/dev/null permissions

Elan Ruusamäe glen at delfi.ee
Thu May 22 12:20:39 CEST 2014

this has "escalated" to one of my vservers.
which is weird as i thought vservers can't alter permissions of device 

crw-rw---- 1 root root 1, 3 Jul  8  2008 /dev/null

i'm suspecting bash being the cause of the poison, as it was recently 
updated there

# rpm -q bash --blink
         <= bash-4.3.0-1.i686.rpm

On 19.05.2014 21:39, Elan Ruusamäe wrote:
> something funny is happening on one of my machine
> /dev/null permissions get reset to 660 (which is common for root umask 
> 7 i'm using)
> i have not found pattern in how or when it gets changed
> i have stopped crond and still /dev/null premissions get reset to 660 
> opposed to sane 666 permission
> i've added auditd rule to track this, but unfortunately it's not 
> giving any useful information how the permissions get reset to 660
> my /etc/audit/audit.rules:
> -D
> -b 320
> -w /dev/null -p a
> any ideas:
> 1) wtf causes this?
> 2) how to try to audit system to figure it out?
> i'm thinking something running as root is "fixing" it's own 
> permissions via fchmod which is "accidentally" linked to /dev/fd/2 => 
> /dev/null
> i've tried to mv /dev/null /dev/null1; mknod /dev/null, but that did 
> not stop the activities in that system


More information about the pld-devel-en mailing list