Recipe 9.10 Securing Device Special Files

9.10.1 Problem

You want to check for potentially insecure device special files.

9.10.2 Solution

To list all device special files (block or character):

$ find /dir -xdev \( -type b -o -type c \) -ls

To list any regular files in /dev (except the MAKEDEV program):

$ find /dev -type f ! -name MAKEDEV -print

To prohibit device special files on a filesystem, use mount -o nodev or add the nodev option to entries in /etc/fstab.

Be aware of the important options and limitations of find, so you don't inadvertently overlook important files. [Recipe 9.8]

9.10.3 Discussion

Device special files are objects that allow direct access to devices (either real or virtual) via the filesystem. For the security of your system, you must carefully control this access by maintaining appropriate permissions on these special files. An intruder who hides extra copies of important device special files can use them as backdoors to read?or even modify?kernel memory, disk drives, and other critical devices.

Conventionally, device special files are installed only in the /dev directory, but they can live anywhere in the filesystem, so don't limit your searches to /dev. Our recipe looks for the two flavors of device special files: block and character (using -type b and -type c, respectively). We use the more verbose -ls (instead of -print) to list the major and minor device numbers for any that are found: these can be compared to the output from ls -l /dev to determine the actual device (the filename is irrelevant).

It is also worthwhile to monitor the /dev directory, to ensure that no regular files have been hidden there, either as replacements for device special files, or as rogue (perhaps setuid) programs. An exception is made for the /dev/MAKEDEV program, which creates new entries in /dev.

The mount option nodev prevents recognition of device special files. It is a good idea to use this for any filesystem that does not contain /dev, especially network filesystems mounted from less trusted servers.

9.10.4 See Also


    Chapter 9. Testing and Monitoring