1. Why can the files in a directory be recovered after being deleted with rm -rf?
First, create an empty directory named test. The size of the directory is 4096 bytes.
Why is an empty directory still 4096 bytes? First, the directory size depends on the inodes of the files it contains (access time, number of bytes of the file, uid and gid). The size of 4096 is fixed when the file system is created. You can use dumpe2fs to view it.
The default blocksize of the root partition is 4096.
Next, we will continue to create 1000 files in the new test directory.
for ((i=0; i<1000; i++)); do touch file$i; done
Because 1000 new files are created, the size of the test directory also increases. Then, we delete all the files under the test directory and check the test directory again. The directory is empty, but the size of the directory itself remains unchanged. This is the principle behind "data recovery": rm -rf only removes the directory entries (addressed relative to the directory file descriptor, dirfd), while the data blocks, inodes and metadata are still on the disk.
You can use strace to verify this. During rm -rf, two system calls are made: unlinkat() and fstatat64().
The fstatat() system call: get file status relative to a directory file descriptor.
The unlinkat() system call: remove a directory entry relative to a directory file descriptor.
It can be seen that the deletion process only obtains the status of the file relative to the directory file descriptor and removes the corresponding directory entry. In fact, the content of a "directory" is a long series of directory entry data structures; a directory entry describes the file name and the inode address. Because the data blocks, the inodes, and the file metadata stored in the inodes are still on the disk, the directory size remains unchanged after the files in the directory are deleted.
Therefore, it is easy to use photorec to restore the deleted files.
2. File size when editing with vim
We create a file, open it with vim and enter the content "1234567", which is 7 bytes.
Check that the file size is 8 bytes.
If you use od to view the data, you can see that vim automatically adds a one-byte \n line break, so 7 bytes become 8 bytes.
3. Soft link (symlink) size
First, create a soft link named install for the file install.log, then check the size of the soft link install: it is 11 bytes. Why is it 11 bytes? The name of the original file is 11 bytes long, which is correct.
4. How to delete an object
1. Delete the file descriptor. As the first question shows, deleted files can be recovered after executing rm -rf *, that is, the file data can still be accessed, because the data blocks, the inodes, and the metadata stored in the inodes are still on the disk.
2. Delete the metadata. You can use > filename. The actual data in the data blocks remains on the disk.
3. Delete the real data (data blocks). The file needs to be filled with random data before it is deleted.
The sequence is dd if=/dev/random of=filename and then rm -rf filename
In this way, the real data will be deleted. A faster method is to use the /dev/urandom device; although it does not have the randomness of /dev/random, it can be used to erase disk data.
Why is it better to use the /dev/random device than to use the /dev/zero device?
With either device, traces of the previous data (data trace) can still be read. Using /dev/zero makes it easier to read the previous data trace than using /dev/random.
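An added example, not from the original article: the overwrite-then-delete sequence of item 3 written as POSIX shell functions. The function names are chosen here; the overwrite is bounded to the file's current length and done in place, reading from /dev/urandom as the article suggests for speed.

```shell
#!/bin/sh
# Added example (not the article's code). Function names are made up here.

# Size of FILE in bytes; the arithmetic expansion strips wc's padding.
file_size() { echo $(( $(wc -c < "$1") )); }

# Overwrite exactly the existing bytes of FILE with /dev/urandom output.
#  - A fixed byte count stops at the end of the file; an unbounded
#    "dd if=/dev/urandom of=FILE" keeps writing until the disk is full.
#  - conv=notrunc reuses the file's current blocks instead of truncating
#    first, which would free them with the old contents still in place.
overwrite_in_place() (
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2; exit 1
    fi
    size=$(file_size "$f")
    [ "$size" -gt 0 ] || exit 0
    head -c "$size" /dev/urandom |
        dd of="$f" bs=4096 conv=notrunc 2>/dev/null || exit 1
    sync   # flush the overwrite before the name is removed
)

# Overwrite, confirm the length is unchanged, then remove the directory entry.
wipe_file() (
    f=$1
    [ -f "$f" ] || exit 1
    before=$(file_size "$f")
    overwrite_in_place "$f" || exit 1
    [ "$(file_size "$f")" -eq "$before" ] || { echo "size changed: $f" >&2; exit 1; }
    rm -f -- "$f"
)

# Demo on a constructed temporary file with the article's "1234567" content.
demo() (
    tmp=$(mktemp -d) || exit 1
    printf '1234567\n' > "$tmp/secret.txt"
    echo "before: $(od -c "$tmp/secret.txt" | head -n 1)"
    overwrite_in_place "$tmp/secret.txt"
    echo "after:  $(od -An -tx1 "$tmp/secret.txt" | head -n 1)"
    wipe_file "$tmp/secret.txt" && echo "removed"
    rmdir "$tmp"
)
demo
```

Overwriting in place reaches the old blocks only on file systems that rewrite data where it already lives; copy-on-write or log-structured file systems and flash wear levelling can leave the earlier blocks intact.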
This article is from the "Old Xu's Private food" blog and will not be reposted!