Walt Mankowski on 6 Dec 2007 17:29:39 -0000
On Thu, Dec 06, 2007 at 12:01:41PM -0500, Art Alexion wrote:
> On Thursday 06 December 2007 11:41:42 Mark Dominus wrote:
> > But I'm not sure exactly what you're getting at here.
>
> That's OK, because you have answered my question.
>
> What I envisioned was opening the directory as an editable file, not renaming,
> but deleting the link to obscure the file. My theory was that the file would
> still exist because the inode data that you described would still exist, but
> the file could not be opened because it had no name.
>
> I could then keep the link data off the computer. If I wanted to open the
> file, I could re-edit the directory and add the link.
>
> I figured this would not be safe from someone with forensics scanning
> expertise, but from 99.9% of other users, including those who know about
> standard hidden dot files.
>
> What I didn't anticipate was that fsck on boot would ruin this scheme for me.

The inode doesn't get deleted until all its links are removed *and* all its
open filehandles are closed. So one trick for creating hidden files is to have
a program open the file, and then remove all its links. Now it won't show up
in any directory listings, but you still have access to all its data.

Of course there are a few drawbacks. It will still appear if you run something
like lsof(8). And the inode really will be deleted when your program exits,
for example the next time the system reboots. It's also not clear how you
could relink it, since the parameters to the link(2) system call are
pathnames, not inodes.

Walt

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
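The behaviour described in the message above, as an added example that is not part of the original post: a file is unlinked while still open, its data stays readable through the descriptor, and the state remains detectable through `fstat(2)` (`st_nlink == 0`) and through the Linux `/proc/<pid>/fd` links, the same information lsof(8) reports. The function names and the `/tmp` path are hypothetical, and the `/proc` check assumes Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Authoritative check: 1 if fd refers to an inode with no directory links left. */
int fd_is_unlinked(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && st.st_nlink == 0;
}

/* Linux-only hint: 1 if /proc/self/fd/<fd> ends in the kernel's " (deleted)" tag.
   A file literally named "x (deleted)" also matches, so confirm with st_nlink. */
int proc_shows_deleted(int fd)
{
    static const char tag[] = " (deleted)";
    char link[64], target[4096];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return (size_t)n >= sizeof tag - 1 && strcmp(target + n - (sizeof tag - 1), tag) == 0;
}

/* Create a file, unlink it while open, read it back via the fd. Returns fd or -1. */
int open_then_unlink(const char *msg, char *out, size_t outlen)
{
    char path[] = "/tmp/unlinked-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, msg, strlen(msg)) < 0 || unlink(path) != 0) { close(fd); return -1; }
    if (access(path, F_OK) == 0) { close(fd); return -1; }  /* the name must be gone */
    ssize_t n = pread(fd, out, outlen - 1, 0);   /* data is still reachable */
    if (n < 0) { close(fd); return -1; }
    out[n] = '\0';
    return fd;
}

int main(void)
{
    char buf[64];
    int fd = open_then_unlink("still here\n", buf, sizeof buf);
    if (fd < 0) { perror("demo"); return 1; }
    printf("data: %snlink==0: %d, /proc tag: %d\n", buf, fd_is_unlinked(fd), proc_shows_deleted(fd));
    close(fd);   /* last reference dropped: the kernel frees the inode here */
    return 0;
}
```

For auditing other processes, the same two checks apply to each entry under `/proc/<pid>/fd`, which requires appropriate privileges.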