm will be logged to a file in /tmp/rm-logdir.



                6. Wait for the problem to occur again.



                7. Examine files in /tmp/rm-logdir. One of them will hopefully contain something like this:



                  systemd,1
                  
  `-tmux: server,2652
                  
      `-bash,8605
                  
          `-rm,15100 /bin/rm -r f
                  
              `-pstree,15101 -spa 15100


                  with command line arguments and PIDs; note the last but one line. The above is in fact an example from my tests in Kubuntu, where I run rm -r f in interactive bash. Another example (not triggered directly by me) was:



                  systemd,1
                  
  `-kdeinit5,1679
                  
      `-ksmserver,1700
                  
          `-rm,16400 /bin/rm /home/kamil/.config/session/kate_10d8d5de64000154299531000000017000020_1542995310_707537
                  
              `-pstree,16401 -spa 16400


                  It proves other tools (ksmserver in this case) use the wrapper script.




                Notes:





                • pstree is not required by POSIX, it may be unavailable. You can use ps, you can read information directly from /proc.

                • In multi-user environment the solution is not safe. Anyone can write to the log directory. This is deliberately set to capture anyone's rm invocations in a lazy, quick and dirty way. But then anyone can spoof the results.


                To revert:



                sudo mv /bin/rm-real /bin/rm


                (note this will overwrite the script, so if there's no other copy of it, the script itself will be lost).







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 23 at 18:24

























                answered Nov 23 at 18:11









                Kamil Maciorowski

                22.8k155072




                22.8k155072






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377854%2fdiagnosing-directory-deletions-on-linux%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Index of /

                    This page is only for reference, If you need detailed information, please check here
                    Read more

                    Tribalistas

                    Image
                      Nota: Para o álbum homônimo, veja Tribalistas (álbum de 2002). Para o segundo álbum homônimo, veja Tribalistas (álbum de 2017). Para o tipo de organização tribal, veja Tribalismo. Tribalistas Informação geral Origem Salvador e Rio de Janeiro País   Brasil Gênero(s) MPB Pop Samba Período em atividade 2002–2004 2017–atualmente Gravadora(s) EMI Phonomotor Records Universal Music Afiliação(ões) Dadi Pretinho da Serrinha Margareth Menezes Integrantes Arnaldo Antunes Carlinhos Brown Marisa Monte Página oficial www2.uol.com.br/tribalistas/ ...
                    Read more

                    Listed building

                    Image
                    Listed building (literalmente: prédio listado ) é toda estrutura protegida por lei pelo complexo sistema de tombamento do Reino Unido. Um listed building é qualquer estrutura oficialmente designada como tendo especial interesse arquitetônico, histórico ou cultural. É um estatuto amplamente usado, aplicado a centenas de milhares de estruturas. Estruturas tombadas não podem ser alteradas sem permissão especial, e desfrutam de isenções fiscais e outros benefícios. Cada um dos países do Reino Unido trata tombamento de forma diferente: Índice 1 Inglaterra 2 País de Gales 3 Irlanda do Norte 4 Escócia 5 Referências Inglaterra | O Palácio de Buckingham, Londres. As estruturas tombadas são listadas no Statutory List of Buildings of Special Architectural or Historic Interest , e incluem campos, sinais de trânsito, piers e áreas geográficas. A principal legislação pertinente é o Ancient Monuments and Archaeological Areas Act 1979 , [ 1 ] embora legisla...
                    Read more