Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: Phantom Deleted Files in NT 4.0 SP4
From: Peter da Silva (peterGRENDEL.ENG.BAILEYNM.COM)
Date: Wed Jun 28 2000 - 08:56:56 CDT

> In Unix, if I have a file open in some program, like vi for instance, and
> someone deletes it, the file doesn't mysteriously disappear in vi. The
> decision in Unix is not to display the file when doing directory listings
> and allow files with the same path and name to be created. This can cause
> problems if the program that is still holding the original writes out the
> old contents. So the trade-off under Unix is a potential race condition
> on the filename.

This is a misinterpretation of the way UNIX handles file deletion. The
underlying directory structure is subtly different from NT: a directory
entry is just a pointer to the file. You can have as many directory entries
as you want, basically, and they are all identical. All "deleting" a file
does is remove the link. When the number of links to the file and the
number of open file handles on the file reach zero, the file is really

So there's no race condition. If the program that has the file open writes
out the old contents nothing untoward happens.

I suspect you're confused because "vi" doesn't hold a file open while it's
editing it. So if you delete the file and then save it from "vi", "vi" will
happily recreate it when it opens it again. You can argue that this is a
problem with "vi" (though I would argue otherwise, this isn't the
vi-versus-emacsLISTSERV.NTBUGTRAQ.COM mailing list :->), but it's not
a problem with UNIX (after all, a Windows program that reopened the file
would do the same thing).

There is a similar problem in UNIX where (in some variants, at least) you
can't delete a program that's being executed (due to a silly design choice
where having a file open for execution didn't count as an open file handle,
but they didn't want the file going away while it was running). The solution
in UNIX is to rename the file before creating a new one, and deleting the
old one later after the program has exited. I suspect the same thing would
work in NT.

Delivery co-sponsored by eEye Digital Security
Vulnerability Is Over ... eEye Digital Security Announces Retina(tm)

Retina is the first security software application with state-of-the-art
artificial intelligence features that allow it to think like a hacker. Other
security scanners search for known vulnerabilities, Retina uses built-in
features designed to handle 'what if' scenarios. Retina gives you the most
comprehensive network security analysis available. Available for download;