
Re: Upgrade Problem




On Fri, Jan 04, 2019 at 05:04:49PM -0500, songbird wrote:
> Roberto C  Sánchez wrote:
> ...
> > It might also indicate files that exist (i.e., occupy blocks) without
> > having directory entries.  For example, this is the case when a program
> > creates a temporary file, gets the descriptor back from the syscall, then
> > immediately calls unlink on it [...]

Even easier: you rm a file which is still held open by some program
(a log file may be a typical example). The file will continue existing
until the last program which has an open file descriptor to it closes
it. If you think of it, it just makes sense.

[...]

>   wouldn't fsck clean that up?

No, definitely not. Terminating the processes keeping the file open
will help (i.e. reboot will most definitely help).

>   if it might be potentially useful information you were missing
> and wanted to get back you could copy the entire partition and
> then run a recovery/forensics program on it to see what it all
> was.

There are tricks to it: open files are to be found in /proc/<PID>/fd:
there are some amusing war stories of clever sysadmins recovering
things from there after some mess-up.

Cheers
-- tomás

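
Added example, not part of the original message: a Python sketch of the /proc/<PID>/fd technique mentioned above, listing files a process still holds open after they were unlinked and copying one back out before the holder closes it. It assumes a Linux /proc; the function names and the sample log file are constructed for illustration.

```python
import os
import shutil
import tempfile

DELETED_SUFFIX = " (deleted)"  # appended by the Linux kernel to the fd link target


def deleted_open_files(pid):
    """Return [(fd, original_path, size_bytes)] for unlinked files `pid` holds open."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        link = os.path.join(fd_dir, name)
        try:
            target = os.readlink(link)
            # Skip sockets, pipes and files that still have a directory entry.
            # Caveat: a live file literally named "x (deleted)" also matches.
            if not (target.startswith("/") and target.endswith(DELETED_SUFFIX)):
                continue
            size = os.stat(link).st_size  # stat follows the link to the live inode
        except OSError:
            continue  # descriptor was closed while we were scanning
        found.append((int(name), target[: -len(DELETED_SUFFIX)], size))
    return sorted(found)


def recover(pid, fd, dest):
    """Copy the still-open inode to `dest`; only works while the holder keeps it open."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return os.path.getsize(dest)


def demo():
    """Constructed scenario: a 'log file' is removed while this process holds it open."""
    workdir = os.path.realpath(tempfile.mkdtemp())
    path = os.path.join(workdir, "app.log")
    holder = open(path, "w")
    holder.write("constructed sample log line\n")
    holder.flush()
    os.unlink(path)  # the "rm" from the message; the blocks stay allocated
    me = os.getpid()
    hits = [h for h in deleted_open_files(me) if h[1] == path]
    dest = os.path.join(workdir, "recovered.log")
    recover(me, hits[0][0], dest)
    holder.close()  # last descriptor gone: only now is the space freed
    with open(dest) as f:
        recovered = f.read()
    after = [h for h in deleted_open_files(me) if h[1] == path]
    shutil.rmtree(workdir)
    return hits, recovered, after
```

Scanning another user's process this way needs root, since /proc/<PID>/fd is only readable by the process owner.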