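# Lab Tasks

1. On your own machine, pick any file of roughly 100 MB. Starting from the file path, how do you locate the file's management information (cluster number, file index) and the file contents? Give the lookup process, screenshots, and the reasons.
2. How do you securely delete the file?
3. After the file has been deleted, how do you recover it?
4. Set access permissions on the file. Which contents of the file system does this setting modify?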

• Ubuntu 16.04

• ext4 file system

• debugfs tool

• hexdump tool

# File Lookup Walkthrough

## Target file

/home/yahweh/largefile


| Group 0 Padding | ext4 Super Block | Group Descriptors | Reserved GDT Blocks | Data Block Bitmap | inode Bitmap | inode Table | Data Blocks |
|---|---|---|---|---|---|---|---|
| 1024 bytes | 1 block | many blocks | many blocks | 1 block | 1 block | many blocks | many more blocks |

ext4 standard layout

## ext4 super block

The group 0 padding is a 1024-byte region filled entirely with zeros, so skip it and look directly at the super block of block group 0. Reading the super block:


block_size = 0x1000 = 4096

blocks_per_group = 0x8000 = 32768

group_size = block_size * blocks_per_group = 0x8000000

s_inodes_per_group = 0x2000

s_inode_size = 0x100

s_desc_size = 0x0000, i.e. 64-bit mode is not enabled for the descriptors

Starting in ext4, there is a new feature called flexible block groups (flex_bg). In a flex_bg, several block groups are tied together as one logical block group; the bitmap spaces and the inode table space in the first block group of the flex_bg are expanded to include the bitmaps and inode tables of all other block groups in the flex_bg. For example, if the flex_bg size is 4, then group 0 will contain (in order) the superblock, group descriptors, data block bitmaps for groups 0-3, inode bitmaps for groups 0-3, inode tables for groups 0-3, and the remaining space in group 0 is for file data. The effect of this is to group the block metadata close together for faster loading, and to enable large files to be continuous on disk. Backup copies of the superblock and group descriptors are always at the beginning of block groups, even if flex_bg is enabled. The number of block groups that make up a flex_bg is given by 2 ^ sb.s_log_groups_per_flex.

## Group 0 descriptor structure

Group 0 Descriptor

Descriptor layout

## The root directory's inode

The inode table is a linear array of struct ext4_inode. The table is sized to have enough blocks to store at least sb.s_inode_size * sb.s_inodes_per_group bytes. The number of the block group containing an inode can be calculated as (inode_number - 1) / sb.s_inodes_per_group, and the offset into the group’s table is (inode_number - 1) % sb.s_inodes_per_group. There is no inode 0.

(2-1)%0x2000[s_inodes_per_group]*0x100[s_inode_size]+0x421000[inode_table]
= 0x421100


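The inode in the inode table describes everything about the target file except its file name, including permissions, timestamps, owner, and so on. Its data structure is shown below (see the full table for all fields):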

inode table layout


## Analysis of the root directory's i_block

i_block is the field in the inode that stores the tree structure or the destination block group.

i_blocks

ext4 extent tree

directory entry

## Analysis of /home

(((0xE0)/0x10) * 0x10*0x8000[block_per_group] + 16 * (inode_map_size + block_map_size)) * 0x1000[block_size]= 0x700020 * 0x1000
= 0x700020000


/home inode_table

(0x1c0001 -1) % 0x2000 * 0x100
= 0x0


/home block

## Analysis of /home/yahweh

/home/yahweh block

## Analysis of /home/yahweh/largefile

(0x1cc71e-1) % 0x2000
= 0xc71d


0xc71d * 0x100 + 0x700020000
= 0x700c91d00


/home/yahweh/largefile inode

Traditional, Unix-derived, file systems, like Ext3, use an indirect block mapping scheme to keep track of each block used for the blocks corresponding to the data of a file. This is inefficient for large files, especially during large file delete and truncate operations, because the mapping keeps an entry for every single block, and big files have many blocks -> huge mappings, slow to handle. Modern file systems use a different approach called “extents”. An extent is basically a bunch of contiguous physical blocks. It basically says “The data is in the next n blocks”. For example, a 100 MiB file can be allocated into a single extent of that size, instead of needing to create the indirect mapping for 25600 blocks (4 KiB per block). Huge files are split in several extents. Extents improve the performance and also help to reduce the fragmentation, since an extent encourages continuous layouts on the disk.

/home/yahweh/largefile block

0x877800 	contains 0x800 blocks
0x87c000 	contains 0x800 blocks
0x87e800 	contains 0x800 blocks
0x879000 	contains 0x1000 blocks
0x87d000 	contains 0x1000 blocks
0x89b800 	contains 0x2000 blocks
0x89f000 	contains 0xc00 blocks
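
The seven runs listed above are what an ext4 extent leaf node encodes. As an added example (not part of the original write-up), this parser decodes an extent tree node from raw bytes, such as a hexdump of the leaf block. The sample node is constructed from the listed values, assuming they are physical start blocks and lengths, that logical block numbers run contiguously in the listed order, and that `eh_max` is 340 for a 4096-byte leaf block.

```python
import struct

EXT4_EXT_MAGIC = 0xF30A          # eh_magic of every extent tree node
HDR = struct.Struct("<HHHHI")    # eh_magic, eh_entries, eh_max, eh_depth, eh_generation
LEAF = struct.Struct("<IHHI")    # ee_block, ee_len, ee_start_hi, ee_start_lo
INDEX = struct.Struct("<IIHH")   # ei_block, ei_leaf_lo, ei_leaf_hi, ei_unused

def parse_extent_node(node: bytes):
    """Return (depth, entries). Leaf entries (depth 0) are
    (logical, length, physical, unwritten); index entries are (logical, child_block)."""
    if len(node) < HDR.size:
        raise ValueError("node shorter than extent header")
    magic, count, maximum, depth, _gen = HDR.unpack_from(node, 0)
    if magic != EXT4_EXT_MAGIC:
        raise ValueError(f"bad extent magic {magic:#06x}")
    if count > maximum or HDR.size + count * 12 > len(node):
        raise ValueError("entry count exceeds node capacity")
    entries = []
    for off in range(HDR.size, HDR.size + count * 12, 12):
        if depth == 0:
            lblk, length, hi, lo = LEAF.unpack_from(node, off)
            unwritten = length > 32768       # preallocated but never written
            length = length - 32768 if unwritten else length
            entries.append((lblk, length, (hi << 32) | lo, unwritten))
        else:
            lblk, lo, hi, _unused = INDEX.unpack_from(node, off)
            entries.append((lblk, (hi << 32) | lo))
    return depth, entries

def build_sample_leaf() -> bytes:
    """Constructed leaf node: (start, length) pairs are the page's list; the
    logical block numbers are an assumption (contiguous, in listed order)."""
    runs = [(0x877800, 0x800), (0x87c000, 0x800), (0x87e800, 0x800),
            (0x879000, 0x1000), (0x87d000, 0x1000), (0x89b800, 0x2000),
            (0x89f000, 0xc00)]
    body, lblk = b"", 0
    for start, length in runs:
        body += LEAF.pack(lblk, length, start >> 32, start & 0xFFFFFFFF)
        lblk += length
    return HDR.pack(EXT4_EXT_MAGIC, len(runs), 340, 0, 0) + body

def total_bytes(entries, block_size=0x1000):   # block_size from the super block
    return sum(length for _, length, _, _ in entries) * block_size

if __name__ == "__main__":
    _, extents = parse_extent_node(build_sample_leaf())
    for lblk, length, start, _ in extents:
        print(f"logical {lblk:#x}  len {length:#x}  physical {start:#x}")
    print(total_bytes(extents) // 2**20, "MiB")
```

The seven lengths sum to 0x6400 blocks, which at the 4096-byte block size is exactly 100 MiB, so the listed extents account for the whole file.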


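# Deleting the File

## Normal deletion

• a) The free inode count in the super block is incremented by 1

• b) The group's free inode count in the group descriptor is incremented by 1

• c) The file's inode is released in the group's inode bitmap

• d) The file's blocks are released in the group's block bitmap

• e) The file's information in the directory entry is overwritten

## Secure deletion

• a) Overwrite the inode (to prevent the blocks and file-related information from being found through the inode)

• b) Overwrite all blocks occupied by the file (to prevent an attacker from locating the data blocks of a small file by its file-format signatures)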

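# File Permissions

On Linux-like systems the storage scheme for file permissions is fairly simple. The inode holds all the information about a file, including its permission information. In the inode structure, the double word at 0x0 represents the file's permissions, including the settings for the owner, the group, and others; the file's owner and group information is stored at 0x2 and 0x18.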
