You could use sysdig or similar tracing software $ sudo sysdig 'fd.name contains /tmp'Īnd let that run for a while to learn what software uses /tmp in what way. Kerberos for example may place ticket files under /tmp, so removing that directory may then cause all user logins to fail (hopefully root has a local password, or.). This depends wildly on the version of unix, and what exact software is running on that unix.