I am (or was) running Ubuntu 14.04.05.
I've been noticing a lot of files titled simply =
that appear above the .
and ..
when you inspect a directory with ls -al
and another empty file called simply 0
in folders spread out across the file system, but primarily in my /home/user/
folder and it's subdirectories. I can remove 0
by inode with find . -inum $inode_of_equal_sign -exec rm {} \;
. However I cannot delete the =
file, using any technique I could find for getting rid of filenames with special characters, nor could I identify the process that keeps replacing them.
I can't stat a majority of files using lsof
or stat
or file
or any other utilities as I keep getting an error can't stat /run/users/1000/gvfs
if I unmount it, it gets remounted. It also appears to be owned by UID 999
, which is the ubuntu live setup user. I looked through the devices folder, and there it seems that /dev/fuse
is owned by root:pulseaudio
, and refuses to stay deleted, or be unlocked.. This strikes me a somewhat suspect to understate it as dramatically as possible, as this is my development machine, and I have stripped it of all unnecessary packages and services, which includes all audio and printer packages, config files, and kernel modules. The pulseaudio
group also owns a few files/folders in other parts of the system. I've traced it back to systemd
which, as far as I can tell, only starts processes, which are already started by upstart. The config files in /etc/systemd
are almost all symlinks back to /lib/systemd
, I eliminated the systemd
from upstart, restarted but it appears that systemd
or whatever this actually is, is actually started by PID 2
, D-Bus
... Not exactly sure what to do about that, never manually configured anything in D-bus before. then noticed several .so
files in /var/lib/systemd
and /lib/systemd/
with names that seem like they were made with mktemp
. A lot of them were binary, but the mimetype didn't match the shared object profile, a lot of them were symlinked to shared object files in the kernel library. There was also a folder /lib/xtables
with a fistful of perl scripts for what I guess we can call "non-standard" network utilities, and some binaries that I didn't examine. A few of the these mystery files turned out be simple text files containing the PIDs of processes related to this ... I dunno, secret feature? Undocumented daemon? Loaded by systemd.
(I feel like it's pretty safe to say I'm not exactly the owner of this system anymore, like maybe I'm just borrowing it now) I identified that all of the suspect files were created at approximately the same time. 3:33 on April 19th. So I started digging through the files that had been created at that time. They all seemed off. Found one, I forget which one, but it had ?
characters for it's inode, all of it's permission attributes, it's size, etc.. when you viewed it with ls -ial
I've seen a fair amount of weird schiz in my directories, terminal going crazy from accidentally cat
ing some binary file, graphics glitches, etc.. but that one was new one on me.
Anyways, I'm wondering if anyone has seen this before. It's a self-replenishing system of sockets, symlinks, and files that centers around locking /dev/fuse
to /run/user/<Your UID>/gvfs
, and appears to create a sort of mirror gvfs
locked to the id of your user. It survives reinstalltion in the hard disk, and even stopped some attempts to dd if=/dev/urandom of=/dev/sda
it from a live disk on top. I also noticed the 0
files on a USB drive I was short-sighted enough to connect to try to save my work (which I did.) It assigns group ownership to files to groups that are common, (i.e. pulseaudio, alsa, but which are not necessarily in /etc/groups. Reading through the source of the live disc I installed, it seems that there are some perl scripts that set hooks for boot/installation events in place to load different efi files than the ones in the boot folder. This could be part of the secureboot thing though. I'm not sure. I'm downloading several other copies of ubuntu, and some other distros to compare against this which I have saved, but don't have a free isolated machine to use as a quarantine or a "clean room".
Just wondering if anyone else using ubuntu has seen this behavior before, and if this thing has a name already. Or.. you know.. If this is a hidden feature of the OS.. How do I disable it.
[UPDATE:] I found this: https://unix.stackexchange.com/questions/77453/why-cannot-find-read-run-user-1000-gvfs-even-though-it-is-running-as-root#77592
which explains not being able to stat the objects of my attention as root. However, I still can't explain the =
& 0
why /dev/fuse
would be locked and owned by root:pulseaudio
when there is no trace of pulseaudio on the system, including a listing for it in /etc/group
.