Previously, I mentioned that I had run across fsdb and planned to spend some time playing around with it. I had some time last week, so here's a few simple notes on it.
There are 2 automagic variables in fsdb: ";" and ".". ";" represents the current i-node, and "." is the current location on disk. Between the two of them, you can do things like "go to i-node X and read the first 16 bytes." Then, since "." has been updated, you can readily read the next 16 bytes from the file, and so on until you hit the end of the file or disk.
All commands (except "shell escape") must begin with an i-node specification. ":" is the current i-node, but you can specify another i-node with "#:inode". The third part of the command tells fsdb how to update the value of ":". "inode mode" updates the value to the given inode, as long as it's already allocated. "dir mode" updates : to the given directory entry, ordered by inode (this is not the same order as the directory listing is in). This makes it much easier to modify directory entries than trying to fill over the correct bytes in the directory.
"?" is the "formatted output" command. It is similar in feel to gdb's "print" command, but there are file-system specific formats, such as "inode" and "dir." ("/" is unformatted output).
Some examples:
/dev/lofi/1 > 2:inode?ino
i#: 2 md: d---rwxr-xr-x uid: 29b7 gid: 12c
ln: 6 bs: 2 sz : c_flags : 0 200
db#0: 170
accessed: Mon Nov 30 16:31:46 2009
modified: Mon Nov 30 16:26:25 2009
created : Mon Nov 30 16:26:25 2009
inode 2 is special in UFS; it is always the root of the filesystem (inode 3 seems to always be lost+found, as well). The output format looks curiously like the output from stat, except that it doesn't actually stat() the file.
/dev/lofi/1 > 2: /dev/lofi/1 > :ls -l /: i#: 2 ./ i#: 2 ../ i#: 4 bin/ i#: d etc/ i#: 3 lost+found/ i#: 5 sbin/
:ls is a shorthand for listing the current directory or inode. There is also :cd which is easier than listing the current directory, finding the entry you want, and then updating the value of : to it.
Note that all the inodes are in hex. There is a :base command to change both the input and output bases (:base=0xa is decimal; :base=0x8 is octal, etc).
Updating a directory entry is done with N:dir=M. This sets directory slot N (starting from 0) to inode M. For example:
/dev/lofi/1 > :cd bin /dev/lofi/1 > :ls -l /bin: i#: 4 ./ i#: 2 ../ i#: 9 alink? i#: a blink? i#: b clink@ i#: 6 cp* i#: 8 ls* i#: 7 mv* /dev/lofi/1 > 6:dir:nm,10/c 58454: b l i n k \0 \0 \0 \0 \0 \0 \? \? \? \0 \? /dev/lofi/1 > 6:dir=0x09 i#: 9 blink /dev/lofi/1 > :ls -l /bin: i#: 4 ./ i#: 2 ../ i#: 9 alink? i#: 9 blink? i#: b clink@ i#: 6 cp* i#: 8 ls* i#: 7 mv*
So, what have we done here? Since blink and alink now share the same inode number, they are hard links of the same symlink. Running 9:inode?ino reveals that fsdb updated the link count for the inode automatically, so we don't have to worry about file system corruption if we unlink one of these later.
N:dir:nm,10/c outputs the first 16 characters of the name of directory slot N (directory slot N's name to ". plus 0x10", unformatted output, characters). The man page seems to point to outputting the name of a file being possible by N:dir:nm,*/c, but that reads to the end of the block, not to the first terminating null.
Renaming a file is done by writing to the "nm" value. This won't allocate any extra space for the filename, so the filename is truncated if it is longer than the already allocated space. Here is the hard way to re-name those nasty files named "\008\008\008\008...".
/dev/lofi/1 > :ls -l /bin: i#: 4 ./ i#: 2 ../ i#: 9 alink? i#: 9 blink? i#: b clink@ i#: 6 cp* i#: 8 ls* i#: 7 mv* /dev/lofi/1 > 7:dir:nm,10/c 58464: c l i n k \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 /dev/lofi/1 > 7:dir:nm="dlink" i#: b dlink /dev/lofi/1 > :ls -l /bin: i#: 4 ./ i#: 2 ../ i#: 9 alink? i#: 9 blink? i#: 6 cp* i#: b dlink@ i#: 8 ls* i#: 7 mv*
Now you can impress all your sysadmin friends by creating hard links and renaming files.
But what about something you can't do with normal shell tools?
/dev/lofi/1 > :cd /dev/lofi/1 > :cd etc /dev/lofi/1 > :ls -l /etc: i#: d ./ i#: 2 ../ i#: e etc@ /dev/lofi/1 > 2:dir:nm,10/c 178c20: e t c \0 t \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 /dev/lofi/1 > 2:dir=0xd i#: d etc /dev/lofi/1 > :ls -l /etc: i#: d ./ i#: 2 ../ i#: d etc/
Exit fsdb and remount the file system to see changes (yes, this is required; I suspected caching, but this occurs even with files that haven't been looked at yet).
$ ls -lain etc
total 6
13 drwxr-xr-x 2 10679 300 512 Nov 30 16:26 .
2 drwxr-xr-x 6 10679 300 512 Nov 30 16:26 ..
13 drwxr-xr-x 2 10679 300 512 Nov 30 16:26 etc
And there you have it, a hard-linked directory. ln has been lying to you this entire time.
:wq
No comments:
Post a Comment