Why does photorec keep finding files after I have filled the disk free space as root?












7















Before I lend my laptop for a while to my young and linux-savy nephew I want to make sure he's not able to carve into my personal data in the blank space of the drive. I have saturated the blank space in the drive several times with



sudo cat /dev/urandom > some-file


Note the use of sudo, so that the 5% blank space reserved is ignored and the file grows until there is an error.



However, I execute photorec in that partition and then hundreds of old files pop out into existence. So, at least out of curiosity, where are those files stored and why does the random noise not overwrite them?



(The only explanation I have so far is, they might be in the empty space between the end of a file and the end of the sector that contains it. Could that be?)






data-recovery forensics







share|improve this question

























  • @JeffSchaller thanks, at least I'm not alone, makes me feel better ;-)

    – frostschutz
    Feb 26 at 19:19











  • Just wanted to focus on the core of the question...

    – Jeff Schaller
    Feb 26 at 19:21






  • 1





    @JeffSchaller it does not open the file as superuser, but it does write to it as superuser.

    – Uncle Billy
    Feb 26 at 19:39











  • @Mephisto some filesystems store the content of small files and directories directly in the free space from the inode. Or at least so was my impression -- I'll have to check ;-)

    – Uncle Billy
    Feb 26 at 19:43













  • A thing to note is that, photorec might find a lot of old files based on metadata, but is actually unable to fully restore them. Unsuccessfully restored files will just be garbage data or just chunks of files.

    – Robert Riedl
    Feb 27 at 13:07


















7















Before I lend my laptop for a while to my young and linux-savy nephew I want to make sure he's not able to carve into my personal data in the blank space of the drive. I have saturated the blank space in the drive several times with



sudo cat /dev/urandom > some-file


Note the use of sudo, so that the 5% blank space reserved is ignored and the file grows until there is an error.



However, I execute photorec in that partition and then hundreds of old files pop out into existence. So, at least out of curiosity, where are those files stored and why does the random noise not overwrite them?



(The only explanation I have so far is, they might be in the empty space between the end of a file and the end of the sector that contains it. Could that be?)






data-recovery forensics







share|improve this question

























  • @JeffSchaller thanks, at least I'm not alone, makes me feel better ;-)

    – frostschutz
    Feb 26 at 19:19











  • Just wanted to focus on the core of the question...

    – Jeff Schaller
    Feb 26 at 19:21






  • 1





    @JeffSchaller it does not open the file as superuser, but it does write to it as superuser.

    – Uncle Billy
    Feb 26 at 19:39











  • @Mephisto some filesystems store the content of small files and directories directly in the free space from the inode. Or at least so was my impression -- I'll have to check ;-)

    – Uncle Billy
    Feb 26 at 19:43













  • A thing to note is that, photorec might find a lot of old files based on metadata, but is actually unable to fully restore them. Unsuccessfully restored files will just be garbage data or just chunks of files.

    – Robert Riedl
    Feb 27 at 13:07
















7












7








7


1






Before I lend my laptop for a while to my young and linux-savy nephew I want to make sure he's not able to carve into my personal data in the blank space of the drive. I have saturated the blank space in the drive several times with



sudo cat /dev/urandom > some-file


Note the use of sudo, so that the 5% blank space reserved is ignored and the file grows until there is an error.



However, I execute photorec in that partition and then hundreds of old files pop out into existence. So, at least out of curiosity, where are those files stored and why does the random noise not overwrite them?



(The only explanation I have so far is, they might be in the empty space between the end of a file and the end of the sector that contains it. Could that be?)






data-recovery forensics







share|improve this question
















Before I lend my laptop for a while to my young and linux-savy nephew I want to make sure he's not able to carve into my personal data in the blank space of the drive. I have saturated the blank space in the drive several times with



sudo cat /dev/urandom > some-file


Note the use of sudo, so that the 5% blank space reserved is ignored and the file grows until there is an error.



However, I execute photorec in that partition and then hundreds of old files pop out into existence. So, at least out of curiosity, where are those files stored and why does the random noise not overwrite them?



(The only explanation I have so far is, they might be in the empty space between the end of a file and the end of the sector that contains it. Could that be?)






data-recovery forensics




data-recovery forensics






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 27 at 2:21









Community

1




1










asked Feb 26 at 18:25









MephistoMephisto

331215




331215













  • @JeffSchaller thanks, at least I'm not alone, makes me feel better ;-)

    – frostschutz
    Feb 26 at 19:19











  • Just wanted to focus on the core of the question...

    – Jeff Schaller
    Feb 26 at 19:21






  • 1





    @JeffSchaller it does not open the file as superuser, but it does write to it as superuser.

    – Uncle Billy
    Feb 26 at 19:39











  • @Mephisto some filesystems store the content of small files and directories directly in the free space from the inode. Or at least so was my impression -- I'll have to check ;-)

    – Uncle Billy
    Feb 26 at 19:43













  • A thing to note is that, photorec might find a lot of old files based on metadata, but is actually unable to fully restore them. Unsuccessfully restored files will just be garbage data or just chunks of files.

    – Robert Riedl
    Feb 27 at 13:07





















  • @JeffSchaller thanks, at least I'm not alone, makes me feel better ;-)

    – frostschutz
    Feb 26 at 19:19











  • Just wanted to focus on the core of the question...

    – Jeff Schaller
    Feb 26 at 19:21






  • 1





    @JeffSchaller it does not open the file as superuser, but it does write to it as superuser.

    – Uncle Billy
    Feb 26 at 19:39











  • @Mephisto some filesystems store the content of small files and directories directly in the free space from the inode. Or at least so was my impression -- I'll have to check ;-)

    – Uncle Billy
    Feb 26 at 19:43













  • A thing to note is that, photorec might find a lot of old files based on metadata, but is actually unable to fully restore them. Unsuccessfully restored files will just be garbage data or just chunks of files.

    – Robert Riedl
    Feb 27 at 13:07



















@JeffSchaller thanks, at least I'm not alone, makes me feel better ;-)

– frostschutz
Feb 26 at 19:19





@JeffSchaller thanks, at least I'm not alone, makes me feel better ;-)

– frostschutz
Feb 26 at 19:19













Just wanted to focus on the core of the question...

– Jeff Schaller
Feb 26 at 19:21





Just wanted to focus on the core of the question...

– Jeff Schaller
Feb 26 at 19:21




1




1





@JeffSchaller it does not open the file as superuser, but it does write to it as superuser.

– Uncle Billy
Feb 26 at 19:39





@JeffSchaller it does not open the file as superuser, but it does write to it as superuser.

– Uncle Billy
Feb 26 at 19:39













@Mephisto some filesystems store the content of small files and directories directly in the free space from the inode. Or at least so was my impression -- I'll have to check ;-)

– Uncle Billy
Feb 26 at 19:43







@Mephisto some filesystems store the content of small files and directories directly in the free space from the inode. Or at least so was my impression -- I'll have to check ;-)

– Uncle Billy
Feb 26 at 19:43















A thing to note is that, photorec might find a lot of old files based on metadata, but is actually unable to fully restore them. Unsuccessfully restored files will just be garbage data or just chunks of files.

– Robert Riedl
Feb 27 at 13:07







A thing to note is that, photorec might find a lot of old files based on metadata, but is actually unable to fully restore them. Unsuccessfully restored files will just be garbage data or just chunks of files.

– Robert Riedl
Feb 27 at 13:07












3 Answers
3






active

oldest

votes


















16














There may be several misunderstandings here, so the command does not do what you perhaps expect it to.



sudo is superfluous since you don't need sudo to read from /dev/urandom. The > goddamnit part is a shell redirection and thus not covered by sudo at all. So your sudo is super ineffective. (Note: in this particular case, sudo might work as intended regardless, see comments. However, not using sudo this way is a pattern as it bites you in other cases.)



Then, you're writing into a regular file. That does fill up free space - of the filesystem that file happens to reside on. If you have multiple filesystems (one for /, one for /home, boot and swap partitions, etc.) then those are also unaffected.



At best this only overwrites free space. There is no guarantee that it will cover everything (depends on filesystem internals, root reserve, journal, otherwise packed/reserved/etc. sectors), and it does not overwrite any file that is still there regularly (and those can include files hidden away in trashcan / thumbnail / cache folders or just some subdirectory you forgot about).



All of those will still be picked up by photorec since it's never overwritten.



Furthermore, writing this file has to be completed first. So instead of deleting it directly afterwards, you'd have to sync first to make sure all that random data actually hit the disk, and not just some RAM write buffer and never gets written.



So with this method, there is no guarantee for anything. At the same time it's dangerous, as the filesystem will run out of free space, which in turn can cause write failures for all other programs and thus result in unintentional data loss.






share|improve this answer





















  • 4





    The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

    – Mephisto
    Feb 26 at 18:45











  • @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

    – frostschutz
    Feb 26 at 18:49








  • 4





    I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

    – Gilles
    Feb 26 at 19:02






  • 1





    Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

    – frostschutz
    Feb 26 at 19:04






  • 1





    @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

    – Nate Eldredge
    Feb 27 at 14:57



















10














How to get rid of all data, that your nephew should not see



I think there is only one way that is likely to overwrite all the locations, where 'deleted' data might remain.




  • Backup your system (a complete backup). One alternative is to make a cloned image with Clonezilla.


  • Wipe the whole drive (assuming one drive). If an HDD or SSD, there are special tools/methods, that work at a low level (change the mapping between logical and physical memory locations), and they are much faster than for example letting dd overwrite with zeros. You can often access such tools (built-in the drives) via hdparm.


  • Make a fresh installation and hand over the computer to the young and linux-savvy nephew.



The easy way



But if you can afford it, unplug your internal drive and replace it with a fresh drive. Let your nephew install his favourite linux distro :-)






share|improve this answer































    4














    Try using the sfill (Secure fill) tool in secure delete.



    sudo apt-get install secure-delete


    (from https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux )






    share|improve this answer



















    • 2





      This does not answer the question, which asks “why”.

      – Gilles
      Feb 26 at 18:51











    • But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

      – Mephisto
      Feb 26 at 18:52






    • 2





      Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

      – L. Scott Johnson
      Feb 26 at 18:53











    • @Gilles, since this is a XY Question/Problem, I think its still a good answer.

      – Robert Riedl
      Feb 27 at 13:05












    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503184%2fwhy-does-photorec-keep-finding-files-after-i-have-filled-the-disk-free-space-as%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    16














    There may be several misunderstandings here, so the command does not do what you perhaps expect it to.



    sudo is superfluous since you don't need sudo to read from /dev/urandom. The > goddamnit part is a shell redirection and thus not covered by sudo at all. So your sudo is super ineffective. (Note: in this particular case, sudo might work as intended regardless, see comments. However, not using sudo this way is a pattern as it bites you in other cases.)



    Then, you're writing into a regular file. That does fill up free space - of the filesystem that file happens to reside on. If you have multiple filesystems (one for /, one for /home, boot and swap partitions, etc.) then those are also unaffected.



    At best this only overwrites free space. There is no guarantee that it will cover everything (depends on filesystem internals, root reserve, journal, otherwise packed/reserved/etc. sectors), and it does not overwrite any file that is still there regularly (and those can include files hidden away in trashcan / thumbnail / cache folders or just some subdirectory you forgot about).



    All of those will still be picked up by photorec since it's never overwritten.



    Furthermore, writing this file has to be completed first. So instead of deleting it directly afterwards, you'd have to sync first to make sure all that random data actually hit the disk, and not just some RAM write buffer and never gets written.



    So with this method, there is no guarantee for anything. At the same time it's dangerous, as the filesystem will run out of free space, which in turn can cause write failures for all other programs and thus result in unintentional data loss.






    share|improve this answer





















    • 4





      The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

      – Mephisto
      Feb 26 at 18:45











    • @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

      – frostschutz
      Feb 26 at 18:49








    • 4





      I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

      – Gilles
      Feb 26 at 19:02






    • 1





      Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

      – frostschutz
      Feb 26 at 19:04






    • 1





      @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

      – Nate Eldredge
      Feb 27 at 14:57
















    16














    There may be several misunderstandings here, so the command does not do what you perhaps expect it to.



    sudo is superfluous since you don't need sudo to read from /dev/urandom. The > goddamnit part is a shell redirection and thus not covered by sudo at all. So your sudo is super ineffective. (Note: in this particular case, sudo might work as intended regardless, see comments. However, not using sudo this way is a pattern as it bites you in other cases.)



    Then, you're writing into a regular file. That does fill up free space - of the filesystem that file happens to reside on. If you have multiple filesystems (one for /, one for /home, boot and swap partitions, etc.) then those are also unaffected.



    At best this only overwrites free space. There is no guarantee that it will cover everything (depends on filesystem internals, root reserve, journal, otherwise packed/reserved/etc. sectors), and it does not overwrite any file that is still there regularly (and those can include files hidden away in trashcan / thumbnail / cache folders or just some subdirectory you forgot about).



    All of those will still be picked up by photorec since it's never overwritten.



    Furthermore, writing this file has to be completed first. So instead of deleting it directly afterwards, you'd have to sync first to make sure all that random data actually hit the disk, and not just some RAM write buffer and never gets written.



    So with this method, there is no guarantee for anything. At the same time it's dangerous, as the filesystem will run out of free space, which in turn can cause write failures for all other programs and thus result in unintentional data loss.






    share|improve this answer





















    • 4





      The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

      – Mephisto
      Feb 26 at 18:45











    • @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

      – frostschutz
      Feb 26 at 18:49








    • 4





      I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

      – Gilles
      Feb 26 at 19:02






    • 1





      Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

      – frostschutz
      Feb 26 at 19:04






    • 1





      @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

      – Nate Eldredge
      Feb 27 at 14:57














    16












    16








    16







    There may be several misunderstandings here, so the command does not do what you perhaps expect it to.



    sudo is superfluous since you don't need sudo to read from /dev/urandom. The > goddamnit part is a shell redirection and thus not covered by sudo at all. So your sudo is super ineffective. (Note: in this particular case, sudo might work as intended regardless, see comments. However, not using sudo this way is a pattern as it bites you in other cases.)



    Then, you're writing into a regular file. That does fill up free space - of the filesystem that file happens to reside on. If you have multiple filesystems (one for /, one for /home, boot and swap partitions, etc.) then those are also unaffected.



    At best this only overwrites free space. There is no guarantee that it will cover everything (depends on filesystem internals, root reserve, journal, otherwise packed/reserved/etc. sectors), and it does not overwrite any file that is still there regularly (and those can include files hidden away in trashcan / thumbnail / cache folders or just some subdirectory you forgot about).



    All of those will still be picked up by photorec since it's never overwritten.



    Furthermore, writing this file has to be completed first. So instead of deleting it directly afterwards, you'd have to sync first to make sure all that random data actually hit the disk, and not just some RAM write buffer and never gets written.



    So with this method, there is no guarantee for anything. At the same time it's dangerous, as the filesystem will run out of free space, which in turn can cause write failures for all other programs and thus result in unintentional data loss.






    share|improve this answer















    There may be several misunderstandings here, so the command does not do what you perhaps expect it to.



    sudo is superfluous since you don't need sudo to read from /dev/urandom. The > goddamnit part is a shell redirection and thus not covered by sudo at all. So your sudo is super ineffective. (Note: in this particular case, sudo might work as intended regardless, see comments. However, not using sudo this way is a pattern as it bites you in other cases.)



    Then, you're writing into a regular file. That does fill up free space - of the filesystem that file happens to reside on. If you have multiple filesystems (one for /, one for /home, boot and swap partitions, etc.) then those are also unaffected.



    At best this only overwrites free space. There is no guarantee that it will cover everything (depends on filesystem internals, root reserve, journal, otherwise packed/reserved/etc. sectors), and it does not overwrite any file that is still there regularly (and those can include files hidden away in trashcan / thumbnail / cache folders or just some subdirectory you forgot about).



    All of those will still be picked up by photorec since it's never overwritten.



    Furthermore, writing this file has to be completed first. So instead of deleting it directly afterwards, you'd have to sync first to make sure all that random data actually hit the disk, and not just some RAM write buffer and never gets written.



    So with this method, there is no guarantee for anything. At the same time it's dangerous, as the filesystem will run out of free space, which in turn can cause write failures for all other programs and thus result in unintentional data loss.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Feb 27 at 11:39









    Jeff Schaller

    44.4k1162143




    44.4k1162143










    answered Feb 26 at 18:38









    frostschutzfrostschutz

    27.6k15689




    27.6k15689








    • 4





      The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

      – Mephisto
      Feb 26 at 18:45











    • @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

      – frostschutz
      Feb 26 at 18:49








    • 4





      I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

      – Gilles
      Feb 26 at 19:02






    • 1





      Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

      – frostschutz
      Feb 26 at 19:04






    • 1





      @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

      – Nate Eldredge
      Feb 27 at 14:57














    • 4





      The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

      – Mephisto
      Feb 26 at 18:45











    • @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

      – frostschutz
      Feb 26 at 18:49








    • 4





      I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

      – Gilles
      Feb 26 at 19:02






    • 1





      Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

      – frostschutz
      Feb 26 at 19:04






    • 1





      @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

      – Nate Eldredge
      Feb 27 at 14:57








    4




    4





    The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

    – Mephisto
    Feb 26 at 18:45





    The sudo is there to ensure writing to the 5% (or some similar amount) reserved space, otherwise it will stop writing at the same time when the normal user file browsers report 0 bytes. With sudo, it does write an additional 50 GB more or less, don't ask me why.

    – Mephisto
    Feb 26 at 18:45













    @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

    – frostschutz
    Feb 26 at 18:49







    @Mephisto I admit I haven't tested it ( difficult for me since sudo is not installed here ) so I could be wrong about it, and shell redirection only is a problem when trying to write to a file already owned by root ( no permission to open / append as that's done by the shell before sudo runs ).

    – frostschutz
    Feb 26 at 18:49






    4




    4





    I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

    – Gilles
    Feb 26 at 19:02





    I confirm, we were wrong about the reserved space not filling up: what matters is the EUID of the file doing the writing, not the ownership of the file. It makes sense in retrospect — the way the restriction works is that the kernel returns ENOSPC on the write call, and the exception is based on who called write.

    – Gilles
    Feb 26 at 19:02




    1




    1





    Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

    – frostschutz
    Feb 26 at 19:04





    Thanks for confirming, I'd still argue it's bad style to use sudo this way, as it gives the wrong idea about how sudo normally works when writing to files. (I'd also argue that writing random data is better than writing zero, you never know if the filesystem or storage device compresses/deduplicates data.)

    – frostschutz
    Feb 26 at 19:04




    1




    1





    @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

    – Nate Eldredge
    Feb 27 at 14:57





    @larsks: Opening the file will be done as the original user ID (and so it will get the user's ID as its owner). Writing the file (i.e. write(2)) will be done as root, and as Gilles points out, this does in fact avoid the reserved space restriction.

    – Nate Eldredge
    Feb 27 at 14:57













    10














    How to get rid of all data, that your nephew should not see



    I think there is only one way that is likely to overwrite all the locations, where 'deleted' data might remain.




    • Backup your system (a complete backup). One alternative is to make a cloned image with Clonezilla.


    • Wipe the whole drive (assuming one drive). If an HDD or SSD, there are special tools/methods, that work at a low level (change the mapping between logical and physical memory locations), and they are much faster than for example letting dd overwrite with zeros. You can often access such tools (built-in the drives) via hdparm.


    • Make a fresh installation and hand over the computer to the young and linux-savvy nephew.



    The easy way



    But if you can afford it, unplug your internal drive and replace it with a fresh drive. Let your nephew install his favourite linux distro :-)






    share|improve this answer




























      10














      How to get rid of all data, that your nephew should not see



      I think there is only one way that is likely to overwrite all the locations, where 'deleted' data might remain.




      • Backup your system (a complete backup). One alternative is to make a cloned image with Clonezilla.


      • Wipe the whole drive (assuming one drive). If an HDD or SSD, there are special tools/methods, that work at a low level (change the mapping between logical and physical memory locations), and they are much faster than for example letting dd overwrite with zeros. You can often access such tools (built-in the drives) via hdparm.


      • Make a fresh installation and hand over the computer to the young and linux-savvy nephew.



      The easy way



      But if you can afford it, unplug your internal drive and replace it with a fresh drive. Let your nephew install his favourite linux distro :-)






      share|improve this answer


























        10












        10








        10







        How to get rid of all data, that your nephew should not see



        I think there is only one way that is likely to overwrite all the locations, where 'deleted' data might remain.




        • Backup your system (a complete backup). One alternative is to make a cloned image with Clonezilla.


        • Wipe the whole drive (assuming one drive). If an HDD or SSD, there are special tools/methods, that work at a low level (change the mapping between logical and physical memory locations), and they are much faster than for example letting dd overwrite with zeros. You can often access such tools (built-in the drives) via hdparm.


        • Make a fresh installation and hand over the computer to the young and linux-savvy nephew.



        The easy way



        But if you can afford it, unplug your internal drive and replace it with a fresh drive. Let your nephew install his favourite linux distro :-)






        share|improve this answer













        How to get rid of all data, that your nephew should not see



        I think there is only one way that is likely to overwrite all the locations, where 'deleted' data might remain.




        • Backup your system (a complete backup). One alternative is to make a cloned image with Clonezilla.


        • Wipe the whole drive (assuming one drive). If an HDD or SSD, there are special tools/methods, that work at a low level (change the mapping between logical and physical memory locations), and they are much faster than for example letting dd overwrite with zeros. You can often access such tools (built-in the drives) via hdparm.


        • Make a fresh installation and hand over the computer to the young and linux-savvy nephew.



        The easy way



        But if you can afford it, unplug your internal drive and replace it with a fresh drive. Let your nephew install his favourite linux distro :-)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 26 at 19:26









        sudodussudodus

        1,72349




        1,72349























            4














            Try using the sfill (Secure fill) tool in secure delete.



            sudo apt-get install secure-delete


            (from https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux )






            share|improve this answer



















            • 2





              This does not answer the question, which asks “why”.

              – Gilles
              Feb 26 at 18:51











            • But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

              – Mephisto
              Feb 26 at 18:52






            • 2





              Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

              – L. Scott Johnson
              Feb 26 at 18:53











            • @Gilles, since this is a XY Question/Problem, I think its still a good answer.

              – Robert Riedl
              Feb 27 at 13:05
















            4














            Try using the sfill (Secure fill) tool in secure delete.



            sudo apt-get install secure-delete


            (from https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux )






            share|improve this answer



















            • 2





              This does not answer the question, which asks “why”.

              – Gilles
              Feb 26 at 18:51











            • But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

              – Mephisto
              Feb 26 at 18:52






            • 2





              Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

              – L. Scott Johnson
              Feb 26 at 18:53











            • @Gilles, since this is a XY Question/Problem, I think its still a good answer.

              – Robert Riedl
              Feb 27 at 13:05














            4












            4








            4







            Try using the sfill (Secure fill) tool in secure delete.



            sudo apt-get install secure-delete


            (from https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux )






            share|improve this answer













            Try using the sfill (Secure fill) tool in secure delete.



            sudo apt-get install secure-delete


            (from https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux )







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Feb 26 at 18:38









            L. Scott JohnsonL. Scott Johnson

            2006




            2006








            • 2





              This does not answer the question, which asks “why”.

              – Gilles
              Feb 26 at 18:51











            • But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

              – Mephisto
              Feb 26 at 18:52






            • 2





              Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

              – L. Scott Johnson
              Feb 26 at 18:53











            • @Gilles, since this is a XY Question/Problem, I think its still a good answer.

              – Robert Riedl
              Feb 27 at 13:05














            • 2





              This does not answer the question, which asks “why”.

              – Gilles
              Feb 26 at 18:51











            • But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

              – Mephisto
              Feb 26 at 18:52






            • 2





              Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

              – L. Scott Johnson
              Feb 26 at 18:53











            • @Gilles, since this is a XY Question/Problem, I think its still a good answer.

              – Robert Riedl
              Feb 27 at 13:05








            2




            2





            This does not answer the question, which asks “why”.

            – Gilles
            Feb 26 at 18:51





            This does not answer the question, which asks “why”.

            – Gilles
            Feb 26 at 18:51













            But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

            – Mephisto
            Feb 26 at 18:52





            But that thing, acording to man sfill will do a lot of passes of zeros, noise and special values. This is overwriting the same area I overwrite with one (actually 4 by now) pass. Those files must be stored somewhere else.

            – Mephisto
            Feb 26 at 18:52




            2




            2





            Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

            – L. Scott Johnson
            Feb 26 at 18:53





            Well, I would say it's overwriting the area you intend to overwrite but are not quite successfully overwriting.

            – L. Scott Johnson
            Feb 26 at 18:53













            @Gilles, since this is a XY Question/Problem, I think its still a good answer.

            – Robert Riedl
            Feb 27 at 13:05





            @Gilles, since this is a XY Question/Problem, I think its still a good answer.

            – Robert Riedl
            Feb 27 at 13:05


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503184%2fwhy-does-photorec-keep-finding-files-after-i-have-filled-the-disk-free-space-as%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How do I know what Microsoft account the skydrive app is syncing to?

            Image
            up vote 4 down vote favorite 1 Some time ago, I set up skydrive for my wife on her mac. But now she wants to access the files online, I cannot remember what Microsoft account I setup and linked her skydive app to and nor can I see anything in the skydrive app settings to tell me either? How can I see the name of the Microsoft account the skydive app is currently linked to? I would like to know this for skydrive app for Mac and PC onedrive share | improve this question asked Feb 25 '13 at 4:52 Gary Barrett 260 2 5 12
            Read more

            When does type information flow backwards in C++?

            Image
            up vote 62 down vote favorite 19 I just watched Stephan T. Lavavej talk at CppCon 2018 on "Class Template Argument Deduction", where at some point he incidentally says: In C++ type information almost never flows backwards ... I had to say "almost" because there's one or two cases, possibly more but very few . Despite trying to figure out which cases he might be referring to, I couldn't come up with anything. Hence the question: In which cases the C++17 standard mandates that type information propagate backwards? c++ language-lawyer c++17 share | improve this question edited 7 hours ago scohe0
            Read more

            Grease: Live!

            Image
            A tradução deste artigo está abaixo da qualidade média aceitável. É possível que tenha sido feita por um tradutor automático ou por alguém que não conhece bem o português ou a língua original do texto. Caso queira colaborar com a Wikipédia, tente encontrar a página original e melhore este verbete conforme o guia de tradução. Grease: Live! Grease: Live!  (PRT/BRA)  Estados Unidos 2016 •   cor •   130 min. min   Direção Thomas Kail Alex Rudzinski Produção Marc Platt Adam Siegel Roteiro Allan Carr Robert Cary Warren Casey Jim Jacobs Jonathan Tolins Bronte Woodard Baseado em Grease (musical) Grease (filme) Elenco Julianne Hough Aaron Tveit Vanessa Hudgens Carlos Pena Jr. Keke Palmer Carly Rae Jepsen Kether Donohue Jordan Fisher David Del Rio Andrew Call Gênero Musical Música Tom Kitt Figurino William Ivey Long Companhia(s) produtora(s) Warner Bros. Studios Distribuição Fox Lançamento 31 de Janei
            Read more