On 07/19/15 09:57, jd1008 wrote: > > > On 07/18/2015 07:53 PM, Ed Greshko wrote: >> On 07/19/15 09:17, jd1008 wrote: >>> debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null >>> Inode Pathname >>> 47972353 //root >>> >>> So, why is it trying to do that? >>> I am not logged in as root. >>> >>> How can I find out the process(es) that spawned sh >>> to access /root? >> OK, so you have determined that the path being accessed and cited by the alert is /root. >> >> Don't know if the process is still around, but supposedly it was pid=6476. >> > This is frustrating!! > $ ps -p 6476 > PID TTY TIME CMD > $ > That should then mean that the pid= on each sealert is different. Yes? -- If I wanted a blog or social media I'd go elsewhere -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
