On Wed, Jul 8, 2020 at 12:07 PM Rich Pieri <[email protected]> wrote:
>
> On Tue, 7 Jul 2020 19:44:37 -0400
> Bill Bogstad <[email protected]> wrote:
>
> > But not all UNIX-like systems have a /proc/PID/fd directory that makes
> > it easy to access the contents of
> > such an unlinked file. I don't know if the *BSDs do or not.
>
> True, but it should be possible to find the file descriptor somehow if
> the process is still running. /proc just makes that easier.

I'm not sure I'm following you here. /proc not only lets me easily discover on what fd # the file is opened. It also gives me an easy way to reopen the file so I can copy its contents. How would you go about recovering the file easily without it?

Just theorizing here, maybe if you attached a debugger to the process that had the file open, you might be able to craft some code which could be inserted into the memory space of that process which would copy the deleted file to a newly opened file. I'm sure that people who use buffer overflows to hack programs have the skills to do something like that, but I certainly don't.

Maybe something easier could be done with the linkat() system call, but the Linux manual page seems to suggest using /proc to re-link the file. But that seems to be Linux specific and still would involve inserting code into the running process. The POSIX man page for linkat() makes it seem less useful for this purpose.

Bill Bogstad

>
> --
> Rich Pieri
> _______________________________________________
> Discuss mailing list
> [email protected]
> http://lists.blu.org/mailman/listinfo/discuss
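
The /proc-based recovery discussed in this message (find which fd number holds the unlinked file, then reopen it through /proc/PID/fd and copy the contents out), as an added Python example that is not part of the original thread. It is Linux-only; the function names `find_deleted_fds` and `recover_fd`, the file names and the sample data are made up for illustration.

```python
import os
import shutil
import tempfile

DELETED_SUFFIX = " (deleted)"  # Linux appends this to the link target of an unlinked file


def find_deleted_fds(pid):
    """Return {fd: original_path} for unlinked files that process `pid` still holds open."""
    fd_dir = f"/proc/{pid}/fd"
    found = {}
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
        # Sockets and pipes read as "socket:[123]"; only file paths start with "/".
        if target.startswith("/") and target.endswith(DELETED_SUFFIX):
            found[int(name)] = target[: -len(DELETED_SUFFIX)]
    return found


def recover_fd(pid, fd, dest):
    """Copy the data behind /proc/<pid>/fd/<fd> to `dest`; return the number of bytes."""
    # Opening the /proc entry reopens the inode itself, so no directory entry is needed.
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return os.path.getsize(dest)


def demo():
    """Constructed scenario: hold a file open, unlink it, then recover it via /proc."""
    workdir = os.path.realpath(tempfile.mkdtemp())
    victim = os.path.join(workdir, "victim.log")
    recovered = os.path.join(workdir, "recovered.log")
    payload = b"constructed sample data\n"
    holder = open(victim, "wb+", buffering=0)  # unbuffered, so the write reaches the kernel
    holder.write(payload)
    os.unlink(victim)  # the name is gone; the inode lives while `holder` stays open
    listed_as = find_deleted_fds(os.getpid()).get(holder.fileno())
    size = recover_fd(os.getpid(), holder.fileno(), recovered)
    with open(recovered, "rb") as f:
        data = f.read()
    holder.close()
    shutil.rmtree(workdir)
    return {"victim": victim, "listed_as": listed_as, "size": size, "data": data}


if __name__ == "__main__":
    print(demo())
```

To use it against another process, pass that process's PID; reading /proc/PID/fd requires running as the same user as that process or as root.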
