Bugtraq mailing list archives

Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache


From: scott () Disclosure COM (Scott Barman)
Date: Fri, 25 Aug 1995 12:49:52 -0400


On Thu, 24 Aug 1995, Dr. Frederick B. Cohen wrote:

> Joy of joys.
>
> After running lsof (the security program identified by the CERT that
> lists open files) I found the following file:
>
> -rw-rw-rw-  1 root           8025 Aug 24 04:10 /tmp/.lsof_dev_cache
>
> This file appears to hold pointers into device files, memory maps, etc.
> which lsof reads the next time around.  It could be very dangerous since
> lsof normally runs as root.  Please tell me I'm wrong and it's not a hazard.

If you installed it right, lsof does not run as root.  In fact, on a Sun
running SunOS 4.1.3_U1 I have it installed as setgid to kmem.  Under
SunOS, that's sufficient permissions to allow it to read /dev/kmem.

Also, it creates the file as the real user who invoked it when it had to
build the cache.  If I do an "ls -lg" on the one created here:

-rw-rw-rw-  1 scott    research    11465 Aug 25 12:37 /tmp/.lsof_dev_cache

Both the user and group are correct for my login.  Our root is not in
group "research."

Finally, according to the 00FAQ file in the source directory (and I
picked up my copy from CERT, too), the reading of this file has 10
checks for validity.  If it fails one of them, then the cache is
rebuilt.  Amongst the checks is a checksum and checking the information
on the file using stat().

Otherwise, it does give you a way to turn this feature off, if you are
still unconvinced this is not so much of a problem.

I would suggest you RTFF (Read The Fine FAQ) for more information.

scott barman
--
scott barman                  DISCLAIMER: I speak to anyone who will listen,
scott () disclosure com                      and I speak only for myself.
barman () ix netcom com
  "Micro$oft and Windoze/NT will be the cause of the de-evolution of
   network security just as the original PC and BASIC was the cause of
   the de-evolution of programming."
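
The reply above says the cache is validated with a checksum and stat() before it is trusted. The following is an added example, not lsof's code and not a reconstruction of its 10 checks, showing that general pattern in C. The file layout, the toy checksum, the names `check_cache`, `body_sum` and `demo`, and the stricter rule of rejecting group- or world-writable files are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CACHE_OK, CACHE_OPEN, CACHE_STAT, CACHE_SUM };  /* non-OK: rebuild */

static unsigned body_sum(const unsigned char *p, size_t n) {  /* toy checksum */
    unsigned s = 0;
    while (n--) s = s * 31 + *p++;
    return s;
}

int check_cache(const char *path, uid_t owner) {
    unsigned char buf[4096];
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse a symlink */
    if (fd < 0) return CACHE_OPEN;
    /* fstat() the descriptor so the checks and the read see the same file */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
             st.st_nlink == 1 && !(st.st_mode & (S_IWGRP | S_IWOTH)) &&
             st.st_size >= (off_t)sizeof(unsigned) && st.st_size <= (off_t)sizeof buf;
    ssize_t n = ok ? read(fd, buf, sizeof buf) : -1;
    close(fd);
    if (!ok || n != st.st_size) return CACHE_STAT;
    unsigned sum = body_sum(buf + sizeof sum, (size_t)n - sizeof sum);
    return memcmp(buf, &sum, sizeof sum) == 0 ? CACHE_OK : CACHE_SUM;
}

int demo(mode_t mode, int corrupt) {   /* constructed sample cache in /tmp */
    char path[] = "/tmp/cache_demo_XXXXXX";
    const unsigned char body[] = "constructed device table";
    unsigned sum = body_sum(body, sizeof body) + (unsigned)corrupt;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int bad = write(fd, &sum, sizeof sum) < 0 || write(fd, body, sizeof body) < 0 ||
              fchmod(fd, mode) != 0;
    close(fd);
    int r = bad ? -1 : check_cache(path, geteuid());
    unlink(path);
    return r;
}

int main(void) {
    printf("%d %d %d\n", demo(0600, 0), demo(0666, 0), demo(0600, 1));
    return 0;
}
```

`main` prints the result codes for an intact 0600 file, an intact 0666 file like the one in the thread, and a 0600 file with a wrong checksum.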


