Friday, May 18, 2012

What is a Zombie Process?

When a process finishes execution, it will have an exit status to report to its parent process. Because of this last little bit of information, the process will remain in the operating system’s process table as a zombie process, indicating that it is not to be scheduled for further execution, but that it cannot be completely removed (and its process ID cannot be reused) until it has been determined that the exit status is no longer needed.

When a child exits, the parent process will receive a SIGCHLD signal to indicate that one of its children has finished executing; the parent process will typically call the wait() system call at this point. That call will provide the parent with the child’s exit status, and will cause the child to be reaped, or removed from the process table.

How do I see if there are zombie processes on a system?
Run “ps aux” and look for a Z in the STAT column.

How do I remove zombie processes from a system?
Well, first you can wait. It’s possible that the parent process is intentionally leaving the process in a zombie state to ensure that future children that it may create will not receive the same pid. Or perhaps the parent is occupied, and will reap the child process momentarily.

Secondly, you can send a SIGCHLD signal to the parent (“kill -s SIGCHLD <ppid>”). This will cause well-behaved parents to reap their zombie children.

Finally, you can kill the parent process of the zombie. At that point, all of the parent’s children will be adopted by the init process (pid 1), which periodically runs wait() to reap any zombie children.
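To know which parent to signal, it helps to group the zombies by their parent pid. The function below is an added example, not part of the original post; zombies_by_parent and sample_ps are hypothetical names, and the sample rows are constructed rather than taken from a real host.

```shell
#!/bin/sh
# Report zombie processes grouped by parent, reading rows in the format of
#   ps -eo pid=,ppid=,stat=,comm=
# from standard input.
zombies_by_parent() {
    awk '
        $3 ~ /^Z/ {                 # STAT starts with Z: exited, not yet reaped
            count[$2]++
            pids[$2] = pids[$2] (pids[$2] == "" ? "" : ",") $1
        }
        END {
            for (ppid in count)
                printf "ppid=%s zombies=%d pids=%s\n", ppid, count[ppid], pids[ppid]
        }
    ' | sort -t= -k2,2n
}

# Constructed sample rows (pid, ppid, stat, command); not from a real host.
sample_ps() {
    cat <<'EOF'
    1     0 Ss   init
  812     1 S    worker-pool
  901   812 Z    job <defunct>
  902   812 Z    job <defunct>
  950     1 Sl   daemon
  977   950 Z+   helper <defunct>
  990   950 R    helper
EOF
}

sample_ps | zombies_by_parent
# On a live system: ps -eo pid=,ppid=,stat=,comm= | zombies_by_parent
```

A parent whose zombie count keeps growing is not calling wait() and will eventually exhaust the pid space available to it.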

Thursday, May 17, 2012

HOWTO use the Sticky Bit on a directory or file

The main property of the sticky bit on directories is that other users cannot delete or rename the files (or subdirectories) within that directory. When the sticky bit is set on a directory, only the owner and the root user can delete or rename the files or directories within that directory.

1. Set the Sticky bit on directory

Use the chmod command to set the sticky bit. If you are using octal numbers in chmod, give 1 before the other numbered privileges, as shown below. The example below gives rwx permission to user, group and others (and also adds the sticky bit to the directory).

ximena@anakin:# chmod 1777 dir

Or, you can assign only the sticky bit to an existing directory (without touching any other user, group and other privileges) using the chmod command as shown below.

ximena@anakin:# chmod +t dir

Once the sticky bit is assigned to a directory, you’ll see (t) as the last character in the permission. In this example, it is drwxrwxrwt.

ximena@anakin:# ls -ld /home/ximena/dir
drwxrwxrwt 2 ximena ximena 4096 2012-05-17 14:09 /home/ximena/dir
ximena@anakin:# ls -l dir
total 8
-rwxrwxrwx 1 ximena ximena   20  2012-05-17 14:12 ximunix.txt
-rwxrwxrwx 1 guest guest 41  2012-05-17 14:13 guest.txt

In the above example, as dir has rwx permission for everybody, all other users are allowed to create their own files or directories under this directory. However, even when the sub-directories or files under dir have rwx permission for everybody, only the owner of those can delete or rename them. Other users cannot delete or rename them because of the sticky bit.

In the above example, ximunix.txt has rwx for user, group, and others. But when the guest user tries to delete the file bala.txt, he’ll see the “Operation not permitted” message as shown below.

ximena@anakin:# su guest
ximena@anakin:# cd /home/bala/dir1
ximena@anakin:# rm bala.txt
rm: cannot remove `bala.txt': Operation not permitted

Please note that /tmp has the sticky bit enabled by default. You might not have noticed that until now. Now you know why the /tmp directory is supposed to have the sticky bit enabled.

ximena@anakin:# ls -ld /tmp
drwxrwxrwt 3 root root 4096 Jan 31 08:29 /tmp

To remove the sticky bit from a directory, do the following.

ximena@anakin:# chmod -t dir
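The same reasoning that applies to /tmp applies to every world-writable directory, so a useful check is to list the ones that lack the sticky bit. This is an added example, not part of the original post; world_writable_no_sticky and make_demo_tree are hypothetical names and the directory tree is constructed for the demonstration.

```shell
#!/bin/sh
# List directories under "$1" that anyone may write to but that lack the
# sticky bit, i.e. where any user can delete or rename other users' files.
#   -perm -0002    other-write bit is set
#   ! -perm -1000  sticky bit is not set
#   -xdev          stay on the starting filesystem
world_writable_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Build a constructed tree with one safe and one unsafe shared directory.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared_ok" "$root/shared_bad" "$root/private"
    chmod 1777 "$root/shared_ok"     # drwxrwxrwt, like /tmp
    chmod 0777 "$root/shared_bad"    # drwxrwxrwx, no sticky bit
    chmod 0755 "$root/private"       # not world-writable
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
world_writable_no_sticky "$demo"     # prints only .../shared_bad
rm -rf "$demo"
# On a live system: world_writable_no_sticky /
```

Each path it prints can be fixed with the chmod +t command shown earlier.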

2. Set the sticky bit on File

Setting the sticky bit on a file is pretty much useless, and it doesn’t do anything. On some of the older *nix flavors, an executable file with the sticky bit enabled will be loaded to the swap memory after its first execution, which speeds up all subsequent executions. This is not true anymore.

Tuesday, May 15, 2012

atime, ctime and mtime in Unix filesystems

Unix filesystems store a number of timestamps for each file. This means that you can use these timestamps to find out when any file or directory was last accessed (read from or written to), changed (file access permissions were changed) or modified (written to).

File and directory timestamps in Unix

The three times tracked for each file in Unix are these:
access time – atime
change time – ctime
modify time – mtime

atime – File Access Time:
Access time shows the last time the data from a file was accessed – read by one of the Unix processes directly or through commands and scripts.

ctime – File Change Time:
ctime changes when you change a file's ownership or access permissions. It also naturally reflects the last time the file had its contents updated.

mtime – File Modify Time:
Last modification time shows the time of the last change to the file's contents. It does not change with owner or permission changes, and is therefore used for tracking the actual changes to the data of the file itself.

The simplest way to confirm the times associated with a file is to use the ls command.

Timestamps are shown when using the long-format output of the ls command, ls -l:

ximena@anakin: ls -l /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:10 /tmp/file1

This is the default output of ls -l, which shows you the time of the last file modification – mtime. In our example, file /tmp/file1 was last changed around 7:10am.

If you want to see the last access time for this file, atime, you need to use the -lu options for ls. The output will probably show some later time:

ximena@anakin: ls -lu /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:27 /tmp/file1

In the example, it's 7:27am.

Lastly, ls -lc will show you the last time our file was changed, ctime:

ximena@anakin: ls -lc /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:31 /tmp/file1

Show atime, ctime and mtime with stat command

In Linux distributions, you will probably find a stat command, which shows all of the times in a more convenient way, along with plenty of other useful information about your file:

ximena@anakin: stat /tmp/file1
File: `/tmp/file1'
Size: 9             Blocks: 8          IO Block: 4096   regular file
Device: 811h/2065d    Inode: 179420      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2008-04-05 07:27:51.000000000 +0100
Modify: 2008-04-05 07:10:14.000000000 +0100
Change: 2008-04-05 07:35:22.000000000 +0100
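The difference between mtime and ctime is easiest to see by running an operation and checking which of the two moved. The script below is an added example, not part of the original post; times_changed_by is a hypothetical helper, it assumes a stat that accepts -c (GNU coreutils or busybox), and it works on a constructed scratch file.

```shell
#!/bin/sh
# Run a command and report which of mtime/ctime changed on FILE.
# atime is left out on purpose: the noatime/relatime mount options decide
# whether a read updates it, so the result differs between hosts.
times_changed_by() {   # usage: times_changed_by FILE COMMAND [ARGS...]
    f=$1; shift
    before=$(stat -c '%Y %Z' "$f")     # "mtime ctime" in seconds since epoch
    sleep 1                            # compare at 1-second resolution
    "$@" >/dev/null
    after=$(stat -c '%Y %Z' "$f")
    result=""
    if [ "${before% *}" != "${after% *}" ]; then result="mtime"; fi
    if [ "${before#* }" != "${after#* }" ]; then result="${result:+$result }ctime"; fi
    printf '%s\n' "${result:-none}"
}

demo_file=$(mktemp)                    # constructed scratch file, mode 0600
echo "chmod:  $(times_changed_by "$demo_file" chmod 640 "$demo_file")"
echo "append: $(times_changed_by "$demo_file" sh -c 'echo data >> "$1"' sh "$demo_file")"
echo "read:   $(times_changed_by "$demo_file" cat "$demo_file")"
# Setting mtime by hand still moves ctime forward, which is why ctime is the
# timestamp to check when an mtime looks implausibly old.
echo "touch:  $(times_changed_by "$demo_file" touch -t 200801010000 "$demo_file")"
rm -f "$demo_file"
```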

Monday, May 14, 2012

Delete or Remove Files With Inode Number

An inode identifies the file and its attributes such as file size, owner, permissions and so on. A unique inode number within the file system identifies each inode. But why delete a file by its inode number? Sure, you can use the rm command to delete a file. Sometimes, though, you accidentally create a filename with control characters, characters which cannot be typed on a keyboard, or special characters such as ?, *, ^ etc. Removing files with such special-character names can be a problem. Use the following method to delete a file with strange characters in its name:

First find out the file's inode number with either of the following commands:

stat {file-name}
ls -il {file-name}

Use the find command to remove the file:
find . -inum [inode-number] -exec rm -i {} \;

When prompted for confirmation, press Y to confirm removal of the file.

E.g. delete or remove a file by its inode number:

(1). Create a hard to delete file name:
$ cd /tmp
$ touch "\+Xy \+\8"
$ ls

(2). Try to remove this file with rm command:
$ rm \+Xy \+\8

(3). Remove file by an inode number, but first find out the file inode number:
$ ls -li


781956 drwx------  3 viv viv 4096 2006-01-27 15:05 gconfd-viv
781964 drwx------  2 viv viv 4096 2006-01-27 15:05 keyring-pKracm
782049 srwxr-xr-x  1 viv viv    0 2006-01-27 15:05 mapping-viv
781939 drwx------  2 viv viv 4096 2006-01-27 15:31 orbit-viv
781922 drwx------  2 viv viv 4096 2006-01-27 15:05 ssh-cnaOtj4013
781882 drwx------  2 viv viv 4096 2006-01-27 15:05 ssh-SsCkUW4013
782263 -rw-r--r--  1 viv viv    0 2006-01-27 15:49 \+Xy \+\8

Note: 782263 is the inode number.

(4). Use find command to delete file by inode:
$ find . -inum 782263 -exec rm -i {} \;

Note that you can also escape the special characters in the filename (add a \ character before them, or quote the name) to remove it directly, so the command would be:
$ rm "\+Xy \+\8"

If you have a file with a name like "2012/05/14" then no UNIX or Linux command can delete this file by name. The only method to delete such a file is to delete it by its inode number. Linux or UNIX never allows creating a filename like 2012/05/14, but if you are using NFS from Mac OS or Windows then it is possible to create such a file.
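Two details matter when deleting by inode: inode numbers are only unique within one filesystem, and hard links give several names the same inode, so a bare find -inum can match more than you intended. The wrapper below is an added example, not part of the original post; rm_by_inode and inode_of are hypothetical names, it assumes a find that supports -maxdepth (GNU or BSD), and it calls rm without -i so that it can run unattended.

```shell
#!/bin/sh
# Delete the single non-directory entry in DIR that has inode number INODE.
# Refuses when zero or several names match (for example hard links).
rm_by_inode() {   # usage: rm_by_inode DIR INODE
    matches=$(find "$1" -xdev -maxdepth 1 ! -type d -inum "$2" -exec echo x \; | wc -l)
    if [ "$matches" -ne 1 ]; then
        echo "refusing: $matches names match inode $2 in $1" >&2
        return 1
    fi
    # "--" stops option parsing, so a name starting with "-" is safe too.
    find "$1" -xdev -maxdepth 1 ! -type d -inum "$2" -exec rm -- {} \;
}

# Inode number of one path; only the first output line is read, so a
# newline inside the name does not confuse it.
inode_of() { ls -id -- "$1" | awk 'NR == 1 { print $1 }'; }

# Constructed demo: a name containing a tab and a newline.
work=$(mktemp -d)
odd="$work/$(printf 'odd\tname\nhere')"
: > "$odd"
rm_by_inode "$work" "$(inode_of "$odd")" && echo "odd name removed"

# Two hard links share one inode, so the wrapper refuses to guess.
: > "$work/a"
ln "$work/a" "$work/b"
rm_by_inode "$work" "$(inode_of "$work/a")" || echo "hard-linked file left alone"
rm -rf "$work"
```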