Modern desktop and graphical environments offer a trash folder. This location permits retrieving a "deleted" file before it is irrecoverably erased. When you're using a terminal, trash commands send files to the trash folder as a staging area. But what happens when you tell your Linux computer to delete a file with the rm command? Does it delete the file?

File removal

Different interactions occur when you delete a file, mainly depending on the filesystem (EXT4, XFS, BtrFS, and so on) the system uses. Without dwelling on filesystem specifics, it's always possible to monitor exactly what happens when you invoke the rm command.

First, create a test file named example.txt:

    $ echo "This is a test file" > example.txt

Get some additional information about the file with the stat command:

    $ stat example.txt
    Context: unconfined_u:object_r:user_home_t:s0

The stat command output displays the filesystem's block size, how many blocks the file uses, and so on. (Don't worry, this article does not require any math!) The most important information in this example is the inode number. In this example, that's:

    Inode: 17198515

What is an inode?

An inode holds metadata about a file. It includes the file's size, where to find the blocks that contain the file's contents, the file mode, and so on.

There are tools to find block information about a file. These commands are specific to the filesystem. For example, in XFS, it is the xfs_bmap command.

If you proceed with deletion, you're going to need them!

The strace command

A system call ("syscall" for short) is the programmatic way a program requests a service from the kernel. Strace is a powerful tool that allows you to trace the thin layer between user processes and the Linux kernel.

To understand the interaction between the file and the syscall you make with rm, you can monitor the deletion process with strace:

    $ strace --follow-forks \

Using /tmp/rm_log.txt as a record, you can see important information about the rm process execution. First, notice the process ID (PID):

    1727 execve("/usr/bin/rm", ,

You can also see that the system verifies the stat of the file with the syscall newfstatat:

    1727 17:26:04.489674 newfstatat(AT_FDCWD, "example.txt",, AT_SYMLINK_NOFOLLOW) = 0

- st_ino=17198515: The inode number containing all the file metadata.
- st_uid=1001, st_gid=1001: The user ID (UID) and group ID (GID) owner of the file.
- st_mtime=1663169061: Time of last modification.
- st_ctime=1663169061: Time of last status change.

The executable rm has successfully accessed the file, as indicated by the W_OK marker:

    1727 17:26:04.489705 faccessat(AT_FDCWD, "example.txt", W_OK) = 0

Next, the process makes the unlinkat syscall:

    1727 17:26:04.489724 unlinkat(AT_FDCWD, "example.txt", 0) = 0

And the file is deleted from the folder:

    $ ls -la

The unlink syscall has deleted a name from the filesystem, possibly the file it refers to. Here's more information from the unlink man page:

    unlink() deletes a name from the filesystem.
    If that name was the last link to a file and no processes have
    the file open, the file is deleted and the space it was using

Recover a deleted file

Earlier in the article, I used the xfs_bmap tool to obtain the block used by the file in the filesystem.
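The unlink man page excerpt quoted above ties deletion to two conditions: the last link is gone and no process has the file open. The following C program is an added example, not code from the original article: it replays the newfstatat, faccessat and unlinkat sequence from the strace log while holding a descriptor open, and shows the link count dropping to 0 while the contents stay readable. The function name and the /tmp file name are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the article): create `name`, keep it open,
 * then remove it with the calls rm made in the trace. Returns the link count
 * seen through the open descriptor afterwards (-1 on error) and copies the
 * data that is still readable into buf. */
long unlink_while_open(const char *name, char *buf, size_t buflen)
{
    const char msg[] = "This is a test file\n"; /* content of the article's example.txt */
    struct stat st;
    ssize_t n;
    long result = -1;

    int fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600); /* O_EXCL: never follow a planted name */
    if (fd < 0)
        return -1;
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        goto out;
    /* Same sequence as in /tmp/rm_log.txt: stat, write-access check, unlink. */
    if (fstatat(AT_FDCWD, name, &st, AT_SYMLINK_NOFOLLOW) != 0 || st.st_nlink != 1)
        goto out;
    if (faccessat(AT_FDCWD, name, W_OK, 0) != 0)
        goto out;
    if (unlinkat(AT_FDCWD, name, 0) != 0)
        goto out;
    /* The name must now be gone from the directory. */
    if (faccessat(AT_FDCWD, name, F_OK, 0) == 0)
        goto out;
    /* The inode survives while fd is open: link count 0, data intact. */
    if (fstat(fd, &st) != 0 || (n = pread(fd, buf, buflen - 1, 0)) < 0)
        goto out;
    buf[n] = '\0';
    result = (long)st.st_nlink;
out:
    close(fd); /* last reference dropped; only now can the blocks be freed */
    return result;
}

int main(void)
{
    char buf[64] = "";
    long nlink = unlink_while_open("/tmp/unlink_demo_example.txt", buf, sizeof buf);
    printf("link count after unlinkat: %ld, still readable: %s", nlink, buf);
    return nlink == 0 ? 0 : 1;
}
```

On Linux, such a still-open inode also appears under /proc/<pid>/fd/ marked "(deleted)", so checking open descriptors before stopping a process is a standard step when a file has to be recovered or preserved as evidence.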