incron crawling disk without configuration

[trueshanti]

it seems incron is crawling all disk , but should onyl monitor "1" file

syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/3 - events will be discarded silently
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: cannot create watch for user root: (2) No such file or directory
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/4 - events will be discarded silently
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: cannot create watch for user root: (2) No such file or directory
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/5 - events will be discarded silently
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: cannot create watch for user root: (2) No such file or directory
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/6 - events will be discarded silently
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: cannot create watch for user root: (2) No such file or directory
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/7 - events will be discarded silently
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: cannot create watch for user root: (2) No such file or directory
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/8 - events will be discarded silently
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: cannot create watch for user root: (2) No such file or directory
syslog.2.gz:Sep 30 01:28:40 scytale incrond[1225]: access denied on ./proc/2787/task/3193/fd/9 - events will be discarded silently

how can i restrict incrond to only work with configfiles and turning off such unwanded behavior ?

thanks 4 support
br

[ericjunkermann]

There's no answer to this without seeing your incrontab file. Knowing the incron version might also help.

[trueshanti]

:-) right:

$> incrond -V
incrond 0.5.12

$> cat /etc/incron.conf |grep -v \#
$>

-> only commented lines

 incrontab -l
/etc/exim.conf	IN_MODIFY	    /root/bin/da_postbuild-exim.sh

nothing more

[trueshanti]

my primary system is Debian 10

[trueshanti]

cat /etc/incron.allow
root

incron.deny is empty , also /etc/incron.d is empty. /etc/incrond.conf is delault.

systemd-unit-file is debian-default and also holds no extra config

tabs in /var/spool/incron/* are commented-out (#) so i guess the are inactive .. if active, they would hold no jobs monitoring any /home or /proc folders,

br

[Ray-electrotechie]

You didn't say what was, and who owned process id 2787 - was that incrond itself?
Why not try to monitor something NOT in /etc but in your own account with full permissions for everyone before you try system files? Also you should allow yourself in incron users, not just root. Try to simplify the problem before launching into the full solution. Best of luck.

[trueshanti]

oh i am sorry:

so:
incrond runs as systemd-service on debian10 with UID 11811:

systemctl status incron.service

● incron.service - file system events scheduler
   Loaded: loaded (/lib/systemd/system/incron.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-11-01 17:42:46 CET; 32s ago
     Docs: man:incrond(8)
  Process: 11811 ExecStart=/usr/sbin/incrond (code=exited, status=0/SUCCESS)
 Main PID: 11812 (incrond)
    Tasks: 2 (limit: 4915)
   Memory: 1.7G
   CGroup: /system.slice/incron.service
           ├─11812 /usr/sbin/incrond
           └─11813 find

Nov 01 17:42:46 scytale.mojo.cc systemd[1]: Starting file system events scheduler...
Nov 01 17:42:46 scytale.mojo.cc incrond[11811]: starting service (version 0.5.12, built on Dec  2 2019 22:20:07
Nov 01 17:42:46 scytale.mojo.cc incrond[11812]: loading system tables
Nov 01 17:42:46 scytale.mojo.cc systemd[1]: Started file system events scheduler.
Nov 01 17:42:46 scytale.mojo.cc incrond[11812]: loading user tables
Nov 01 17:42:46 scytale.mojo.cc incrond[11812]: loading table for user root

incrontab for root (incrontab -l):
/root/test.txt IN_MODIFY date > /tmp/incrontimertest

as you can see: a forked "find"-process is crawling my disk .. IMO for no reason - why is it doing this causing logs like:
Nov 01 17:45:19 scytale.mojo.cc incrond[11812]: access denied on ./proc/14652/task/7963/fdinfo/760 - events will be discarded silently Nov 01 17:45:19 scytale.mojo.cc incrond[11812]: access denied on ./proc/14652/task/7963/fdinfo/761 - events will be discarded silently Nov 01 17:45:19 scytale.mojo.cc incrond[11812]: access denied on ./proc/14652/task/7963/fdinfo/763 - events will be discarded silently Nov 01 17:45:19 scytale.mojo.cc incrond[11812]: access denied on ./proc/14652/task/7963/fdinfo/766 - events will be discarded silently Nov 01 17:45:19 scytale.mojo.cc incrond[11812]: access denied on ./proc/14652/task/7963/fdinfo/768 - events will be discarded silently Nov 01 17:45:19 scytale.mojo.cc incrond[11812]: access denied on ./proc/14652/task/7963/fdinfo/769 - events will be discarded silently

and
Time: Sun Nov 1 17:47:22 2020 +0100 Alert: *Error* Log line flooding/looping in /var/log/syslog. Reopening log file

please mind: its not the access-error itself that troubles me , but more like noconfig at all tells incrond to crawl without instruction - so i guess its hardcoded behavior that i like to disable.

br

[trueshanti]

You didn't say what was, and who owned process id 2787 - was that incrond itself?

PID 2787 along with the 1000s of other access-denied errors is just one of many processes running at that moment i start incrond .. same for the homefolders and-so-on .. nowadays such may also been handeled by polkitd (specially on /proc-access), so mayby this is not hononred - but is it an issue at all?

update to mention: /proc is mounted with option "hidepid=2" and user incron is not part of that group (but why should it ?)

[Ray-electrotechie]

I have first to warn you that I am an amateur in incron, so it is the blind leading so to speak.
You do know that "access denied on ./proc/14652/task/7963/fdinfo/761 - events will be discarded silently" is a warning reported from incron itself i.e. it is currently processing user tables in "usertable.cpp" and it trying to "AddTabEntry()"
The code reporting the error is:
syslog(LOG_WARNING, "access denied on %s - events will be discarded silently", rE.GetPath().c_str());

So it is incrond that is telling you that it cannot do something because it does not have access to "./proc/14652/task/7963/fdinfo/763". Now, I fully admit that I don't know WHY it needs access to that - that would be much further research. I can tell you anyway that it is not the process "find" that is reporting it, it is incrond. It is certainly NOT trying to do something secretive, it is shouting loudly that it is not happy working within it's current privileges.

Like you, I do not understand the "find" shown forked from systemD. Might think about that later...
I hope that info will help you progress. It is Sunday night and dinner will not be long away.

[Ray-electrotechie]

Ah, postscript, I just noticed that there is an "fdinfo" at the end of the ./proc/14652.... Could that mean "file descriptor info" i.e. something related to the file you are trying to monitor. To be investigated....

[trueshanti]

Thank you Ray for looking into ..

FYI:

1. running the binary in fg-mode doesnt show the issue, so maybe systemd plays a role here as well.
2. I replaced /usr/sbin/incrond with a fresh build from this repo(git) .. and no more issues. I think a rebuild of the debian-package would be sufficient.

i will inform [email protected] as packagemaintainer.

thank you

[Ray-electrotechie]

Hello trueshanti, dinner was good - now going to watch TV for a while. I am glad that you have identified a way around your problems. Keep smiling; keep healthy - Ray