
Re: rkhunter found this...



On Thu, 2009-03-26 at 18:03 -0700, Rick Stevens wrote:
> Daniel B. Thurman wrote:
> > Tom Horsley wrote:
> >> On Thu, 26 Mar 2009 20:07:54 -0400
> >> brian wrote:
> >>
> >>  
> >>>> It means some script somewhere did an rm -f on /dev/null
> >>>> then later some other script redirected output to /dev/null
> >>>> thus creating it as a regular file.
> >>>>         
> >>> It looks more like a typo, as another poster said (one L).
> >>>     
> >>
> >> Could be, but I had /dev/null deleted on a machine once and
> >> the ensuing fun was really spectacular :-).
> >>
> >> Doing "whatever > /dev/null" wasn't too bad, but when
> >> someone said "whatever < /dev/null" amazingly random things
> >> could happen.
> >>
> >>   
> > The point is, it is not MY scripts doing this!  I have had
> > this bugger for quite some time on F9 and it does not
> > go away!  Grr.  I just deleted it every time rkhunter
> > reports it.  Probably just ignore the darn thing....
> 
> Do NOT ignore it.  I don't think you quite understand what /dev/null
> is.  It is supposed to be a device, not a file.  Somehow it got deleted
> and now whenever a script or something does a redirect of its output to
> /dev/null, instead of going to a device (and thence into the bit 
> bucket), it creates a file called /dev/null.
> 
> To fix it:
> 
> 1. Do an "ls -Z /dev/null" and make sure there is no _regular_ file,
> directory, symlink, pipe or anything else called "/dev/null".  Check the
> first character of the permissions.  If it's anything other than a "c"
> then delete the file (you may need to do an "rm -rf /dev/null" to kill
> it).
> 
> 2. As root, run "MAKEDEV -x null".  That should recreate the device
> file.
> 
> 3. Run "ls -Z /dev/null" again and you should see something like:
> 
> crw-rw-rw-  root root system_u:object_r:null_device_t:s0 /dev/null
> 
> displayed.  If the first character of the permissions is NOT a "c", it
> didn't work.
You didn't ask if he was running selinux. ls -Z is overkill over ls -l
and will not work if selinux is disabled.
--
=======================================================================
Q: What is purple and concord the world? A: Alexander the Grape.
=======================================================================
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam sbcglobal net
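
Added example, not part of the thread: a shell check for the condition rkhunter reported, which tells apart the ways /dev/null can be wrong (regular file, symlink, directory, missing, or a character device with the wrong numbers) without relying on SELinux labels. The function names are hypothetical, and the major 1 / minor 3 device number is the Linux value for the null device, which the thread itself does not state.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies whatever sits at a path that
# should be the null device. Prints one word and returns 0 only for "ok".
# Assumes Linux with a stat that supports -c (GNU coreutils or busybox).

check_null_device() {
    path=${1:-/dev/null}

    # Symlink test comes first: -e, -f, -d and -c all follow links.
    if [ -L "$path" ]; then echo symlink; return 1; fi
    if [ ! -e "$path" ]; then echo missing; return 1; fi
    if [ -f "$path" ]; then echo regular; return 1; fi
    if [ -d "$path" ]; then echo directory; return 1; fi
    if [ ! -c "$path" ]; then echo other; return 1; fi

    # A character device is not enough: the Linux null device is major 1,
    # minor 3. stat prints both in hex as %t:%T.
    if [ "$(stat -c '%t:%T' "$path")" != "1:3" ]; then
        echo wrong-device; return 1
    fi
    echo ok
}

describe_null_device() {
    path=${1:-/dev/null}
    state=$(check_null_device "$path") && { echo "$path: ok"; return 0; }
    case $state in
        regular)
            # Size shows how much redirected output has piled up in the file.
            echo "$path: regular file, $(wc -c < "$path") bytes captured" ;;
        *)
            echo "$path: $state" ;;
    esac
    return 1
}

# Report on the real node; "|| true" keeps the script's own exit status at 0.
describe_null_device /dev/null || true
```

Any result other than "ok" corresponds to the case in step 1 of the quoted procedure, where the first character of the permissions is not a "c".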

