Originally posted by jmozdzen:
Hi Matthias,

can you pinpoint *when* this happens? It might be worth correlating this with package installations (i.e. via /var/log/zypp/history) to see if some post-install script causes these changes.

As often, the problem was a mixture of two or more. The /dev/urandom modification was caused by a wrong udev rule. The /dev/null was more sophisticated.
I identified the start script (launched at system boot as user root); the script, which brings up one of our application servers, could even modify the
permissions of /dev/null when started by a normal user; this is of course impossible for this proc. But the proc was doing syslog with facility local5, and
someone configured in /etc/syslog-ng/*.conf as target file /dev/null; an strace shows that syslog-ng was changing the perms of the file:

# cat /tmp/syslog-ng.tr
3088  open("/dev/null", O_WRONLY|O_CREAT|O_NOCTTY|O_APPEND|O_NONBLOCK, 0640) = 11
3088  fcntl(11, F_GETFD)                = 0
3088  fcntl(11, F_SETFD, FD_CLOEXEC)    = 0
3088  fchown(11, 0, 4294967295)         = 0
3088  fchown(11, 4294967295, 0)         = 0
3088  fchmod(11, 0640)                  = 0
We can close the thread.

Thanks, Matthias
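
A check that follows from the finding above, added here as an example and not part of the original posts: it lists syslog-ng `destination` blocks whose `file()` driver points below /dev, and reports when a device node's mode has drifted. The sample configuration is constructed, and the expected mode 0666 for /dev/null and /dev/urandom is an assumption based on the usual Linux defaults.

```python
import os
import re
import stat

# destination <name> { ... }; blocks and the file("...") drivers inside them
DEST_BLOCK = re.compile(r'\bdestination\s+(\w+)\s*\{(.*?)\}\s*;', re.S)
FILE_DRV = re.compile(r'\bfile\s*\(\s*"([^"]+)"')

def device_file_destinations(conf_text):
    """Return (destination name, path) for file() destinations below /dev."""
    text = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())
    hits = []
    for name, body in DEST_BLOCK.findall(text):
        for path in FILE_DRV.findall(body):
            if os.path.normpath(path).startswith("/dev/"):
                hits.append((name, path))
    return hits

def mode_drift(mode, expected=0o666):
    """Describe how a device node's st_mode differs from the expected one."""
    problems = []
    if not stat.S_ISCHR(mode):
        problems.append("not a character device")
    perms = stat.S_IMODE(mode)
    if perms != expected:
        problems.append("mode %04o, expected %04o" % (perms, expected))
    return problems

# Constructed sample config modelled on the situation described in the post.
SAMPLE_CONF = '''
filter f_local5 { facility(local5); };
destination d_app  { file("/dev/null"); };
destination d_mail { file("/var/log/mail"); };
# destination d_old { file("/dev/zero"); };   commented out, must be ignored
log { source(src); filter(f_local5); destination(d_app); };
'''

if __name__ == "__main__":
    print(device_file_destinations(SAMPLE_CONF))
    for node in ("/dev/null", "/dev/urandom"):
        st = os.stat(node)
        print(node, mode_drift(st.st_mode) or "ok",
              "uid=%d gid=%d" % (st.st_uid, st.st_gid))
```

On a real host, pass the contents of each file under /etc/syslog-ng/ to `device_file_destinations()` instead of the sample text.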