/dev/null changes to ordinary file

Could you guys help me to create a script to check which process is modifying /dev/null from a character device to an ordinary file?


Thanks in advance!!

James R. Ferguson
Re: /dev/null changes to ordinary file



The 'root' user should be the only one capable of removing '/dev/null'.  The recreation is likely a consequence of a subsequent redirection to '/dev/null' after the device file has been removed.


You might be able to pinpoint the time and by inference the person responsible by looking at a command history ('${HOME}/.sh_history').  You should also examine all scripts that 'root' runs (e.g. cron tasks) to look for errant 'rm' commands.





Re: /dev/null changes to ordinary file

If JRF's suggestions don't help you find the cause, you may have to turn on auditing.


You can also look at the time stamp of /dev to see when null was removed: ll -d /dev
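
A polling sketch that ties the replies above together, added here as an example and not posted by anyone in the thread: it logs the moment /dev/null stops being a character device, together with the long listing of /dev, so the time can be matched against shell history, cron jobs or audit records. The function names, default log path and poll interval are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Default log path and interval are assumptions.

# Classify a path: chardev, regular, missing or other.
node_state() {
    if [ -c "$1" ]; then echo chardev
    elif [ -f "$1" ]; then echo regular
    elif [ ! -e "$1" ]; then echo missing
    else echo other
    fi
}

# One log record: time, state, and long listings of the parent directory and the
# node. The directory's mtime moves when an entry in it is removed or created.
snapshot() {
    dev=$1
    dir=$(dirname "$dev")
    printf '%s state=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$(node_state "$dev")"
    ls -ld "$dir" "$dev" 2>&1 || :   # ls fails if the node is missing; keep going
}

# Append a snapshot to the log when the state differs from the previous one.
# Prints the current state so the caller can carry it into the next poll.
check_once() {
    dev=$1; prev=$2; log=$3
    cur=$(node_state "$dev")
    if [ "$cur" != "$prev" ]; then
        snapshot "$dev" >> "$log"
    fi
    echo "$cur"
}

# Poll until killed; intended to run as root in the background.
watch_node() {
    dev=${1:-/dev/null}; log=${2:-/var/tmp/devnull_watch.log}; interval=${3:-10}
    state=chardev
    while :; do
        state=$(check_once "$dev" "$state" "$log")
        sleep "$interval"
    done
}

# Start polling only when called as: script watch [node] [log] [seconds]
if [ "${1:-}" = watch ]; then
    shift
    watch_node "$@"
fi
```

Polling narrows the change to one interval but does not name the process; that is what auditing provides.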