Modified /dev/null by MailScanner?

Furnish, Trever G TGFurnish at herffjones.com
Wed Jan 17 20:38:26 CET 2007


Whoa!  You have a bigger problem than you think -- your ls output shows
that /dev/null has been replaced by a normal file.  The null device is
supposed to be a character special device file that discards anything
written to it.
 
The exact major and minor number (and potentially the requirements to
create it) are specific to your platform (Linux, Solaris, HPUX) and
possibly your kernel version.  If you're using Linux, you probably have
a manual page for "null", so see "man null".
 
On my Redhat Enterprise systems, /dev/null is always like so:
# ls -l /dev/null
crw-rw-rw-    1 root     root       1,   3 Jun 24  2004 /dev/null

Notice the 'c' in the first column -- that means it's a character
special file.
 
Notice the "1, 3" after the group ownership -- those are the major and
minor numbers.
 
If you're running a linux system, you probably need to do the following:
rm -f /dev/null
mknod -m 666 /dev/null c 1 3
chown root:root /dev/null
 
Lots of things write to /dev/null.  Having that be a special file WILL
break things and will probably cause the / filesystem to fill
eventually.  Once /dev/null becomes completely unwriteable (as would
happen if the filesystem fills), the machine will probably not boot up
cleanly.
 
Back to WHY this occurred, I would not for something that *changes*
/dev/null, but rather for something that *removes* /dev/null by mistake.
Once it's been removed, whatever attempts to write to that file next
will create a file and the ownership will be set depending on the
writing process' uid/gid/umask.
 
This is actually a common thing.  I used an ftp library once that asked
for a log file, and at some point I decided to discard the logs by
setting the log file to "/dev/null".  Unfortunately for me, the library
actually unlinked the log file (/dev/null) instead of just opening it
and seeking to the beginning of the file.  A few weeks after I made the
change, / was filled and lots of things started to fail.
 
Hope that helps,
Trever
 


________________________________

	From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of den gon
	Sent: Monday, January 15, 2007 9:45 PM
	To: mailscanner at lists.mailscanner.info
	Subject: Modified /dev/null by MailScanner?
	
	
	Hi again to all,
	
	I noticed that when I login on my system using non-root account,
its says
	"-bash: /dev/null: Permission denied". I checked it permission
and it owned by 
	root and smmsp. Is it the MailScanner/sendmail process changed
it? 
	
	"-rw-------    1 root     smmsp       23448 Jan 16 10:35
/dev/null"
	
	admin at server's password:
	Last login: Tue Jan 16 10:10:38 2007 from x.x.x.x
	-bash: /dev/null: Permission denied
	-bash: /dev/null: Permission denied 
	-bash: /dev/null: Permission denied
	-bash: /dev/null: Permission denied
	-bash: /dev/null: Permission denied
	-bash: /dev/null: Permission denied
	[admin at server admin]$ su -
	Password:
	[root at server root]#          
	
	Regards,
	
	ned
	

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070117/f7444ea1/attachment.html


More information about the MailScanner mailing list