[X-Unix] /dev/fd/*
Stroller
MacMonster at myrealbox.com
Tue Feb 17 10:35:12 PST 2004
On Feb 17, 2004, at 5:41 pm, Jeep Hauser wrote:
>
> A friend's box was broken into (a Raq, not MOSX), and one of the
> commands the intruder did was:
> ...
> If I understand this correctly, it will traverse the entire filesystem
> (when executed as root) and list (in -ls format) every file that has
> been modified in the last 180 minutes (though I'm not sure wh...
It looks like you were about to say "I'm not sure why" there - in case
you haven't realised, it's probably because he was logged in for 3
hours & wanted to check what files he'd changed, and probably, also,
cover his tracks. Silly of him not to edit .bash_history.
> For kicks, I ran this on my MOSX box and found a *ton* of stuff in
> various /dev/fd/* subdirectories, notably .jpg files that are mirrored
> in my /Users/<username>/Photos/iPhoto Library directory. I can't seem
> to find a pattern as to why these files are still in /dev/fd (not all
> of my iPhoto files are in there, just some), nor why the output of the
> find command doesn't seem to limit itself to the last 180 minutes.
They're not really "in" /dev/fd/*. /dev is a special directory for
hardware devices & other magic stuff.
For instance:
    $ head -1 /dev/random
    NzMÜþqPÍþ,_ü&O
    7
showed something different next time I tried it, and will show
something different nearly [1] every time you try it, too. This is a
useful source of random (or perhaps pseudo-random, I don't know)
numbers for programmers.
Back to /dev/fd/*... `man fd` says:
    DESCRIPTION
         The files /dev/fd/0 through /dev/fd/# refer to file descriptors which can
         be accessed through the file system...
         Opening the files /dev/stdin, /dev/stdout and /dev/stderr is equivalent
         to the following calls...
Which means about as much to me as it does to you, however these links
are perhaps enlightening:
<http://www.macobserver.com/tips/macosxcl101/2002/20020607.shtml>
"A file descriptor is a low-level Unix I/O concept that is really only
interesting to systems programmers. (What can I say, we're easily
entertained.)"
and:
<http://www.cs.nmsu.edu/~lking/kernserv.html>
File descriptors provide per-process unique, non-negative integers that
are used to identify an open file (or socket). For user processes, all
interaction with files is done via file descriptors. File descriptors
are also used for access and manipulation of POSIX semaphores and POSIX
shared memory.
My best guess is that you had iPhoto open at the time. I suspect that
if you rebooted & tried this `find` command again with minimal
applications open it would find far fewer results. But to avoid such
spurious matches you should probably use something like `find / -mmin
-180 -not -path /dev -ls` [2]
> On the Raq (sorry, but I don't know the shell used), it truly returns
> files modified within 180 minutes. On my MOSX (10.3.2) tcsh shell, it
> returns files going back to last summer.
Try it again, excluding /dev (if the command I just gave doesn't work,
then just pipe the output to `grep -v /dev` ;-])
> When using '180' instead of '-180' it returns nothing at all. I don't
> know the difference, and the man pages aren't helping me figure that
> out.
It doesn't help that the BSD man page for `find` is pants. The GNU one
(on my Linux system) seems to answer your question:
    TESTS
         Numeric arguments can be specified as
         +n     for greater than n,
         -n     for less than n,
         n      for exactly n.
So:
- `find / -mmin +180` means "find files modified more than 180 minutes
ago."
- `find / -mmin -180` means "find files modified within the last 180
minutes."
- `find / -mmin 180` means "find files modified exactly 180 minutes
ago."
If it's any consolation man pages DO generally get easier to read, once
you're familiar with their quirks. Chapter 3 of The UNIX HATERS
Handbook <http://www.simson.net/ref/ugh.pdf> is a good read, tho'.
> Soooo... is find misbehaving? Is it MOSX?
Neither. Perhaps the Raq has a different approach to file-descriptors,
doesn't use the /dev/ file-system &/or has a version of `find` which is
clever enough to ignore /dev.
> How about all those files in /dev/fd/* -- are those really just
> pointers to the actual files...
Erm... something like that.
Stroller.
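
Added example, not part of the original message: a constructed fixture tree showing how the `+n`, `-n` and bare `n` forms of `-mmin` behave, and how `-prune` keeps `find` out of a `dev` subtree where a `-path` test without a wildcard excludes only the directory entry itself. The file names and the `stamp`, `aged`, `names`, `list` and `list_pruned` helpers are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. The fixture tree and file names are constructed.

# Epoch seconds -> `touch -t` stamp (BSD `date -r`, then GNU `date -d`).
stamp() {
    date -r "$1" +%Y%m%d%H%M.%S 2>/dev/null || date -d "@$1" +%Y%m%d%H%M.%S
}

# Create a file and back-date its mtime by $2 minutes.
aged() {
    : > "$1" && touch -t "$(stamp $(( $(date +%s) - $2 * 60 )))" "$1"
}

# Fixture: home/ holds a 10-minute-old and a 400-minute-old file; dev/fd/3
# is fresh and stands in for the /dev/fd entries seen in the thread.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home" "$root/dev/fd"
    aged "$root/home/recent.txt" 10
    aged "$root/home/old.txt" 400
    aged "$root/dev/fd/3" 0
    echo "$root"
}

# Sorted basenames on one line, so results are easy to compare.
names() { sed 's|.*/||' | sort | paste -sd' ' -; }

# list ROOT [tests...]: regular files under ROOT matching the find tests.
list() { root=$1; shift; find "$root" -type f "$@" -print | names; }

# list_pruned ROOT [tests...]: same, but -prune stops find from ever
# descending into ROOT/dev.
list_pruned() {
    root=$1; shift
    find "$root" -path "$root/dev" -prune -o -type f "$@" -print | names
}

demo() {
    r=$(make_fixture) || return 1
    # `!` is the POSIX spelling of -not.
    echo "-mmin -180, whole tree : $(list "$r" -mmin -180)"
    echo "-mmin -180, ! -path dev: $(list "$r" -mmin -180 ! -path "$r/dev")"
    echo "-mmin -180, dev pruned : $(list_pruned "$r" -mmin -180)"
    echo "-mmin +180, dev pruned : $(list_pruned "$r" -mmin +180)"
    echo "-mmin 180,  dev pruned : $(list_pruned "$r" -mmin 180)"
    rm -rf "$r"
}
demo
```

Because `touch -t` can back-date a file exactly as the fixture does, an mtime sweep like this is a starting point for triage rather than proof of what was changed.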