Weblog entry #1 for Dimon

/dev/null permissions problem
Posted by Dimon on Sun 18 Mar 2007 at 11:30
Tags: none.
I'm using Debian 3.1 with the 2.6.8-2-386 kernel and am experiencing the following problem: my /dev/null permissions are 0600; if I set the permissions to the correct 666, something changes them back to 0600 after some time :(
Is it some process that changes /dev/null permissions?? I don't run any 'unusual' programs, just a basic set like apache, exim4, imapd, etc.

 

Comments on this Entry

Posted by JulienV (86.213.xx.xx) on Sun 18 Mar 2007 at 11:38
Does your system run udev? If yes, you might have a look at https://launchpad.net/ubuntu/+bug/63031 (not a Debian bug, but might also happen on Debian).

Cheers,
Julien

Posted by Dimon (193.125.xx.xx) on Sun 18 Mar 2007 at 11:48
Thanks, but it seems that I found the problem. I'm not running udev, but somebody has linked the history file in the /root/.mc directory to /dev/null, so each time I exited mc started as root, /dev/null was chmoded to 0600 :) Btw, is it a standard feature of mc, or has somebody created this symlink manually in the past?
--
SoftAria: Prime grade software development

Posted by Anonymous (87.127.xx.xx) on Sun 18 Mar 2007 at 21:44
The ~/.mc/history file shouldn't be a symlink to /dev/null. It should be a text file, chmod'd 0600...

The only time I've seen history files (such as ~/.bash_history) symlinked to /dev/null is when someone has compromised an account/entire machine and they're attempting to hide their tracks.

Posted by Utumno (66.234.xx.xx) on Mon 19 Mar 2007 at 06:30
History file linked to /dev/null? Very suspicious...

Posted by daemon (155.232.xx.xx) on Mon 19 Mar 2007 at 19:21
I would have thought so too, until today. Odd how things happen like this sometimes -- last night I read this thread, and today I had to look at a SuSE a co-worker of mine is working with, and guess what I find -- /root/.bash_history -> /dev/null

Maybe it's a weird SuSE root safety thing. Still, I don't think I like it particularly much...

Cheers.

Posted by Anonymous (87.127.xx.xx) on Mon 19 Mar 2007 at 19:39
Did you find this on the same machine where you found the mc history file symlinked to /dev/null?

If you did, I'd pull the network cable and go through the machine with a fine-tooth comb. If it is the same machine, you're probably looking at a compromise where someone has gained root.

I don't use SuSE but I'd be 101% sure that symlinking .bash_history to /dev/null is *not* normal. As I've said previously, the only time I've seen this is when a machine has been compromised.

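A triage check for the two symptoms discussed in this thread, added here as an example and not posted by any of the commenters: it verifies that /dev/null is still a mode-666 character device and lists history files (`.*history`, `.mc/history`) that are symlinks resolving to /dev/null. It assumes Linux with GNU coreutils (`stat -c`, `readlink -f`); the function names and the throwaway demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for a /dev/null whose mode keeps changing and for
# history files redirected to /dev/null. Assumes GNU stat and readlink.

# Print the octal permission bits of a path.
mode_of() { stat -c '%a' "$1"; }

# Succeed only if the path (default /dev/null) is a character device
# with mode 666.
devnull_ok() {
    dev="${1:-/dev/null}"
    [ -c "$dev" ] && [ "$(mode_of "$dev")" = "666" ]
}

# Print every history file under the given home directories that is a
# symlink resolving to /dev/null. Regular history files are ignored.
find_null_history() {
    for home in "$@"; do
        for f in "$home"/.*history "$home"/.mc/history; do
            [ -L "$f" ] || continue          # also skips unmatched globs
            target=$(readlink -f "$f")
            if [ "$target" = "/dev/null" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Constructed demo: a throwaway "home" with one redirected history file
# and one normal one. Real use: find_null_history /root /home/*
demo=$(mktemp -d)
mkdir "$demo/.mc"
ln -s /dev/null "$demo/.mc/history"
: > "$demo/.bash_history"

devnull_ok || echo "WARNING: /dev/null is not a mode-666 character device"
find_null_history "$demo" | while read -r hit; do
    echo "history file points at /dev/null: $hit"
done
rm -rf "$demo"
```

A hit explains the permission flip described in the entry (a program running as root chmods its "history file" through the symlink), and, as the commenters point out, the symlink itself warrants a closer look at how it got there.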