
What happens if I create a file using vim in the /dev directory? How will the file be created, as /dev is not a standard file system? I can see a file being created, but the standard kernel file operation `create` was not called. Now I am not sure how this file was created by the kernel. Will it use some udev-bound kernel API to create this file?

Note : I can see the file in /dev after creation. Look at the ls output below.

crw-rw-rw- 1 root tty 5, 0 Aug 24 17:32 tty
-rw-r--r-- 1 root root 35 Aug 24 17:37 abc
-rw-r--r-- 1 root root 0 Aug 24 17:37 ght
-rw-r--r-- 1 root root 0 Aug 24 17:51 ioiu

I want to find this out to determine what will happen if some illegal software forcefully writes to the /dev directory; how can I find that out?

  • `I can see file being created by standard Kernel file operation create was not called` What does that mean? What do you "see" exactly and what is the basis of your deduction? `what will happen if some illegal SW forcefully writes to /dev directory` What is a "forceful write"? There is no such thing. I do not understand what you are asking - this is too broad. If something does something in the `/dev` directory, it will happen. `how this file was created by kernel` Normally, what do you mean by "how"? `/dev` is usually mounted to `devtmpfs` - it's a filesystem that exists in memory. – KamilCuk Aug 24 '21 at 13:26
  • The main consequence is that if the kernel wants to create a file with the same name as one of those added files, then it will fail to do so. – Ian Abbott Aug 24 '21 at 15:27
  • `devtmpfs` is just an ordinary filesystem - basically just a `tmpfs` that the kernel populates initially. Most of the magic comes because its inodes refer to devices (which most other filesystems can do as well). – o11c Aug 24 '21 at 19:24
  • @KamilCuk: I put kernel hooks in the "ext4_file_inode_operations" "create" API to dump whenever a new file is being created. Whenever I create a new file in /home, /etc and similar directories I get appropriate logs, but when I generate a file in the /dev/ directory the "create" API of inode_operations is never called. So I want to know whether it will use some other inode_operations, and whether I can put similar hooks there to check for files being created. – proudengineer Aug 25 '21 at 05:58
  • Just `inotifywait /dev`. – KamilCuk Aug 25 '21 at 06:59
  • Thanks for your comment. While this approach works, it doesn't tell which process made this change, i.e. the process and user responsible for this modification. – proudengineer Sep 13 '21 at 09:44

1 Answer


If you try in MacOS it won't work, even as root.
If you try in CentOS 8 it will work if you're root.
On other Linux flavors, your mileage may vary.

It is a very interesting directory that highlights one important aspect of the Linux filesystem - everything is a file or a directory.

Example

[root]# date > /dev/date
[root]# cat /dev/date
Tue Aug 24 19:13:04 UTC 2021

All that being said, your concern about nefarious software creating a file in this specific directory seems too specific. If the software has the ability to write to /dev it can write anywhere and hide in plain sight. If you're really concerned about this, install a file integrity monitoring (FIM) package to monitor file CRUD.

References
dev filesystem

kenlukas
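
The two practical gaps left open above are the asker's last comment (inotify shows the change but not the process or user behind it) and the answer's pointer at file integrity monitoring. The Python script below is an added example, not code from the question, the answer, or any FIM product. It assumes an auditd watch such as `auditctl -w /dev -p wa -k dev_write` is in place, so that creations under /dev are logged with the acting process and both the login uid (`auid`) and effective uid (`uid`); the audit records embedded in it are constructed for this example and follow the standard audit.log key=value layout. The second function is the baseline check implied by the `devtmpfs` comment: a populated devtmpfs holds device nodes, directories and symlinks, so any regular file under /dev (like the `abc`, `ght` and `ioiu` entries in the question's listing) is worth explaining.

```python
"""
Added example: attribute file creations under /dev to a process and user from
audit records, and list regular files that should not be in a devtmpfs.
Assumes an auditd watch like `auditctl -w /dev -p wa -k dev_write`.
"""
import os
import re
import stat
from collections import defaultdict

# Constructed sample records (not real logs): one vim write creating /dev/abc,
# the case from the question, plus an unrelated open of an existing tty node.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1629826652.101:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0 a2=241 a3=1a4 items=2 ppid=1503 pid=1617 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="dev_write"
type=CWD msg=audit(1629826652.101:4242): cwd="/root"
type=PATH msg=audit(1629826652.101:4242): item=0 name="/dev/" inode=1 dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1629826652.101:4242): item=1 name="/dev/abc" inode=2113 dev=00:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1629826700.555:4243): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1503 pid=1650 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="dev_write"
type=PATH msg=audit(1629826700.555:4243): item=0 name="/dev/tty" inode=5 dev=00:06 mode=020666 ouid=0 ogid=5 rdev=05:00 nametype=NORMAL
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial shared by one event


def parse_audit_lines(text):
    """Group the key=value records of an audit log by event serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = _MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
        fields["_time"] = float(m.group(1))
        events[m.group(2)].append(fields)
    return events


def creations_under(events, prefix="/dev/"):
    """Return one dict per successful CREATE under prefix, with the actor's
    command, executable, pid, login uid (auid) and effective uid."""
    hits = []
    for records in events.values():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "yes":
            continue
        for r in records:
            if (r.get("type") == "PATH" and r.get("nametype") == "CREATE"
                    and r.get("name", "").startswith(prefix)):
                hits.append({
                    "path": r["name"],
                    "comm": syscall.get("comm"),
                    "exe": syscall.get("exe"),
                    "pid": int(syscall["pid"]),
                    "auid": int(syscall["auid"]),  # who logged in
                    "uid": int(syscall["uid"]),    # who the process ran as
                })
    return hits


def regular_files_in(devdir="/dev"):
    """List regular files under devdir. os.walk puts device nodes, symlinks and
    fifos in `files` too, so lstat is used to keep only S_IFREG entries."""
    found = []
    for root, _dirs, files in os.walk(devdir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # node vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode):
                found.append(path)
    return sorted(found)


def demo_scan():
    """Scan a throwaway directory holding one regular file and one symlink,
    so the check can be exercised without root or a real devtmpfs."""
    import tempfile
    d = tempfile.mkdtemp()
    open(os.path.join(d, "abc"), "w").close()
    os.symlink("abc", os.path.join(d, "lnk"))
    return [os.path.relpath(p, d) for p in regular_files_in(d)]


if __name__ == "__main__":
    for hit in creations_under(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print("created {path} by {comm} ({exe}) pid={pid} auid={auid} uid={uid}".format(**hit))
    for path in regular_files_in("/dev"):
        print("regular file in /dev:", path)
```

Run it as root against the live audit log (`ausearch -k dev_write --raw | python3 script.py`, adapting the input source) and the CREATE records name the process and user, which is exactly what `inotifywait` cannot tell you; the `auid` field survives `su` and `sudo`, so it is the one to report. The regular-file scan is a cheap baseline to run alongside a FIM tool, because on a devtmpfs there is no legitimate reason for a `-rw-r--r--` entry to exist.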