Is it really impossible to recover files that have been deleted by mistake under Linux?
Mistakenly deleted files can be restored in two cases
- One is that deletion information exists in the process after deletion
- One is to delete the process can not be found, only with the help of tools to restore.
Today we will only analyze the process that exists after the file has been deleted
This is usually the case when an active process has continuous standard input or output and the process PID persists after the file is deleted. This is why some servers delete files but do not release disks
Case presentation
Create a file
> vim rumenz. TXT 123 // Save and exit > cat rumenz. TXT 123Copy the code
withtail -f
Open therumenz.txt
file
The purpose is to make rumenz.txt exist even after it is deleted
> tail -f rumenz.txt
Copy the code
Delete a new terminalrumenz.txt
> rm -f rumenz.txt
Copy the code
Find a footprintrumenz.txt
The process of
- Lsof Checks whether the deleted file process still exists.
- Yum install lsof apt-get install lsof
> lsof | grep delete | grep rumenz tail root 3 r REG 253, 1 10222 4 70911074 / root/test/rumenz. TXT (does)Copy the code
The process ID is 10222, and the current file status is deleted.
Restore files
- /proc/10222/fd: file descriptor directory for process operations
> cd /proc/10222/fd > ls -al dr-x------ 2 root root 0 May 11 21:41 . dr-xr-xr-x 9 root root 0 May 11 21:41 .. lrwx------ 1 root root 64 May 11 21:41 0 -> /dev/pts/1 lrwx------ 1 root root 64 May 11 21:41 1 -> /dev/pts/1 lrwx------ 1 root root 64 May 11 21:41 2 -> /dev/pts/1 lr-x------ 1 root root 64 May 11 21:41 3 -> /root/test/rumenz.txt (deleted) lr-x------ 1 root root 64 May 11 21:41 4 -> anon_inode:inotifyCopy the code
Start restoring files
> cp 3 /root/test/rumenz.txt
> cat /root/test/rumenz.txt
123
Copy the code
The root cause of recovery
When program is running, the system will set up a memory area, provide for the use of the current process, depending on the file, the operating system will issue a file descriptor, so as to read and write files, when we perform rm -f deleting files, actually just delete the file directory index node, for the file system is not visible, However, it is still visible to the process that opened it, that is, the file can still be read and written using the previously issued file descriptor, so we can use I/O redirection to restore the file.
Original link :rumenz.com/rumenbiji/l… Wechat official account: entry station