lsof - one hell of a command. Is it safe ?

Ocky · Jul 5, 2009

http://linux.about.com/library/cmd/blcmdl8_lsof.htm

One hell of a command with lots of options.
First time I have come across this, and just wondering about the security concerns mentioned viz:

"Lsof has three features that may cause security concerns. First, its default compilation mode allows anyone to list all open files with it. Second, by default it creates a user-readable and user-writable device cache file in the home directory of the real user ID that executes lsof. (The list-all-open-files and device cache features may be disabled when lsof is compiled.) Third, its -k and -m options name alternate kernel name list or memory files."

This seems to be rather useful:-

Show all open TCP files - Will return what service is running, who is running it, the process ID and the connections on all TCP ports:
# lsof -i TCP

Show open TCP files on port 80 -
# lsof -i TCP:80

returns --> httpd2-wo 7010 wwwrun 3u IPv6 14787 TCP *:http (LISTEN)

Show open LDAP connections on TCP -
# lsof -i TCP:636

Want to know what files are open by a particular command (substitute your command after the c, and yes you can abbreviate it matches the closest command)-
# lsof -c mysq

returns -->
mysqld 991 admin cwd DIR 8,3 240 148743 /home/admin/novell/idm/mysql/data
mysqld 991 admin rtd DIR 8,3 536 2 /
mysqld 991 admin txt REG 8,3 5464060 148691 /home/admin/novell/idm/mysql/bin/mysqld
mysqld 991 admin 0r CHR 1,3 41715 /dev/null
mysqld 991 admin 1w REG 8,3 1250 149954 /home/admin/novell/idm/mysql/mysql.log
mysqld 991 admin 2w REG 8,3 1250 149954 /home/admin/novell/idm/mysql/mysql.log
mysqld 991 admin 3u IPv4 86990 TCP *:63306 (LISTEN)...

Want to know what files are open by a particular device?
#lsof /dev/cdrom

returns --> bash 30904 admin cwd
DIR 3,0 2048 63692 /media/cdrecorder/linux/user_application_provisioning

You can change TCP to UDP and narrow down your requests to very specific items you want to target (i.e. is there an established connection from xyz.somesite.com?).
# lsof -i TCP@192.168.0.2:636 (lists LDAP connections to my server)

returns --> java 890 root 18u IPv6 8365030
TCP myserver.somecompany.com:42936->myserver.somecompany.com:ldaps (ESTABLISHED)

ndsd 6520 root 262u IPv4 8390927
TCP myserver.somecompany.com:ldaps->myserver.somecompany.com:43123 (ESTABLISHED)
Click to expand...

Mrkvonic · Jul 5, 2009

lsof is one of my breads and butters, it's one of the more useful commands along with strace and all sorts of /proc/* thingies. It is safe, as long as you know what you're doing, as anything in life ...

I'm planning a tutorial or three on the basic sys admining topics, so expect lots of goodies.

Mrk

Ocky · Jul 7, 2009

Mrkvonic said:

lsof is one of my breads and butters, it's one of the more useful commands along with strace and all sorts of /proc/* thingies. It is safe, as long as you know what you're doing, as anything in life ...

I'm planning a tutorial or three on the basic sys admining topics, so expect lots of goodies.

Mrk
Click to expand...

Great stuff - looking forward.

Log in or Sign up

lsof - one hell of a command. Is it safe ?

Ocky Registered Member

Mrkvonic Linux Systems Expert

Ocky Registered Member

Log in or Sign up

lsof - one hell of a command. Is it safe ?

Ocky Registered Member

Mrkvonic Linux Systems Expert

Ocky Registered Member

Useful Searches