Solved Can't delete files in /var/log

Zack

Member


Messages: 37

I'm trying to remove /var/log/rkhunter.log and the swap files associated with it. As a root user, I keep getting permission errors.

ls -lo rkhunter*

Code:
-rwxr--r--  1 root  wheel  -  5982 Nov  7 03:31 rkhunter.log
-rwxr--r--  1 root  wheel  - 17412 Nov  6 23:54 rkhunter.log.old
-rwxr--r--  1 root  wheel  - 17412 Nov  6 23:31 rkhunter.lo~
-rwxr--r--  1 root  wheel  - 17412 Nov  6 23:37 rkhunter.lz~
-rwxr--r--  1 root  wheel  - 16384 Nov  6 23:55 rkhunter.swl
-rwxr--r--  1 root  wheel  - 28672 Nov  6 23:55 rkhunter.swm
-rwxr--r--  1 root  wheel  -  4096 Nov  6 23:37 rkhunter.swn
-rwxr--r--  1 root  wheel  -  4096 Nov  6 23:36 rkhunter.swo
-rwxr--r--  1 root  wheel  -  4096 Nov  6 23:19 rkhunter.swp
I've changed the permissions myself; there are no chflags set.
Code:
rm: rkhunter.log: Operation not permitted
rm: rkhunter.log.old: Operation not permitted
rm: rkhunter.lo~: Operation not permitted
rm: rkhunter.lz~: Operation not permitted
rm: rkhunter.swl: Operation not permitted
rm: rkhunter.swm: Operation not permitted
rm: rkhunter.swn: Operation not permitted
rm: rkhunter.swo: Operation not permitted
rm: rkhunter.swp: Operation not permitted
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,182
Messages: 29,471

Make sure rkhunter isn't running and keeping those files locked up.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,182
Messages: 29,471

Looking at the filenames, they look like someone has a vi(1) session open with those files. Make sure no other process has the files open.
 

kpa

Beastie's Twin

Reaction score: 1,801
Messages: 6,318

If all else fails, boot to single user mode and run fsck(8); I've seen cases where a slightly messed up filesystem leads to undeletable files.
 
Zack

Member


Messages: 37

Looking at the filenames, they look like someone has a vi(1) session open with those files. Make sure no other process has the files open.
No processes are using the files. lsof returns nothing.

If all else fails, boot to single user mode and run fsck(8); I've seen cases where a slightly messed up filesystem leads to undeletable files.
I will try this right now.
 
Zack

Member


Messages: 37

After booting into single user mode and running fsck I still can't delete the files.
Code:
rm: rkhunter.log: Operation not permitted
rm: rkhunter.log.old: Operation not permitted
rm: rkhunter.lo~: Operation not permitted
rm: rkhunter.lz~: Operation not permitted
rm: rkhunter.swl: Operation not permitted
rm: rkhunter.swm: Operation not permitted
rm: rkhunter.swn: Operation not permitted
rm: rkhunter.swo: Operation not permitted
rm: rkhunter.swp: Operation not permitted
Permissions of /var/log
Code:
drwxr-x---   5 root     wheel    sappnd 3072 Nov  7 00:04 log
 

x-com

Member

Reaction score: 3
Messages: 62

Out of curiosity: Do you have a separate /var partition and is it on another hard disk? If so, what are the mount options in the /etc/fstab file?

Edit: Is the log daemon still running? Try shutting it down first.
 
Zack

Member


Messages: 37

Out of curiosity: Do you have a separate /var partition and is it on another hard disk? If so, what are the mount options in the /etc/fstab file?
No I do not.

Solved the problem by booting to single user mode and unsetting the flags on /var/log for a moment.
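
The fix above came from the `sappnd` flag visible on /var/log itself, not from anything on the files. As an added example (not part of any post in this thread), this sh script scans `ls -ldo` output for flags that make rm(1) fail this way. The function names and the third sample line are made up for illustration, and it assumes the behaviour seen here, where an append-only or immutable directory refuses removal of its entries.

```shell
#!/bin/sh
# Added example, not from the thread. Reads FreeBSD `ls -ldo` lines and reports
# entries whose file flags make rm(1) fail with "Operation not permitted".
# Live use (assumed invocation): ls -ldo /var/log /var/log/rkhunter* | report

# blocking_flags LINE: print the comma-joined flags in LINE that block unlink.
# Assumption: an immutable or append-only directory refuses removal of its
# entries; a plain file is additionally pinned by the no-unlink flags.
blocking_flags() {
    set -f                      # no globbing while word-splitting the line
    set -- $1                   # field 1 = mode string, field 5 = flags ("-" if none)
    mode=$1 flags=$5 out=
    case $mode in
        d*) deny="schg uchg sappnd uappnd" ;;
        *)  deny="schg uchg sappnd uappnd sunlnk uunlnk" ;;
    esac
    old_ifs=$IFS; IFS=,
    for f in $flags; do
        case " $deny " in *" $f "*) out=${out:+$out,}$f ;; esac
    done
    IFS=$old_ifs; set +f
    printf '%s\n' "$out"
}

# report: filter `ls -ldo` lines on stdin down to "name: flags (how to clear)".
report() {
    while IFS= read -r line; do
        hit=$(blocking_flags "$line")
        [ -n "$hit" ] || continue
        case ",$hit" in
            *,s*) hint="system flag: root only, and only at securelevel <= 0" ;;
            *)    hint="user flag: owner or root can clear it" ;;
        esac
        printf '%s: %s (%s)\n' "${line##* }" "$hit" "$hint"
    done
}

# Sample input: first two lines are from the thread, the third is constructed.
sample() {
    cat <<'EOF'
drwxr-x---   5 root     wheel    sappnd 3072 Nov  7 00:04 log
-rwxr--r--  1 root  wheel  -  5982 Nov  7 03:31 rkhunter.log
-rw-r--r--  1 root  wheel  uunlnk,nodump  120 Nov  7 00:10 example.conf
EOF
}

sample | report
```

Run against the thread's listings, it flags the `log` directory and passes over rkhunter.log, whose own flags column is `-`.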