Wednesday, 20 April 2011

Accessing a deleted file which is still open in Linux.

As you may know, Linux does not actually delete a file from a disk until
1) all the (hard) links to it are deleted in the file system
2) no programs still use that file (i.e. there are no open file descriptors)

For example, if you delete a video file from a disk but still have an open media player with it, the file won't be deleted until you close the app or open a new movie instead of it. To access the file you've got to know the PID of the program using it (you can get it with "ps") and its file descriptor in it. Linux provides a simple interface to access open files through the /proc pseudo-file system: /proc/<pid>/fd/<fd>.

How can this be useful?

Apart from the case shown above, the last versions of the Flash plugin seem to use this trick to prevent the user from easily copying video files from the /tmp directory. In fact, the videos are still created, but they are deleted as soon as Flash opens them. This trick makes it possible to save the "deleted" .flv files nevertheless.

Finally, the very way Linux makes access through file descriptors possible for a user just looks like a very neat and simple solution of a rather complex issue. ♥

P.S. Seems to be a popular issue with many howtos and step-by-step tutorials, but oh well.

No comments:

Post a Comment