On Fri, Jan 04, 2019 at 05:04:49PM -0500, songbird wrote:
> Roberto C Sánchez wrote:
> ...
> > It might also indicate files that exist (i.e., occupy blocks) without
> > having directory entries. For example, this is the case when a program
> > creates a temporary file, gets the descriptor back from the syscall, then
> > immediately calls unlink on it [...]

Even easier: you rm a file which is still held open by some program (a
log file may be a typical example). The file will continue existing
until the last program which has an open file descriptor to it closes
it. If you think of it, it just makes sense.

[...]

> wouldn't fsck clean that up?

No, definitely not. Terminating the processes keeping the file open will
help (i.e. reboot will most definitely help).

> if it might be potentially useful information you were missing
> and wanted to get back you could copy the entire partition and
> then run a recovery/forensics program on it to see what it all
> was.

There are tricks to it: open files are to be found in /proc/<PID>/fd:
there are some amusing war stories of clever sysadmins recovering things
from there after some mess-up.

Cheers
-- tomás
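
The /proc/<PID>/fd recovery mentioned in the message above, as an added example that is not part of the original mail. The file name, its contents and the `sleep` process standing in for the program that holds the file open are constructed, and a Linux /proc is assumed.

```shell
#!/bin/sh
# Added example: constructed file, constructed holder process.

# list_deleted_fds PID: print "FD<TAB>TARGET" for every descriptor of PID whose
# /proc symlink the kernel has tagged " (deleted)" (no directory entry is left).
list_deleted_fds() {
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *' (deleted)') printf '%s\t%s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# recover_fd PID FD DEST: reopen the inode through /proc and copy its data out.
recover_fd() {
    cat "/proc/$1/fd/$2" > "$3"
}

# demo: delete a file that another process still holds open, then get it back.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed line 1\nconstructed line 2\n' > "$dir/app.log"
    exec 9< "$dir/app.log"              # open before forking, so there is no race
    sleep 30 <&9 >/dev/null 2>&1 &      # stand-in for a daemon holding its log open
    holder=$!
    exec 9<&-                           # only the holder keeps the file open now
    rm "$dir/app.log"                   # name is gone; the blocks stay allocated
    fd=$(list_deleted_fds "$holder" |
         awk -F '\t' -v t="$dir/app.log (deleted)" '$2 == t { fd = $1 } END { print fd }')
    if [ -n "$fd" ] && recover_fd "$holder" "$fd" "$dir/recovered.log"; then
        status=0
    else
        status=1
    fi
    kill "$holder" 2>/dev/null || :     # last descriptor closes: space is freed
    wait "$holder" 2>/dev/null || :
    if [ "$status" -eq 0 ]; then cat "$dir/recovered.log"; fi
    rm -rf "$dir"
    return "$status"
}
```

Calling `demo` prints the two recovered lines. The copy has to be made while the holding process is still alive, because closing the last descriptor is what releases the blocks.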