LA.pm: how perl saved my life

Samy Kamkar [CommPort5] CommPort5 at LucidX.com
Sun Oct 14 14:59:38 CDT 2001


Just about ten minutes ago, I screwed up.  I was working on my 
compression program (and I have a lot of it finished) and then something 
just popped into my head that..something in HTML I wanted to try, so I 
did.  I opened up /webdir/other/tmp.html and played around for a bit 
then when I was finished I wanted to get rid of it, so instead of rm 
/webdir/other/tmp.html, I did rm tmp<TAB> (having bash complete the 
file).  Funny thing was, I wasn't in /webdir/other/, I was in the 
compression code directory and I just happened to name the program 
'tmpbzip'.

bash-2.03$ rm tmpbzip

Bang, I'm dead.

Now I knew the data was still somewhere on the partition, but wouldn't 
be there for long since it would be overwritten very quickly.  So I had 
to think of something fast and didn't want to run any commands or 
anything that would happen to overwrite that data in the partition.  I 
then su'd root for whatever I would need to do and then did a `df`:
su-2.03# df
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1a     49583    29898    15719    66%    /
/dev/ad0s1f   1893575  1430752   311337    82%    /usr
/dev/ad0s1e     19815    11976     6254    66%    /var
procfs              4        4        0   100%    /proc

The file I deleted happened to be on /usr, so I knew that partition was 
/dev/ad0s1f.
The pressure was on, heart was beating *buh-boom..buh-boom*

I also remembered in the header of the program I was working on, a few 
lines after #!/usr/bin/perl, I had the usage statement which went 
something like: bzip [ -fvV123456...
And I also knew /var was on a different fs.  This is good to know if I 
need to write data anywhere because if I write something to /usr, 
there's a big chance my data (program still in the filesystem) will be 
overwritten.

So bam:
su-2.03# perl -e 'open(X,"/dev/ad0s1f");while(sysread(X,$x,4096)){if($l==1){print $x}if($x=~/-fvV123/){$l=1;print $x;}}' > /var/data
... a few minutes go by ...
Oct 14 12:31:49 LucidX /kernel: pid 7643 (perl), uid 0 on /var: file system full

We found something!
I ^C and head /var/data:
su-2.03# head -n 30 /var/data
#!/usr/bin/perl

#
# bzip 0.1
#
# usage: bzip [ -fvV12345679 ] <file>

Perl saved my life.

Just thought this would be cool to share with all of you, just in case 
any of you run into the same problem (I believe ext2 has some type of 
recovery thing you can use but this was on FreeBSD)...

So simply, how the program works, so you all know....(here's a 
nice-a-fied version, I wasn't looking for a clean program at the time :)

# we open the partition for reading, the data is still somewhere in it
open(X, "</dev/ad0s1f") or die "can't open /dev/ad0s1f: $!";
# we read 4096 bytes at a time in a loop over the partition
while (sysread(X, $x, 4096)) {
    if ($l == 1) { # if $l was already set...
        print $x;  # let's get the data
    }
    # otherwise, if our data contains the -fvV123 from the usage...
    elsif ($x =~ /-fvV123/) {
        $l = 1;    # we'll set $l for reading after this 4096 bytes
        print $x;  # and we'll print what we have so far
    }
}
close(X);

Back to working on compression :)
-Samy
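
Added example, not part of Samy's post or his code: a variant of the block scan above that also finds a signature split across two 4096-byte reads and stops after a fixed number of bytes, so the output cannot fill its filesystem the way /var filled up. The carve function name, the 8192-byte cap and the sample image are constructed for illustration.

```perl
# Added example (not from the original post): bounded signature carve.
use strict;
use warnings;
use File::Temp qw(tempfile);

# carve(SOURCE, SIG, MAX, OUT_FH [, BLOCKSIZE]) copies at most MAX bytes to
# OUT_FH, starting with the block in which SIG begins. Returns the byte
# offset of that block, or -1 if SIG was never seen.
sub carve {
    my ($source, $sig, $max, $out, $bs) = @_;
    $bs ||= 4096;
    open(my $in, '<', $source) or die "cannot open $source: $!";  # read-only
    binmode($in);
    my ($prev, $offset, $start, $left, $buf) = ('', 0, -1, $max);
    while ($left > 0 && sysread($in, $buf, $bs)) {
        my @emit;
        if ($start >= 0) {
            @emit = ($buf);                       # already inside the file
        } else {
            # Search previous block + this one: catches a signature split by a boundary.
            my $pos = index($prev . $buf, $sig);
            if ($pos >= 0) {
                my $straddles = $pos < length($prev);
                $start = $straddles ? $offset - length($prev) : $offset;
                @emit  = $straddles ? ($prev, $buf) : ($buf);
            }
        }
        for my $chunk (@emit) {
            $chunk = substr($chunk, 0, $left) if length($chunk) > $left;
            print {$out} $chunk;
            $left -= length($chunk);
        }
        $offset += length($buf);
        $prev = $buf;
    }
    close($in);
    return $start;
}

# Constructed sample image: the signature occupies bytes 8187..8193, across
# the 8192-byte block boundary, so a per-block regex match would miss it.
my ($img_fh, $img) = tempfile(UNLINK => 1);
binmode($img_fh);
print {$img_fh} "\0" x 8155, "#!/usr/bin/perl\n# usage: bzip [ -fvV12345679 ] <file>\n", "\0" x 20000;
close($img_fh);
open(my $out, '>', \my $recovered) or die "in-memory handle: $!";
my $start = carve($img, '-fvV123', 8192, $out);
close($out);
printf "start=%d kept=%d header_found=%s\n", $start, length($recovered), index($recovered, '#!/usr/bin/perl') >= 0 ? 'yes' : 'no';
```

For a real recovery, SOURCE would be the raw partition and OUT_FH a file on a different filesystem, as in the post.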