[vox-tech] Identifying the directory that contains the
currently running executable?
ME
dugan at passwall.com
Fri Aug 27 11:21:13 PDT 2004
Ken Bloom said:
> I guess that solves the C program problem, because I can use getpid()
> to fill in the blank, and readlink(2) to find the elf executable.
>
> That is one wierd symlink. ME wrote in May
> (http://www.lugod.org/mailinglists/archives/vox-tech/2004-05/msg00247.html)
> about deleting the executable file, then recovering it from
> /proc/$PID/exe, so I had assumed it wasn't a symlink. Looking at it
> harder, symlinks can't usually point to deleted files [1], but this one
> can! You can recover the exe with cat, but not with cp. Really wierd.
Well, the /proc filesystem is not a "normal" filesystem, but is more like
a kind of collection of data stored in memory and "pointers" to other
data.
("Normal" meaning it is not used so much to create files on a disk as we
think files exists on disks.)
I think that the behavior you see when accessing the symlink is one of two
properties or a combination of two properties:
1) A file is not actually deleted until all link to the file are destroyed
(not talking symlinks) and all processes that have opened that file, close
the file. (The file may not be listed as available for opening if all the
links to it are gone, but I do not think the file space is freed by the
filesystem until the last process with the file open closes it-- could be
wrong here.)
2) The file that is loaded into memory can effectively be written fromm
memory back out to a file. The thing that looks like a symlink in proc may
not actually be a conventional symlink.
I have not looked at proc in detail enough as of late to see how much each
of these play a role in grabbing copies of deleted applications from proc
if they are still running on the system.
More information about the vox-tech
mailing list