The lsof command has many uses on a Linux system. Recovering accidentally deleted files is one of them, especially log files. This article introduces the method of using the lsof command to recover accidentally deleted files.
Prerequisite: after the file is deleted, a process still has it open and can still access it. The method is therefore best suited to recovering files of the log type.
When a Linux computer is compromised, it is common for log files to be deleted to mask the attacker's trail. Administrative errors can also cause accidental deletion of important files, such as accidentally deleting the active transaction log of the database while cleaning up old logs. Sometimes these files can be recovered by lsof.
When a process opens a file, the file continues to exist on disk for as long as the process keeps it open, even if it is deleted. The process does not know that the file has been deleted, and it can still read and write through the file descriptor it was given when it opened the file. To everything except this process, the file is invisible, because its directory entry has been removed.
The /proc directory contains various files that reflect the kernel and the process tree. /proc is mounted on an area that is mapped in memory, so these files and directories do not exist on disk; when we read and write them, we are actually getting the related information from memory. Most of the information related to lsof is stored in directories named after the PID of each process, that is, /proc/1234 contains information about the process with PID 1234. Each process directory holds various files that give an application a simple view of the process's memory space, its file descriptor list, symbolic links to files on disk, and other system information. The lsof program uses this information, together with other information about the internal state of the kernel, to produce its output. This is how lsof can display information such as a process's file descriptors and the associated file names. In other words, we can find information about a file by accessing the file descriptor of the process that has it open. When a file is accidentally deleted, as long as some process on the system still has the file open, we can restore its contents from the /proc directory with the help of lsof.
If the /var/log/messages file is deleted by mistake, it can be restored as follows. First use lsof to check whether any process currently has the /var/log/messages file open:
# lsof
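The mechanism described above, end to end, as an added example that is not code from the original article: a constructed file in a temporary directory is held open by a background `sleep`, deleted, located through the `/proc/<pid>/fd` links that lsof draws on, and copied back out. The function names and temporary paths are assumptions made for the illustration; nothing under /var/log is touched.

```shell
#!/bin/sh
# Added example: recover a deleted-but-still-open file via /proc/<pid>/fd.
# Run as root to inspect descriptors of processes owned by other users.

# Print each /proc/<pid>/fd/<n> whose link target is "<path> (deleted)".
find_deleted_fds() {
    target="$1 (deleted)"
    for fd in /proc/[0-9]*/fd/*; do
        # readlink fails for processes we may not inspect; skip them
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "$target" ] && printf '%s\n' "$fd"
    done
    return 0
}

# Copy the data behind the first matching descriptor to <dest>.
recover_deleted() {
    fd=$(find_deleted_fds "$1" | head -n 1)
    [ -n "$fd" ] || return 1   # no process holds the file: nothing to recover
    cat "$fd" > "$2"
}

# Constructed scenario: hypothetical log file, holder process, deletion.
demo() {
    dir=$(cd "$(mktemp -d)" && pwd -P)    # physical path, as /proc reports it
    log="$dir/messages"                   # constructed stand-in for a log file
    printf 'constructed line 1\nconstructed line 2\n' > "$log"
    exec 3< "$log"                        # open the file on descriptor 3
    sleep 60 > /dev/null 2>&1 &           # holder inherits descriptor 3
    holder=$!
    exec 3<&-                             # this shell lets go of the file
    rm "$log"                             # the accidental deletion
    recover_deleted "$log" "$dir/messages.recovered" && rc=0 || rc=$?
    kill "$holder" 2>/dev/null || true
    [ "$rc" -eq 0 ] && cat "$dir/messages.recovered"
    rm -rf "$dir"
    return "$rc"
}

demo
```

Once the holding process exits or closes the descriptor, the kernel frees the data and this route no longer works, so the copy has to be taken while the process is still running.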