Wednesday, February 4, 2009

The Linux/Unix SysAdmin Covert File Storage Method Number 57

Hey there,

Today's post is the 57th installment of a two or three part series of posts that refuses to play by the rules. Look for Volume 3 and Issue 437 in the near future ;)

This post's trick (actually it's more of a gimmick - or a way any one of us has probably screwed up at some point in time ;) is fairly simple and, as is generally the case, inversely proportionate in complexity to the work I'm currently getting paid to do so my wife, kids and 5 animals don't go hungry. I'm somewhat obsessive-compulsive and tend to forget to eat more often than I remember to. Metabolism, of course, is just another one of life's cruel jokes. I'm not gigantic, but my waistline implies a lavish and sedentary lifestyle I don't enjoy. Actually, my fitness-oriented friends tell me that I'd lose the spare-tire if I just ate more regularly. While this makes perfect sense, I generally don't ;) ...and then, every once in a while, I digress...

This little goof is pretty simple to pull off (assuming you're a sysadmin and/or have the access, privilege and opportunity to do it) and can be a life-saver. Technically, you shouldn't ever need to do this, but sometimes convenience trumps sanity...

You may recall a post we did a long long time ago, in a galaxy just down the block, regarding finding space hogs on multiple overlay-mounted filesystems. This little way to hide bits of information works relatively along the same lines. The one serious limitation it has is that, while you'll be secretly storing your information, you won't be hiding the actual disk space it consumes, so this method of packing away all the stuff you're not supposed to have on the company's production web server has its limitations.

For today, we'll use a /usr/local mount point that we have on a Solaris machine (independent of the /usr mount point) to demonstrate.

Step 1: Take a lay of the land. In order for this to work, you need to have enough space to stow away what you need to and, hopefully, enough space to make your addition barely noticeable. Our setup isn't bad, especially since the "actual" filesystem that's going to be impacted will be the /usr filesystem underneath /usr/local. (If it were /usr/local, the change might be noticed since the filesystem is so "empty".)

host # ls /usr/local
PKG-Get etc lib lost+found pkgs share
bin info libexec man sbin
host # df -k /usr/local
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s5 51650439 167184 50966751 1% /usr/local
host # df -k /usr
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s3 5233086 3550979 1629777 69% /usr


Step 2: Peel back the carpet. This is where you have to be quick, and is the essence of our little shell-game. First, we'll unmount the /usr/local filesystem, leaving us with this (df -k for /usr/local now shows that it's just a simple directory on /usr):

host # umount /usr/local
host # df -k /usr/local
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s3 5233086 3550979 1629777 69% /usr
host # ls /usr/local


Under normal circumstances, this directory should now be empty (unless someone else is doing the same thing as you, or just forgot to clean up before they created the separate /usr/local overlay mount).

Step 3: Sweep your non-work-related-stuff under the rug, or into the /usr/local directory, as it were:

host # mv non-work-related-stuff /usr/local/
host # ls /usr/local
non-work-related-stuff


Step 4: Make sure things look normal. See if your addition makes a noticeable difference in your df output (It probably won't unless you're going to try and sack-away your mp3 collection ;)

host # df -k /usr
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s3 5233086 3550981 1629775 69% /usr


Step 5: Pretend nothing happened. Once you're satisfied (which should be as soon as possible), remount /usr/local and verify that everything looks the same (excepting your modification of the /usr filesystem):

host # mount /usr/local
host # ls /usr/local
PKG-Get etc lib lost+found pkgs share
bin info libexec man sbin
host # df -k /usr/local
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s5 51650439 167184 50966751 1% /usr/local
host # df -k /usr
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s3 5233086 3550981 1629775 69% /usr


And you're all set. You can get your stuff back eventually (even sooner if you don't care what people think ;)
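
Seen from the auditing side, as an added example that is not part of the original post: the shell functions below list mount points nested inside other filesystems and show anything left in the bare directory underneath one. They assume a non-recursive view of the parent filesystem (on Linux, a bind mount made as root); the function names, the /mnt/view path and the root-device line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Audit for files shadowed beneath mount points (added example).

# nested_mounts: read "device mountpoint" lines on stdin and print every
# mount point that sits inside another listed mount point, followed by its
# closest parent, e.g. "/usr/local /usr".
nested_mounts() {
    awk '{ mp[NR] = $2 }
    END {
        for (i = 1; i <= NR; i++) {
            best = ""
            for (j = 1; j <= NR; j++) {
                p = mp[j]
                if (p == mp[i]) continue
                prefix = p
                if (p != "/") prefix = p "/"
                # Longest matching prefix is the filesystem directly underneath.
                if (index(mp[i], prefix) == 1 && length(p) > length(best)) best = p
            }
            if (best != "") print mp[i], best
        }
    }'
}

# shadowed_entries VIEW PARENT CHILD
# VIEW is a non-recursive view of the PARENT filesystem (assumption: on Linux,
# "mount --bind PARENT VIEW" as root), so the mount covering CHILD is absent
# there. Prints whatever sits in the bare directory; normally nothing.
shadowed_entries() {
    view=$1 parent=$2 child=$3
    rel=${child#"$parent"}      # /usr/local under /usr -> /local
    rel=${rel#/}                # -> local
    dir="$view/$rel"
    [ -d "$dir" ] || return 0
    ls -A "$dir"
}

# Constructed sample mount table: the /usr and /usr/local devices are the ones
# in the df output above, the root line is made up for the example.
SAMPLE_MOUNTS='/dev/dsk/c0t0d0s0 /
/dev/dsk/c0t0d0s3 /usr
/dev/dsk/c0t0d0s5 /usr/local'

printf '%s\n' "$SAMPLE_MOUNTS" | nested_mounts

# On a live Linux host (as root), for each "child parent" pair printed above:
#   mount --bind /usr /mnt/view
#   shadowed_entries /mnt/view /usr /usr/local
#   umount /mnt/view
```

Any output from shadowed_entries is worth a look, since the directory under a mount point is normally empty, as noted in Step 2.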

Of course, that's an old trick, but one we've never covered here. As this blog gets larger, we're going to try and devote a little less time to being original. Of course, we mean that in a good way :) Since this is essentially a knowledge-dumping-ground, meant for users and admins of all skill levels, every post can't be about some crazy way to do something you'd have to be insane to want to do in the first place!

Come on in; the mediocrity's fine ;)

Cheers,

Mike



