Skip to main content

Bring back deleted files with lsof

There you are, happily playing around with an audio file you've spent all afternoon tweaking, and you're thinking, "Wow, doesn't it sound great? Lemme just move it over here." At that point your subconscious chimes in, "Um, you meant mv, not rm, right?" Oops. I feel your pain -- this happens to everyone. But there's a straightforward method to recover your lost file, and since it works on every standard Linux system, everyone ought to know how to do it.

Briefly, a file as it appears somewhere on a Linux filesystem is actually just a link to an inode, which contains all of the file's properties, such as permissions and ownership, as well as the addresses of the data blocks where the file's content is stored on disk. When you rm a file, you're removing the link that points to its inode, but not the inode itself; other processes (such as your audio player) might still have it open. It's only after they're through and all links are removed that an inode and the data blocks it pointed to are made available for writing.

This delay is your key to a quick and happy recovery: if a process still has the file open, the data's there somewhere, even though according to the directory listing the file already appears to be gone.

This is where the Linux process pseudo-filesystem, the /proc directory, comes into play. Every process on the system has a directory here with its name on it, inside of which lies many things -- including an fd ("file descriptor") subdirectory containing links to all files that the process has open. Even if a file has been removed from the filesystem, a copy of the data will be right here:

/proc/process id/fd/file descriptor

To know where to go, you need to get the id of the process that has the file open, and the file descriptor. These you get with lsof, whose name means "list open files." (It actually does a whole lot more than this and is so useful that almost every system has it installed. If yours isn't one of them, you can grab the latest version straight from its author.)

Once you get that information from lsof, you can just copy the data out of /proc and call it a day.

This whole thing is best demonstrated with a live example. First, create a text file that you can delete and then bring back:

$ man lsof | col -b > myfile

Then have a look at the contents of the file that you just created:

$ less myfile

You should see a plaintext version of lsof's huge man page looking out at you, courtesy of less.

Now press Ctrl-Z to suspend less. Back at a shell prompt make sure your file is still there:

$ ls -l myfile  -rw-r--r--  1 jimbo jimbo 114383 Oct 31 16:14 myfile  $ stat myfile    File: `myfile'    Size: 114383          Blocks: 232        IO Block: 4096   regular file  Device: 341h/833d       Inode: 1276722     Links: 1  Access: (0644/-rw-r--r--)  Uid: ( 1010/    jimbo)   Gid: ( 1010/    jimbo)  Access: 2006-10-31 16:15:08.423715488 -0400  Modify: 2006-10-31 16:14:52.684417746 -0400  Change: 2006-10-31 16:14:52.684417746 -0400  

Yup, it's there all right. OK, go ahead and oops it:

$ rm myfile  $ ls -l myfile  ls: myfile: No such file or directory  $ stat myfile  stat: cannot stat `myfile': No such file or directory  $  

It's gone.

At this point, you must not allow the process still using the file to exit, because once that happens, the file will really be gone and your troubles will intensify. Your background less process in this walkthrough isn't going anywhere (unless you kill the process or exit the shell), but if this were a video or sound file that you were playing, the first thing to do at the point where you realize you deleted the file would be to immediately pause the application playback, or otherwise freeze the process, so that it doesn't eventually stop playing the file and exit.

Now to bring the file back. First see what lsof has to say about it:

$ lsof | grep myfile  less      4158    jimbo    4r      REG       3,65   114383   1276722 /home/jimbo/myfile (deleted)  

The first column gives you the name of the command associated with the process, the second column is the process id, and the number in the fourth column is the file descriptor (the "r" means that it's a regular file). Now you know that process 4158 still has the file open, and you know the file descriptor, 4. That's everything you have to know to copy it out of /proc.

You might think that using the -a flag with cp is the right thing to do here, since you're restoring the file -- but it's actually important that you don't do that. Otherwise, instead of copying the literal data contained in the file, you'll be copying a now-broken symbolic link to the file as it once was listed in its original directory:

$ ls -l /proc/4158/fd/4  lr-x------  1 jimbo jimbo 64 Oct 31 16:18 /proc/4158/fd/4 -> /home/jimbo/myfile (deleted)  $ cp -a /proc/4158/fd/4 myfile.wrong  $ ls -l myfile.wrong  lrwxr-xr-x  1 jimbo jimbo 24 Oct 31 16:22 myfile.wrong -> /home/jimbo/myfile (deleted)  $ file myfile.wrong  myfile.wrong: broken symbolic link to `/home/jimbo/myfile (deleted)'  $ file /proc/4158/fd/4  /proc/4158/fd/4: broken symbolic link to `/home/jimbo/myfile (deleted)'  

So instead of all that, just a plain old cp will do the trick:

$ cp /proc/4158/fd/4 myfile.saved

And finally, verify that you've done good:

$ ls -l myfile.saved  -rw-r--r--  1 jimbo jimbo 114383 Oct 31 16:25 myfile.saved  $ man lsof | col -b > myfile.new  $ cmp myfile.saved myfile.new  

No complaints from cmp -- your restoration is the real deal.

Incidentally, there are a lot of useful things you can do with lsof in addition to rescuing lost files.

source: http://archive09.linux.com/articles/58142

Popular posts from this blog

How To Setup FTP server on centos 7 ( VSFTP )

From :  http://www.krizna.com/centos/setup-ftp-server-centos-7-vsftp/ FTP server is used to exchange files between computers over network . This guide helps you to setup ftp server on centos 7 . This guide contains configuration steps for both FTP and SFTP as well as user creation . Here i've used VSFTP package which is secure and less vulnerable . 1.  FTP Server 2.  SFTP Server 3.  User creation Setup FTP server on centos 7 Step 1 »  Update your repository and install VSFTPD package . [root@krizna ~]# yum check-update [root@krizna ~]# yum -y install vsftpd Step 2 »  After installation you can find  /etc/vsftpd/vsftpd.conf  file which is the main configuration file for VSFTP. Take a backup copy before making changes . [root@krizna ~]# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/ vsftpd.conf.org Now open the file and make changes as below [root@krizna ~]# nano /etc/vsftpd/vsftpd.conf Find this line  anonymous_enable=YES  ( Line no : 12 ) and change value to NO to disable anonymous FTP ac...

15 Linux lsof Command Examples (Identify Open Files)

lsof stands for List Open Files. It is easy to remember lsof command if you think of it as "ls + of", where ls stands for list, and of stands for open files. It is a command line utility which is used to list the information about the files that are opened by various processes. In unix, everything is a file, ( pipes, sockets, directories, devices, etc.). So by using lsof, you can get the information about any opened files. 1. Introduction to lsof Simply typing lsof will provide a list of all open files belonging to all active processes. # lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 8,1 4096 2 / init 1 root txt REG 8,1 124704 917562 /sbin/init init 1 root 0u CHR 1,3 0t0 4369 /dev/null init 1 root 1u CHR 1,3 0t0 4369 /dev/null init 1 root 2u CHR ...

Privacy Policy

Another Pratama Privacy Statement What follows is the Privacy Statement for all Another Pratama websites (a.k.a. blogs) including all the websites run under the computer.pratama.us domain. Please read this statement regarding our blogs. If you have questions please ask us via our contact form. Email Addresses You may choose to add your email address to our contact list via the forms on our websites. We agree that we will never share you email with any third party and that we will remove your email at your request. We don’t currently send advertising via email, but in the future our email may contain advertisements and we may send dedicated email messages from our advertisers without revealing your email addresses to them. If you have any problem removing your email address please contact us via our contact form. Ownership of Information Another Pratama is the sole owner of any information collected on our websites. Comments/Message Boards Most Another Pratama websites contain com...