One of the more neat things you can do with the versatile utility lsof is use it to recover a file you’ve just accidentally deleted.
A file in Linux is a pointer to an inode, which contains the file data (permissions, owner and where its actual content lives on the disk). Deleting the file removes the link, but not the inode itself – if another process has it open, the inode isn’t released for writing until that process is done with it.
To try this out, create a test text file, save it and then type less test.txt. Open another terminal window, and type rm testing.txt. If you try ls testing.txt you’ll get an error message. But! less still has a reference to the file. So…
> lsof | grep testing.txt less 4607 user 4r REG 254,4 21 8880214 /home/user/testing.txt (deleted)
The important columns are the second one, which gives you the PID of the process that has the file open (4607), and the fourth one, which gives you the file descriptor (4). Now, we go look in /proc, where there will still be a reference to the inode, from which you can copy the file back out:
> ls -l /proc/4607/fd/4 lr-x------ 1 user user 64 Apr 7 03:19 /proc/4607/fd/4 -> /home/user/testing.txt (deleted) > cp /proc/4607/fd/4 testing.txt.bk
Note: don’t use the -a flag with cp, as this will copy the (broken) symbolic link, rather than the actual file contents.
Now check the file to make sure you’ve got what you think you have, and you’re done!
Related Posts: On this day...
- The Underground Website Where You Can Buy Any Drug Imaginable (made possible by Bitcoin) - 2011
- Supreme Court: Suspects must explicitly invoke Miranda rights - 2010
- Google to employees: "Mac or Linux... but no more Windows" - 2010
- Ubuntu To Pull In New Versions Of Firefox - 2010
- Secrets of the crystal skull - 2010
- Fish: Kids pirate adventure book is great for adults too - 2010
- Google van: "We'll come back and get this street later." - 2009
- Ohh, the irony... Microsoft says "Safari isn't safe on Windows" - 2008