Examining all members of the /dev (or /devices) node tree with
stat(2) functions can be time consuming. What's more, the
information that lsof needs - device number, inode number, and
path - rarely changes.
Consequently, lsof normally maintains an ASCII text file of
cached /dev (or /devices) information (exception: the /proc-based
Linux lsof where it's not needed.) The local system
administrator who builds lsof can control the way the device
cache file path is formed, selecting from these options:
Path from the -D option;
Path from an environment variable;
System-wide path;
Personal path (the default);
Personal path, modified by an environment variable.
Consult the output of the -h, -D? , or -? help options for the
current state of device cache support. The help output lists the
default read-mode device cache file path that is in effect for
the current invocation of lsof. The -D? option output lists the
read-only and write device cache file paths, the names of any
applicable environment variables, and the personal device cache
path format.
Lsof can detect that the current device cache file has been
accidentally or maliciously modified by integrity checks,
including the computation and verification of a sixteen bit
Cyclic Redundancy Check (CRC) sum on the file's contents. When
lsof senses something wrong with the file, it issues a warning
and attempts to remove the current cache file and create a new
copy, but only to a path that the process can legitimately write.
The path from which a lsof process may attempt to read a device
cache file may not be the same as the path to which it can
legitimately write. Thus when lsof senses that it needs to
update the device cache file, it may choose a different path for
writing it from the path from which it read an incorrect or
outdated version.
If available, the -Dr option will inhibit the writing of a new
device cache file. (It's always available when specified without
a path name argument.)
When a new device is added to the system, the device cache file
may need to be recreated. Since lsof compares the mtime of the
device cache file with the mtime and ctime of the /dev (or
/devices) directory, it usually detects that a new device has
been added; in that case lsof issues a warning message and
attempts to rebuild the device cache file.
Whenever lsof writes a device cache file, it sets its ownership
to the real UID of the executing process, and its permission
modes to 0600, this restricting its reading and writing to the
file's owner.
