[Discuss] recover contents of deleted but still open file on a Linux system.

[bogstad at pobox.com (Bill Bogstad)]

On Wed, Jul 8, 2020 at 12:07 PM Rich Pieri <richard.pieri at gmail.com> wrote:
>
> On Tue, 7 Jul 2020 19:44:37 -0400
> Bill Bogstad <bogstad at pobox.com> wrote:
>
> > But not all UNIX-like systems have a /proc/PID/fd directory that makes
> > it easy to access the contents of
> > such an unlinked file.   I don't know if the *BSDs do or not.
>
> True, but it should be possible to find the file descriptor somehow if
> the process is still running. /proc just makes that easier.

I'm not sure I'm following you here.   /proc not only lets me easily discover on
what fd # the file is opened.  It also gives me an easy way to reopen
the file so I can copy its contents.  How would you go about recovering the file
easily without it?

 Just theorizing here, maybe if you attached a debugger to the
the process that had the file open, you might be able to craft some code which
could be inserted into the memory space of that process which would copy the
deleted file to a newly opened file.   I'm sure that people who use buffer
overflows to hack programs have the skills to do something like that,
but I certainly don't.

Maybe something easier could be done with the linkat() system call,
but the Linux manual page
seems to suggest using /proc to re-link the file.  But that seems to
be Linux specific and
still would involve inserting code into the running process.  The
POSIX man page for linkat()
makes it seem less useful for this purpose.

Bill Bogstad

>
> --
> Rich Pieri
> _______________________________________________
> Discuss mailing list
> Discuss at lists.blu.org
> http://lists.blu.org/mailman/listinfo/discuss