The 'Swiss Army Knife' security tool

The LiSt Open Files (lsof) command is referred to in many articles on Unix security. Many Unix admins I know have mentioned trying to use it only to find it is not part of their Linux (or other Unix) distribution. This is an often-true statement, because the code is maintained by Victor Abell, of the Purdue University Computing Center, and it is not included in all distributions. Even if it is shipped with the distribution you are using, consider getting the latest release; there have been security issues in various releases (lsof runs setuid to root).

You can easily locate the source via a Web search for 'lsof'. Note that reverse DNS lookup must work for the machine downloading if you go directly to Purdue for the source (highly recommended: Who wants a suspicious security tool?). You can also do the PGP verification in the documentation if you download from a mirror site. Configuration and installation have been simple for all releases (4.5 is current as of this writing), so we will not go there in this short tip. Instead, let's look at the power of, and some uses for, this tool.

For starters, just using lsof without options will list all 'thingies' open, probably way more than you want to sift through, other than for a baseline reference. An important point here is that lsof lists more than just regular files (thus the 'thingie' reference above). The default output includes regular files (denoted by REG), sockets, and memory-mapped files. Using various options, you can select which open files you want listed.

Using lsof as an intrusion-detection tool, you might want to see which files a particularly suspicious or unknown process is using. For example:

    lsof -p pid                (lsof -p 23102)

Or perhaps a program:

    lsof -c commandname        (lsof -c netscape)

Or a user:

    lsof -u user-or-uid        (lsof -u sfeet)

Or even a socket:

    lsof -i protocol:socket    (lsof -i tcp:23)

As a basic precautionary security technique (rather than postmortem or paranoia work), use the -i option without an argument. It lists all open files associated with network connections. The output includes fields for the command or program involved, PID, USER, file descriptor, connection type, device number, protocol used and name (similar to 'netstat -i' naming). This is a good way of finding out connections listening for input that you either are not using, or do not understand (and thus might consider suspicious). Use this data to shut down unused daemons (and listening sockets, which are unnecessary security risks).
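To turn that -i listing into a routine check rather than a one-off read-through, here is an added example (not part of the original tip): a small POSIX shell function that reads lsof -i output and reports every listening socket that is not on an allowlist of expected services. The lsof output, the allowlist and the process names are constructed for offline use; the -n and -P flags mentioned in the comments are standard lsof options that keep addresses and ports numeric so the allowlist matches reliably.

```shell
#!/bin/sh
# Added example: audit listening sockets in `lsof -i` output against an
# allowlist of expected services. For a live run pipe the real output in:
#     lsof -i -n -P | audit_listeners
# (-n/-P suppress name lookups so ports appear as numbers, e.g. *:22).

# Constructed sample of `lsof -i -n -P` output (not a real capture).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
inetd     901 root    5u  IPv4  12380      0t0  TCP *:23 (LISTEN)
httpd    1203 www     4u  IPv4  13011      0t0  TCP *:80 (LISTEN)
netscape 2310 sfeet  21u  IPv4  14402      0t0  TCP 10.0.0.5:34122->10.0.0.9:80 (ESTABLISHED)
unknown  2411 sfeet   3u  IPv4  14550      0t0  TCP *:31337 (LISTEN)
portmap   701 root    4u  IPv4  12001      0t0  UDP *:111'

# Services this host is expected to offer, one "PROTO:port" per line
# (constructed site policy; adjust to your own baseline).
ALLOWED='TCP:22
TCP:80
UDP:111'

# Reads lsof -i output on stdin and prints one line per listening socket
# that is not in the allowlist: "PROTO port command pid user".
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                        # skip the column header
    {
        proto = $8; name = $9
        # TCP listeners carry "(LISTEN)"; a bound UDP socket with no peer
        # ("->" absent) is treated as listening too.
        listening = ($10 == "(LISTEN)") || (proto == "UDP" && name !~ /->/)
        if (!listening) next
        port = name; sub(/.*:/, "", port)   # keep the text after the last colon
        if (!((proto ":" port) in ok)) print proto, port, $1, $2, $3
    }'
}

# Run against the constructed sample; flags the telnet and port 31337 listeners.
printf '%s\n' "$SAMPLE_LSOF" | audit_listeners
```

Anything the script prints is either a daemon to shut down or a socket to explain; re-running it after changes gives you a quick regression check of the host's listening baseline.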

For non-security uses, lsof is still worth its disk space and compile time. Example: You want to unmount a filesystem, but umount reports it in use. To determine 'who' is using it, or which files are in use, try the '+D <directory>' option. This option returns a list of open files under that directory, including which user has each one open, so you know whom to pester if you really need to dismount that filesystem.

If any of this information sounds like something you might want to know, do a Web search for 'lsof'; if you want to look into more capabilities before taking the time to download and compile, search for 'lsof manpage'. If this information doesn't interest you at all, then please drop an e-mail about what does interest you.

Fred Mallett is founder of FAME Computer Education, which provides standup delivery of educational classes on a variety of Unix, Linux and Win32 related subjects. Reach him at fredm@famece.com.

This was first published in June 2003
