0

When I run in the terminal a script which compiles different things by running other scripts, it shows up an error, telling me that the file XXX doesn't exist. But it existed before I ran the script. Thus, I would like to find out what script/program/process deleted the file to fix the bug.

I looked at this but it didn't help me: I am looking for the program at the origin of the deletion, not the user. Additionally, auditctl and iwatch don't exist on the machine I am using.

Please note that I am not interested in what files are deleted (I perfectly know which).

Also, I can recreate XXX to run again the script.

How to simply find out what causes the deletion of XXX?

Codoscope
  • 892
  • 1
  • 10
  • 18
  • 2
    You could make it write-protected (`chmod 440 XXX`), and see if some script complains. Are you using `make`? `make` deletes intermediate products. – sauerburger Aug 31 '17 at 08:33
  • `chmod` doesn't work because XXX is actually a symbolic link, so the permissions remain `lrwxrwxrwx` and the file is still deleted. I don't think that XXX is the target of a Makefile. I am also using shell scripts. – Codoscope Aug 31 '17 at 09:02
  • I have replaced XXX by a regular file to use `chmod 440` on it, but it is still deleted. Yet, I am not using `sudo` when I run the first script. – Codoscope Aug 31 '17 at 09:07
  • You must set the owner and group to `root` to prevent non-sudo access for a user. – Murphy Aug 31 '17 at 09:28
  • Use `chattr +i` instead of `chmod 440`. – ceving Aug 31 '17 at 11:07
  • Be aware: ["Not all flags are supported or utilized by all filesystems; refer to filesystem-specific man pages such as btrfs(5), ext4(5), and xfs(5) for more filesystem-specific details."](http://man7.org/linux/man-pages/man1/chattr.1.html) – Murphy Aug 31 '17 at 11:12

1 Answers1

1

Two possibilities come to mind how to debug a shell script:

  1. Use strace; the function call you're looking for is most probably unlink(). From the surrounding calls you should be able to deduct the context the deletion is called from.
  2. Switch on command echo with set -x or the shebang #!/bin/bash -x (for Bash) and grep for rm and perhaps unlink. However the deletion may occur in some binary that's called somewhere, in that case you won't find anything this way.

Redirect the output to a file to make searching easier.

Murphy
  • 3,827
  • 4
  • 21
  • 35