blob: a6c03ead31e955e9acaafaf7548505d066aeca2d [file] [log] [blame]
Configuring The Device Cache File Path
Contents
A. Introduction and History
B. Device Cache File Format
1. Integrity Checks
2. The Setgid and Setuid-root States
C. Device Cache File Path Options
1. Path Named by ``-D''
2. Path Named in Environment Variable
3. Default System-wide Path
a. Build Procedure
4. Default Personal Path
5. Modified Default Personal Path
D. Displaying the Default Path
Appendix A, Unix Dialects Without a Device Cache
Appendix B, Lsof Dialects and Their Permissions
1. Setuid-root Lsof Dialects
2. Setgid Lsof Dialects That Surrender Setgid
Permission
A. Introduction and History
===========================
Lsof writes a file of information about the contents of the nodes
in /dev (or /devices) to reduce its startup overhead on later calls.
It does this for all Unix dialects, except those noted in Appendix A.
This file, called the device cache file, enables lsof to avoid
calling the kernel stat(2) function on every node in /dev (or
/devices) from which it builds a table of correspondence between
major/minor device numbers and device names.
A full scan of /dev (or /devices) on some systems may involve
calling the sometimes-slow stat(2) function 10,000 times or more.
Furthermore, each stat(2) call consumes space in the kernel's name
cache, forcing from it path name components that would be more
useful when lsof tries to associate them with open files.
While it's hard to question the usefulness of the device cache,
it's also hard to decide where it should be written. When the
feature was first added, the device cache file was written to /tmp,
and its ownership was set to that of the real user ID (UID) under
which the creating lsof process was run. However, to enable any
process to update it when /dev (or /devices) changed, lsof set its
modes to 0666, thus allowing anyone to read or write it.
The writing of a world-readable and world-writable device cache
file to any place has security weaknesses. A clever intruder who
carefully preserves the integrity of the file might be able to
remove devices that would prevent lsof from observing the intruder's
files. A clever intruder might also be able to put a symbolic link
in place and trick lsof into writing to the link's destination with
its effective permissions, thus bypassing the real user's (possibly
weaker) permissions.
Later the location of the device cache file was changed. It was
converted to a personal file, located in the home directory of each
real UID that executed lsof, and owned by that UID. Thus it was
no longer possible for one user to affect lsof's access to the
device cache file, nor was it possible for a user to mount a symbolic
link attack on a restricted file, but the result was that each lsof
user had a private copy of the device cache file.
The device cache file feature has undergone some further refinements
in path name formation to reach its present state. This documentation
describes the path name formation options open to the lsof builder
and user after those refinements, and how lsof attempts to insure
that none of the options presents a security risk.
B. Device Cache File Format
===========================
The device cache file is a flat file of ASCII text. It has an
initial statement of how many sections the file might contain --
the possible sections are character devices, block devices, clone
devices, pseudo devices, and checksum. The character devices and
checksum sections are always present.
Each section has a header that numbers the entries in the section.
The last section is a checksum section that contains a 16 bit cyclic
redundancy (CRC) checksum of everything in the file but the checksum
section itself.
Lsof always sets the permission modes of the device cache file to
0600, and the owner to the real UID of the process that executes
lsof; the group, the real group ID (GID) of the lsof process.
Setting the permission modes to 0600 means that a system-wide device
cache file won't be usable unless the procedure that builds it
changes the modes after lsof has written it. A suitable procedure
for building a system-wide device cache that shows how to adjust
these inadequate permission modes is given in the Default System-wide
Path section.
B.1. Integrity Checks
=====================
When lsof opens the device cache file it makes these integrity
checks:
1. Lsof must gain permission from access(2) to be able to
open the file for reading. If lsof is writing the file,
it usually cedes permission control to the applicable
directory and file modes and ownerships. (Some additional
checks apply and they're described in the sections on path
options.)
By explicit design lsof never writes to the system-wide
device cache file, even when the real UID of its process
is root. The system-wide device cache file must be written
with a root-owned procedure via the ``-D[b|u<path>'' options
-- i.e., under the system administrator's control. (See
the Build Procedure sub-section of the Default System-wide
Path section.)
2. The device cache file's modes must be 0600 (0644 if lsof
is reading a system-wide device cache file) and its size
must be non-zero.
3. There must be a correctly formatted section count line
at the beginning of the file.
4. Each section must have a header line with a count that
properly numbers the lines in the section. The first words
of legal section titles are "device", "block", "clone",
"pseudo", and "CRC".
5. The lines of a section must have the proper format.
6. All lines are included in a 16 bit CRC, and it is recorded
in a non-checksummed section line at the end of the file.
7. The checksum computed when the file is read must match the
checksum recorded when the file was written.
8. The checksum section line must be followed by end-of-
information.
9. Lsof must be able to get matching results from stat(2)
on a randomly chosen entry of the device section.
B.2. The Setgid and Setuid-root States
======================================
There are two fundamental ways in which lsof is granted access to
restricted system resources. Both access methods are related to the
effective permissions given the lsof binary or executable.
The first and preferable way to grant lsof access to system resources
through the permissions endowed on its executable is the giving of
set group ID (setgid) permission. The group is the one that has
permission to read the kernel memory and swap devices -- e.g., /dev/kmem,
/dev/mem, /dev/swap, etc.
This method of granting access is called setgid mode because it
enables lsof to run with an effective group ID set to the one
granted by the permissions of its executable file and by the group
that owns the executable file. See the getegid(2) man page for a
further discussion of effective group ID.
Usually lsof only needs setgid permission to open access to the
kernel memory files. After they're open, lsof drops its setgid
permission.
The second and least preferable way to grant lsof access to system
resources through the permissions endowed on its executable is the
giving of set user ID to root (setuid-root) permission. This is
much too strong a permission, but necessary: to use the -X option
fully for the version of lsof for AIX 5 and above; to use the
version of lsof for HP-UX 11.11 and above; and to use the version
of lsof for Linux 2.1.72 and above. These lsof implementations
require setuid-root permission to be able to access restricted
resources -- e.g., the individual files of the /proc file system.
(But note that the setuid-root Linux lsof doesn't need and has no
device cache support.)
Lsof never drops setuid-root permission, because it needs that
power throughout its execution. However, when the lsof process is
setuid-root, lsof disallows these device cache file path options:
1. It ignores the ``-D[b|r|u]<path>'' options. It accepts
only the ``-Di'' and ``-Dr'' options.
2. It refuses to recognize a path supplied via an environment
variable.
3. It refuses to accept an additional path component from an
environment variable to be inserted in the middle of a
personal device cache file path.
Each restriction is imposed because setuid-root power might allow
a malicious user to form a device cache file path that would give
read access to a normally inaccessible place (That's bad enough.),
or write access to a critical system file (That's the worst case.)
There is one further state that lsof can enter that is slightly
different from the setuid-root and setgid states. That state occurs
when lsof is being run from a root shell -- i.e., the lsof real
user ID is root. To avoid accidental complications, when lsof is
in this state, it ignores all environment variable options.
In the rest of this document you will find more detailed discussion
of the special restrictions caused by the type of permission that
has been given the lsof executable.
C. Device Cache File Path Options
=================================
Lsof offers five options for constructing the path to the device
cache file. Each has special conditions and safeguards that
surround its use. The options are:
1. A device cache file that is named in the <path> component
of the parameters of lsof's ``-D'' option.
=========================================================
* This is a default option of the lsof distribution. *
* *
* Paths specified with this option are read-only unless *
* the real UID of the lsof process is root (0), or the *
* lsof process is able to surrender setgid permission *
* (See Appendix B) and it is not setuid-root. *
=========================================================
2. A device cache file whose name is specified by an environment
variable.
=========================================================
* This is a default option of the lsof distribution. *
* *
* This option is enabled when the lsof dialect is able *
* to surrender setgid permission (See Appendix B.), and *
* the lsof process is not setuid-root. *
* *
* The environment variable path is read-only if the *
* lsof process does not surrender setgid permission *
* (See Appendix B.) *
=========================================================
3. A system-wide default device cache file, located at a path
determined by the builder of lsof. The lsof builder is also
responsible for building the device cache file, using a
different lsof path formation option at a suitable time --
e.g., when the system is booted.
=========================================================
* This is option is disabled by default in the lsof *
* distribution. *
* *
* The path specified with this option is read-only. *
=========================================================
4. A default personal device cache file, located in the UID's
home directory.
=========================================================
* This is a default option of the lsof distribution. *
=========================================================
5. A personal device cache file whose name is modified by an
environment variable.
=========================================================
* This is a default option of the lsof distribution. *
* *
* The modified personal path is read-only if the lsof *
* process does not surrender setgid permission. *
* *
* This option is disabled when the lsof process is *
* setuid-root or its real UID is root (0). *
=========================================================
When there are multiple choices for the device cache file path,
lsof chooses from the above list in the order the list is given,
subject to restrictions based on the effective group and user IDs
that are in effect.
Each possible path name is discussed in a later section that
describes the restrictions that apply to it and the method for
building lsof to use it.
In one special case lsof will use two paths in order. When a
system-wide device cache file is enabled, and lsof finds that it
doesn't exist, lsof will attempt to use a personal device cache
file.
C.1. Path Named by ``-D''
=========================
The ``-D[b|r|u]<path>'' option can name a path for the device cache
file where it is unconditionally built (`b'); read, but never
rebuilt (`r'); and read and rebuilt, if necessary (`u').
If the lsof process is setuid-root, no path may be specified with
the ``-D'' option -- i.e., only the `i' function is accepted. The
`r' option may be used if it doesn't have a path argument.
If the lsof process is not setuid-root, nor is the real UID of the
lsof process root, a path may accompany the `b', `r', and `u'
functions if the lsof process surrenders setgid permission. (See
Appendix B.) If the process doesn't surrender setgid permission,
then a path may accompany only `r'.
Lsof's permission to access a device cache file at a path specified
with ``-D[b|r|u]<path>'' depends completely on the permission modes
and ownerships of the file and its directory components.
When the real UID of the lsof process is root (0), paths may be
specified with ``-D[b|r|u]''.
====================================================================
* *
* The ``-D[b|r|u]<path>'' option is enabled by default in the lsof *
* distribution by the following definition in the dialect's *
* machine.h header file: *
* *
* #define HASDCACHE 1 *
* *
* To disable all device cache file options, including all ``-D'' *
* forms, change the above line in the dialect's machine.h file to: *
* *
* /* #define HASDCACHE 1 */ *
* *
* or remove it. *
* *
* The ``-D[b|r|u]<path>'' options are disabled when the lsof *
* process is setuid-root. If the lsof process isn't setuid-root, *
* nor is its real UID root (0), and if the lsof process surrenders *
* setgid permission, ``-D[b|r|u]'' may be accompanied by a path. *
* *
* A path may accompany ``-D[b|u]'' when the real UID of the lsof *
* process is root. *
* *
* ``-Dr'' without a path name argument is always acceptable. *
* *
====================================================================
C.2. Path Named in Environment Variable
=======================================
A device cache file path may be declared in an environment variable.
This option is defined in the dialect's machine.h header file with
the HASENVDC definition. The value of the HASENVDC definition is
the environment variable's name.
Lsof will use the value of the environment variable named by HASENVDC
for the device cache file path unless either of the following
conditions apply:
1. The lsof process is in the setuid-root state.
or
2. The effective and real UIDs of the lsof process are root
(0).
Lsof uses the value of the HASENVDC environment variable as the
device cache file path after it senses there is no path declared by
a ``-D'' option.
A path from an environment variable is read-only unless the lsof
process surrenders setgid permission. (See Appendix B.)
====================================================================
* *
* The path name environment variable option is enabled by default, *
* and the environment variable is named LSOFDEVCACHE in the lsof *
* distribution by the following definition in the dialect's *
* machine.h header file: *
* *
* #define HASENVDC "LSOFDEVCACHE" *
* *
* To disable the path name environment variable option, change *
* the above line in the dialect's machine.h header file to: *
* *
* /* #define HASENVDC "LSOFDEVCACHE" */ *
* *
* or remove it. To change the name of the environment variable, *
* change the quoted value of the HASENVDC definition -- e.g., this *
* form changes the environment variable name to "FOOBAR": *
* *
* #define HASENVDC "FOOBAR" *
* *
* You can disable the path name environment option by disabling *
* all device cache file processing when you remove or by disabling *
* the HASDCACHE definition in the dialect's machine.h header file. *
* *
* The path name environment option is disabled when the lsof *
* process is setuid-root or when the real UID of the lsof process *
* is root (0). *
* *
* The path named in an environment variable is read-only unless *
* the lsof process surrenders setgid permission. (See Appendix *
* B.) *
* *
====================================================================
C.3. Default System-wide Path
=============================
When a default system-wide device cache file path is defined (It's
not enabled by default in the lsof distribution.), lsof will use
it after it discovers no path has been specified by a ``-D'' option
and no path has been specified in the environment variable named
in the string #define HASENVDC of the dialect's machine.h header
file.
Lsof must be able to open the system-wide device cache file --
i.e., it must have read access to the file and search access to
the directories that lead it. As part of its integrity checks,
lsof requires that the system-wide device cache file's permission
modes be 0644.
When lsof discovers that the named system-wide device cache file
doesn't exist, it will attempt to open a personal device cache file
should that path formation option be enabled. This is the *only*
case where lsof will attempt to use two device cache file paths.
The system-wide device cache file is read-only; lsof will never
attempt to write to it. However, when the real UID of the lsof
process is root, that process may name the system-wide device
cache file with ``-D[b|u]<path>''.
====================================================================
* *
* The system-wide file path option is disabled by default in the *
* lsof distribution. This place-marking definition in a dialect's *
* machine.h header file may be altered to enable a system-wide *
* device cache file path: *
* *
* /* #define HASSYSDC "/your/choice/of/path" */ *
* *
* To enable the system-wide name option, declaring that its path *
* is ``/foo/bar/lsof.dc'', change the above line in the dialect's *
* machine.h header file to: *
* *
* #define HASSYSDC "/foo/bar/lsof.dc" *
* *
* or change the quoted string of the definition to the path of *
* your choice. *
* *
* You can disable the path name environment option by disabling *
* all device cache file processing when you remove or disable the *
* HASDCACHE definition in the dialect's machine.h header file. *
* *
* The system-wide device cache file is read-only. *
* *
====================================================================
C.3.a. Build Procedure
======================
The system administrator must build the system-wide device cache
file at an appropriate time -- e.g., each time the system is booted,
and each time a node is added, deleted or modified in /dev (or
/devices). The procedure that builds the system-wide device cache
file must use lsof's ``-D[b|u]<path>'' options to build the file,
and must change the file's permission modes to 0644 after it has
been built.
Here's a simple shell script procedure to build a system-wide device
cache file. It assumes:
1. The Unix dialect's kernel supports the interpreter script
execution option -- i.e., a script whose first line has
the form ``#!<path_to_interpreter>''.
2. The chmod, echo, rm, sh, and test programs are located
in ``/bin''.
3. The string value of the HASSYSDC definition in the dialect's
machine.h header file is the path ``/your/choice/of/path''.
4. The lsof executable is located in ``/usr/local/etc''.
#!/bin/sh
#
# Simple script to build a system-wide device cache file
# for lsof.
HASSYSDC=/your/choice/of/path
/bin/rm -f $HASSYSDC
/usr/local/etc/lsof -Du$HASSYSDC > /dev/null 2>&1
if /bin/test $? -ne 0
then
/bin/echo "WARNING: failed to create $HASSYSDC"
exit 1
fi
/bin/chmod 0644 $HASSYSDC
exit 0
The invocation of lsof uses the ``-Du$HASSYSDC'' option to read
the device cache file and recreate it if necessary. The invocation
can be made more efficient if a known process PID -- e.g., ``-p1''
-- can be specified. However, if that PID is not always active
when lsof is called, lsof might set its exit code non-zero, causing
the subsequent test to believe that the lsof call failed. When in
doubt, omit the PID specification and accept the extra lsof processing
time for reporting and discarding all open file information.
C.4. Default Personal Path
==========================
The default personal path option is defined by default in the lsof
distribution. The path is formed of the home directory of the real
UID of the lsof process, followed optionally by the contents of
the HASPERSDCPATH environment variable, followed by ``.lsof_'',
followed by the first component (characters up to the first period)
of the name returned by gethostname(2).
If gethostname(2) returns nothing, then nothing will follow the
``.lsof_'' string. If the first character of what gethostname(2)
returns is a `.', then all the gethostname(2) value will follow
the ``/lsof_'' string. (See the ``%l'' conversion for a way to
make lsof include the entire host name in the path.)
====================================================================
* *
* The personal path option is enabled by default in the lsof *
* distribution. The HASPERSDC #define in a dialect's machine.h *
* header is a format specification that tells lsof how to form the *
* personal device cache file path. The conversions in the format *
* specification begin with `%' , ala the printf(3) function of the *
* standard I/O library. These conversions are supported: *
* *
* ``%%'' causes a single `%' to appear in the path. *
* *
* ``%0'' is a separator that marks the beginning of a path *
* for a setuid-root lsof process or one whose real *
* UID is 0. When lsof reaches this conversion and *
* the process is setuid-root or has a real UID of *
* root, it erases any previously formed path and *
* restarts with the next HASPERSDC format character. *
* If lsof reaches this conversion and the process is *
* not setuid-root and its real UID is not root, path *
* formation is ended. *
* *
* ``%h'' causes the home directory of the real UID of the *
* lsof process to appear in the path. *
* *
* ``%l'' causes the full name returned by gethostname(2) to *
* appear in the path. *
* *
* ``%L'' causes the first component of the name returned by *
* gethostname(2) to appear in the path. The first *
* component is defined to be what appears to the *
* left of the first `.'. If nothing appears to the *
* left then everything will appear in the path. *
* *
* ``%p'' causes the value of (HASPERSDCPATH) from the *
* process environment to appear in the path. If the *
* (HASPERSDCPATH) value doesn't end in a '/', one *
* will be added. *
* *
* ``%u'' causes the login name associated with the real UID *
* of the lsof process to appear in the path. *
* *
* ``%U'' causes the real UID of the lsof process, converted *
* to a decimal string, to appear in the path. *
* *
* All other characters are copied from the format to the *
* path. CAUTION: THINK VERY CAREFULLY ABOUT THE EFFECT OF *
* USING CHARACTERS THAT FORM AN ABSOLUTE COMPONENT LIKE *
* ``/tmp'' IN THE FORMAT. Consider what power your dialect *
* might have (e.g., if it is setuid-root) when lsof must *
* create a device cache file at the path. Consider using a *
* ``%0'' conversion to declare an alternate path for lsof *
* processes that are setuid-root or whose real uid is root. *
* See the "How do I put the personal device cache file in *
* /tmp?" question and answer in 00FAQ for an explanation of *
* this example: *
* *
* #define HASPERSDC "/tmp/.lsof_%u_%l_pers%0%h/.lsof_%L" *
* *
* This is the format specification that appears in the machine.h *
* header files of the lsof distribution: *
* *
* #define HASPERSDC "%h/%p.lsof_%L" *
* *
* It causes the path to be formed from the home directory of the *
* real UID of the lsof process (``%h''), followed by `/', followed *
* by the contents of the environment variable named by *
* HASPERSDCPATH and a trailing `/', as needed (``%p''), followed *
* by the string ``.lsof_'', and terminated with the first *
* component of the host's name (``%L''). *
* *
* To change the personal path option, change the HASPERSDC string *
* and recompile lsof. To disable the personal path option, remove *
* or disable HASPERSDC. The personal path option is disabled when *
* HASDCACHE is not defined. *
* *
====================================================================
C.5. Modified Default Personal Path
===================================
The modified default personal path form is a special case of the
default personal path. In this form the value of the environment
variable named by the HASPERSDCPATH #define is inserted in the
personal path when the ``%p'' conversion appears in the HASPERSDC
format specification.
This allows, for example, the lsof user to move personal device
cache files to another branch of the home directory, perhaps to a
sub-directory where multiple device cache files may appear from
different machines that use the same NFS- mounted home directory.
The HASPERSDCPATH definition of the dialect's machine.h header file
names the environment variable. By default in the lsof distribution
it is LSOFPERSDCPATH.
The modified personal path component is ignored when lsof process
is setuid-root is root, lest it be maliciously or accidentally used in
some convoluted form to access paths the real UID cannot. The
modified personal path component is also ignored when the real UID
of the lsof process is root (0), so that lsof will not accidentally
use a personal environment value.
If the lsof process surrenders setgid permission (See Appendix B.),
lsof can read from and write to the modified personal path. If,
however, the lsof process doesn't surrender setgid permission, the
modified personal path is read-only.
If your dialect runs setuid-root or doesn't surrender its setgid
permission, and you want to use the LSOFPERSDCPATH environment
variable to address a collection of device cache files in a
subdirectory, you will have to gather the collection in the
subdirectory yourself with shell copy or move commands.
====================================================================
* *
* The modified personal path option is enabled by default in the *
* lsof distribution with these definitions in the dialect's *
* machine.h header file: *
* *
* #define HASPERSDCPATH "LSOFPERSDCPATH" *
* and *
* #define HASPERSDC "%h/%p.lsof_%L" *
* *
* The value of the definition is the name of the environment *
* variable that contains the modified personal path name *
* component that is inserted in the personal path when ``%p'' *
* appears in HASPERSDC. See the Default Personal Path section *
* for a complete description of the ``%p'' conversion. *
* *
* To disable the modified personal path name component, disable *
* the HASPERSDCPATH definition in the dialect's machine.h header *
* file -- e.g., change it to: *
* *
* /* #define HASPERSDCPATH "LSOFPERSDCPATH" */ *
* *
* or remove the definition altogether. If you do this, don't *
* forget to remove any ``%p'' conversion from HASPERSDC. *
* *
* The modified personal path option is disabled when HASDCACHE is *
* not defined. *
* *
* The modified personal path environment variable value is ignored *
* when the lsof process is setuid-root or when the real UID of *
* the lsof process is root (0). *
* *
* The modified personal path is read-only when the lsof process *
* doesn't surrender its setgid permission. *
* *
====================================================================
D. Displaying the Default Path
==============================
Whatever device cache file path formation options you decide to
use, remember that the lsof help output, displayed in response to
its ``-h'' or ``-?'' help options, will display the read-mode
default (the highest numbered) path that lsof has been enabled to
form from which it will read.
Since some paths are read-only, the path displayed in help option
output may not be the one to which lsof will write, should that
become necessary. To see the read-only and write device cache file
paths, environment variable names, and the personal device cache
file format specification (HASPERSDC), use the -D? option.
Appendix A, Unix Dialects Without a Device Cache
================================================
Linux lsof implementations that obtain their information from files
in the /proc file system do not have device cache support. Generally
lsof for Linux versions 2.1.72 and greater are /proc based.
Appendix B, Lsof Dialects and Their Permissions
===============================================
These are the permissions recommended in the lsof distribution.
Appendix B.1 Setuid-root Lsof Dialects
======================================
These dialect versions of lsof need root permission. For general
use they may have to be installed setuid-root.
Apple Darwin 9 and Mac OS X 10.[56]
HP-UX 11.11 and 11.23
Linux (no device cache support needed)
Appendix B.2 Setgid Lsof Dialects That Surrender Setgid Permission
==================================================================
Lsof versions for these dialects have WILLDROPGID defined in their
machine.h header files.
AIX 5.[12] and 5.3-ML1
FreeBSD 4.x, 4.1x, 5.x and [6789].x for x86-based systems
FreeBSD 5.x and [6789].x for Alpha, AMD64 and Sparc64-based
systems
HP-UX 11.00
NetBSD 1.[456], 2.x and 3.x for Alpha, x86, and SPARC-based
systems
NEXTSTEP 3.[13]
OpenBSD 2.[89] and 3.[0-9] for x86-based systems
OPENSTEP 4.x
SCO OpenServer Release 5.0.4 for x86-based systems
SCO|Caldera UnixWare 7.1.4 for x86-based systems
Solaris 2.6, 8, 9 and 10
Tru64 UNIX 5.1
Vic Abell <abe@purdue.edu>
September 27, 2011