George R Goffe wrote:
> This tactic would fail if there was no partition mounted but the specific
> mount point was the culprit like when a user gets root (not uncommon in
> the environments I work in) and goofs by copying data to a mount point but
> has NOT mounted a partition first.

There's no way to find such shadowed files. The kernel hides those files
as long as the filesystem is mounted - unless your process still has the
mount point as working directory. The following snippet demonstrates that
by mounting a filesystem with $(pwd) as mountpoint:

linux:/mnt # mkdir d && cd d
linux:/mnt/d # dd if=/dev/zero of=shadowed bs=1M count=20
20+0 records in
20+0 records out
20971520 bytes (21 MB) copied, 3.34181 s, 6.3 MB/s
linux:/mnt/d # dd if=/dev/zero of=../fs.img bs=1M count=20
20+0 records in
20+0 records out
20971520 bytes (21 MB) copied, 0.495561 s, 42.3 MB/s
linux:/mnt/d # mkfs.ext2 -F ../fs.img >/dev/null 2>&1
linux:/mnt/d # mount -o loop -t ext2 ../fs.img $(pwd)
linux:/mnt/d # ls
shadowed
linux:/mnt/d # find . -size +10000000c -ls
151725 20480 -rw-r--r-- 1 root root 20971520 Feb 14 13:09 ./shadowed
linux:/mnt/d # cd /mnt/d
linux:/mnt/d # ls
lost+found
linux:/mnt/d # find . -size +10000000c -ls
linux:/mnt/d # cd ..
linux:/mnt # umount d
linux:/mnt # find . -size +10000000c -ls
151725 20480 -rw-r--r-- 1 root root 20971520 Feb 14 13:09 ./d/shadowed
73888 20480 -rw-r--r-- 1 root root 20971520 Feb 14 13:13 ./fs.img

Have a nice day,
Berny
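
An added example, not part of the original message: a check for the situation George describes, listing fstab mount points that are not currently mounted, so that anything written there lands on the parent filesystem and is shadowed once the mount happens. The function name and the sample fstab and mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# unmounted_targets FSTAB MOUNTINFO
# Print every fstab mount point that is absent from MOUNTINFO (same layout
# as /proc/self/mountinfo, field 5 = mount point). Data written to such a
# directory lands on the parent filesystem and is hidden by a later mount.
unmounted_targets() {
    awk '
        # First file (mountinfo): remember every active mount point.
        FILENAME == ARGV[1] { mounted[$5] = 1; next }
        # Second file (fstab): skip comments and short or blank lines.
        NF < 2 || $1 ~ /^#/ { next }
        # Skip entries without a directory target (swap, "none").
        $2 !~ /^\// { next }
        # Skip entries that are not expected to be mounted at boot.
        $4 ~ /(^|,)noauto(,|$)/ { next }
        {
            mp = $2
            if (mp != "/") sub(/\/+$/, "", mp)   # tolerate "/mnt/d/"
            if (!(mp in mounted)) print mp
        }
    ' "$2" "$1"
}

# Constructed sample data, modelled on the session in the message.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/fstab" <<'EOF'
# device      mountpoint  type  options   dump pass
/dev/sda2     /           ext4  defaults  0 1
/mnt/fs.img   /mnt/d/     ext2  loop      0 0
/dev/sdb1     /backup     ext4  defaults  0 2
/dev/sdc1     /media/usb  vfat  noauto    0 0
/dev/sda3     none        swap  sw        0 0
EOF
    cat > "$tmp/mountinfo" <<'EOF'
22 1 8:2 / / rw,relatime - ext4 /dev/sda2 rw
30 22 7:0 / /mnt/d rw,relatime - ext2 /dev/loop0 rw
EOF
    unmounted_targets "$tmp/fstab" "$tmp/mountinfo"
    rm -rf "$tmp"
}

demo   # prints /backup
```

On a live system the same function can be run as `unmounted_targets /etc/fstab /proc/self/mountinfo`, for example at the start of a backup job before anything is written.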