Thursday, December 24, 2009

How to see files hidden behind a mount

Hi!

It's been a while since my last technical post. Yesterday I found myself in a situation where I needed to see some files in a directory that was being used as a mount point for a partition, so the files I needed were hidden, so to speak. After some hacking, I was able to see the files. Here's how it's done.

First, let's set up an environment for our tests. I have some files in /mnt/D/, and /mnt/D/ is on the root partition:

# mount
/dev/sda6 on / type ext3 (rw,relatime,errors=remount-ro)
proc on /proc type proc (rw)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type tmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
# ls /mnt/D/ -l
total 8
-rw-r--r-- 1 root root 6 2009-12-24 14:55 test2.txt
-rw-r--r-- 1 root root 5 2009-12-24 14:55 test.txt
# cat /mnt/D/test2.txt
adios

Now, I use this directory to mount a drive from a Windows host, so after I do that mount:
# ls /mnt/D/ -l
total 884802
-rwxr-xr-x 1 antoranz root 1883 2009-11-27 09:42 20091125.html
-rwxr-xr-x 1 antoranz root 2150 2009-11-27 10:59 20091126.html
-rwxr-xr-x 1 antoranz root 110230 2009-10-17 19:56 3D400055.WAV
-rwxr-xr-x 1 antoranz root 0 2009-12-23 15:10 algodon.txt
drwxr-xr-x 1 antoranz root 0 2009-11-04 15:34 billnew
etc

So the files that were in /mnt/D are now hidden by the new mount. What I did to see the files was to mount the root partition (as that's the partition where the files I need really are) a second time, on another mount point. Let's try to do it directly. As you can see from the mount output I showed before, my root partition is /dev/sda6, so:

# mount -o ro /dev/sda6 /mnt/tmp
mount: /dev/sda6 already mounted or /mnt/tmp busy
mount: according to mtab, /dev/sda6 is mounted on /

I knew it wasn't going to give itself up so easily. But don't panic... there's a way to fool the OS... really! Have you heard of loop devices? Now's a great moment to learn about them... but I won't go into the details. Let's just say they are very useful. Do your homework and find out about them. Let's link /dev/sda6 to a loop device:

# losetup -f -v /dev/sda6
Loop device is /dev/loop0

So /dev/sda6 is now linked to /dev/loop0. Let's try to remount the root partition again to see what happens:

# mount -o ro /dev/loop0 /mnt/tmp
#

The prompt is staring at me and the command didn't complain. Seems like it's done. Let's see what's in /mnt/tmp:

# ls -l /mnt/tmp/
total 108
drwxr-xr-x 2 root root 4096 2009-12-11 21:01 bin
drwxr-xr-x 3 root root 4096 2009-12-24 11:10 boot
lrwxrwxrwx 1 root root 11 2009-08-20 12:06 cdrom -> media/cdrom
etc

The content of the root partition... as expected. Well... let's see if the files I need are still there:
# ls -l /mnt/tmp/mnt/D
total 8
-rw-r--r-- 1 root root 6 2009-12-24 14:55 test2.txt
-rw-r--r-- 1 root root 5 2009-12-24 14:55 test.txt

As you can see, the new mount point is not fooled by the fact that there's something else mounted on /mnt/D. And now, finally, let's see if we can get the original content of the files:

# cat /mnt/tmp/mnt/D/test2.txt
adios

And there you are. Now, a little word of caution. I was able to see the files but the content of the other file appears to be corrupt (I have to find out why), so be careful with what you get at the end. Take it as a nice start.

Merry Xmas, everyone!




1 comment:

  1. Cool trick. But you might try this instead:

    mount --bind /partiallyobscurredmount /mnt/temp

    E.g., if /home is on the root partition / and you set some stuff and then set up the /home mount. Without unmounting /home, simply bind / to a new mount point.

    mount --bind / /mnt/temp
    cd /mnt/temp/home #accessible here!

    Probably a little safer than loopback devices.

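Added example (not code from the post or from the comment): a shell script that turns the trick into a check for every mount point that is hiding files, using the non-recursive bind mount suggested in the comment and the parent IDs in /proc/self/mountinfo. The function names, the --scan switch and the sample mountinfo lines are constructed for illustration; scan_hidden needs root.

```shell
#!/bin/bash
# Constructed sample in /proc/self/mountinfo format (not taken from the post).
# Fields used: 1 = mount ID, 2 = parent mount ID, 5 = mount point.
SAMPLE_MOUNTINFO='22 1 8:6 / / rw,relatime - ext3 /dev/sda6 rw
23 22 0:4 / /proc rw - proc proc rw
24 22 0:16 / /sys rw - sysfs none rw
25 24 0:7 / /sys/kernel/debug rw - debugfs none rw
26 22 0:30 / /mnt/D rw - cifs //winhost/D rw'

# Print the mount points stacked directly on the mount at $1 (mountinfo on stdin).
children_of() {
    awk -v base="$1" '
        BEGIN { baseid = "none" }
        { parent[NR] = $2; mp[NR] = $5; if ($5 == base) baseid = $1 }
        END { for (i = 1; i <= NR; i++)
                  if (parent[i] == baseid && mp[i] != base) print mp[i] }'
}

# Read mount points on stdin; print those whose underlying directory, seen
# through a submount-free view of $1 located at $2, still contains entries.
nonempty_underneath() {
    local base="${1%/}" view="$2" mp
    while IFS= read -r mp; do
        if [ -n "$(ls -A "$view${mp#"$base"}" 2>/dev/null)" ]; then
            printf '%s\n' "$mp"
        fi
    done
}

# Needs root. A plain --bind is not recursive, so the view shows the
# directories of $1 themselves, not whatever is mounted over them.
scan_hidden() {
    local base="${1:-/}" view
    view="$(mktemp -d)" || return 1
    mount --bind "$base" "$view" || { rmdir "$view"; return 1; }
    mount -o remount,bind,ro "$base" "$view"   # make the view read-only
    children_of "$base" < /proc/self/mountinfo |
        grep -vxF "$view" | nonempty_underneath "$base" "$view"
    umount "$view" && rmdir "$view"
}

if [ "${1:-}" = "--scan" ]; then scan_hidden "${2:-/}"; fi
```

A bind mount goes through the filesystem that is already mounted, so it sees the same cached state as the live mount, whereas a second mount of the block device through a loop device reads the disk independently of it.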