Re: Quasi-(un)deletion question
On Sun, Feb 15, 2004 at 10:41:41AM -0800, Paul Johnson wrote:
> On Sun, Feb 15, 2004 at 09:20:55AM -0500, Tim Otten wrote:
> > The other day, I did something really stupid. I started a download with
> > BitTorrent, and, half-way through, deleted the file it was downloading.
>
> > Is it possible to access the file using a utility or small C program?
> > Would you have to write code for the kernel?
>
> You're boned.
Care to back that up?
As long as a running process has the file open, it's a well-known Unix
semantic that the data's still on the filesystem: cp from
/proc/<pid>/fd/<foo> will recover whatever's currently in the file, for
instance. The tricky bit is getting a copy just as the download
finishes, which implies either recreating a link to the deleted inode or
perhaps some evil ptrace(2) hackery (PTRACE_SYSCALL, check for close()
and if so copy contents of fd, otherwise PTRACE_SYSCALL again).
I have a nagging feeling that there ought to be a better way, but the
only other way I can think of to recreate a link to a deleted inode
would involve a kernel module. A flink() syscall has been proposed, but
designing and implementing it correctly would be complicated. You can
easily create security holes if you get it slightly wrong.
> Word to the wise: Think twice, delete once.
This, of course, is always good advice.
--
Colin Watson [cjwatson@flatline.org.uk]
Reply to: