System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

/dev/null changes to ordinary file

/dev/null changes to ordinary file

could you guys help me to create a script to check which process is modifying /dev/null from a character device to an ordinary file?

 

thanks in advance!!

2 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: /dev/null changes to ordinary file

Hi:

 

The 'root' user should be the only one capable of removing '/dev/null'.  The recreation is likely a consequence of a subsequent redirection to '/dev/null' after the device file has been removed.

 

You might be able to pin-point the time and by inference the person responsible by looking at a command history ('${HOME}/.sh_history').  You should also examine all scripts that 'root' runs (e.g. crontasks) to look for errant 'rm' commands.

 

Regards!

 

...JRF...

Dennis Handly
Acclaimed Contributor

Re: /dev/null changes to ordinary file

If JRF's suggestions don't help you find the cause, you may have to turn on auditing.

 

You can also look at the time stamp of /dev to see when null was removed: ll -d /dev