Just a little useful trick, if you’ve ever had need of it.

If you have files in lsof that are “deleted”, but still being held open by a process, it is actually possible to restore that file.

To show you what I mean, I have created a basic test file:

[darke@pabu ~]$ cat file
this is my test file

In one terminal, I open that file with less. In another, once the file is open in less, I delete the file. If I search lsof for deleted files with that file name:

[darke@pabu ~]$ lsof | grep deleted | grep file
less 8351 darke 4r REG 253,3 22 118 /home/darke/file (deleted)

Now, if I close less, the file will vanish forever. However, as long as less has it open, I can pull the file out of /proc based on the above information. The relevant fields you need are the second and fourth (process ID and file descriptor):

[root@pabu ~]# cp /proc/8351/fd/4 /home/darke/file-restore
[root@pabu ~]# cat /home/darke/file-restore
this is my test file

This is a limited use case, as it depends on the file still being open by something. However, if you’ve ever been stuck trying to figure out what deleted tmp files being held open by apache are (for example), it can be quite useful.


Category: advice

Leave a Reply

Categories


gives good tech

tech.superhappykittymeow.com
Kale is one of the smartest people I know

Racker Hacker
Major is always good for leet deetz