
Who or what deleted /dev/null

January 10, 2006

Here is one that comes up time and again. Who keeps deleting “/dev/null”?

With dtrace this is a snip to answer:

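#!/usr/sbin/dtrace -s

/* Flag the thread when it unlinks /dev/null, by absolute path or as "null" from /dev. */
syscall::unlink:entry
/ ((this->x = copyinstr(arg0)) == "null" && cwd == "/dev") ||
        this->x == "/dev/null" /
{
        self->y = 1;
}

/* The unlink succeeded: print the process arguments, then details of its parent. */
syscall::unlink:return
/ self->y && arg0 == 0 /
{
        printf("%s\n", stringof(curthread->t_procp->p_user.u_psargs));
        printf("zone %s UID %d PPID %d %s\n",
                stringof(curthread->t_procp->p_parent->p_cred->cr_zone->zone_name),
                curthread->t_procp->p_parent->p_cred->cr_uid,
                ppid,
                curthread->t_procp->p_parent->p_user.u_comm);
}

/* Clear the flag on every return so a failed unlink cannot taint a later one. */
syscall::unlink:return
/ self->y /
{
        self->y = 0;
}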

Leave that running and when /dev/null disappears it will output the process that deleted it and its parent (I always blame the parents). This leaves 2 cases where /dev/null can go missing that are not covered: unlink and rename. In practice I’ve never seen a case where either was to blame, but for completeness it should check them as well. Easier in OpenSolaris than in 10.
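A companion script for the rename case mentioned above, added here as an example and not part of the original post. It assumes the release exposes rename as a `syscall::rename` probe, and it matches only the literal paths `/dev/null` or `null` with a working directory of `/dev`, so other spellings of the path are not caught.

```dtrace
#!/usr/sbin/dtrace -s

#pragma D option quiet

/* rename(2): arg0 is the old name, arg1 is the new name. Keep both. */
syscall::rename:entry
{
        self->from = copyinstr(arg0);
        self->to = copyinstr(arg1);
}

/*
 * A successful rename that either moved /dev/null away (old name)
 * or replaced it with something else (new name).
 */
syscall::rename:return
/ arg0 == 0 && self->from != NULL &&
  (self->from == "/dev/null" || self->to == "/dev/null" ||
   (cwd == "/dev" && (self->from == "null" || self->to == "null"))) /
{
        printf("rename %s -> %s\n", self->from, self->to);
        printf("%s\n", curpsinfo->pr_psargs);
        printf("zone %s UID %d PID %d PPID %d\n", zonename, uid, pid, ppid);
}

/* Free the saved paths whether or not the rename matched or succeeded. */
syscall::rename:return
/ self->from != NULL /
{
        self->from = 0;
        self->to = 0;
}
```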
