Recovering a deleted file on a Linux operating system if there is still a running process associated with it.
This is very interesting. We know that a filename is just a link to an inode. If we delete a file, only the link between the filename and the inode is removed. The data in the inode remains the same until it is re-added to the free list of inodes and allocated to another file.
We can check this with a small example.
Here we create a text file named filename.txt as follows.
[root@work1 ~]# vi filename.txt
[root@work1 ~]# cat filename.txt
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
[root@work1 ~]#
Now we view that file using less.
[root@work1 ~]# less filename.txt
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
filename.txt (END)
Without quitting less, we delete filename.txt from another terminal.
[root@work1 ~]# rm -rf filename.txt
Now try to cat it. It's gone!
[root@work1 ~]# cat filename.txt
cat: filename.txt: No such file or directory
[root@work1 ~]#
Now use the lsof command to get the PID of the less process associated with filename.txt.
[root@work1 ~]# lsof | grep filename.txt
less 5315 root 4r REG 253,0 140 1115137 /root/filename.txt (deleted)
[root@work1 ~]#
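The second field is the PID, i.e. 5315. The fourth field (4r) shows that the file is open for reading as file descriptor 4.
Now list the file descriptors of that process and cat descriptor 4.
[root@work1 ~]# ls /proc/5315/fd/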
0 1 2 3 4
[root@work1 ~]# cat /proc/5315/fd/4
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
[root@work1 ~]#
You can see it's the very same file content.
Now just copy that to our desired file.
[root@work1 ~]# cp /proc/5315/fd/4 filename.txt
It's done.
[root@work1 ~]# cat filename.txt
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
[root@work1 ~]#
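The same recovery without lsof, generalized to every process, as an added example that is not part of the original post: it walks /proc/<pid>/fd, reports descriptors whose link target ends in " (deleted)", and copies one out. The PROC_ROOT variable, the function names and the script name recover.sh are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post.
# PROC_ROOT is a hypothetical knob so the functions can be pointed at a
# test tree; on a real system leave it at /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "pid fd original-path" for every open descriptor whose symlink
# target ends in " (deleted)", the marker seen in the lsof output above.
# Caveat: a live file literally named "x (deleted)" matches as well.
list_deleted_fds() (
    for link in "$PROC_ROOT"/[0-9]*/fd/*; do
        # readlink fails if the process exited or we lack permission
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") ;;
            *) continue ;;
        esac
        pid=${link#"$PROC_ROOT"/}
        pid=${pid%%/*}
        fd=${link##*/}
        printf '%s %s %s\n' "$pid" "$fd" "${target% (deleted)}"
    done
)

# Copy the data behind <pid>/<fd> to <dest>; never overwrite an existing file.
recover_fd() (
    pid=$1 fd=$2 dest=$3
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        exit 1
    fi
    cp -- "$PROC_ROOT/$pid/fd/$fd" "$dest"
)

# Usage: sh recover.sh list
#        sh recover.sh recover 5315 4 filename.txt
if [ "${1:-}" = "list" ]; then
    list_deleted_fds
elif [ "${1:-}" = "recover" ]; then
    recover_fd "$2" "$3" "$4"
fi
```

Run it as root to see descriptors of processes owned by other users; the copy only works while the process still holds the file open.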
Now let us see the contents of /proc/pid/.
[root@work1 ~]# ls /proc/5354/
attr cmdline cpuset environ fd limits maps mounts oom_adj root smaps statm task
auxv coredump_filter cwd exe limits loginuid mem mountstats oom_score schedstat stat status wchan
[root@work1 ~]#
/proc/[pid]
There is a numerical subdirectory for each running process; the subdirectory is named by the process ID. Each such subdirectory contains the following pseudo-files and directories:
/proc/PID/cmdline
This holds the complete command line for the process, unless the process is a zombie. In the latter case, there is nothing in this file: that is, a read on this file will return 0 characters. The command-line arguments appear in this file as a set of strings separated by null bytes ('\0'), with a further null byte after the last string.
/proc/PID/cpu
The current and last CPU on which the process was executed.
/proc/PID/cwd
This is a symbolic link to the current working directory of the process.
/proc/PID/environ
This file contains the environment for the process.
/proc/PID/exe
Under Linux 2.2 and later, this file is a symbolic link containing the actual pathname of the executed command. This symbolic link can be dereferenced normally; attempting to open it will open the executable.
Under Linux 2.0 and earlier, /proc/[pid]/exe is a pointer to the binary which was executed, and appears as a symbolic link.
/proc/PID/fd
This is a subdirectory containing one entry for each file which the process has open, named by its file descriptor, and which is a symbolic link to the actual file. Thus, 0 is standard input, 1 standard output, 2 standard error, etc.
/proc/PID/maps
A file containing the currently mapped memory regions and their access permissions.
/proc/PID/mem
This file can be used to access the pages of a process's memory through open(2), read(2), and lseek(2).
/proc/PID/root
UNIX and Linux support the idea of a per-process root of the file system, set by the chroot(2) system call. This file is a symbolic link that points to the process's root directory, and behaves as exe, fd/*, etc. do.
/proc/PID/stat
Status information about the process.
/proc/PID/statm
Provides information about memory status in pages.
/proc/PID/status
Provides much of the information in /proc/[pid]/stat and /proc/[pid]/statm in a format that's easier for humans to parse.
For more information regarding the fields under /proc/pid, run the following command:
# man 5 proc