It is not pgsql_tmp but a directory two level before the postgres data directory. I tried deleting the files but they reappear in about 10 mins or so, so it is not a sysadmin leftover. I am suspecting it is something that probably is assisting with some tools maybe: there is Patroni ,pgqd, wal-g running and some of these require python. However, I am still not sure why they exist and what is creating it.
Regards,
Priyanka
On Fri, Oct 11, 2024 at 11:01 PM Imran Khan <imran.k.23@xxxxxxxxx> wrote:
In that case involving OS admin make sense.On Fri, Oct 11, 2024, 11:51 PM Jeff Janes <jeff.janes@xxxxxxxxx> wrote:On Fri, Oct 11, 2024 at 4:16 PM Laurenz Albe <laurenz.albe@xxxxxxxxxxx> wrote:On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
> On Fri, Oct 11, 2024 at 3:09 PM Laurenz Albe <laurenz.albe@xxxxxxxxxxx> wrote:
> > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> > > I am observing a new/unknown behavior on some of my instances. My postgres Data
> > > directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
> > > present inside /home/postgres/pgdata which has 100s of directory underneath it
> > > and inside each directory some library files related to Psycopg2. Not sure what
> > > these files are and why it is getting created. I am attaching screenshots for reference.
> > > Can anyone shed some light or direct me to any links to troubleshoot this?
> >
> > I'd say somebody broke into your database and is abusing it for his purposes.
> >
> > If that proves true, rescue what you can of the data and start with a new
> > installation, preferably with better security.
I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
That looks very much like somebody guessed your superuser password and is hijacking
the operating system account.But he didn't say they were in pgsql_tmp, just that they were in some temp directory apparently 3 or 4 levels higher in the directory tree than where I would expect pgsql_tmp to be. To me this looks like some cruft left over from some sysadmin running the python package manager, perhaps while logged in as the wrong user. (Although I suppose that running a package manager as the wrong user is also something a hacker might try to do...)Cheers,Jeff