TMPREAPER(8) | System Manager's Manual | TMPREAPER(8) |
NAME
tmpreaper - removes files which haven't been accessed for a period of time
SYNOPSIS
tmpreaper [-htvfmMsaT] [--help] [--test] [--verbose] [--force] [--delay=x] [--runtime=x] [--showdeleted] [--ctime] [--mtime] [--mtime-dir] [--symlinks] [--all] [[--protect '<shell_pattern>']...] <time_spec> <dirs>...
DESCRIPTION
tmpreaper recursively searches for and removes files and empty directories which haven't been accessed for a given number of seconds. Normally, it's used to clean up directories which are used for temporary holding space, such as "/tmp". Please read the WARNINGS section of this manual.
When changing directories, tmpreaper is very sensitive to possible race condition security exploits[1], and will exit with an error if one is detected. It does not follow symbolic links in the directories it's cleaning (even if a symbolic link is given as its argument), never performs chdir(".."), will not switch file systems, and only removes empty directories and regular files. Unless your machine is one with lots of relatively untrusted users, such as an ISP or school, you don't need this program; `find ... -exec rm ...' works just as well when you don't have to be concerned about people trying to exploit the race condition on you.
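The rules in the paragraph above (no following of symbolic links, no chdir(".."), no crossing onto another filesystem, only regular files and empty directories removed, and an abort when a directory changes under the walk), as an added example in Python. This is not tmpreaper's own code; it keeps every lookup, open and unlink relative to an open directory file descriptor, which is one way to get those guarantees. The sample tree, including the attacker-style symlink pointing at a file outside it, is constructed in a temporary directory and is not real data; a POSIX platform with dir_fd support is assumed.

```python
# Added example, not tmpreaper's own source: a cleanup walk on directory
# file descriptors.  A path component swapped for a symlink between two
# steps cannot redirect the walk, no chdir("..") is ever needed, the walk
# never leaves the starting filesystem, and only regular files and empty
# directories are removed.  Assumes a POSIX platform (dir_fd support).
import os
import shutil
import stat
import tempfile
import time

OPEN_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def reap(root, expired, test=False):
    """Remove expired regular files and empty directories below `root`.
    `expired(st)` takes an os.stat_result and decides eligibility.  With
    test=True nothing is removed.  Returns the paths removed (or planned)."""
    rootfd = os.open(root, OPEN_DIR)   # a symlink as argument is rejected here
    try:
        dev = os.fstat(rootfd).st_dev  # the one filesystem we stay on
        return _reap_dir(rootfd, root, dev, expired, test)
    finally:
        os.close(rootfd)


def _reap_dir(dirfd, path, dev, expired, test):
    removed = []
    for name in os.listdir(dirfd):
        # lstat-style lookup relative to the open directory: a symlink is
        # seen as a symlink and, like sockets or fifos, is never touched.
        st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        full = os.path.join(path, name)
        if stat.S_ISDIR(st.st_mode):
            if st.st_dev != dev:
                continue                       # mount point: do not cross
            subfd = os.open(name, OPEN_DIR, dir_fd=dirfd)
            try:
                # The directory we hold open must be the inode we looked at;
                # otherwise the entry was swapped under us (the race the
                # text warns about) and, like tmpreaper, we stop with an error.
                st2 = os.fstat(subfd)
                if (st2.st_dev, st2.st_ino) != (st.st_dev, st.st_ino):
                    raise RuntimeError(f"{full} changed during traversal")
                removed += _reap_dir(subfd, full, dev, expired, test)
                if not os.listdir(subfd) and expired(st2):
                    if not test:
                        os.rmdir(name, dir_fd=dirfd)
                    removed.append(full)
            finally:
                os.close(subfd)
        elif stat.S_ISREG(st.st_mode) and expired(st):
            if not test:
                os.unlink(name, dir_fd=dirfd)
            removed.append(full)
    return removed


def demo():
    """Constructed sample tree (not real data) with a 5d grace period on mtime."""
    now = time.time()
    old = now - 10 * 86400

    def expired(st):                           # the --mtime style of check
        return st.st_mtime < now - 5 * 86400

    root = tempfile.mkdtemp(prefix="reap-root-")
    outside = tempfile.mkdtemp(prefix="reap-outside-")
    victim = os.path.join(outside, "victim")   # old file outside the tree
    open(victim, "w").close()
    os.utime(victim, (old, old))
    stale = os.path.join(root, "stale.txt")    # old: removed
    open(stale, "w").close()
    os.utime(stale, (old, old))
    fresh = os.path.join(root, "fresh.txt")    # new: kept
    open(fresh, "w").close()
    keep = os.path.join(root, "keep")          # non-empty directory: kept
    os.mkdir(keep)
    open(os.path.join(keep, "inuse"), "w").close()
    empty = os.path.join(root, "stale_empty")  # empty and old: removed
    os.mkdir(empty)
    os.utime(empty, (old, old))
    link = os.path.join(root, "link")          # symlink to the outside file
    os.symlink(victim, link)

    planned = reap(root, expired, test=True)   # like --test: report only
    removed = reap(root, expired)
    result = {
        "planned": sorted(os.path.relpath(p, root) for p in planned),
        "removed": sorted(os.path.relpath(p, root) for p in removed),
        "victim_survives": os.path.exists(victim),
        "link_survives": os.path.lexists(link),
        "fresh_survives": os.path.exists(fresh),
        "keep_survives": os.path.isdir(keep),
    }
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The dev/ino comparison after the open is the essential step: a stat followed by a chdir or open of the same name is exactly the window the 1996 bugtraq reports exploited, and checking that the descriptor you now hold refers to the inode you inspected closes it.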
tmpreaper will stop itself after almost one minute with an appropriate warning message, as attempts to keep it running long enough so that it runs in parallel with another instance of itself may also lead to possible vulnerabilities. Normally, tmpreaper won't need that amount of time. If your system is so slow that it does, try to configure things so that this doesn't happen. As a last resort, the --runtime=x option can be used to set the number of seconds after which the timeout occurs; the default setting is 55 seconds.
tmpreaper dates files by their atime, not their mtime, unless you select the --mtime option. If files aren't being removed when ls -l implies they should be, remember that ls -l shows the mtime; use stat(1) or ls --time=access to examine the file's atime and see if that explains the problem. Bear in mind also that filesystems mounted with noatime never update the atime, and relatime (the default on current Linux kernels) updates it at most about once a day, so the atime can lag well behind the last real access; with noatime a file that is read daily still looks untouched since it was written.
Additionally, tmpreaper can be instructed to also check the ctime (the inode change time, which is updated e.g. when the file is created or its permissions are changed). This is primarily useful when tmpreaper cleans up directories that are exported as a Samba share: DOS and Windows clients preserve the mtime and the atime when copying to a new file, so a newly created copy looks old. Without --ctime, tmpreaper removes such a file as soon as its atime is beyond the removal time, even though it was just created. With --ctime, a file is only removed when its ctime is also older than the threshold, which avoids this.
As testing the contents of subdirectories will update those directories' atime, empty directories won't be removed. To circumvent this problem you can use the --mtime-dir option, which will switch on mtime checking for directories only. Using --mtime-dir in addition to --mtime doesn't do anything useful.
The <time_spec> parameter defines the age threshold for removing files. If the file has not been accessed for <time_spec>, it becomes eligible for removal. The <time_spec> should be a number, defaulting to hours, optionally suffixed by one character: `d' for days, `h' for hours, `m' for minutes, or `s' for seconds. Following the time option, one or more directories must be given for tmpreaper to clean up.
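The timestamp rules of the preceding paragraphs (atime by default, mtime with --mtime, directories on mtime with --mtime-dir, the extra ctime test with --ctime) and the <time_spec> syntax, as an added example in Python that is not tmpreaper's own code. It reproduces the Samba/Windows situation with os.utime: atime and mtime are set to old values while the inode is brand new, so its ctime is fresh. The file names and the 5d threshold are constructed sample data, and POSIX ctime semantics are assumed.

```python
# Added example, not tmpreaper's own source: the documented timestamp rules
# as a testable function, plus a parser for <time_spec>.  os.utime can set
# atime and mtime but not ctime, which is exactly what a copy from a Windows
# client looks like: old access/modification times on a brand-new inode.
import os
import stat
import tempfile
import time

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_time_spec(spec):
    """Convert '5d', '12h', '30m', '45s' or a bare number (hours) to seconds."""
    unit, digits = "h", spec.strip()
    if digits and digits[-1] in UNITS:
        unit, digits = digits[-1], digits[:-1]
    if not digits.isdigit():
        raise ValueError(f"bad time spec: {spec!r}")
    return int(digits) * UNITS[unit]


def is_expired(st, age, now, mtime=False, mtime_dir=False, ctime=False):
    """Apply the documented rule to an os.stat_result.

    The reference time is the atime, or the mtime with --mtime (and, for
    directories only, with --mtime-dir).  With --ctime the inode change
    time must also be older than the threshold, which is what keeps a
    freshly written copy whose atime/mtime were carried over from the source.
    """
    cutoff = now - age
    use_mtime = mtime or (mtime_dir and stat.S_ISDIR(st.st_mode))
    ref = st.st_mtime if use_mtime else st.st_atime
    if ref >= cutoff:
        return False
    if ctime and st.st_ctime >= cutoff:
        return False
    return True


def demo():
    """Constructed files in a temp dir (sample data) against a 5d threshold."""
    now = time.time()
    old = now - 10 * 86400
    age = parse_time_spec("5d")
    d = tempfile.mkdtemp(prefix="tmpreaper-demo-")

    # Copied from a Windows client: old atime and mtime, brand-new inode.
    copied = os.path.join(d, "report.doc")
    open(copied, "w").close()
    os.utime(copied, (old, old))
    # Written long ago but read a minute ago: fresh atime, old mtime.
    read_recently = os.path.join(d, "notes.txt")
    open(read_recently, "w").close()
    os.utime(read_recently, (now - 60, old))
    # Created just now: every timestamp is fresh.
    fresh = os.path.join(d, "fresh.txt")
    open(fresh, "w").close()
    # Empty directory with an old mtime; reading it may refresh its atime
    # (mount options decide), which is the --mtime-dir problem.
    sub = os.path.join(d, "emptydir")
    os.mkdir(sub)
    os.utime(sub, (old, old))
    os.listdir(sub)

    s = {n: os.stat(os.path.join(d, n))
         for n in ("report.doc", "notes.txt", "fresh.txt", "emptydir")}
    result = {
        "copied_default": is_expired(s["report.doc"], age, now),
        "copied_with_ctime": is_expired(s["report.doc"], age, now, ctime=True),
        "read_recently_default": is_expired(s["notes.txt"], age, now),
        "read_recently_with_mtime": is_expired(s["notes.txt"], age, now, mtime=True),
        "fresh_default": is_expired(s["fresh.txt"], age, now),
        "emptydir_with_mtime_dir": is_expired(s["emptydir"], age, now, mtime_dir=True),
    }
    for n in ("report.doc", "notes.txt", "fresh.txt"):
        os.remove(os.path.join(d, n))
    os.rmdir(sub)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "report.doc" case is the one the Samba paragraph describes: eligible on atime alone, kept once the ctime is also consulted. The "notes.txt" case shows why a file that ls -l calls old may survive an atime-based run.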
On Linux ext2/ext3/ext4 filesystems, no error is reported when tmpreaper tries to remove a file that carries the immutable attribute (see chattr(1) and lsattr(1)); the file is simply left in place. A common case was the ext3 .journal file, but the system administrator may of course have marked other files in the same way.
The <shell_pattern> given to --protect must be enclosed in single quotes. Otherwise the shell expands the pattern before tmpreaper reads its argument array, and tmpreaper receives whatever file names happened to match in the shell's current directory instead of the pattern it is meant to apply inside each directory it cleans. The program does not accept such pre-expanded lists, so always single-quote the glob pattern.
tmpreaper will chdir(2) into each of the directories you've specified for cleanup, and check for files matching the <shell_pattern> there. It then builds a list of them, and uses that to protect them from removal. For example:
tmpreaper --test --verbose --protect \
'.X*-{lock,unix,unix/*}' --protect '.ICE-{unix{/*,}}' \
5d /tmp # 5 day grace period
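How a --protect pattern is applied, as an added example in Python that is not tmpreaper's own matching code: the pattern is expanded inside each cleanup directory, the matches are collected, and those names are excluded from removal. The {a,b} alternation used by the man page's example patterns is handled by a small expander written for this illustration. The tree with .X11-unix, .ICE-unix and a few stray files is constructed sample data.

```python
# Added example, not tmpreaper's own source: expand a --protect pattern
# relative to a cleanup directory and build the list of shielded names.
import os
import pathlib
import re
import shutil
import tempfile

_BRACE = re.compile(r"\{([^{}]*)\}")   # innermost {a,b,...} group


def brace_expand(pattern):
    """'.X*-{lock,unix,unix/*}' -> ['.X*-lock', '.X*-unix', '.X*-unix/*'].

    Innermost groups are expanded first, so a nested form such as
    '.ICE-{unix{/*,}}' becomes ['.ICE-unix/*', '.ICE-unix'].
    """
    m = _BRACE.search(pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(brace_expand(head + alt + tail))
    return out


def protected_names(directory, patterns):
    """Paths (relative to `directory`) shielded by the given patterns.

    Matching is done relative to the directory, which is what tmpreaper's
    chdir() into each cleanup directory achieves: the pattern never needs
    to carry the directory prefix, and the same pattern serves every
    directory on the command line.
    """
    base = pathlib.Path(directory)
    shielded = set()
    for pat in patterns:
        for expanded in brace_expand(pat):
            for hit in base.glob(expanded):
                shielded.add(hit.relative_to(base).as_posix())
    return shielded


def removal_candidates(directory, patterns):
    """Every entry in the tree except the protected ones (ages ignored here)."""
    base = pathlib.Path(directory)
    shielded = protected_names(directory, patterns)
    return sorted(
        p.relative_to(base).as_posix()
        for p in base.rglob("*")
        if p.relative_to(base).as_posix() not in shielded
    )


def demo():
    """Constructed /tmp-like tree (sample data) protected as in the man page."""
    d = tempfile.mkdtemp(prefix="protect-demo-")
    for sub in (".X11-unix", ".ICE-unix", "build"):
        os.mkdir(os.path.join(d, sub))
    for f in (".X0-lock", ".X11-unix/X0", ".ICE-unix/4242", "build/a.o", "leftover.tmp"):
        open(os.path.join(d, f), "w").close()
    patterns = [".X*-{lock,unix,unix/*}", ".ICE-{unix{/*,}}"]
    result = {
        "protected": sorted(protected_names(d, patterns)),
        "candidates": removal_candidates(d, patterns),
    }
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the X11 and ICE sockets, their directories and the lock file all end up in the protected set, while build/ and leftover.tmp remain candidates; whether those are actually removed is then decided by the age rules alone.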
As long as there are files present inside a subdirectory, it won't get removed. You can use a non-writable, self-owned file, perhaps named ".tmpreaper", or, if you are root, a file with the ext2/ext3/ext4 immutable attribute set (see chattr(1)), to keep a subdirectory from being deleted. Of course, you could just as easily use the --protect option to obtain the same result.
Because the command line argument processing is implemented with GNU getopt_long(3)[2], you may order the arguments thusly, if it pleases you:
tmpreaper --test --verbose 5h \
--protect './tmp/{blah?,dir{/blah4,}}' ./tmp \
--protect '/tmp/.X*' /tmp
Note that --all and --symlinks are global: they apply to every directory given on the command line, wherever they appear in it. If you want one of them turned on for only one directory, you must use separate commands.
WARNINGS
Please do not ever run tmpreaper on `/'!!! There are no safeguards against this built into the program, because that would make it difficult to use in a chrooted environment.
SEE ALSO
chattr(1), chdir(2), chroot(8), cron(1), getopt_long(3), ls(1), lsattr(1), rm(1), stat(1)
NOTES
[1] http://seclists.org/lists/bugtraq/1996/May/0046.html or
    http://www.security-express.com/archives/bugtraq/1996_2/0054.html
    http://linuxgazette.net/18/tmp.html
    (formerly http://www.linuxgazette.com/issue18/tmp.html)
    http://linuxgazette.net/20/followup.html
[2] info:(libc)Long Options
AUTHOR
Karl M. Hegbloom <karlheg@debian.org>
Mostly based on `tmpwatch-1.2/1.4', by:
Erik Troan <ewt@redhat.com>
Now being maintained for Debian by:
Paul Slootman <paul@debian.org>
Sat Jan 5 2019 | 4th Berkeley Distribution |