MacOS – File or directory called ~ (tilde) in the root of the startup volume

findermacosterminal

I just noticed that I've got a mysterious file simply called ~ in the root of my harddrive. I suspect that I've created it by accident while using terminal.

I know about using ~ as an alias to quickly get to the current user and I use it extensively, so there is a reasonable chance that I've been wanting to create a new file and possibly been in the process of writing something in the lines of touch ~/new_filebut changed my mind and accidentally pressed enter after touch ~?

But that does not explain the fact that the file is 3.1MB?

Furthermore, the file appears as a file in Finder, but if I try doing either cat ~ or vim ~on it in terminal I'm told that it is actually a directory. But doing an ls -l suggests something else:

-rw-------    1 root  wheel   3.0M Apr  3 13:37 ~

And have a look at the creation date …today at 13:37 (ie. LEET).

I discovered that there are a couple of threads where people experience the same thing and the answer seems to be some application failing to write to the user directory, but the timestamp is what makes me suspicious (tin foil hat?).

  1. Could this be something malicious?
  2. Can I log what or who wrote the
    file somehow?
  3. Can I figure out what's inside it?
  4. How can I make sure
    it is safe to delete this file/directory or whatever it is?

Edit: Regarding this question being marked as a duplicate, I explicitly mention that I've read the original thread and none of my four questions above have been answered in that thread, so please read the entire question before flagging.

Best Answer

  1. Could this be something malicious?

No, this is simply a file on your computer that happens to be named the same as a shell expansion. It doesn't have the execute bit set, so can't be executed as a binary file by Terminal. A malicious app probably won't be creating a ~ file in the root of your hard disk.

  1. Can I log what or who wrote the file somehow?
  2. Can I figure out what's inside it?

You won't be able to find out what wrote the file unless it was a process which wrote to the console (/Applications/Utilities/Console.app). You can look for processes which are currently accessing the file with sudo opensnoop -f "/~".

Seeing which processes (if any) are accessing the file may give you an indication as to what is inside the file, or you can open it with a text editor or hex editor and certain phrases might be recognisable to you, which may give you an indication as to

  1. How can I make sure it is safe to delete this file/directory or whatever it is?

If opensnoop says that nothing's currently accessing it and nothing accesses it whilst you use your computer, then you're not breaking anything by removing it. It's not a file that should be there, or is required by the system to function.

For more information about this subject, see this related question:

Related Question