Recovering an unlink-ed, but still opened file
Julian Elischer
julian at freebsd.org
Sat Nov 28 09:58:16 UTC 2015
On 28/11/2015 7:17 AM, Mikhail T. wrote:
> A deleted file, that's still opened by a process is "there" on the
> filesystem.
>
> Is there any way -- with an existing command-line utility or a new
> program using an existing API -- to give the still-valid inode a name
> again? Wouldn't that be a wonderful feature to have? Thanks!
well, I've done this in the distant past:
(there may be easier ways involving /proc if you have it mounted etc.)
touch /tmp/anyfile
gdb cp
break main
run /tmp/anyfile /tmp/saved
(program breaks)
break open
{step until you get the open of anyfile}
place a breakpoint just after the open.
continue
{program stops with file opened)
take note of file descriptor.
kgdb /boot/kernel/kernel /dev/mem
{find procedd descriptors of both processes.. (the one you have with
the file you want, and the 'cp' above.
follow links to file descriptors
swap vnode pointers in the descriptors you want.
set a breakpoint at 'close' in the 'cp'
continue the 'cp'
swap pointers back within kernel.
continue cp so that it exits.
go read contents of file
>
> -mi
>
> _______________________________________________
> freebsd-fs at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
>
More information about the freebsd-fs
mailing list