Linux file deleted recovery

Question

Is there a way to create a file in Linux that link to a specific iNode? Take this scenario: There is a file that is in course of writing (a log maybe) and the specific file is deleted but a link in the dir /proc is still pointing at it. In this case we need not a bare copy of it but an hard link to it so we can have the future modifications and the most last modification before the process close and the system delete it.

If we have the iNode number is there a way to achieve this goal?

Answer 1

Since there is no Syscall that involves iNode, because is a concept of extX fs and is not a good practice make a stove pipe but it is to make a chain of responsability (as M.E.L. suggests), there is only a NO answer for this question because at VFS level we handle files path and names and not other internal representations.

BUT to achieve the goal to track the most last modification we can use a continous monitoring and duplication with tail:

tail -c+1 -f --pid=PID /proc/PID/fd/FD > /path/to/the/copy

where PID is the pid of the process that have the deleted file still opened and FD is its file descriptor number. With -f tail open and hold the file to display further modification, with -c+1 start to "tail" from the first byte and with --pid=PID tail is informed to exit when the pid exit.

Answer 2

You can use lsof to recover deleted files (sometimes)...

> lsof | grep testing.txt
less    4607    juliet  4r  REG 254,4   21  
       8880214 /home/juliet/testing.txt (deleted)

Be sure to read the original article for full details before attempting this, unless you're a Maveric like me.

> ls -l /proc/4607/fd/4
lr-x------ 1 juliet juliet 64 Apr  7 03:19 
         /proc/4607/fd/4 -> /home/juliet/testing.txt (deleted)
> cp /proc/4607/fd/4 testing.txt.bk

http://www.linuxplanet.com/linuxplanet/tips/6767/1

Enjoy