[techtalk] Filename star

Wed Dec 29 15:06:22 EST 1999

On Tue, Dec 28, 1999 at 09:11:42PM -0500, Subba Rao wrote:
> 
> I have noticied a meta character named file in the root's home directory and another user's
> home directory. They were created on December 23rd. The file ownership permissions are
> perfectly normal. The dreaded meta-character is '*'.
> 
> To remove this I did,
> 
> $ rm -i *
> 
> and got rid of it.

A nice enough solution (you forgot to claim that you followed the advice of an
earlier thread about sys-adminning and "did not panic" :-) ). Bad luck if you
had a few hundred files dot-files in the directory, though, since these would
be sorted before the '*' file. You can also delete it by doing:

 rm \*

The reason this solution works is because of how the wildcards (like '*') get
expanded. The shell (I'm most familiar with bash, but they are all fairly
similar in this respect) expands the wildcard to a list of all filenames
before executing the 'rm' command. By putting a backslash before the '*', you
are preventing the shell from expanding it, so the 'rm' command is asked to
remove the file '*'.

Since I'm in a talkative mood today ... (sorry, folks!) ... this is a
relatively benign case, since you can see the character. AEleen Frisch, in her
"Essential System Administration" (O'Reilly) book tells of a user who kept
complaing that the 'ls' beeped all the time. Turned out the directory had a
file called ^G in it (the bell character). :-)

I was somewhat disappointed to discover just now that 

touch $(echo -e \\007)

creates a file with the name of ^G (my shell is bash, again), but it doesn't
beep ... it only displays as '?'. :-( If you are experimenting, replace
'touch' with 'rm' in the above statement to get rid of this file.

To delete such problem files, if you use emacs, you can use the directory
editing feature in emacs is useful (^X ^F from memory). Since I do *not* use
emacs, I can't elaborate further without embarassing myself, but the directory
editing mode displays all control characters as things like ^G, etc.

> 
> I don't know how this file got created. What is the best way to trace the creation
> of such files? I want to know the process that is creating it. External login is impossible
> to this box. It has to be one of the several tools I have downloaded and compiled.

Files, unfortunately, do not keep track of "who created me". The only
suggestion I would have is to search for all files with creation times within
a minute or so of the criminal file. This should give you some clues about
what else was being installed at the time. Unfortunately, the 'find' command
to do that is horrible, since you would have to work out how many *minutes*
old the file is. But, for example, supposing it was 3 days, 5 hours and 15
minutes ago (which is 4635 minutes), you would do

find / -mmin +4634 -mmin -4636

to get all the files modified between 4634 and 4636 minutes ago. (You sort of
have to construct this command for a couple of minutes in the future and then
wait for the clock to tick over before hitting enter -- or use a bigger
interval) :-)

> How do you search for files, with meta characters as their names?

Apart from the emacs feature I mentioned above, I don't know of any failsafe
method.

One final anecdote: Kernighan and Pike in "The Practice of Programming" tell
of how Stephen Bourne (writer of the Bourne shell, amazingly enough) created
254 files for testing his shell's file handling capabilities: each file had a
one character name and he used every character in the set except for '\0' and
'\', which are not allowed in Unix as filenames. So some shells, at least, can
handle these things.

OK .. I've waffled enough and the rain has stopped (it's *meant* to be summer,
here ...grrr). Off for some sunshine. :-)

Malcolm Tredinnick

--
A clear conscience is usually the sign of a bad memory.

************
techtalk at linuxchix.org   http://www.linuxchix.org