tmp files created every 2 seconds

kirth · 2023-08-07 18:21:05

Hi,
yesterday I noticed some weird stuff going on my Arch system.
Every 2 seconds a

tmp.xyzxyzxyz

file is created in the /tmp directory:

ls -t --full-time                                                                                                      
total 0
-rw------- 1 marco marco  0 2023-08-07 19:51:22.479893108 +0200 tmp.jLKX6jpzXn
-rw------- 1 marco marco  0 2023-08-07 19:51:20.476575438 +0200 tmp.UQltnTDQnY
-rw------- 1 marco marco  0 2023-08-07 19:51:18.476591080 +0200 tmp.2mO1XNeQL8
-rw------- 1 marco marco  0 2023-08-07 19:51:16.476606726 +0200 tmp.ZeIacFpgUR
-rw------- 1 marco marco  0 2023-08-07 19:51:14.473289067 +0200 tmp.AoOIOP1UnO
-rw------- 1 marco marco  0 2023-08-07 19:51:12.473304724 +0200 tmp.W41XHltCix
-rw------- 1 marco marco  0 2023-08-07 19:51:10.473320384 +0200 tmp.YWyYQrca3Z
-rw------- 1 marco marco  0 2023-08-07 19:51:08.473336049 +0200 tmp.nOJW2ZRmN7
-rw------- 1 marco marco  0 2023-08-07 19:51:06.473351719 +0200 tmp.rXQ7CAVxTT
-rw------- 1 marco marco  0 2023-08-07 19:51:04.473367391 +0200 tmp.shkf91Mot8
-rw------- 1 marco marco  0 2023-08-07 19:51:02.470049760 +0200 tmp.XdWibRmE2c

I honestly don't know where to look at.

I've found the following question https://serverfault.com/questions/73560 … rary-files and tried to follow along the investigation.

sudo auditctl -l                                                                                                
-a always,task
-w /tmp -p rwxa -k tmpfiles

Looking at ausearch nothing pops up:

sudo ausearch -k tmpfiles|grep "tmp."
<no matches>

sudo ausearch  -k tmpfiles|grep "/tmp/tmp."
<no matches>

Looking for a specific `tmp` file makes no difference:

sudo ausearch  -k tmpfiles -f /tmp/tmp.zxN2SAVsiB
sun_path len too short
sun_path len too short
sun_path len too short
<no matches>

Trying fnotifystat, I get the following output where I also see a .psub.xxxxxxx file...

sudo fnotifystat -i /tmp
Total   Open  Close   Read  Write     PID  Process         Pathname
  4.0    2.0    1.0    1.0    0.0    75567 <unknown>       /tmp/.psub.bdJrnvbDPm
  3.0    0.0    1.0    0.0    2.0    75595 <unknown>       /tmp/.psub.bdJrnvbDPm
  3.0    1.0    1.0    0.0    1.0    75587 <unknown>       /tmp/.psub.bdJrnvbDPm
  3.0    1.0    1.0    0.0    1.0    75571 <unknown>       /tmp/tmp.GdoQwCp9gT
  2.0    0.0    1.0    0.0    1.0    75573 <unknown>       /tmp/tmp.GdoQwCp9gT
  1.0    1.0    0.0    0.0    0.0    75567 <unknown>       /tmp/tmp.GdoQwCp9gT

Total   Open  Close   Read  Write     PID  Process         Pathname
  4.0    2.0    1.0    1.0    0.0    75601 <unknown>       /tmp/.psub.c1wbvznUjg
  3.0    0.0    1.0    0.0    2.0    75629 <unknown>       /tmp/.psub.c1wbvznUjg
  3.0    1.0    1.0    0.0    1.0    75620 <unknown>       /tmp/.psub.c1wbvznUjg
  3.0    1.0    1.0    0.0    1.0    75604 <unknown>       /tmp/tmp.7X094xjXOC
  2.0    0.0    1.0    0.0    1.0    75606 <unknown>       /tmp/tmp.7X094xjXOC
  1.0    1.0    0.0    0.0    0.0    75601 <unknown>       /tmp/tmp.7X094xjXOC

Total   Open  Close   Read  Write     PID  Process         Pathname
  4.0    2.0    1.0    1.0    0.0    75634 <unknown>       /tmp/.psub.Gxr08s9jMg
  3.0    1.0    1.0    0.0    1.0    75653 <unknown>       /tmp/.psub.Gxr08s9jMg
  3.0    0.0    1.0    0.0    2.0    75654 <unknown>       /tmp/.psub.Gxr08s9jMg
  3.0    1.0    1.0    0.0    1.0    75637 <unknown>       /tmp/tmp.3micZXAw51
  2.0    0.0    1.0    0.0    1.0    75639 <unknown>       /tmp/tmp.3micZXAw51
  1.0    1.0    0.0    0.0    0.0    75634 <unknown>       /tmp/tmp.3micZXAw51

Total   Open  Close   Read  Write     PID  Process         Pathname
  4.0    2.0    1.0    1.0    0.0    75669 <unknown>       /tmp/.psub.JAJalhkU3K
  3.0    0.0    1.0    0.0    2.0    75692 <unknown>       /tmp/.psub.JAJalhkU3K
  3.0    1.0    1.0    0.0    1.0    75688 <unknown>       /tmp/.psub.JAJalhkU3K
  3.0    1.0    1.0    0.0    1.0    75672 <unknown>       /tmp/tmp.qmI6ZdoVZb
  2.0    0.0    1.0    0.0    1.0    75674 <unknown>       /tmp/tmp.qmI6ZdoVZb
  1.0    1.0    0.0    0.0    0.0    75669 <unknown>       /tmp/tmp.qmI6ZdoVZb

^C

lsof every second:

[marco@arch tmp]$ sudo lsof -r1 /tmp/*
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mpd     2900 marco   13r  FIFO   0,32      0t0   34 /tmp/mpd.fifo
mpd     2900 marco   14w  FIFO   0,32      0t0   34 /tmp/mpd.fifo
=======
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mpd     2900 marco   13r  FIFO   0,32      0t0   34 /tmp/mpd.fifo
mpd     2900 marco   14w  FIFO   0,32      0t0   34 /tmp/mpd.fifo
=======
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mpd     2900 marco   13r  FIFO   0,32      0t0   34 /tmp/mpd.fifo
mpd     2900 marco   14w  FIFO   0,32      0t0   34 /tmp/mpd.fifo
=======
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mpd     2900 marco   13r  FIFO   0,32      0t0   34 /tmp/mpd.fifo
mpd     2900 marco   14w  FIFO   0,32      0t0   34 /tmp/mpd.fifo
=======
^C

Using inotifywait in conjunction with lsof:

[marco@arch tmp]$ inotifywait -e create /tmp | tee /dev/stderr | grep CREATE | cut -d ' ' -f 3 | xargs -I {} lsof /tmp/{}
Setting up watches.
Watches established.
/tmp/ CREATE tmp.aPHPs6Ht0Z

I run a fully updated Arch system with no other sw or package installed outside the official repositories in the last months.

I really need some help because I'm lost.

Thank you very much.

frostschutz · 2023-08-07 19:05:19

/tmp/.psub… could be the fish shell. I'm not familiar with this shell. Testing superficially with a few simple commands, it left behind some of these files without cleaning them up. Maybe you get more such files in a more complex fish script?

kirth · 2023-08-07 19:14:11

Yes, I found something about .psub pointing to fish shell. But I honestly don't know how to investigate it further.
I just tried to change shell to bash and make sure no fish process was running on the system but the tmp files are still created the same...

seth · 2023-08-07 19:35:45

Including the .psub ones?
What if you uninstall fish?
You didn't symlink /bin/sh to fish, did you?

kirth · 2023-08-07 21:42:00

Yes, including the .psub ones.
/usr/bin/fish is not symlinked to /bin/sh.
Tried uninstalling fish, but nothing has changed.

I can't understand why auditd via ausearch cannot find anything with that pattern...

seth · 2023-08-08 06:10:20

"-p rwxa" is probably not happening

kirth · 2023-08-08 06:50:31

I'm sorry I have to correct myself and I apologize for the wrong answer given yesterday evening.
The "culprit" was the fish shell. Rebooting the system after having uninstalled it seems to have stopped the tmp files generation.
Previously (with fish still installed) I also checked logging into the system as root and saw that the tmp files were not generated.
I honestly don't know what and where to look at in fish to identify the root cause of this behaviour. I also didn't change any of its configuration files in ages...

seth · 2023-08-08 07:27:13

.psub is fish's process substitution implementation, you primarily want to figure what script triggers this
1s sounds like it's some connky script.

You could keel a real™ shell as your login shell and use fish explicitly as interactive shell through command parameter to your terminal emulator.

Arch Linux

#1 2023-08-07 18:21:05

tmp files created every 2 seconds

#2 2023-08-07 19:05:19

Re: tmp files created every 2 seconds

#3 2023-08-07 19:14:11

Re: tmp files created every 2 seconds

#4 2023-08-07 19:35:45

Re: tmp files created every 2 seconds

#5 2023-08-07 21:42:00

Re: tmp files created every 2 seconds

#6 2023-08-08 06:10:20

Re: tmp files created every 2 seconds

#7 2023-08-08 06:50:31

Re: tmp files created every 2 seconds

#8 2023-08-08 07:27:13

Re: tmp files created every 2 seconds

Board footer