executable ELF is rm-ed from disk, but still running RAM..
Jonathan Neuschäfer
j.neuschaefer at gmx.net
Mon May 30 12:26:33 EDT 2011
On Mon, May 30, 2011 at 09:49:29PM +0700, Mulyadi Santosa wrote:
> Hi all..
>
> As the subject says, I was thinking about that issue.
>
> I know that rm-ing a file doesn't delete the data block from the
> backing device, thus the executable could still survive and running.
>
> But logically, we usually expect that once a file is rm-ed, it should
> also "stop", right? What does POSIX say about this case anyway? Anyone
> could kindly give his/her opinion?
I think the point is that the file is still "open", i.e. mapped into the
the processes virtual memory, and thus the inode whose seemingly last
reference you've just removed is still referenced.
I'm guessing that from unlink(2): "If the name was the last link to a
file but any processes still have the file open the file will remain in
existence until the last file descriptor referring to it is closed." A
mapping is not a file desciptor but I believe that it behaves similiarly.
But I'm not sure.
Thanks,
Jonathan Neuschäfer
More information about the Kernelnewbies
mailing list