-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Ted / LKML,
I've got this snapshot of an ext3 filesystem with a directory that
simply cannot be removed! (image below is just 1.2MB)
As root:
# wget http://users.nagafix.co.uk/~antoine/root-broken.bz2
# bunzip2 root-broken.bz2
# mount -o loop -t ext2 root-broken ./tmp
# rm -fr tmp/chroot.broken
rm: cannot remove directory (...)
Same result when trying to do anything to those files chown/chmod/touch:
"Operation not permitted"
Tested with e2fsprogs v1.39 on 3 systems.
Not sure where else to post this...
Cheers
Antoine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG9+xHGK2zHPGK1rsRCn6/AJ0S9/D1LTTxsi69uVovKRURa1fFhACfcEzx
8I6nOimUYCFKh9oX6ebnLc0=
=FhTL
-----END PGP SIGNATURE-----
On Mon, Sep 24, 2007 at 05:56:39PM +0100, Antoine Martin wrote:
> I've got this snapshot of an ext3 filesystem with a directory that
> simply cannot be removed! (image below is just 1.2MB)
> As root:
> # wget http://users.nagafix.co.uk/~antoine/root-broken.bz2
> # bunzip2 root-broken.bz2
> # mount -o loop -t ext2 root-broken ./tmp
> # rm -fr tmp/chroot.broken
> rm: cannot remove directory (...)
> Same result when trying to do anything to those files chown/chmod/touch:
> "Operation not permitted"
>
> Tested with e2fsprogs v1.39 on 3 systems.
> Not sure where else to post this...
Various files in the directories it complains about have their 'i'
bit set. lsattr will show you. chattr -i those files, and the
directory is removable again.
Dave
--
http://www.codemonkey.org.uk
On Monday 24 September 2007 17:56:39 Antoine Martin wrote:
> Hi Ted / LKML,
>
> I've got this snapshot of an ext3 filesystem with a directory that
> simply cannot be removed! (image below is just 1.2MB)
> As root:
> # wget http://users.nagafix.co.uk/~antoine/root-broken.bz2
> # bunzip2 root-broken.bz2
> # mount -o loop -t ext2 root-broken ./tmp
> # rm -fr tmp/chroot.broken
> rm: cannot remove directory (...)
> Same result when trying to do anything to those files chown/chmod/touch:
> "Operation not permitted"
>
> Tested with e2fsprogs v1.39 on 3 systems.
> Not sure where else to post this...
URL is broken. Tried doing a "lsattr" to ensure no xattrs (like +i) are set?
--
Cheers,
Alistair.
137/1 Warrender Park Road, Edinburgh, UK.
Dave Jones wrote:
> On Mon, Sep 24, 2007 at 05:56:39PM +0100, Antoine Martin wrote:
>
> > # rm -fr tmp/chroot.broken
> > rm: cannot remove directory (...)
> > Same result when trying to do anything to those files chown/chmod/touch:
> > "Operation not permitted"
>
> Various files in the directories it complains about have their 'i'
> bit set. lsattr will show you. chattr -i those files, and the
> directory is removable again.
Additionally, this is a classic symptom of malware. A directory named
"..." is a big hint.
On Tue, Sep 25, 2007 at 03:46:25AM +0930, David Newall wrote:
> Dave Jones wrote:
> > On Mon, Sep 24, 2007 at 05:56:39PM +0100, Antoine Martin wrote:
> >
> > > # rm -fr tmp/chroot.broken
> > > rm: cannot remove directory (...)
> > > Same result when trying to do anything to those files chown/chmod/touch:
> > > "Operation not permitted"
> >
> > Various files in the directories it complains about have their 'i'
> > bit set. lsattr will show you. chattr -i those files, and the
> > directory is removable again.
>
> Additionally, this is a classic symptom of malware. A directory named
> "..." is a big hint.
That was "..." as in "more stuff follows" rather than the actual name
being reported.
Dave
--
http://www.codemonkey.org.uk