Beruflich Dokumente
Kultur Dokumente
http://archive09.linux.com/articles/58142?theme=print
Linux.com
Everything Linux and Open Source
Then have a look at the contents of the file that you just created:
$ less myfile
You should see a plaintext version of lsof's huge man page looking out at you, courtesy of less. Now press Ctrl-Z to suspend less. Back at a shell prompt make sure your file is still there:
$ ls -l myfile -rw-r--r-- 1 jimbo jimbo 114383 Oct 31 16:14 myfile $ stat myfile File: `myfile' Size: 114383 Blocks: 232 IO Block: 4096 Device: 341h/833d Inode: 1276722 Links: 1
regular file
1 of 2
3/10/2013 9:18 AM
http://archive09.linux.com/articles/58142?theme=print
(0644/-rw-r--r--) Uid: ( 1010/ jimbo) 2006-10-31 16:15:08.423715488 -0400 2006-10-31 16:14:52.684417746 -0400 2006-10-31 16:14:52.684417746 -0400
Gid: ( 1010/
jimbo)
Yup, it's there all right. OK, go ahead and oops it:
$ rm myfile $ ls -l myfile ls: myfile: No such file or directory $ stat myfile stat: cannot stat `myfile': No such file or directory $
It's gone. At this point, you must not allow the process still using the file to exit, because once that happens, the file will really be gone and your troubles will intensify. Your background less process in this walkthrough isn't going anywhere (unless you kill the process or exit the shell), but if this were a video or sound file that you were playing, the first thing to do at the point where you realize you deleted the file would be to immediately pause the application playback, or otherwise freeze the process, so that it doesn't eventually stop playing the file and exit. Now to bring the file back. First see what lsof has to say about it:
$ lsof | grep myfile less 4158 jimbo 4r REG 3,65 114383 1276722 /home/jimbo/myfile (deleted)
The first column gives you the name of the command associated with the process, the second column is the process id, and the number in the fourth column is the file descriptor (the "r" means that it's a regular file). Now you know that process 4158 still has the file open, and you know the file descriptor, 4. That's everything you have to know to copy it out of /proc. You might think that using the -a flag with cp is the right thing to do here, since you're restoring the file -- but it's actually important that you don't do that. Otherwise, instead of copying the literal data contained in the file, you'll be copying a now-broken symbolic link to the file as it once was listed in its original directory:
$ ls -l /proc/4158/fd/4 lr-x------ 1 jimbo jimbo 64 Oct 31 16:18 /proc/4158/fd/4 -> /home/jimbo/myfile (deleted) $ cp -a /proc/4158/fd/4 myfile.wrong $ ls -l myfile.wrong lrwxr-xr-x 1 jimbo jimbo 24 Oct 31 16:22 myfile.wrong -> /home/jimbo/myfile (deleted) $ file myfile.wrong myfile.wrong: broken symbolic link to `/home/jimbo/myfile (deleted)' $ file /proc/4158/fd/4 /proc/4158/fd/4: broken symbolic link to `/home/jimbo/myfile (deleted)'
No complaints from cmp -- your restoration is the real deal. Incidentally, there are a lot of useful things you can do with lsof in addition to rescuing lost files. Read in the original layout at: http://archive09.linux.com/articles/58142
2 of 2
3/10/2013 9:18 AM