The dot in ... --- ...

Chris Gerhard's Weblog


Tuesday January 10, 2006

Who or what deleted /dev/null

Here is one that comes up time and again. Who keeps deleting “/dev/null”?


With dtrace this is a snip to answer:


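#!/usr/sbin/dtrace -s

/* Flag the thread when it starts to unlink /dev/null, given either as an
   absolute path or as "null" with /dev as the working directory. */
syscall::unlink:entry
/ ((this->x = copyinstr(arg0)) == "null" && cwd == "/dev") ||
        this->x == "/dev/null" /
{
        self->y = 1;
}
/* The unlink succeeded: print the process arguments, then the parent's details. */
syscall::unlink:return
/ self->y && arg0 == 0 /
{
        printf("%s\n", stringof(curthread->t_procp->p_user.u_psargs));
        printf("zone %s UID %d PPID %d %s\n",
                stringof(curthread->t_procp->p_parent->p_cred->cr_zone->zone_name),
                curthread->t_procp->p_parent->p_cred->cr_uid,
                ppid,
                curthread->t_procp->p_parent->p_user.u_comm);
}
/* Clear the flag whether or not the unlink succeeded, so that a failed
   attempt does not cause a later, unrelated unlink to be reported. */
syscall::unlink:return
/ self->y /
{
        self->y = 0;
}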

Leave that running and when /dev/null disappears it will output the process that deleted it and its parent (I always blame the parents). This leaves 2 cases where /dev/null can go missing that are not covered: unlink and rename. In practice I've never seen a case where either was to blame, but for completeness it should check them as well. Easier in OpenSolaris than in 10.
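A companion script for the rename case mentioned above, as an added example that is not part of the original post. It assumes the system exposes a `rename` system call probe and matches paths the same literal way the unlink script does, so a path such as "./null" is not caught. The names `self->from`, `self->to` and `self->hit` are chosen here for illustration.

```dtrace
#!/usr/sbin/dtrace -s

#pragma D option quiet

/* Copy both path arguments while they are still readable from user space. */
syscall::rename:entry
{
        self->from = copyinstr(arg0);
        self->to = copyinstr(arg1);
        self->hit = 0;
}

/* /dev/null goes missing if it is renamed away (source) or if another
   file is renamed over it (target), so check both arguments. */
syscall::rename:entry
/ self->from == "/dev/null" || (self->from == "null" && cwd == "/dev") ||
  self->to == "/dev/null" || (self->to == "null" && cwd == "/dev") /
{
        self->hit = 1;
}

/* Report only renames that succeeded. */
syscall::rename:return
/ self->hit && arg0 == 0 /
{
        printf("rename %s -> %s\n", self->from, self->to);
        printf("zone %s UID %d PID %d PPID %d %s\n",
                zonename, uid, pid, ppid, execname);
}

/* Free the thread-local state after every rename, matched or not. */
syscall::rename:return
{
        self->from = 0;
        self->to = 0;
        self->hit = 0;
}
```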


( Jan 10 2006, 09:15:27 AM GMT )

Except where otherwise noted, this site is
licensed under a Creative Commons License 2.0

This is a personal weblog, I do not speak for my employer.