James Youngman <[EMAIL PROTECTED]> wrote about recovering the
executable for a running process after the file it was run from has
been removed:
> ls -l /proc/429/exe
> might say:-
> blah blah .... exe -> [0806]:100075
> Where 0806 is the device (in this case /dev/sda6) and the 100075 is
> the inode. You should be able to track down the file with
> find /usr -inum 100075 -print
...
> If there is no name referring to that inode (i.e. the name has been
> deleted), then you will need to create a link to that inode.
...
> Basically, you run debugfs and use
You could avoid the need to muck about with debugfs by doing something
simpler:
cp /proc/429/exe nasty-executable
However, thanks to James' posting, I've learned more about debugfs. :-)
Cheers,
Eric
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
