Create fifo in linux

Creating temporary named fifo in *nix system

I have some tasks that require dealing with massive numbers of temporary named pipes. Originally, I simply thought of generating random numbers and appending .fifo to form the name of the named pipe. However, I found this post: Create a temporary FIFO (named pipe) in Python? It seems there is something I don’t know that may cause some security issue there. So my question is: what’s the best way to generate a named pipe? Note that even though I am referencing a Python-related post, I don’t mean to ask only about Python.

UPDATE: Since I want to use a named pipe to connect unrelated processes, my plan is to have process A call process B first via the shell and capture stdout to acquire the name of the pipe, so that both know what to open. Here I am just worried about whether leaking the name of the pipe will become an issue. I had never thought about it before, until I read that Python post.

What security issues are you thinking of? Where would you store the name of the fifos? Why can’t you use plain anonymous pipes?

@BasileStarynkevitch Because it requires IPC between processes that have no relationship. The security problem here seems to be a malicious attacker? I don’t quite understand, actually. I worry because I found that post.

But you could use random names, and the issue is how do you share (or where do you store) these names. You should edit your question to explain more.

@BasileStarynkevitch I am confused after reading that post. It seems randomization may be error-prone too. I updated my question.

BTW, I am skeptical about the massive usage of mkfifo. Do you need a dozen of them or a million of them? (At some given moment, I guess that the kernel is limiting the number of fifos to several hundred thousand.)

2 Answers

If you have to use named FIFOs and need to ensure that overlap/overwriting cannot occur, your best bet is probably to use some combination of mktemp and mkfifo.

Although mktemp itself cannot create FIFOs, it can be used to create unique temporary directories, which you can then put your FIFOs into.

The GNU mktemp documentation has an example of this.

The trouble with using mktemp() is that some systems warn about its use at link time, and that is a nuisance if you’re aiming for no warnings in your build. I got here looking for a solution to that problem; this wouldn’t meet my requirements.

I concluded that creating a function int mkptemp(char *pattern, mode_t mode) would likely be best, doing roughly the same job as mkdtemp() does — creating a ‘pipe’ (FIFO) with a random name, which would be stored in the pattern argument. I’ve not implemented it, but could easily modify an implementation of mkstemp() to create a FIFO instead of a file. The mkfifo() system call won’t create a FIFO at the end of a broken symlink — like the mkdir() system call, it fails if the name exists in the file system. I’d use p for ‘pipe’ rather than f for ‘fifo’ because f suggests ‘file’ too.
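The mkptemp() idea from the comment above, written out as an added example (not code from the original thread): it fills the pattern from /dev/urandom and relies on mkfifo() failing with EEXIST to keep creation atomic. The function name follows the comment; the retry limit, the character set and the /tmp/demo_ pattern are assumptions made here.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical mkptemp(): overwrite the trailing "XXXXXX" of pattern with
 * random characters and create a FIFO there. Returns 0, or -1 with errno. */
int mkptemp(char *pattern, mode_t mode)
{
    static const char set[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    size_t len = strlen(pattern);
    if (len < 6 || strcmp(pattern + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    int rnd = open("/dev/urandom", O_RDONLY);
    if (rnd < 0)
        return -1;
    int rc = -1;
    for (int attempt = 0; attempt < 100 && rc != 0; attempt++) {
        unsigned char b[6];
        if (read(rnd, b, sizeof b) != (ssize_t)sizeof b) {
            errno = EIO;
            break;
        }
        for (int i = 0; i < 6; i++)
            pattern[len - 6 + i] = set[b[i] % (sizeof set - 1)];
        /* mkfifo() fails with EEXIST for any existing name, symlinks
         * included, so creation is atomic and a clash just means retry. */
        if (mkfifo(pattern, mode) == 0)
            rc = 0;
        else if (errno != EEXIST)
            break;
    }
    int saved = errno;
    close(rnd);
    errno = saved;
    return rc;
}

int main(void)
{
    char name[] = "/tmp/demo_XXXXXX"; /* constructed sample pattern */
    int rc = mkptemp(name, 0600);
    printf("%s: %s\n", name, rc == 0 ? "FIFO created" : strerror(errno));
    return rc == 0 ? unlink(name) : 1;
}
```

As with mkfifo() itself, the permissions actually applied are (mode & ~umask).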


Alternatively, you could create some name containing well random letters. You could read from /dev/random (or /dev/urandom, read random(4)) some random bytes to e.g. seed a PRNG (e.g. random(3) seeded by srandom), and/or mix the PID and time, etc.

And since named fifo(7) are files, you should use the permission system (and/or ACL) on them. In particular, you might create a common Linux user to run all your processes and restrict the FIFOs to be only owner-readable, etc.

Of course, and in all cases, you need to "store" or "transmit" these FIFO names securely.

If you start your programs in some bash script, you might consider making your fifo names using mktemp(1) as:

    fifoname=$(mktemp -u -t yourprog_XXXXXX).fifo-$RANDOM-$$
    mkfifo -m 0600 "$fifoname"

(perhaps in some loop). I guess it would be secure enough if the script is running as a dedicated user (and then pass the $fifoname in some pipe or file, not as a program argument).

The recent renameat2(2) syscall might be helpful (atomicity of RENAME_EXCHANGE).

BTW, you might want some SELinux. Remember that opened file descriptors (and that includes your fifos) are available as symlinks in proc(5)!

PS. It all depends upon how paranoid you are. A well sysadmined Linux system can be quite secure.


Create fifo in linux

NAME

mkfifo - make a FIFO special file (a named pipe)

SYNOPSIS

    #include <sys/types.h>
    #include <sys/stat.h>

    int mkfifo(const char *pathname, mode_t mode);

DESCRIPTION

mkfifo() makes a FIFO special file with name pathname. mode specifies the FIFO's permissions. It is modified by the process's umask in the usual way: the permissions of the created file are (mode & ~umask).

A FIFO special file is similar to a pipe, except that it is created in a different way. Instead of being an anonymous communications channel, a FIFO special file is entered into the filesystem by calling mkfifo().

Once you have created a FIFO special file in this way, any process can open it for reading or writing, in the same way as an ordinary file. However, it has to be open at both ends simultaneously before you can proceed to do any input or output operations on it. Opening a FIFO for reading normally blocks until some other process opens the same FIFO for writing, and vice versa. See fifo(7) for nonblocking handling of FIFO special files.

RETURN VALUE

On success mkfifo() returns 0. In the case of an error, -1 is returned (in which case, errno is set appropriately).

ERRORS

EACCES: One of the directories in pathname did not allow search (execute) permission.

EDQUOT: The user's quota of disk blocks or inodes on the filesystem has been exhausted.

EEXIST: pathname already exists. This includes the case where pathname is a symbolic link, dangling or not.

ENAMETOOLONG: Either the total length of pathname is greater than PATH_MAX, or an individual filename component has a length greater than NAME_MAX. In the GNU system, there is no imposed limit on overall filename length, but some filesystems may place limits on the length of a component.

ENOENT: A directory component in pathname does not exist or is a dangling symbolic link.

ENOSPC: The directory or filesystem has no room for the new file.

ENOTDIR: A component used as a directory in pathname is not, in fact, a directory.

EROFS: pathname refers to a read-only filesystem.

CONFORMING TO

SEE ALSO

mkfifo(1), close(2), open(2), read(2), stat(2), umask(2), write(2), mkfifoat(3), fifo(7)


How to Use mknod Command in Linux


With the mknod command in Linux, you can create device files that function differently from the usual files. The mknod system call helps users create a filesystem node or special device file with attributes specified by mode and dev.

The term mknod , which stands for make node, is derived from the word inode, which refers to index node. When we talk about the inode, we’re looking at the fundamental unit of the metadata for file system entities in any UNIX-based system.

Although inodes in most cases describe plain disk files, in UNIX they can also describe things such as network sockets. The mknod command in Linux creates a directory entry and the related inode for a special file.

As already mentioned, mknod is a command-line utility that creates a filesystem node at the named pathname, with attributes set by mode and dev. The mode argument in mknod specifies both the permissions of the node to create and its type.

The node you create is governed by the user ID that is in effect during the process. However, if the node’s directory has the preset group-ID bit, the newly created node inherits the group ownership from the root directory.

In this article, we’ll walk through different ways to use the mknod command, but before that, let us take a quick look at the command’s syntax.

mknod Command in Linux: Syntax

The basic structure of mknod command looks something like this:

Using mknod Command in Linux

Having discussed the syntax and other aspects of the mknod command in Linux, let us now learn how it works.

Indicating the Special File as Block Oriented Device

The mknod command in Linux can be used to indicate the special files. These usually include disk, tape, or diskette. For that, all you need to do is pass the b flag. Running the mknod command with the b flag will display the block-oriented device files.

Indicating the Special File as Character Oriented Device

In case you want to display the special file as a character-oriented device using the mknod command, pass the c flag.

Creating FIFOs

The basic usage of the mknod command in Linux is to create named pipes or FIFOs. To build a FIFO, you just need to use the p flag alongside the mknod command.

How Does the mknod Command in Linux Work?

To help you understand the working of the mknod command in Linux, here are a few examples to look at. Walking through the following set of examples will help you figure out the best ways to invoke mknod on your Terminal.

Creating a New Diskette Drive

Suppose you want to create a new diskette drive, /dev2/fd3 . In that case, launch the Terminal and run the following command:

[Image: creating new diskette drive]

Running the command mentioned above will create a special file /dev2/fd3 . It will be a special block file with 1 being the major device number and 2 being the minor.


Creating FIFO file

Creating a FIFO file with the mknod command in Linux is super simple. Launch the Terminal using the Ctrl+Alt+T key combination and run the command as:

[Image: create FIFO using mknod command in linux]

Creating the Special File for New Character Drive

For instance, if you’re willing to create a special file /devnew/fdnew for the character drive, run the command like this:

[Image: creating special files in linux]

Here, 2 and 1 represent the major device number and the minor device number, respectively.

mknod Command: Return Value

The mknod command in Linux returns 0 on successful execution. In other words, a return value of 0 indicates success, while -1 is displayed in case an error has occurred. As for errors in mknod, there are several error tags, each with its own meaning.

EACCES : You’ll get this error-tag when the provided parent directory does not allow the write permission to the involved process.

EEXIST : It indicates that the pathname already exists.

EFAULT : It indicates that the pathname provided points outside the accessible address space in your system.

EINVAL : The mode requested creation of something other than a normal file, device special file, FIFO, or socket.

ELOOP : The system shows ELOOP when too many symbolic links are encountered while resolving pathname.

ENAMETOOLONG : It indicates that the provided pathname was too long.

ENOENT : In mknod, it represents that a directory component in the provided pathname does not exist, or else it is a dangling symbolic link.

ENOMEM : It indicates that insufficient kernel memory was available during the process.

ENOSPC : The device that contains the pathname has no room for any new node.

ENOTDIR : When this tag gets displayed, you need to understand that a component that is used as a directory in the pathname is, in fact, not a directory.

EPERM : The mode requested creation of something other than a standard file, FIFO (named pipe), or Unix domain socket, and at the same time, the caller is not privileged.

The error message is also displayed if the filesystem that consists of the pathname doesn’t support the type of node you’ve requested.

(Keep in mind: Linux doesn’t have the CAP_MKNOD ability)

EROFS : The provided pathname refers to the file that sits on a read-only filesystem.

mknod Command Arguments

-m, --mode : It sets the file permission bits to MODE

-Z : You can set the SELinux security context to the default type by using the Z argument

Other mknod Command Options

--help flag: It displays the help-related information about the mknod command.

[Image: mknod command help]

--version flag: Passing this flag will display the mknod command version information.

[Image: mknod command version check]

This is pretty much everything about the mknod command in Linux. In this article, we tried our best to familiarize you with the command and make you learn the best possible ways of using it. We employed easily understandable examples so that you can have no issues whatsoever.


Husain is a staff writer at Distroid and has been writing on all things Linux and cybersecurity for over 10 years. He previously worked as a technical writer for wikiHow. In his spare time, he loves taking tech apart to see what makes it tick, without necessarily putting it all back together.
