Ext* Content Areas - Southern Oregon University


Ext* Content Areas
Inodes, Directories & Files
Review
• Recall …the file system metadata
• The superblock describes the file system
• The group descriptor table describes the equally
sized block groups
• The block bitmap tracks group block allocation
Overview
• Today: The data metadata and contents
• The inode bitmap tracks inode allocation
• The inode table is a block that contains the inodes
– Inode 2 is the root directory
• Each inode contains metadata for, and points to, a
file
• Directories are just special files that point to inode
table entries
• File data is found in the content area blocks of the
block group
Inode Contents (I)
• File size (32 or 64 bit)
• 1st 12 content block addresses
– 1 single-indirect block address
– 1 double-indirect block pointer
• Group ID, user ID (not necessarily real)
– chown, chgrp
– User may not exist in /etc/passwd
• Last Access, modify, change, delete times
Inode Contents (II)
• Mode
– File type
• File, directory, named pipe, Unix socket, block & raw devices
– Permissions
– Special properties (sticky, SUID, SGID)
• Link counter
– 0 → unallocated inode (or orphaned file, will be unallocated when
process ends)
• Many supported attributes
– “don’t update the Access time for files”
– Write-immediate
– Append-only
– Immutable
– Don’t dump (backup)
• Extended attributes created by the user (custom attributes)
Inode Structure (I)
Bytes      Description
0-1        File mode (type & permissions)
2-3        UID lower 2 bytes
4-7        Size lower 4 bytes
8-11       Access Time
12-15      Change Time
16-19      Modification Time
20-23      Delete Time
24-25      GID lower 2 bytes
26-27      Link count
28-31      Sector count
32-35      Flags
36-39      unused
Inode Structure (II)
Bytes      Description
40-87      12 direct block pointers
88-91      1 single-indirect pointer
92-95      1 double-indirect pointer
96-99      1 triple-indirect pointer
100-103    Generation number
104-107    Extended attribute block address
108-111    Size upper 4 bytes OR Directory ACL
112-115    Fragment block address
116-117    Fragment size
118-119    unused
120-121    UID upper 2 bytes
122-123    GID upper 2 bytes
124-124    unused
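The two offset tables above, turned into a parser. This is an added example, not code from the original slides; it assumes a 128-byte little-endian inode, and the names parse_inode and SAMPLE are hypothetical.

```python
import struct
from datetime import datetime, timezone

# 128-byte on-disk inode, little-endian, following the offset tables above.
# Bytes 112-119 (fragment fields) and the unused ranges are skipped with 'x'.
INODE_FMT = "<HHIIIIIHHII4x15IIII8xHH4x"
FILE_TYPES = {0x1000: "named pipe", 0x2000: "character device",
              0x4000: "directory", 0x6000: "block device",
              0x8000: "regular file", 0xA000: "symbolic link",
              0xC000: "socket"}

def _ts(seconds):
    """Render a 32-bit epoch timestamp as UTC; 0 means the field is not set."""
    if seconds == 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()

def parse_inode(raw):
    if len(raw) < struct.calcsize(INODE_FMT):
        raise ValueError("need at least 128 bytes of inode data")
    f = struct.unpack_from(INODE_FMT, raw)
    (mode, uid_lo, size_lo, atime, ctime, mtime, dtime,
     gid_lo, links, sectors, flags) = f[:11]
    pointers = f[11:26]
    generation, xattr_block, size_hi, uid_hi, gid_hi = f[26:31]
    ftype = FILE_TYPES.get(mode & 0xF000, "unknown")
    # Bytes 108-111 are the upper size bits only for regular files.
    size = size_lo | (size_hi << 32) if ftype == "regular file" else size_lo
    return {
        "type": ftype,
        "permissions": format(mode & 0o777, "03o"),
        "suid": bool(mode & 0o4000), "sgid": bool(mode & 0o2000),
        "sticky": bool(mode & 0o1000),
        "uid": uid_lo | (uid_hi << 16), "gid": gid_lo | (gid_hi << 16),
        "size": size, "links": links, "sectors": sectors, "flags": flags,
        "atime": _ts(atime), "ctime": _ts(ctime),
        "mtime": _ts(mtime), "dtime": _ts(dtime),
        "direct": list(pointers[:12]),   # zeros kept: they mark sparse blocks
        "single": pointers[12], "double": pointers[13], "triple": pointers[14],
        # Link count 0 marks an unallocated (or orphaned) inode.
        "allocated": links > 0,
    }

# Constructed sample: SUID regular file, mode 755, UID split across both halves.
SAMPLE = struct.pack(INODE_FMT, 0x8000 | 0o4755, 1000, 5000,
                     1700000000, 1700000100, 1700000100, 0, 100, 1, 16, 0,
                     *([600, 601] + [0] * 13), 7, 0, 0, 1, 0)
```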
Large Files – Indirect Pointers
• With only 12 block addresses, file size is limited (in the
basic case)
• Single-indirection supports larger files by pointing to a
block of addresses
• Addresses are 4 bytes, thus each block stores blocksize / 4 address
pointers
• Double-indirection supports huge files by pointing to a
block of single-indirection addresses
• Triple-indirection points to a block of double-indirection
pointers
• This scheme provides efficiency for smaller files, but the
ability to grow as large as space allows
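The indirection scheme above as a block resolver: it maps a file's logical block number to the pointer level and indices to follow, then walks the indirect blocks to the physical address. This is an added example, not part of the original slides; pointer_path, resolve, the read_block callback and the sample block numbers are all hypothetical and constructed.

```python
import struct

LEVELS = ("single", "double", "triple")

def max_file_blocks(block_size):
    n = block_size // 4                     # 4-byte addresses per block
    return 12 + n + n ** 2 + n ** 3

def pointer_path(logical_block, block_size):
    """Map a file's logical block number to (level, indices to follow)."""
    n = block_size // 4
    if logical_block < 0:
        raise ValueError("negative block number")
    if logical_block < 12:
        return "direct", [logical_block]
    rel = logical_block - 12
    for depth, level in enumerate(LEVELS, start=1):
        if rel < n ** depth:
            # Split rel into one index per indirect block on the way down.
            return level, [(rel // n ** d) % n for d in range(depth - 1, -1, -1)]
        rel -= n ** depth
    raise ValueError("beyond the triple-indirect range")

def resolve(pointers, logical_block, block_size, read_block):
    """Follow the pointers to the physical block address; 0 means a hole."""
    level, indices = pointer_path(logical_block, block_size)
    if level == "direct":
        return pointers[indices[0]]
    addr = pointers[12 + LEVELS.index(level)]
    for i in indices:
        if addr == 0:                       # missing indirect block: sparse
            return 0
        addr = struct.unpack_from("<I", read_block(addr), 4 * i)[0]
    return addr

# Constructed sample, 1024-byte blocks (256 addresses per indirect block).
def _table(addresses):
    return struct.pack("<256I", *(addresses + [0] * (256 - len(addresses))))

BLOCKS = {200: _table([5000 + i for i in range(256)]),   # single-indirect
          300: _table([301]),                             # double-indirect
          301: _table([9000 + i for i in range(256)])}
POINTERS = list(range(100, 112)) + [200, 300, 0]          # 15 inode pointers
```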
Inode Usage
• Inodes 1 – 10 are reserved
– Inode 2 – root directory
– Inode 8 – lost+found
– Allocated blocks without an inode are “lost files”
– These are pointed to by the lost+found inode
• Inode 11 and after – content (files,
directories, devices, links, mount points,
etc.)
Typical Inode/File Relationship
• If the inode represents a Directory
– The inode points to a directory block
• Each directory entry points back to an inode
• If the inode represents a File
– The 12 inode block addresses point to the 1st 12
blocks of the file
– The single-indirect address points to a block of
addresses that are the next m blocks of the file
– Double-indirect address points to a block of single-indirect
addresses that ultimately point to the next n blocks of the file
– Triple-indirect address points to a block of double-indirect addresses
Indirection
[Figure: one inode (pointers only) with entries 1-12, Single-Indirect, Double-Indirect and Triple-Indirect; blocks in the group (blocks 4-9); a single-indirect block holding pointers to content blocks]
Directory Entries
• A directory is just a special type of file
– inode.file mode (type) = directory
– Creating a directory allocates blocks of directory entries
• Each block stores dynamically sized directory entries (the directory “table”),
each describing a file or directory
• Size of each entry is variable
– Variable filename length
– 8 bytes of static information
– Entry size is rounded-up to a multiple of 4
• Four entry attributes
– Name length (1 byte)
– Filename (1-255 chars)
– Inode address of the file content
– Pointer to next directory entry
• Unused entries are “jumped over”
Directory Example
• The first two entries are always . and ..
• Directory table for new directory
Name         Name length    Record length
.            1              12
..           2              4084
• Add a file
Name         Name length    Record length
.            1              12
..           2              12
File1.dat    8              4072
• Last entry always has the remaining length in the
directory block
Directory Entries
Name     .     ..    F1.txt    Old.txt    F2.txt
Inode    75    26    95        35         29
• Each entry points to the next active entry
• Old.txt has been deleted → the entry for F1.txt now
points to F2.txt
• F2.txt points to the end of the directory block → F2.txt is
the last file in the directory
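The directory block described above, walked the way a forensic tool would: follow the record-length chain for active entries, then scan the bytes each entry jumps over for stale entries such as Old.txt. This is an added example, not part of the original slides; the function names and the byte layout of the constructed block (4-byte inode, 2-byte record length, 1-byte name length, 1 skipped byte, then the name) are assumptions of this sketch.

```python
import struct

def _entry(block, off):
    """Decode the static fields plus the name of the entry at 'off'."""
    inode, rec_len, name_len = struct.unpack_from("<IHB", block, off)
    name = block[off + 8:off + 8 + name_len].decode("utf-8", "replace")
    return inode, rec_len, name_len, name

def _needed(name_len):
    """8 static bytes + name, rounded up to a multiple of 4."""
    return (8 + name_len + 3) & ~3

def walk_directory(block):
    """Return (active, deleted) lists of (name, inode) for one directory block."""
    active, deleted, off = [], [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, name = _entry(block, off)
        end = off + rec_len
        if rec_len < 8 or rec_len % 4 or end > len(block):
            break  # corrupt chain: stop instead of looping or over-reading
        if inode:
            active.append((name, inode))
        # Bytes past what this entry needs are "jumped over"; scan them
        # for stale entries left behind by deletions.
        pos = off + _needed(name_len)
        while pos + 8 <= end:
            d_inode, d_len, d_nlen, d_name = _entry(block, pos)
            d_need = _needed(d_nlen)
            if d_nlen and d_len % 4 == 0 and d_need <= d_len and pos + d_need <= end:
                deleted.append((d_name, d_inode))  # inode field reported as found
                pos += d_need
            else:
                pos += 4
        off = end
    return active, deleted

def _pack(inode, rec_len, name):
    raw = struct.pack("<IHBx", inode, rec_len, len(name)) + name.encode()
    return raw.ljust(_needed(len(name)), b"\0")

# Constructed 4096-byte block mirroring the slide: Old.txt was deleted, so
# F1.txt's record length (32) now spans both its own 16 bytes and Old.txt's.
BLOCK = (_pack(75, 12, ".") + _pack(26, 12, "..") + _pack(95, 32, "F1.txt")
         + _pack(35, 16, "Old.txt") + _pack(29, 4040, "F2.txt")).ljust(4096, b"\0")

ACTIVE, DELETED = walk_directory(BLOCK)
```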
Links
• Links are special types of directory entries
– They point to files that already have directory entries
• Hard Link
– another name for the file, in same file system
• The directory entries for . and .. are hard links
– OS creates a new directory entry pointing to the
original inode
• Increments the inode link count
• Soft link
– another name, points to another file system
– OS creates a file of the type “symbolic link”
• Each “file’s” inode link count = 1 (or unchanged)
Mount Points
• Mount points are special types of directory
entries that virtually replace the contents of a
directory by redirecting the directory to another
file system
– FS1 has /dir1/
– FS2 mounts /dir1/
– User cd’s to /dir1 and sees the contents of FS2
• Implication for CF investigations: know where file
systems are mounted, or you’ll miss the real
contents of /dir1/
Inode Time Changes
• Access (A-time)
– File: read contents, copy, move to new volume (no change on
same volume)
– Dir: list contents, open file or subdirectory
• Modify (M-time)
– File: copy (destination only), change contents
• When moving to network file system, might change (→ new file)
– Dir: file create/delete
• Change (C-time) inode metadata
– Dir: content change, permissions/ownership change
– File: same as Dir, plus when moved
• Delete (D-time)
– Initially 0
– If D-time == C-time == M-time → likely a deleted file
Analysis Considerations
• Sparse blocks exist when the file allocated
space, but never used it
• A-Time & M-time are easily set to any value
using touch
• RAM slack space is typically 0’d
– → the only valuable slack is in unallocated blocks
• De-allocated inodes are purged of size &
allocation information
– → must analyze the unallocated blocks directly using
what is known of allocation algorithms and the file
system structures