I want to identify the culprit who is erasing the unix domain socket of tmux.

Asked 2 months ago, Updated 2 months ago, 4 views

Launch zsh on MacOS X El Capitan's iTerm2 and then launch tmux by hand.

And after using it for a while, the unix domain socket (hereinafter referred to as "socket") of tmux will be erased.

/private/var/folders/<abbreviated>/T/tmux-501/default

tmux-501 and below are erased. The timing of the disappearance varies, and after using it for a few hours, it seems to have disappeared before I knew it. When you use a function that reads or writes the socket, such as tmux ls, after it has disappeared,

error connecting to /private/var/folders/<abbreviated>/T/tmux-501/default (No such file or directory)

an error like this is reported. You notice that the socket file has disappeared when you use a function that reads or writes the socket, and of course not when it disappeared. In other words, I don't know when it disappeared. I have no idea who's erasing it.

By the way, if you look at the man of tmux, it says that if you send SIGUSR1 to the tmux process, it will recreate the socket file (but it will fail without the parent directory), so I was able to revive it by doing the following.

$ mkdir -m 700 /private/var/folders/<abbreviated>/T/tmux-501
$ killall -SIGUSR1 tmux

tmux ls should now display normally.

The reason why I set the directory permission to 700 is because the directory originally created by tmux was like that and they didn't recreate it if it stayed at the default of 755, so it doesn't mean much.

In practical terms, I think there is no problem except that it is troublesome, but I can't help but feel uncomfortable about who is erasing it. I think it will be a clue to the solution if we can identify who is erasing it and when. Is there any way to identify it?

January 28, 2016 11:54 Add

I ran a shell script that checked every second whether the file had disappeared and recorded the time when it did, and I caught the time when it disappeared. It was today at 11:42:56. I searched the log in Console.app and found something like this.

January 28, 2016 11:42:56.581 sandboxd[132]: ([52708]) PluginProcess (52708) deny file-write-unlink /private/var/folders/<omitted>/C/com.apple.sandbox
January 28, 2016 11:42:56.588 sandboxd[132]: ([52708]) PluginProcess (52708) deny file-write-unlink /private/var/folders/<omitted>/C/com.apple.sandbox
January 28, 2016 11:42:56.597 sandboxd[132]: ([52708]) PluginProcess (52708) deny file-read-data /private/var/folders/<omitted>/C/com.apple.sandbox
January 28, 2016 11:42:56.975 launchservicesd[79]: SecTaskLoadEntitlements failed error=22
January 28, 2016 11:42:56.981 launchservicesd[79]: SecTaskLoadEntitlements failed error=22
January 28, 2016 11:42:56.983 launchservicesd[79]: SecTaskLoadEntitlements failed error=22

For each of the first three entries, Console.app indicates that there is more information, and if you show it for the first entry, it looks like this:

PluginProcess (52708) deny file-write-unlink /private/var/folders/<omitted>/C/com.apple.sandbox

Process: PluginProcess [52708]
Path: /System/Library/Frameworks/WebKit.framework/Version/A/PluginProcess.app/Contents/MacOS/PluginProcess
Load Address: 0x2000
Identifier: com.apple.WebKit.PluginProcess
Version: 11601.4.4 (11601)
Build Info:1 - WebKit2 to 760100400400000000
Code Type: i386 (Native)
Parent Process: Safari [331]

Date/Time: 2016-01-28 11:42:56.401+0900
OS Version: Mac OS X 10.11.3 (15D21)
Report Version: 8

<abbreviated>

The call stack and so on appear to continue after this. As far as I can see, it looks like a file related to WebKit, and I wonder if the unlink was denied and failed. Was the tmux socket erased when it got caught up in that? It's all a guess. I don't remember what I was doing in Safari.

I'm trying to search using the words recorded in the log, but I can't find any good information. First of all, I'll just write that there was a fact like this. Next, I'll try to bully Safari while monitoring the socket.

January 28, 2016 23:57 Add

The unix domain socket of the Emacs server that is started with (server-start) also gets erased. I don't know if it was the same culprit, but I don't think there are so many people who erase sockets. Anyway, it's a very annoying story. Oh, my God. I wish I could do M-x server-start as well...

macos tmux

2022-09-30 12:08

2 Answers

I haven't actually tried it, but how about around here?

The opensnoop command is a convenient utility that restores processes that have accessed specific files and folders.

http://yamaqblog.tokyo/?p=16811

Launchd WatchPaths File Monitoring

http://qiita.com/uraura/items/4bb0663e670fbaba1083

If you search for "mac file audit", you'll find quite a lot.


2022-09-30 12:08

Checked netstat

$ netstat -an | grep tmux
40a70ef2516d600f stream 0 0 40a70ef2566b2197 0 0 /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default

Try stat

$ stat /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default
16777220 51632361 srwxrwx--- 1 knoguchi staff 0 0 "Jan 28 10:40:22 2016" "Jan 28 10:40:22 2016" "Jan 28 10:40:22 2016" "Jan 28 10:40:22 2016" 4096 0 0 /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default

$ stat -s /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default
st_dev=16777220 st_ino=51632361 st_mode=0140770 st_nlink=1 st_uid=503 st_gid=20 st_rdev=0 st_size=0 st_atime=1454006422 st_mtime=1454006422 st_ctime=1454006422 st_birthtime=1454006422 st_blksize=4096 st_blocks=0 st_flags=0

According to the manual, it holds temporary files and caches for each user. /var/folders/*/*/T is temporary, and C is cache.

$ man 7 hier

     /var/         multi-purpose log, temporary, transient, and spool files
(omitted)
                   folders/  per-user temporary files and caches

Grepping the Darwin source code for /var/folders, it seems to be created, with various permissions set, if it does not exist at launchctl startup.

{"/var/folders", 0, 0, S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH, S_ISUID|S_ISGID, true},

Then there is dirhelper. It refers to the environment variable specified in /System/Library/LaunchDaemons/com.apple.bsd.dirhelper.plist, and with

<key>EnvironmentVariables</key>
    <dict>
            <key>CLEAN_FILES_OLDER_THAN_DAYS</key>
            <string>3</string>
    </dict>

it is supposed to erase old files. This one is suspicious!

Locate the source code referencing the environment variable.

    if (!args->machineBoot) {
        struct timeval now;
        long days = 3;
        const char *str = getenv("CLEAN_FILES_OLDER_THAN_DAYS");
        if (str) {
            days = strtol(str, NULL, 0);
        }
        (void)gettimeofday(&now, NULL);
        for (i = 0; args->dirs[i]; i++)
            asl_log(NULL, NULL, ASL_LEVEL_INFO, "Cleaning %s older than %ld days", args->dirs[i], days);

        // cutoff: anything older than this timestamp is a candidate
        when = now.tv_sec - (days * 60 * 60 * 24);
    }

machineBoot is set when you pass the -machineBoot option on the dirhelper command line. If this option is specified at startup, when = 0, and it appears that files are deleted unconditionally.

Looking further, it goes on to delete under the /var/folders/*/*/* directories. For the tmux socket at the top, /var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T seems to have been handed over to clean_files_older_than. The comments say that only regular files will be deleted.

chdir("/");
if ((d = opendir("/"))) {
    ...
    // /var/folders/*
    while ((e = readdir(d))) {
        ...
        // /var/folders/*/*
        while ((e2 = readdir(d2))) {
            ...
            for (i = 0; args->dirs[i]; i++) {
                const char *name = args->dirs[i];
                snprintf(dirbuf, sizeof(dirbuf),
                         "%s/%s/%s/%s", path, e->d_name, e2->d_name, name);
                if (is_directory(dirbuf)) {
                    // at boot time we clean all files,
                    // otherwise only clean regular files.
                    clean_files_older_than(dirbuf, when);
                }
            }
        }
    }
}

If you look at clean_files_older_than, it opens the directory first, checks one entry after another to see whether it is a regular file, and deletes it if it is old. S_ISREG is the macro that tests for a regular file; it is in /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/usr/include/sys/stat.h.

fts = fts_open(path_argv, FTS_PHYSICAL | FTS_XDEV, NULL);
...
while ((ent = fts_read(fts))) {
    switch (ent->fts_info) {
        ...
        case FTS_DEFAULT:
            // only regular files whose birth time and access time are both older than the cutoff
            if (S_ISREG(ent->fts_statp->st_mode) &&
                (ent->fts_statp->st_birthtime < when) &&
                (ent->fts_statp->st_atime < when)) {
                ...
                (void)unlink(ent->fts_path);
            }
    }
}

Hmmm, nothing particularly suspicious...? Try passing -cleanTemporaryItems on the command line; it will run with machineBoot false.

# Set atime and birth time to 1/1 so that it is more than 3 days old
$ touch -t 201601010000 /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default

# run dirhelper
$ /usr/libexec/dirhelper -cleanTemporaryItems

# try stat
$ stat /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default
16777220 51632361 srw-rw---- 1 knoguchi staff 0 0 "Jan  1 00:00:00 2016" "Jan  1 00:00:00 2016" "Jan 29 14:48:47 2016" "Jan  1 00:00:00 2016" 4096 0 0 /private/var/folders/j7/0w59t0zs7vs1j4r5x0trywy80000gq/T/tmux-503/default

There's nothing left, so dirhelper wasn't the culprit. Sorry (^^;;;


2022-09-30 12:08
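The non-boot cleanup rule quoted in the answer above can be exercised on a scratch directory to see that a stale AF_UNIX socket is skipped while a stale regular file qualifies. This is an added example, not part of the answer or of Apple's dirhelper source: it swaps the fts walk for a one-level readdir/lstat scan, uses st_mtime in place of st_birthtime, deletes nothing, and the names eligible, count_eligible, demo and the /tmp/dhdemo path are hypothetical.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* Non-boot rule from the excerpt; st_mtime stands in for st_birthtime (assumption). */
int eligible(const struct stat *st, time_t when) {
    return S_ISREG(st->st_mode) && st->st_mtime < when && st->st_atime < when;
}

/* Count entries directly under dir that the rule would unlink; nothing is deleted. */
int count_eligible(const char *dir, time_t when) {
    char p[512]; struct stat st; struct dirent *e; int n = 0;
    DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d))) {
        snprintf(p, sizeof p, "%s/%s", dir, e->d_name);
        n += lstat(p, &st) == 0 && eligible(&st, when);
    }
    closedir(d);
    return n;
}

/* Constructed scratch dir: one stale regular file and one stale AF_UNIX socket. */
int demo(void) {
    char dir[] = "/tmp/dhdemo.XXXXXX", f[64];
    time_t now = time(NULL), when = now - 3 * 86400; /* CLEAN_FILES_OLDER_THAN_DAYS=3 */
    struct timeval old[2] = {{now - 10 * 86400, 0}, {now - 10 * 86400, 0}};
    struct sockaddr_un a = {.sun_family = AF_UNIX};
    if (!mkdtemp(dir)) return -1;
    snprintf(f, sizeof f, "%s/old.tmp", dir);
    snprintf(a.sun_path, sizeof a.sun_path, "%s/default", dir);
    FILE *fp = fopen(f, "w");
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (!fp || fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a)) return -1;
    fclose(fp);
    if (utimes(f, old) || utimes(a.sun_path, old)) return -1; /* backdate both 10 days */
    int n = count_eligible(dir, when);
    close(fd); unlink(f); unlink(a.sun_path); rmdir(dir);
    return n;
}

int main(void) { printf("eligible entries: %d\n", demo()); return 0; }
```

Only the regular file is counted; the socket fails the S_ISREG test regardless of its timestamps, which matches the st_mode=0140770 shown by stat -s.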
