Creating special devices to solve problems
With tax season coming up, I have been asked to set up a certain centralized tax service for a company. I won't mention the company or the well-known tax program involved, as this post isn't about flaming a product but just to show you how cool commands in Linux can be used to solve what would originally seem like complicated problems.
Here's the scenario. The software runs on JBoss (a Java app server) and it has log output. During client testing with fake social security numbers I noticed that they were getting output into the log. For security purposes this is unacceptable. After thinking for a while the solution I came up with was this... I want to output the log into /dev/null. But how? How indeed, and here's what I did.
I remember that the mknod command is used for special devices so I looked at the man documentation.
The relevant portions of the man page are...

Code:
--- *snip* ---
SYNOPSIS
       mknod [OPTION]... NAME TYPE [MAJOR MINOR]
DESCRIPTION
--- *snip* ---
       c, u   create a character (unbuffered) special file
--- *snip* ---

Now let's look at the file listing for /dev/null.

Code:
$ ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 2012-01-12 10:12 /dev/null

The first character in the permissions is the file type. Normally you see d for directory, - for file, or l for a symbolic link as an example. Here specifically it is c, a character special file.
Also notice the "1, 3" in the file listing. Those are the device special major and minor numbers. I'm not sure where there's a list of all of the different types of numbers but if you know please post in the comments. Here though we basically know how we want the file to behave and had a file we could analyze to get the major and minor numbers so that mknod knows what kind of special device we're creating.
So now I just go to where the log file is outputting and create a null special device in the file name where the log name would normally be. Let's say, hypothetically, that our offending log output file is located at /opt/jboss/log/program.log. Here are the commands to create the special device and match it to be the same type as /dev/null.

Code:
cd /opt/jboss/log/
rm program.log            # remove the existing regular log file
mknod program.log c 1 3   # character device, same major/minor as /dev/null
chmod 666 program.log

My JBoss instance runs under user jboss but my program.log special device is owned by root with permissions 666. That's because I don't want jboss or the app to be able to rename or move the special device.
Now when log output is written to the log file it will simply be going into a null-like file which isn't recorded. Of course if you ever need to troubleshoot you'll have to remove this special file so that it can write to a log file again for output. But for normal usage of the app I'd say this is a pretty good solution to a closed source proprietary program which was simple for the problem at hand.
SAM
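An added audit script, not part of the original post: it checks that the log path is still a character device with major 1, minor 3, so that a log rotation or restart that quietly recreates a regular file gets noticed. It assumes Linux with GNU stat; the function names are illustrative, and the default path and service user are the post's hypothetical ones.

```shell
#!/bin/sh
# Added example, not the post author's code. Assumes Linux with GNU stat.
# Function names are illustrative; path and user are the post's hypotheticals.

# Print "major:minor" in decimal (stat -c reports %t/%T in hex).
dev_numbers() {
    hex=$(stat -c '%t %T' "$1" 2>/dev/null) || return 1
    printf '%d:%d\n' "0x${hex% *}" "0x${hex#* }"
}

# Print one status word; return 0 only if writes to the path are discarded.
check_log_sink() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing"; return 1        # next write creates a regular file
    elif [ ! -c "$path" ]; then
        echo "not-a-device"; return 1   # regular file: data is being recorded
    elif [ "$(dev_numbers "$path")" != "1:3" ]; then
        echo "wrong-device"; return 1   # character device, but not null
    fi
    echo "null-device"
}

# Rename and unlink are governed by write access to the parent directory,
# not by the node's owner or mode. Heuristic: return 0 if `user` owns the
# directory or it is group/other-writable (group membership is not resolved).
dir_replaceable_by() {
    user=$1 dir=$2
    owner=$(stat -c '%U' "$dir" 2>/dev/null) || return 2
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    [ "$owner" = "$user" ] && return 0
    case $mode in
        *[2367]?|*[2367]) return 0 ;;
    esac
    return 1
}

log=${1:-/opt/jboss/log/program.log}
svc=${2:-jboss}
status=$(check_log_sink "$log") || true
echo "$log: $status"
if dir_replaceable_by "$svc" "$(dirname "$log")"; then
    echo "warning: $svc may be able to rename or replace $log"
fi
```

Run from cron or a monitoring agent, any status other than null-device means sensitive output may be landing on disk again.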