Here's a fun one - a while ago, I noticed a directory called `~` in my home dir. I don't mean the shell token. It's literally `/home/lfitzgerald/~/` and it's empty.
This is obviously a misconfiguration and 99% my fault - I must have intended to provide my home dir path but ended up with it not being expanded.
The problem is that when I delete it, a while later it comes back. So it must be some periodic process. After that, I'm stumped.
How can I figure out what is creating this directory? I use symlinks to manage my dotfiles, and the repo is huge, so a simple search for "~" is not going to work. Also, the dotfiles are too complex for me to attempt git bisect.
Neat! But I think I'm missing something after skimming that page.
I did "sudo auditctl -w ~/'~/' -p rwax" which appears to have added the right rule (I see it in "sudo auditctl -l"). But:
$ sudo aureport -n
Anomaly Report
=========================================
# date time type exe term host auid event
=========================================
Error opening /var/log/audit/audit.log (No such file or directory)
I deleted the ~/'~' dir and ran aureport again, figuring I should at least see my own delete event, but I still get the same output. The file hasn't been re-created yet; it may be a per-boot thing.
How do I see the audit events?
The first rule keeps track of every read (r), write (w), execution (x), and attribute change (a) to the file /etc/passwd. The second one keeps track of any access to the /etc/security/ folder.
Which one do you think you want here?
(Deleting a file specifically does nothing to that file, it alters the parent directory)
it may be a per-boot thing.
https://wiki.archlinux.org/title/Audit_ … stallation
/etc/audit/audit.rules
-w '/home/lfitzgerald/~'
Though I guess you can just add that rule transiently and then log into your session (to get the bogus directory created)
Which one do you think you want here?
Well, I figure all of them. There's probably not going to be that many events anyway, but I want to make sure I don't miss any. Although I'm guessing the event is directory creation.
(Deleting a file specifically does nothing to that file, it alters the parent directory)
D'oh! That's right... Hmm, well in that case what about creation? Do I need to set the watch on ~ instead of ~/'~'? That probably *would* be a lot of events, but I guess I can grep them out anyhow.
I see - the service was actually disabled, so that explains it. I enabled it now.
/etc/audit/audit.rules
-w '/home/lfitzgerald/~'
Though I guess you can just add that rule transiently and then log into your session (to get the bogus directory created)
Nah, I figure I can just add the rule normally and remember to remove later. I assumed the auditctl command would persist to that rules file, but surprisingly no. That file also said it's randomly generated, so I put the rule in "/etc/audit/rules.d/mystery_tilde".
So in sum:
* I enabled/started auditd
* I deleted the mystery ~/'~' dir
* I added a watch for ~/'~' to rules.d
* I also created a watch with auditctl, but I figure that won't persist after a boot
I expect that if I reboot now I will see that the mystery dir is back. Is the above enough to ensure I'll see the audit events for it, or is there more?
Last edited by lfitzgerald (2023-06-07 06:00:01)
I'd omit -p rwxa and log everything. As with deletion, I'm not sure creating a file does anything to the file.
I also think that it does not understand ~ for /home/currentuser correctly, as the audit message is being generated at a lower level, so as seth suggested, try the full path.
Edit: I bet this is something you can find manually by grepping through your dotfiles. There ought to be some "mkdir -p ~ /foldername", where you've added a rogue whitespace between the tilde and the path separator slash.
Last edited by Awebb (2023-06-07 06:09:21)
I'd omit -p rwxa and log everything
Oh - I thought it was mandatory! Sounds good.
As with deletion, I'm not sure creating a file does anything to the file.
If that is the case, what do I do? Should I watch the parent dir instead?
I also think that it does not understand ~ for /home/currentuser correctly,
I get that - I was just using shorthand. It's the full expanded path in my actual files.
Watching the parent dir is a good idea!
Also see my edit above.
Edit: I bet this is something you can find manually by grepping through your dotfiles. There ought to be some "mkdir -p ~ /foldername", where you've added a rogue whitespace between the tilde and the path separator slash.
That would be nice, but "$ rg '~' | wc" gives 9k results
And it may be some services or something I created outside the dotfiles as a one off, as well, so it would be hard to narrow down the 9k.
It must be something that creates a directory. Try '~ ' or '~ /' or some regex with mkdir and a tilde followed by a blank.
...or a tilde followed by a variable that is empty at the time, so ~/$, or ~/"$.
Last edited by Awebb (2023-06-07 07:32:36)
If that is the case, what do I do? Should I watch the parent dir instead?
I'd just try and see, the offender might actually want to do something with it.
Otherwise you can https://wiki.archlinux.org/title/Audit_ … t_syscalls for mkdir and mkdirat, but if, as Awebb suspects, this results in a call to /usr/bin/mkdir that won't tell you much either.
You could then replace /usr/bin/mkdir w/ a script that checks the parameters, logs "ps fax | grep -C8 $PPID" and then "exec /usr/bin/mkdir.bin "$@""
#!/bin/bash
# Wrapper standing in for /usr/bin/mkdir; the real binary has been moved to /usr/bin/mkdir.bin.
# Test the joined argument list with "$*": "$@" inside [[ ]] expands to several words
# and is a syntax error as soon as mkdir gets more than one argument (e.g. -p ~ /foo).
if [[ "$*" =~ '~' ]]; then
    # Record the caller's process tree; $PPID is the process that ran mkdir.
    ps fax | grep -C8 "$PPID" >> /tmp/mkdir.log
fi
exec /usr/bin/mkdir.bin "$@"
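A worked version of the syscall-audit route suggested above, added here as an example and not code from the thread: the rule lines in the header are what I would put in a rules.d file (the file name mystery_tilde.rules and the key mystery_tilde are assumptions), and the shell function reproduces by hand what "ausearch -k mystery_tilde -i" does, correlating the PATH record with nametype=CREATE to the SYSCALL record that shares its event serial number. It runs over constructed sample records in the format auditd writes to /var/log/audit/audit.log, and shows why a rule on the parent directory (or on the mkdir/mkdirat syscalls) is what answers the question: the creating process (ppid, pid, comm, exe) is in the SYSCALL record, not in anything attached to the new directory itself, and it does not require replacing a coreutils binary.

```shell
#!/bin/bash
# Added example: find the process that created /home/lfitzgerald/~ from raw
# auditd records.  Not code from the thread; rule file name and key are assumed.
#
# Rules for /etc/audit/rules.d/mystery_tilde.rules (then: sudo augenrules --load):
#   ## every directory creation under the home dir, tagged with a key
#   -a always,exit -F arch=b64 -S mkdir,mkdirat -F dir=/home/lfitzgerald -k mystery_tilde
#   -a always,exit -F arch=b32 -S mkdir,mkdirat -F dir=/home/lfitzgerald -k mystery_tilde
# Normal query afterwards:   sudo ausearch -k mystery_tilde -i
# The function below does that correlation by hand so the record structure is visible.

TARGET='/home/lfitzgerald/~'

# find_creator [audit.log]: for every event whose PATH record created $TARGET,
# print "serial ppid pid comm exe" taken from the SYSCALL record of the same event.
# Reads stdin when no file is given.
find_creator() {
    awk -v target="$TARGET" '
    # Event serial is the number after the colon in msg=audit(SECONDS.MS:SERIAL):
    function serial(line,   s) {
        s = line
        sub(/^.*msg=audit\([0-9.]+:/, "", s)
        sub(/\).*$/, "", s)
        return s
    }
    # Value of key=... that follows a space (the space keeps pid= from matching inside ppid=)
    function field(line, key,   v) {
        if (match(line, " " key "=\"?[^ \"]*")) {
            v = substr(line, RSTART, RLENGTH)
            sub(/^[^=]*=/, "", v)
            gsub(/"/, "", v)
            return v
        }
        return "?"
    }
    /^type=SYSCALL / {
        s = serial($0)
        ppid[s] = field($0, "ppid"); pid[s] = field($0, "pid")
        comm[s] = field($0, "comm"); exe[s]  = field($0, "exe")
    }
    # Only the CREATE item names the new directory; PARENT items name the containing dir.
    /^type=PATH / && /nametype=CREATE/ {
        s = serial($0)
        if (field($0, "name") == target) hit[s] = 1
    }
    END { for (s in hit) print s, ppid[s], pid[s], comm[s], exe[s] }
    ' "$@"
}

# Constructed sample records (not a real log): event 455 creates an unrelated
# directory, event 456 creates the bogus "~" and is the one we want.
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1686117600.101:455): arch=c000003e syscall=83 success=yes exit=0 a0=7ffd1 a1=1ed a2=0 a3=0 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="mkdir" exe="/usr/bin/mkdir" key="mystery_tilde"
type=PATH msg=audit(1686117600.101:455): item=0 name="/home/lfitzgerald/.cache/" inode=131073 dev=08:02 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1686117600.101:455): item=1 name="/home/lfitzgerald/.cache/foo" inode=131090 dev=08:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1686117600.202:456): arch=c000003e syscall=258 success=yes exit=0 a0=ffffff9c a1=7ffd2 a2=1ed a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="mkdir" exe="/usr/bin/mkdir" key="mystery_tilde"
type=PATH msg=audit(1686117600.202:456): item=0 name="/home/lfitzgerald/" inode=131072 dev=08:02 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1686117600.202:456): item=1 name="/home/lfitzgerald/~" inode=131091 dev=08:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
EOF
)

# With the pid/ppid in hand, the caller is e.g. "ps -o pid,ppid,cmd -p 1234" while it
# still runs; a short-lived script shows up under its parent's tree as in the thread.
printf '%s\n' "$SAMPLE_LOG" | find_creator
```

Two things to keep in mind when running this on a real log: auditd hex-encodes a name that contains spaces, quotes or control characters (the value then appears without quotes, and "ausearch -i" decodes it), so a tilde directory created with a stray space in its name would need that decoding first; and the name in the PATH record is whatever the syscall was given, so a relative mkdir logs a relative name plus a CWD record, which is another reason to prefer ausearch over a literal string match once the key has narrowed the events down.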