3

There are exactly 169 empty .bash_history-*.tmp in my home folder that were created on the same day (April 16 2021) without my knowledge. Files have only read and write permission for the owner. I am not sure what made this to happen. It has never happened in 5 years of my Linux journey(Both desktop and servers). Even stranger thing is that my default shell is not bash but its zsh. It would be great if someone could help me figure out what actually happened(if possible) or has it happened to someone else before? thank you in advance. Here it is

.-(~)(user@host)
`-->> find . -name '.*.tmp'
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-01407.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-01810.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-02487.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-03675.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08255.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08260.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08283.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08326.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08434.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08450.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08550.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08581.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08649.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08676.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08683.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08697.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08698.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08712.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08717.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08742.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08743.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08819.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08841.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08878.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08884.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08904.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08914.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-08962.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09060.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09116.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09157.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09201.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09212.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09228.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09247.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09248.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09265.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09274.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09283.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09331.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09366.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09397.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09445.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09501.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09507.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09548.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09597.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09632.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09701.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09760.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09904.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-09992.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10059.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10158.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10166.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10170.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10320.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10536.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10594.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10631.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10714.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-10753.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11127.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11189.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11494.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11514.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11697.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11774.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11827.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-11973.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12002.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12266.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12316.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12331.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12357.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12377.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12393.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12399.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12400.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12405.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12413.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12417.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12435.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12475.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12513.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12563.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12644.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12648.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12656.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12743.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12779.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12801.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12803.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12817.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12868.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-12971.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13005.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13013.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13020.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13033.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13042.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13047.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13065.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13074.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13089.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13090.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13092.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13094.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13097.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13099.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13145.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13162.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13184.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13202.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13203.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13206.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13208.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13218.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13219.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13220.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13250.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13313.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13316.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13320.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13322.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13323.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13341.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13360.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13388.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13489.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13530.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13566.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13575.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13576.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13630.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13640.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13675.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-13717.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14153.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14156.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14167.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14204.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14254.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14256.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14265.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14267.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14331.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14332.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14359.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14368.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14693.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14792.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14922.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14923.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14928.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14931.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14933.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14943.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14947.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14951.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14955.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-14968.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-30961.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-31005.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-31110.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-31142.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-32057.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-32358.tmp
-rw-------   1 user user   0 Apr 16 17:40 .bash_history-32434.tmp

FYI: someone helped me find a similar post on archlinuxforum but it doesn't answer my question.

nathan
  • 33
  • 5
  • 1
    The pattern `ls ... | grep ...` is a poor one. Generally speaking it's better to give `ls` the glob you want to match. In the case of your question this could have been `ls -ld .*.tmp` (here, because the glob starts with a dot there's no need to give `ls` the `-a` flag) – roaima May 02 '21 at 13:13
  • @roaima that is right, I just missed a dot while typing the question that is it `ls -a | grep ".*.tmp"` – nathan May 02 '21 at 13:15
  • @roaima I agree on your comment about piping things from `ls` to other tools like grep. It is not reliable. find is better in these kinds of stuff. – nathan May 02 '21 at 13:17
  • @roaima I would like to thank you for showing me how I can just list similar kinds of files (based on their name) using the `ls` command alone. If think you need more info to answer this question, feel free to ask me anything. – nathan May 02 '21 at 13:32
  • If you spot a typo or other error please use the opportunity to fix it. This ensures people don't end up answering a question that doesn't actually apply to your situation. I've done it for you this time – roaima May 02 '21 at 14:14
  • I appreciate your efforts to help out a newbie here, thank you. But the catch is that I don't know the things that I don't know. – nathan May 02 '21 at 14:36
  • I wasn't complaining about the typo. I was asking that as you discover typos please fix them. I'm sorry if it came across to you differently; that wasn't my intention. I'd like you to get an answer to this question. – roaima May 02 '21 at 14:38

2 Answers2

3

The bash source (available on Debian with apt-get source bash) writes its history file using the function history_do_write in the file bash-5.0/lib/readline/histfile.c. It creates a temporary file, writes the history lines to that, and then uses this to replace the actual history file

tempname = (overwrite && exists && S_ISREG (finfo.st_mode)) ? history_tempfile (histname) : 0;
output = tempname ? tempname : histname;

...

if (rv == 0 && histname && tempname)
  rv = histfile_restore (tempname, histname);

There are a number of places where the write could fail, and in these instances the temporary file is unlinked (deleted) and the original left alone.

However, you mentioned in a passing comment that you ran a forkbomb. This could well have been the underlying cause of these temporary files. It's possible that with the extreme memory and process pressure triggered by the uncontrolled forkbomb, bash wasn't able to get enough temporary memory to complete even this recovery process and simply crashed out during the attempted update. (Please note that this isn't hard fact, just a hypothesis.)

If you are in an environment where it's likely users will run forkbombs, it's worth enabling resource control.

roaima
  • 107,089
  • 14
  • 139
  • 261
  • 2
    This makes sense, I ran the bash forkbomb after making sure that it would fail by limiting the resources for the non-superusers. Forkbomb ran as expected but it failed to shutdown(slowdown) the system. I will try to recreate the same scenario and will update the post if I succeed to create those tmp files again. – nathan May 02 '21 at 15:11
  • 1
    Welp!! I was successful in reproducing the exact scenario. I can confirm that when you run a bash forkbomb on a system running `debian 10 buster` and when it succeeds to crash bash( it won't happen if you enable strict resource control policies for the users) it will produce a bunch of `.bash_history-*.tmp` files in the `$HOME` dir. I would like to thank you @roaima, you were right. – nathan May 02 '21 at 16:02
0

It's impossible to say for sure, but most likely something changed the HISTFILE environment variable and then called bash (or maybe some other readline-based file, but then the question would be why $HISTFILE would contain .bash-history).

This sounds like something you'd do in a unit test (suite).

I've been digging around bash source code for a couple of minutes now, and it doesn't look like there's any place where it would diverge from the default $HOME/.bash_history unless specified via HISTFILE.

Marcus Müller
  • 21,602
  • 2
  • 39
  • 54
  • Thanks for your answer. I ran a forkbomb --> `:(){ :|:&};:` on my machine using bash interactive shell the other day(I use zsh as my default shell tho). In any way could this be the reason for the creation of tmp files? – nathan May 02 '21 at 13:25
  • as said: no, it could not. – Marcus Müller May 02 '21 at 13:45