In order to maintain overall operating system stability it is important to check that directories/file systems being used as temporary storage space by applications should get full. This is because a temporary file system out of space could cause a server to go into hung state and under extreme circumstances even a kernel panic might occur.  Have you ever wondered why most files inside the /tmp directory get deleted over some time if they are left unused? If you have then this article is for you. In this article we will explain how and why the /tmp directory gets emptied over a period of time on Linux systems.

We will explaining the concept on Centos 6/RHEL 6 systems. The mechanism is different in case of Centos 7/RHEL 7 systems.

A program named tmpwatch is responsible for periodically cleaning up the /tmp and /var/tmp directories on Centos 6/RHEL 6 systems. tmpwatch recursively removes files which haven’t been accessed for a given time. Normally, it’s used to clean up directories which are used for temporary holding space such as /tmp. It does not follow symbolic links in the directories when it’s cleaning up the directory, will not switch file systems, skips lost+found and directories owned by the root user. The tmpwatch program should be installed on the system by default and you confirm the same by performing a query on it using the rpm command as shown below:

[sahil@linuxnix:~] $ rpm -qa | grep -i tmpwatch

This utility provides a couple of files which includes the tmpwatch binary itself along with other files the most important one being /etc/cron.daily/tmpwatch.

[sahil@linuxnix:~] $ rpm -ql tmpwatch

The cronjob or script defined in /etc/cron.daily/tmpwatch executes once every day at 3:05 a.m. The time of execution of the script is defined by the values mentioned in the /etc/anacrontab file. Given below is the content of the file on a Centos 6 system:

[root@linuxnix ~]# cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

# the maximal random delay added to the base delay of the jobs
# the jobs will be started during the following hours only

#period in days delay in minutes job-identifier command
1 5 cron.daily nice run-parts /etc/cron.daily
7 25 cron.weekly nice run-parts /etc/cron.weekly
@monthly 45 cron.monthly nice run-parts /etc/cron.monthly

This states that every script contained in the /etc/cron.daily directory will be executed once every day at 3:05 a.m. Given below is the /etc/cron.daily/tmpwatch script:

[root@linuxnix ~]# cat /etc/cron.daily/tmpwatch
#! /bin/sh
/usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
-x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
-X '/tmp/hsperfdata_*' -X '/tmp/.hdb*lock' -X '/tmp/.sapstartsrv*.log' \
-X '/tmp/pymp-*' 10d /tmp
/usr/sbin/tmpwatch "$flags" 30d /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
if [ -d "$d" ]; then
/usr/sbin/tmpwatch "$flags" -f 30d "$d"

Given below is a description of the options used in the above script

-u, –atime
Make the decision about deleting a file based on the file’s atime (access time). This is the default.

Note that the periodic updatedb file system scans keep the atime of directories recent.

-m, –mtime
Make the decision about deleting a file based on the file’s mtime (modification time) instead of the atime.

-c, –ctime
Make the decision about deleting a file based on the file’s ctime (inode change time) instead of the atime; for directories, make the decision based on
the mtime.

-x, –exclude=path
Skip path; if path is a directory, all files contained in it are skipped too. If path does not exist, it must be an absolute path that contains no symbolic links.

-X, –exclude-pattern=pattern
Skip paths matching pattern; if a directory matches pattern, all files contained in it are skipped too. pattern must match an absolute path that contains no symbolic links.

The time argument is a number with an optional single-character suffix specifying the units: m for minutes, h for hours, d for days. If no suffix is specified, time is in hours. 30d and 10d refer to the time interval after which tmpwatch will perform a clean up of the target directory.



We do not need to rely on the defaults that have been provided with the cron.daily script for tmpwatch. In case we require a different setup as compared to the default then we could implement our requirement with ease. Just to demonstrate how we could use this, I’ve created a couple of files in the /tmp file system

[root@linuxnix tmp]# ls -l
total 12
-rw-r--r--. 1 sahil sahil 4 Feb 20 16:02 file1
-rw-r--r--. 1 sahil sahil 4 Feb 20 16:02 file2
-rw-r--r--. 1 sahil sahil 0 Feb 20 16:02 file3
-rw-r--r--. 1 sahil sahil 0 Feb 20 16:02 file4
-rw-r--r--. 1 sahil sahil 0 Feb 20 16:02 file5
drwx------. 2 root root 4096 Feb 20 15:47 ssh-NjfmTj3097

After a couple of minutes I executed the following command:

[root@linuxnix tmp]# /usr/sbin/tmpwatch 2m /tmp

This resulted in the removal of files and directories in the /tmp file systems that had not been accessed in the last 2 minutes. The invocation of this command resulted in the removal of the five recently created files.

[root@linuxnix tmp]# ls -l
total 4
drwx------. 2 root root 4096 Feb 20 15:47 ssh-NjfmTj3097
[root@linuxnix tmp]#


In this article, we explained how the contents of the /tmp file system get removed over time and we also showed you a quick demonstration of using the tmpwatch command. We hope that you’ve found this article to be useful and we look forward towards your suggestions and feedback.

The following two tabs change content below.

Sahil Suri

He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.