Wednesday, April 25, 2007

[Tip 0.3] ln: do you like it soft or hard?

ln is a Linux command that creates a link to a file. The link can be hard or soft (symbolic); the two behave very differently, and the difference matters when you are trying to delete something for good.

Hard Link:
- creates another directory entry (another name) that refers to the same inode, and so to the same disk blocks
- attributes and permissions belong to the inode, so a change made through one name is seen through every name; removing one name only lowers the link count, and the data is freed when that count reaches zero
- files only (not directories)
- cannot span filesystems (ie. a name on the filesystem on /dev/hda cannot point at an inode on /dev/hdb), because an inode number only means something within one filesystem

Example:
How to create a hard link 'tlink' to the file test (files only, NOT directories):
rex@rexubuntu:~$ ln test tlink

How to create another hard link 'tlink2' to the same file:
rex@rexubuntu:~$ ln test tlink2

How to identify hard links? Issue the command below and look at the first column (inode number) and the third column (link count, the number of names this inode has):
rex@rexubuntu:~$ ls -il
8437999 -rw-r--r-- 3 rex rex 0 2007-04-25 15:02 test
8437999 -rw-r--r-- 3 rex rex 0 2007-04-25 15:02 tlink
8437999 -rw-r--r-- 3 rex rex 0 2007-04-25 15:02 tlink2

Having the same inode number means that test, tlink and tlink2 are three names for the same inode, and so for the same data blocks. They are not copies: there is one file with three names, and the link count of 3 tells you exactly how many names exist. None of the three is more "original" than the others.

Soft Link:
- analogous to a Windows shortcut: a small file of its own (with its own inode) whose content is the path of the target. When the target is removed, the soft link is left dangling (broken).
- because it stores a path rather than an inode number, it can point to a file or a directory, and to a target on another filesystem

Example:
How to create a soft link named 'slink' that points to 'test' (the target can be a file or a directory):
rex@rexubuntu:~$ ln -s test slink
rex@rexubuntu:~$ ls -il
8438031 lrwxrwxrwx 1 rex rex 4 2007-04-25 15:18 slink -> test

Note: ln -s does not check that test exists. If it does not, slink is created anyway and is simply dangling until something with that name appears. (The size 4 in the listing is the length of the string "test", the link's content.)

How to display soft links? Symlinks end with @ when you use the command:
$ ls -F
slink@

or

$ ls -l
lrwxrwxrwx 1 rex rex 4 2007-04-25 15:18 slink -> test
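The behaviour described in the two sections above, as an added example that is not part of the original post: the script creates the post's test, tlink and slink names in a scratch directory, compares inode numbers, writes through one hard-link name, then removes the original name and reports what each link does afterwards. It assumes GNU coreutils (stat -c), as on the Ubuntu system in the post.

```shell
#!/bin/sh
# Added example, not from the original post: create a hard link and a soft link
# to a scratch file, then remove the original name and see what each link does.
# Assumes GNU coreutils (stat -c), as on the Ubuntu system in the post.

# link_demo DIR  -> prints five words:
#   <hard link inode vs original> <soft link inode vs original> <link count>
#   <hard link after rm> <soft link after rm>
link_demo() {
    dir=$1
    printf 'payload\n' > "$dir/test"
    ln "$dir/test" "$dir/tlink"     # hard link: a second name for the same inode
    ln -s test "$dir/slink"         # soft link: a tiny file whose content is the path "test"

    # Inode numbers: the hard link shares one, the symlink has its own.
    if [ "$(stat -c %i "$dir/tlink")" = "$(stat -c %i "$dir/test")" ]; then
        hard_inode=same_inode
    else
        hard_inode=different_inode
    fi
    # No -L here: we want the link itself, not what it points to.
    if [ "$(stat -c %i "$dir/slink")" = "$(stat -c %i "$dir/test")" ]; then
        soft_inode=same_inode
    else
        soft_inode=own_inode
    fi
    links=$(stat -c %h "$dir/test")  # the link count column of ls -l: names for this inode

    # A write through one hard-link name is visible through the other.
    printf 'more\n' >> "$dir/tlink"

    rm "$dir/test"                   # drop the original name only

    # The data survives while any name remains; the symlink now points at nothing.
    if [ "$(cat "$dir/tlink")" = "$(printf 'payload\nmore')" ]; then
        hard=survives
    else
        hard=lost
    fi
    # -e follows the symlink (false once the target is gone); -L tests the link itself.
    if [ -e "$dir/slink" ]; then
        soft=resolves
    elif [ -L "$dir/slink" ]; then
        soft=dangling
    else
        soft=gone
    fi

    echo "$hard_inode $soft_inode $links $hard $soft"
}
```

Run it as `d=$(mktemp -d); link_demo "$d"`: the hard link reports the same inode and keeps the data after the original name is gone, while the symlink has its own inode and is left dangling. Note the -e versus -L distinction, since `[ -e slink ]` being false does not mean the link is gone.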

What if a piece of malware creates several hard links to itself, under random names, so that it cannot be completely deleted? Say you spot the file, terminate the process and rm the file, and the next morning another instance is running. The name you removed was only one of the inode's names; the data, and every other name, are still on disk. To clean the infection you have to find all of them, so the question becomes: given one hard link (the original name or not), how do you find every other name of the same inode?

First, a definition. An inode is the data structure that stores everything about a file in a Unix filesystem except its name: the location of its data blocks, permissions, owner, timestamps and link count. Its number uniquely identifies the file within that filesystem. A file therefore has exactly one inode, and a filename is just a directory entry that pairs a name with an inode number. A hard link is simply a second such entry; a soft link is a separate file, with its own inode, whose data is a path.

How to identify all hard links pointing to the same inode? There is no dedicated tool, but find can do it in one command: it walks from a starting directory and compares each entry's inode with the one you give it. Two forms work:

find <location> -samefile foobar
where foobar is a link you already found (the original name or not) and <location> is the directory to search (/ for the whole tree). -samefile compares the device as well as the inode number, so it will not match an unrelated file on another filesystem.

Another approach is:

find <location> -xdev -inum nnnnnn
where nnnnnn is the inode number of the known file, as shown by "ls -li". Inode numbers are only unique within one filesystem, so -xdev is needed here to stop find from crossing mount points; without it, a different file on another filesystem that happens to have the same number would be reported too. In either form, the link count from ls -l tells you how many names to expect: if find reports fewer, some names live outside <location>, so widen it.
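Both searches above, with the completeness check, as an added example that is not part of the original post. The functions wrap the post's two find invocations and compare the number of names found against the inode's link count, which is how you answer the "are there more copies lurking?" question from the malware scenario. It assumes GNU find and GNU stat (Linux), as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: list every name sharing an inode
# with a given file, and check the count against the inode's own link count so
# you know whether the search root covered all of them. Assumes GNU find and
# GNU stat (Linux), as in the post.

# hardlinks_of FILE ROOT -> one path per line for every name of FILE's inode
# under ROOT. -samefile compares device and inode; -xdev keeps find on the
# filesystem it started in (a hard link can never be on another one anyway).
hardlinks_of() {
    find "$2" -xdev -samefile "$1"
}

# hardlinks_by_inum FILE ROOT -> same result, using the raw inode number as the
# post's second approach does. Inode numbers are only unique within one
# filesystem, so -xdev is required here or an unrelated file on another
# filesystem with the same number would be reported.
hardlinks_by_inum() {
    find "$2" -xdev -inum "$(stat -c %i "$1")"
}

# hardlink_search_status FILE ROOT -> "complete N/N" when every name was found
# under ROOT, "incomplete F/N" when the link count says more names exist
# elsewhere (widen ROOT, ultimately to the mount point of FILE's filesystem).
hardlink_search_status() {
    expected=$(stat -c %h "$1")
    found=$(hardlinks_of "$1" "$2" | wc -l | tr -d ' ')
    if [ "$found" -eq "$expected" ]; then
        echo "complete $found/$expected"
    else
        echo "incomplete $found/$expected"
    fi
}
```

Usage: `hardlink_search_status /path/to/suspect /` lists nothing but tells you whether a search from / would account for every name; `hardlinks_of /path/to/suspect /` prints the names so you can rm each one. Symlinks to the file are not reported by either search, because they have their own inode; they become dangling once the last hard-link name is removed, and -L find tests will then fail on them.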

How to remove a link:
$ rm <linkname>
A link, hard or soft, is just a name, so rm works on it like on any other file. On a soft link, rm removes the link itself, never the target. On a hard link, rm removes that one name and lowers the link count; the data is only freed when the count reaches zero and no process still has the file open. That is why, in the malware case above, you have to find and remove every name and terminate the running process as well.

