I have a query. On one of my servers I just came to know that there was a /dev/null file which is not a character file. It's just a normal file. I know the command to create the character file (/dev/null), but what is the procedure? Like, should I delete /dev/null and recreate it, or something else? I have a doubt: we can't remove /dev/null, right?
Expected format:
crw-rw-rw- 1 root system 2, 2 Feb 25 15:13 /dev/null
Format in my server:
-rw-rw-rw- 1 root system 0 Feb 25 15:22 /dev/null
Take my advice with a grain of salt since I'm not an AIX expert, but: having a /dev/null that is not a character device could be a big problem, yes! Things might create huge files in it, expecting them to go into the bit bucket, but actually ending up on disk instead... Some memory mapping things might not work right... etc.
You're generally not supposed to delete anything in /dev/, no. But when things are messed up like this, I don't know what else you're supposed to do.
See those numbers there, 2,2? They're what make /dev/null act like /dev/null and not be some other device. You give those to mknod when you create it, and also give it c to tell it it's a character device and not a block one.
Disclaimer: I have never used AIX. Everything I say below is based on the OP's statement that /dev/null is a regular file.
Although a less common scenario, there are times when using /dev/null for reading is useful. One example that comes to mind is with grep: to force its output to include filenames, you may explicitly list /dev/null in a find -exec predicate or an xargs invocation, to ensure that grep is never called with a single file argument. If /dev/null does not yield nothing but EOF ... woe.
I think a more AIX way of recreating /dev/null on AIX is:
# rm /dev/null
# cfgmgr
I would be curious to know how it became a character file (this implies someone with write perms on /dev removed it, and the first person to write to /dev/null (who would be the new owner) recreated it as a regular file). I would expect that there is a script being run by root that is deleting it and writing it again. Since you show 0 bytes, it is also being truncated.
So, your second security issue is: when is it being removed? If you cannot answer this, the issue will come back and haunt you.
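The two points raised above (recreating the node with the right type and major/minor numbers, and finding out whether something keeps replacing it) lend themselves to a small audit script. The following is an added example, not code posted by anyone in this thread: it checks whether a path is a character device, lists regular files sitting in a device directory (the symptom described in the question), and prints, rather than runs, the mknod repair steps so an administrator can review them before executing them as root. The major/minor pair 2, 2 is taken from the listing in the question and is AIX-specific; other systems use different numbers, so they are parameters here.

```sh
#!/bin/sh
# Added example for this thread; not from the original posts.
# Works with POSIX sh and the test builtin only, so it runs on AIX as well.

# Return 0 if the path is a character device, 1 if it exists but is some
# other kind of file, 2 if it is missing entirely.
check_null_device() {
    path=${1:-/dev/null}
    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist"
        return 2
    fi
    if [ -c "$path" ]; then
        echo "OK: $path is a character device"
        return 0
    fi
    # A regular file here means writes "to the bit bucket" land on disk.
    echo "BAD: $path exists but is not a character device"
    ls -l "$path"
    return 1
}

# Detection helper: list regular files in a device directory. Uses ls -l and
# the leading '-' type character instead of find -maxdepth, which older AIX
# find lacks. Rerun this periodically to catch whatever recreates the file.
regular_files_in_dir() {
    ls -l "${1:-/dev}" | grep '^-'
}

# Print the repair commands instead of executing them: rm on a path under
# /dev needs root and deserves a human look first. Defaults are the 2, 2
# from the question's AIX listing (assumption: adjust for your platform).
repair_commands() {
    path=${1:-/dev/null}
    major=${2:-2}
    minor=${3:-2}
    printf '%s\n' "rm -f $path" "mknod $path c $major $minor" "chmod 666 $path"
}

# Stand-alone run: audit the real /dev/null and show the repair plan if needed.
if [ -z "$NULL_AUDIT_NO_MAIN" ]; then
    if ! check_null_device /dev/null; then
        echo "Suggested repair (run as root after review):"
        repair_commands /dev/null
    fi
fi
```

On AIX the alternative mentioned in the thread, removing the bad file and running cfgmgr, achieves the same recreation; the printed mknod sequence is the manual equivalent and lets you confirm the major/minor numbers against another healthy AIX host before acting.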
Was/is the file really "/dev/null" or is it rather "/dev/nulll" (3 "l"s!)? The latter is a residue of some typo in an AIX script, I believe. I have seen it at various customers even in newly installed systems, so I suppose some IBM script, maybe in the HACMP installation procedure, is the culprit.