Solved Can't delete files in /var/log

Zack

Zack

I'm trying to remove /var/log/rkhunter.log and the swap files associated with it. As a root user, I keep getting permission errors.

ls -lo rkhunter*

Code: 
-rwxr--r--  1 root  wheel  -  5982 Nov  7 03:31 rkhunter.log
-rwxr--r--  1 root  wheel  - 17412 Nov  6 23:54 rkhunter.log.old
-rwxr--r--  1 root  wheel  - 17412 Nov  6 23:31 rkhunter.lo~
-rwxr--r--  1 root  wheel  - 17412 Nov  6 23:37 rkhunter.lz~
-rwxr--r--  1 root  wheel  - 16384 Nov  6 23:55 rkhunter.swl
-rwxr--r--  1 root  wheel  - 28672 Nov  6 23:55 rkhunter.swm
-rwxr--r--  1 root  wheel  -  4096 Nov  6 23:37 rkhunter.swn
-rwxr--r--  1 root  wheel  -  4096 Nov  6 23:36 rkhunter.swo
-rwxr--r--  1 root  wheel  -  4096 Nov  6 23:19 rkhunter.swp

I've changed the permissions myself, there are no chflags set.
Code: 
rm: rkhunter.log: Operation not permitted
rm: rkhunter.log.old: Operation not permitted
rm: rkhunter.lo~: Operation not permitted
rm: rkhunter.lz~: Operation not permitted
rm: rkhunter.swl: Operation not permitted
rm: rkhunter.swm: Operation not permitted
rm: rkhunter.swn: Operation not permitted
rm: rkhunter.swo: Operation not permitted
rm: rkhunter.swp: Operation not permitted
 
Make sure rthunter isn't running and keeping those files locked up.
 
Looking at the filenames, they look like someone has a vi(1) session open with those files. Make sure no other process has the files open.
 
If all else fails boot to single user mode and run fsck(8), I've seen cases where a slightly messed up filesystem leads to undeletable files.
 
SirDice said:
Looking at the filenames, they look like someone has a vi(1) session open with those files. Make sure no other process has the files open.
Click to expand...
No processes are using the files. lsof returns nothing.

kpa said:
If all else fails boot to single user mode and run fsck(8), I've seen cases where a slightly messed up filesystem leads to undeletable files.
Click to expand...
I will try this right now.
 
After booting into single user mode and running fsck I still can't delete the files.
Code: 
rm: rkhunter.log: Operation not permitted
rm: rkhunter.log.old: Operation not permitted
rm: rkhunter.lo~: Operation not permitted
rm: rkhunter.lz~: Operation not permitted
rm: rkhunter.swl: Operation not permitted
rm: rkhunter.swm: Operation not permitted
rm: rkhunter.swn: Operation not permitted
rm: rkhunter.swo: Operation not permitted
rm: rkhunter.swp: Operation not permitted

Permissions of /var/log
Code: 
drwxr-x---   5 root     wheel    sappnd 3072 Nov  7 00:04 log
 
Out of couriosity: Do you have a separate /var partition and is it on another hard disk? If so, what are the mount options in the /etc/fstab file?

Edit: is the log daemon still running? Try shut him down first
 
x-com said:
Out of couriosity: Do you have a separate /var partition and is it on another hard disk? If so, what are the mount options in the /etc/fstab file?
Click to expand...
No I do not.

Solved the problem by booting to single user mode and unsetting the flags on /var/log for a moment.
 
You must log in or register to reply here.
Back
Top