While working as an admin, there are times when I would accidentally remove
some important log files or configuration files. If we are working in a
GUI-based Linux environment, we can recover the file from the Trash, but when
we are working in command-line mode it is a little more complex. This article
tells you how to recover a file that was accidentally deleted on the Linux
command line.
Consider a Tomcat process which is sending its log details to a file named
jboss.log, and suppose this file was deleted.
One important thing to keep in mind is that we need to keep the process that
is using the deleted file running, or else the file will be completely deleted.
So in the above case, if the file jboss.log is deleted but the Tomcat process
is still running, we can recover the file.
lsof (List of Open Files) is a command available in Linux that shows which
files are currently open and which process has each of them open, along with
various other options. This command helps us here in recovering the file.
If you just run lsof:
root@hunter-tmp $ lsof | head
COMMAND  PID  USER  FD   TYPE     DEVICE  SIZE/OFF  NODE  NAME
init     1    root  cwd  unknown                          /proc/1/cwd
init     1    root  rtd  unknown                          /proc/1/root
In this output, the Command, PID, and User columns represent the name
of a process, process identifier (PID), and owner's name, respectively. The
Device, SIZE/OFF, Node, and Name columns refer to the file itself, specifying
the name of the disk, size of the file, inode (the file's identification on the
disk), and actual name of the file.
The FD and Type columns are the most important ones and
provide more information on how the file
is being used. The FD column represents the file descriptor, which is how the
application sees the file. The Type column gives more description about what
form the file takes.
The cwd value refers to the application's current
working directory, which is the directory that the application was started from.
A number refers to the application's file descriptor, which is an integer
returned upon opening the file.
So when we execute lsof and grep for the deleted file:
root@hunter - $ lsof | grep jboss.log
java  1786  ds002  85w  REG  253,1  63186  1015840  /software/jboss/6.0/logs/ABC-A2/jboss.log (deleted)
java  4566  ds002  64w  REG  253,1  0      1015847  /software/jboss/6.0/logs/DEF-A2/jboss.log
We can see two files with the same name but the first
says it was deleted. Now this is the file we need to recover.
As I said earlier, a number in the FD column refers to the application's file
descriptor, which is an integer returned upon opening the file. Each
application is initially opened with three file descriptors, 0 through 2, for
the standard input, output, and error streams, respectively. As such, most
opened files from the application start at FD 3.
The letter after the number is the open mode: u means the file has been opened
in read/write mode, rather than read-only (r) or write-only (w).
Now in the above case we can see the descriptor 85w for PID 1786. Thus, the
data is available by looking at /proc/<PID>/fd/
When we go to this location we can see a lot of numbers, each of which is
actually a file descriptor. Among them is an entry named 85, which is a symlink
to the file that was deleted. We can just copy the contents of 85 (which are
actually the contents of the file that we deleted) to another file, and by
this we have the contents of the deleted file.
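The steps above can be wrapped in a small script. This is an added example, not code from the original article: the function name recover_deleted and its arguments are hypothetical, and it assumes a Linux /proc filesystem and that you run it as the process owner or root.

```shell
#!/bin/sh
# Added example (hypothetical helper): recover a deleted file that a
# running process still holds open, using /proc/<PID>/fd as described above.

# recover_deleted PID ORIGINAL_PATH DEST
# Finds the descriptor in /proc/PID/fd whose symlink target is
# "ORIGINAL_PATH (deleted)" and copies the still-live data to DEST.
# Prints the descriptor number on success.
recover_deleted() {
    local pid path dest fd target
    pid=$1
    path=$2
    dest=$3

    if [ ! -d "/proc/$pid/fd" ]; then
        echo "process $pid is not running; the data is gone" >&2
        return 2
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing file $dest" >&2
        return 3
    fi

    for fd in /proc/"$pid"/fd/*; do
        # Each entry is a symlink; the kernel appends " (deleted)" to the
        # target once the last name of the file has been removed.
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$path (deleted)" ]; then
            # Opening /proc/PID/fd/N reaches the inode directly, so the
            # copy works even though the path no longer exists.
            cp -- "$fd" "$dest" || return 1
            echo "${fd##*/}"
            return 0
        fi
    done

    echo "process $pid has no deleted descriptor for $path" >&2
    return 1
}

# Command-line use: recover.sh PID ORIGINAL_PATH DEST
if [ "$#" -eq 3 ]; then
    recover_deleted "$@"
fi
```

The copy is a snapshot: the process keeps writing to the deleted inode, so anything logged after the copy is not in the recovered file.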
Happy Learning