Chapter 9: The Extended Filesystem Family
Two main actions are needed to delete a directory:
- First, the entry in the directory inode of the parent directory is deleted.
- Then the data blocks assigned on the hard disk (an inode and the associated data blocks with
the directory entries) are released.
As the code flow diagram in Figure 9-21 shows, this is done in a few steps.
Decrement usage counterext2_rmdirext2_empty_dirext2_unlinkext2_find_entryext2_delete_entryFigure 9-21: Code flow diagram for
ext2_rmdir.To ensure that the directory to be deleted no longer contains any files, the contents of its data block are
checked using theext2_empty_dirfunction. If the kernel finds only the entries for.and..,thedirectory
is released for deletion. Otherwise, the action is aborted, and an error code (-ENOTEMPTY)isreturned.
Removal of the directory entry from the parent directory is delegated to theext2_unlinkfunction. This
entry is found in the directory table using theext2_find_entryfunction, which scans the individual
directory entries one after the other (the scheme adopted for storing entries is described in Section 9.2.2).
If a matching entry is found, thefunction returns an instance ofext2_dir_entry_2to identify it uniquely.
ext2_delete_entryremoves the entry from the directory table. As described in Section 9.2.2, the data
are not physically deleted from the table. Instead, therec_lenfield of theext2_dir_entry_2structure
is set in such a way that the entry is skipped when the table is traversed. As already noted, this approach
yields substantial benefits in terms of speed, as actual deletion would necessitate rewriting a large
amount of data.
This has both advantages and disadvantages. By inspecting the filesystem structures on the hard
disk (assuming the corresponding permissions to read and write raw data on the partition) it is
possible to recover a deleted file by reactivating the directory entry by resetting therec_lenfield of
its predecessor — if, of course, the allocated blocks have not been overwritten with other data in the
meantime. If sensitive data are deleted, this can prove to be a final lifeline and, of course, a source of
danger because a little technical know-how is all that is needed to access the data if the data blocks have
not yet been overwritten.^20
The kernel has now removed the directory entry from the filesystem, but the data blocks for the inode
and directory contents are still marked as occupied. When are they released?
(^20) Explicitly overwriting the file with null bytes before deletion is a remedy.