Art Alexion on 6 Dec 2007 17:45:31 -0000



Re: [PLUG] "What's a File?" talk slides now online


On Thursday 06 December 2007 12:29:30 Walt Mankowski wrote:
> On Thu, Dec 06, 2007 at 12:01:41PM -0500, Art Alexion wrote:
> > On Thursday 06 December 2007 11:41:42 Mark Dominus wrote:
> > > But I'm not sure exactly what you're getting at here.
> >
> > That's OK, because you have answered my question.
> >
> > What I envisioned was opening the directory as an editable file, not
> > renaming, but deleting the link to obscure the file.  My theory was that
> > the file would still exist because the inode data that you described
> > would still exist, but the file could not be opened because it had no
> > name.
> >
> > I could then keep the link data off the computer.  If I wanted to open
> > the file, I could re-edit the directory and add the link.
> >
> > I figured this would not be safe from someone with forensics scanning
> > expertise, but from 99.9% of other users, including those who know about
> > standard hidden dot files.
> >
> > What I didn't anticipate was that fsck on boot would ruin this scheme for
> > me.
>
> The inode doesn't get deleted until all its links are removed *and*
> all its open filehandles are closed.  So one trick for creating hidden
> files is to have a program open the file, and then remove all its links.
> Now it won't show up in any directory listings, but you still have
> access to all its data.
>
> Of course there are a few drawbacks.  It will still appear if you run
> something like lsof(8).  And the inode really will be deleted when
> your program exits, for example the next time the system reboots.
> It's also not clear how you could relink it, since the parameters to
> the link(2) system call are pathnames, not inodes.

Thanks for the further explanation.  My idea was triggered by Mark's remark 
that all of the "ls -l columns" are stored in the inode, while the 
inode-filename linking data was stored in the directory.  It got me thinking 
that the inode file identification would persist even if the name link in the 
directory was deleted.

My idea did not involve using the link command to restore the link, but just 
using the same method to manually edit the directory entry to type the link 
data back in.

Looks like it can't be done.

Now I understand this a bit more.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
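
The open-then-unlink behaviour and the lsof(8) visibility discussed in the thread, as an added example that is not part of the original messages: it shows the link count dropping to zero while the data stays readable, then finds such descriptors the way lsof does. It assumes Linux with /proc mounted; the function names and the sample payload are constructed for illustration.

```python
import os
import tempfile


def open_then_unlink(payload: bytes):
    """Create a file, keep a descriptor open, then remove its only name."""
    fd, path = tempfile.mkstemp(prefix="constructed-sample-")
    os.write(fd, payload)
    os.unlink(path)  # last link gone; the inode lives on while fd stays open
    return fd, path


def read_via_fd(fd: int) -> bytes:
    """Read the data back through the descriptor, with no pathname involved."""
    os.lseek(fd, 0, os.SEEK_SET)
    return os.read(fd, 4096)


def deleted_open_files(pid="self"):
    """Return (fd, target) for open descriptors whose inode has no links left.

    Linux-specific: each /proc/<pid>/fd entry is a symlink to the open file.
    stat() through it reaches the inode, and st_nlink == 0 means no directory
    entry refers to it any more. The kernel also appends ' (deleted)' to the
    link target, which is what lsof reports.
    """
    fd_dir = f"/proc/{pid}/fd"
    hits = []
    if not os.path.isdir(fd_dir):
        return hits  # no /proc on this system (assumption: Linux)
    for name in os.listdir(fd_dir):
        entry = os.path.join(fd_dir, name)
        try:
            target = os.readlink(entry)
            nlink = os.stat(entry).st_nlink
        except OSError:
            continue  # descriptor was closed while we were scanning
        if nlink == 0:
            hits.append((int(name), target))
    return hits


if __name__ == "__main__":
    fd, path = open_then_unlink(b"constructed sample data\n")
    print("name still present:", os.path.exists(path))
    print("link count:", os.fstat(fd).st_nlink)
    print("data via fd:", read_via_fd(fd))
    print("deleted-but-open:", deleted_open_files())
    os.close(fd)  # last reference dropped; the inode is freed here
```

Scanning another process's descriptors with `deleted_open_files(pid)` requires the same privileges lsof would need for that process.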