When I try to read /dev/mem (as root), I have the following error:
[xxxxxx@xxxxxxxxx ~]$ sudo dd if=/dev/mem of=test
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.102811 s, 10.2 MB/s
Does someone know how to read it? I imagine it is a security protection, but is there a possibility to disable it?
I used to use it as a last resort when I wanted to recover some piece of text that I had typed somewhere and lost for some reason (crash, error of manipulation, etc.). Quite often, just making a copy of /dev/mem and grepping it allows me to recover my lost text.
most likely:
$ zgrep -i devmem /proc/config.gz
CONFIG_STRICT_DEVMEM=y
CONFIG_STRICT_DEVMEM:

If this option is disabled, you allow userspace (root) access to all
of memory, including kernel and userspace memory. Accidental
access to this is obviously disastrous, but specific access can
be used by people debugging the kernel. Note that with PAT support
enabled, even in this case there are restrictions on /dev/mem
use due to the cache aliasing requirements.

If this option is switched on, the /dev/mem file only allows
userspace access to PCI space and the BIOS code and data regions.
This is sufficient for dosemu and X and all common users of
/dev/mem.

If in doubt, say Y.

Symbol: STRICT_DEVMEM [=y]
Type : boolean
Prompt: Filter access to /dev/mem
Defined at arch/x86/Kconfig.debug:8
-> Kernel hacking
/edit: crappy formatting
Last edited by bangkok_manouel (2011-07-02 14:19:18)
It's a compile time option? No possibility to disable it at run time?
It's a compile time option?
yes
No possibility to disable it at run time?
A few minutes of googling did not give me any positive answer.
I remember seeing a joke about server Russian roulette. It went something like this (off the top of my head):
# dd if=/dev/zero of=/dev/kmem bs=1 seek=random
Crash, you lose.
I'm guessing this reeked of a major security hole?
I remember seeing a joke about server Russian roulette. It went something like this (off the top of my head):
# dd if=/dev/zero of=/dev/kmem bs=1 seek=random
You will crash the system, but after that, all will normally be in order after a (possibly forced) reboot. If you are root, there is much worse to do: try rm -rf / for example.
I remember seeing a joke about server Russian roulette. It went something like this (off the top of my head):
# dd if=/dev/zero of=/dev/kmem bs=1 seek=random
Crash, you lose.
I'm guessing this reeked of a major security hole?
Not anymore.
$ ls -l /dev/kmem
ls: cannot access /dev/kmem: No such file or directory
/dev/kmem was removed because the primary use was in rootkits.
http://lwn.net/Articles/147901/
When you consider the question of rootkits, you can see why /dev/mem is so restricted and also why there's no way to override it with boot parameters: the rootkit would just rewrite your grub.cfg and it's game over when you reboot.
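An added example, not part of the thread or written by any of its posters: a POSIX shell audit of the two things discussed above, the CONFIG_STRICT_DEVMEM setting and whether the /dev/mem and /dev/kmem nodes exist. The function names, the constructed sample configs and the /boot/config-<release> fallback location are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit /dev/mem and /dev/kmem exposure.

# Classify kernel config text read from stdin. Prints one of:
#   strict  - CONFIG_STRICT_DEVMEM=y: root only reaches PCI space and BIOS regions
#   open    - option explicitly disabled: root can read all of memory
#   unknown - option not mentioned in the config text
devmem_policy() {
    r=unknown
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'CONFIG_STRICT_DEVMEM=y')            r=strict ;;
            '# CONFIG_STRICT_DEVMEM is not set') r=open ;;
        esac
    done
    echo "$r"
}

# Print the running kernel's config, trying two usual locations.
# /boot/config-<release> is a distribution convention (assumption).
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Report whether a device node exists: "present" or "absent".
node_state() {
    if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Constructed sample configs, so the classifier can be checked offline.
SAMPLE_STRICT='CONFIG_X86=y
CONFIG_STRICT_DEVMEM=y'
SAMPLE_OPEN='CONFIG_X86=y
# CONFIG_STRICT_DEVMEM is not set'

audit() {
    echo "STRICT_DEVMEM policy: $(kernel_config 2>/dev/null | devmem_policy)"
    echo "/dev/mem:  $(node_state /dev/mem)"
    echo "/dev/kmem: $(node_state /dev/kmem)"
}
audit
```

A result of "unknown" means neither config source was readable or the option is not listed, so it says nothing either way about the running kernel.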