[2161] in bugtraq


Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache

daemon@ATHENA.MIT.EDU (Vic Abell)
Tue Aug 29 01:08:07 1995

Date:         Thu, 24 Aug 1995 16:45:10 -0500
Reply-To: abe@cc.purdue.edu
From: Vic Abell <abe@vic.cc.purdue.edu>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  Your message of Thu, 24 Aug 95 13:34:46 -0400.
              <9508241734.AA16279@all.net>

In message <9508241734.AA16279@all.net> you write:
>
>Joy of joys.
>
>After running lsof (the security program identified by the CERT that
>lists open files) I found the following file:
>
>-rw-rw-rw-  1 root           8025 Aug 24 04:10 /tmp/.lsof_dev_cache
>
>This file appears to hold pointers into device files, memory maps, etc.
>which lsof reads the next time around.  It could be very dangerous since
>lsof normally runs as root.  Please tell me I'm wrong and it's not a hazard.

I forgot to comment on two misconceptions in this last paragraph.
First, lsof does not normally run as root -- whatever that means.
If it means setuid root, lsof only needs to run that way under V88
R40V4.x and UnixWare.  Everywhere else it can run setgid to the
group that can read /dev/kmem.

Second, the file /tmp/.lsof_dev_cache (I call it the device cache
file) does not contain any etc.  It is strictly a file of information
about the nodes in /dev.  That's documented in the lsof distribution
package.

One other note -- and this appears in the lsof documentation, too --
the writing of the device cache file to /tmp can be disabled when
lsof is built or when lsof is run.  The penalty is increased startup
time.  I've encountered a system with over 10,000 nodes in /dev
and it takes a lot of work to stat() them all.  Many Unix dialects
impose an additional time penalty when the object of a stat() call
is in /dev or /devices.

So, if you're really worried about this file, my advice (again,
documented in the lsof distribution :-) is to build lsof with the
device cache feature disabled.  Just edit machine.h for your dialect
(or dialects) and disable the definition of HASDCACHE.

Vic Abell, lsof author
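
Added example, not part of the original message and not lsof's own code: one way a program that runs setgid could decide whether to trust a cache file such as the -rw-rw-rw- one reported above before reading it. The helper name `cache_file_verdict()`, the verdict values and the sample path are hypothetical.

```c
/* Added example, not lsof source; cache_file_verdict() is a hypothetical helper. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* UNOPENABLE: missing, unreadable or a symlink. WRITABLE: group/other write bit set. */
enum cache_verdict { CACHE_OK, CACHE_UNOPENABLE, CACHE_NOT_REGULAR,
                     CACHE_BAD_OWNER, CACHE_WRITABLE };

/* Judge the opened object via fstat() on the descriptor, so the file cannot be
 * swapped between check and read. *fd_out is readable on CACHE_OK, else -1. */
enum cache_verdict cache_file_verdict(const char *path, int *fd_out)
{
    struct stat st;
    enum cache_verdict v = CACHE_OK;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    *fd_out = -1;
    if (fd < 0) return CACHE_UNOPENABLE;
    if (fstat(fd, &st) != 0)
        v = CACHE_UNOPENABLE;
    else if (!S_ISREG(st.st_mode))
        v = CACHE_NOT_REGULAR;           /* directory, FIFO, device node */
    else if (st.st_uid != 0 && st.st_uid != getuid())
        v = CACHE_BAD_OWNER;             /* neither root nor the invoking user */
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        v = CACHE_WRITABLE;              /* e.g. -rw-rw-rw- */
    if (v == CACHE_OK) *fd_out = fd;
    else close(fd);
    return v;
}

int main(void)
{
    char path[] = "/tmp/dcache_demo_XXXXXX";   /* constructed sample file */
    int fd, tfd = mkstemp(path);
    if (tfd < 0) return 1;
    fchmod(tfd, 0666);                         /* the mode from the report */
    printf("mode 0666: verdict %d\n", cache_file_verdict(path, &fd));
    fchmod(tfd, 0600);
    printf("mode 0600: verdict %d\n", cache_file_verdict(path, &fd));
    close(fd); close(tfd);
    return unlink(path) != 0;
}
```

A caller that gets anything other than `CACHE_OK` would fall back to rebuilding the device information with stat(), paying the startup cost the message describes.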
