Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Anyone who knows the answer would be able to give an example of how a directory file can change from 4096 to a larger value.
Yes, in post #12, Michael gave an actual example: He created 150 files in a directory and then deleted them. The filesystem can't fit the needed structures for 150 filenames in 4096 bytes, and the directory became 12288 bytes.
There are programs which create a lot of temporary files.
Quote:
Originally Posted by compis
An example is the app vocal; it placed a cache file that was bigger than 4096.
What is occurring? I can see no reason for the size of a directory to change, and if there is a reason, what is it?
You say cache, don't you? I seem to have a directory ~/.cache/mozilla/firefox/????????.default/cache2/entries with a size of 77824. There are (or have been) so many files that 77824 is needed. Even if I cleared the cache, it would stay at 77824.
You can still put in 50 files, 127, 151, 152 or even 10,000 files, remove [some] files and see how it works.
Code:
$ mkdir test;ls -ld test;for((C=0;C<10000;C++))do>test/$C;done;rm -f test/*;ls -ld test
drwxr-xr-x 2 compis users 4096 2023-11-19 13:05 test
drwxr-xr-x 2 compis users 262144 2023-11-19 13:05 test
There is a -D option for e2fsck:
Code:
-D     Optimize directories in file system. This option causes e2fsck
       to try to optimize all directories, either by re-indexing them
       if the file system supports directory indexing, or by sorting
       and compressing directories for smaller directories, or for file
       systems using traditional linear directories.

       Even without the -D option, e2fsck may sometimes optimize a few
       directories --- for example, if directory indexing is enabled
       and a directory is not indexed and would benefit from being
       indexed, or if the index structures are corrupted and need to be
       rebuilt. The -D option forces all directories in the file system
       to be optimized. This can sometimes make them a little
       smaller and slightly faster to search, but in practice, you
       should rarely need to use this option.

       The -D option will detect directory entries with duplicate names
       in a single directory, which e2fsck normally does not enforce
       for performance reasons.
Last edited by Petri Kaukasoina; 11-19-2023 at 05:20 AM.
Anyone who knows the answer would be able to give an example of how a directory file can change from 4096 to a larger value. So yes I believe this is hidden malware which no one noticed.
We have offered a way to reproduce the issue (change of the size of the directory, if I understand well). Also you can find the log of the execution in these posts.
Did you try them on your host? Can you compare your results to the one posted? Can you show us your results?
I think I know what’s going on. Compis isn’t aware that files that start with a dot aren’t listed by “ls” unless you supply it a special flag.
Explains every one of his posts here.
(It is of course the case that every "suggestion" that he'd gotten was, indeed, "valid").
Quote:
Originally Posted by compis
So yes I believe this is hidden malware which no one noticed.
See, you're not thinking before you post. How would such a malware execute? It would require a code execution vulnerability to be present in either the kernel or in glibc. As the definition of a directory has been explained to you many times, you should know this.
Now, can you find a single link, CVE, for example, to support your "belief" that there's a security issue here? Which you "stated"? No. So drop this silliness.
This problem has occurred again on MX Linux 21.3. Notice how the Pictures directory size changed from 4096 to 12288.
ls -l
total 44
drwxr-xr-x 8 Name Name 4096 Dec 15 23:54 Desktop
drwxr-xr-x 18 Name Name 4096 Dec 8 22:56 Documents
drwxr-xr-x 12 Name Name 4096 Dec 19 05:28 Downloads
drwxr-xr-x 3 Name Name 4096 Jun 23 03:14 Music
drwxr-xr-x 4 Name Name 12288 Dec 8 21:06 Pictures
drwxr-xr-x 2 Name Name 4096 Aug 12 18:11 Public
drwxr-xr-x 2 Name Name 4096 Aug 14 2022 Templates
drwxr-xr-x 2 Name Name 4096 Dec 14 23:03 Videos
drwxr-xr-x 7 Name Name 4096 Dec 18 05:55 'VirtualBox VMs'
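
The two checks discussed in the thread (does a directory's size stay grown after its files are deleted, and are there dot-entries that a plain `ls` does not list) can be scripted as below. This is an added example, not code from any poster in the thread; the function names are hypothetical and it assumes a Linux userland with `stat -c`, `find -print0` and `mktemp -d`.

```shell
#!/bin/sh
# Added example, not code from the thread; function names are hypothetical.
# Assumes a Linux userland (stat -c, find -print0, mktemp -d).

# Size in bytes of the directory itself: the number `ls -ld` prints.
dir_size() { stat -c %s -- "$1"; }

# Entries directly inside $1, dotfiles included (. and .. excluded).
# Counting NUL terminators keeps names containing newlines from miscounting.
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -print0 | tr -dc '\0' | wc -c
}

# Only the entries a plain `ls` would not show (names starting with a dot).
count_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' -print0 | tr -dc '\0' | wc -c
}

# One-line report for a directory whose size looks suspicious.
audit_dir() {
    printf '%s size=%s entries=%s hidden=%s\n' "$1" \
        "$(dir_size "$1")" "$(count_entries "$1")" "$(count_hidden "$1")"
}

# Repeat the thread's experiment in a scratch directory under $2 (default
# /tmp): create $1 empty files, delete them, and print
# "size_empty size_full size_after_delete entries_left".
grow_and_empty() (
    n=${1:-10000}
    d=$(mktemp -d "${2:-/tmp}/dirsize.XXXXXX") || exit 1
    empty=$(dir_size "$d")
    i=0
    while [ "$i" -lt "$n" ]; do : > "$d/$i"; i=$((i + 1)); done
    full=$(dir_size "$d")
    find "$d" -mindepth 1 -delete
    after=$(dir_size "$d")
    echo "$empty $full $after $(count_entries "$d")"
    rmdir "$d"
)
```

Call `grow_and_empty 10000 "$HOME"` so the scratch directory sits on the same filesystem as the directory in question (/tmp may be a different filesystem type), then `audit_dir ~/Pictures` to compare the reported size with what the directory holds now.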