Bugtraq mailing list archives

Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache


From: abe () vic cc purdue edu (Vic Abell)
Date: Thu, 24 Aug 1995 16:45:10 -0500


In message <9508241734.AA16279 () all net> you write:

> Joy of joys.
>
> After running lsof (the security program identified by the CERT that
> lists open files) I found the following file:
>
> -rw-rw-rw-  1 root           8025 Aug 24 04:10 /tmp/.lsof_dev_cache
>
> This file appears to hold pointers into device files, memory maps, etc.
> which lsof reads the next time around.  It could be very dangerous since
> lsof normally runs as root.  Please tell me I'm wrong and it's not a hazard.

I forgot to comment on two misconceptions in this last paragraph.
First, lsof does not normally run as root -- whatever that means.
If it means setuid root, lsof only needs to run that way under V88
R40V4.x and UnixWare.  Everywhere else it can run setgid to the
group that can read /dev/kmem.

Second, the file /tmp/.lsof_dev_cache (I call it the device cache
file) does not contain any etc.  It is strictly a file of information
about the nodes in /dev.  That's documented in the lsof distribution
package.

One other note -- and this appears in the lsof documentation, too --
the writing of the device cache file to /tmp can be disabled when
lsof is built or when lsof is run.  The penalty is increased startup
time.  I've encountered a system with over 10,000 nodes in /dev
and it takes a lot of work to stat() them all.  Many Unix dialects
impose an additional time penalty when the object of a stat() call
is in /dev or /devices.

So, if you're really worried about this file, my advice (again,
documented in the lsof distribution :-) is to build lsof with the
device cache feature disabled.  Just edit machine.h for your dialect
(or dialects) and disable the definition of HASDCACHE.

Vic Abell, lsof author


