Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you do not have a backup of the overwritten file you are out of luck....
Remember: Linux and Unix have the "You know what you are doing" philosophy. No "Are you sure" and "Are you really sure" questions by default (opposed to Windows).
If you are worried about this, make an alias for the cp and/or mv commands (in .profile or .bashrc) that includes the -i flag, something like: alias cp='cp -i'. The -i flags does the following: prompt before overwrite.
Let's think about what it means to "overwrite" a file. If I understand it correctly, the filesystem keeps track of filenames and the location(s) of the data on the disk. If, for example, the file is deleted, the actual data is not erased----the system simply releases the blocks and make them available for new data.
If you attempt to write a file with the same name as one existing, then you are prompted as to whether you really intend to do this. If you say yes, it is not obvious to me that the filesystem will use the same physical locations.
Some simple experiments should be able to confirm...
... the filesystem keeps track of filenames and the location(s) of the data on the disk. If, for example, the file is deleted, the actual data is not erased----the system simply releases the blocks and make them available for new data.
That part is true.
Quote:
If you attempt to write a file with the same name as one existing, then you are prompted as to whether you really intend to do this. If you say yes, it is not obvious to me that the filesystem will use the same physical locations.
The bold part is only true if the command/script has been told to do this (using -i with cp/mv or a piece of code that checks the existence of a file and acts accordingly for example).
A simple example:
Code:
$ ls -li lg.lcd.tv.pdf
48963 -rw-r----- 1 druuna internet 11667921 May 29 2009 lg.lcd.tv.pdf
$ ls -li infile
48964 -rw-r----- 1 druuna internet 92 Dec 8 16:14 infile
$ cat infile
foo
-vertical
foobar
barfoo
.
.
$ debugfs /dev/sdb3
debugfs: ls -ld
.
48963 100640 (1) 500 500 11667921 29-May-2009 13:59 lg.lcd.tv.pdf
.
debugfs: imap <48963>
Inode 48963 is part of block group 3
located at block 99040, offset 0x0100
debugfs: quit
$ cp infile lg.lcd.tv.pdf
$ ls -li lg.lcd.tv.pdf
48963 -rw-r----- 1 druuna internet 92 Dec 8 16:14 lg.lcd.tv.pdf
$ cat lg.lcd.tv.pdf
foo
-vertical
foobar
barfoo
.
.
$ debugfs /dev/sdb3
debugfs: ls -ld
.
48963 100640 (1) 500 500 92 8-Dec-2009 16:14 lg.lcd.tv.pd
.
debugfs: imap <48963>
Inode 48963 is part of block group 3
located at block 99040, offset 0x010
The original lg.lcd.tv.pdf is overwritten but still has the same inode index and block group associated with it (= same physical location on disk).
This test is done on an ext3 FS.
Last edited by druuna; 12-11-2009 at 04:27 AM.
Reason: Fixed a typo
I created a small partition and filled it to about 80% with random files.
I then copied a small file to the partition, and noted the location using
Code:
hexdump -C /dev/sda6|grep -C8 keyword
Then:
1. edited the file to be ~10X larger. Repeated the hexdump and found the old file intact, and the new longer file at a new location
2. changed 1 word in the longer file--keeping the file size the same: The system saved this to another new location---and both of the two older files were still visible in the hexdump.
In all cases, the inode number remained the same.
conclusion: Do not assume that over-writing a file destroys the old file.
PS:
I have not done enough testing to know if the behavior is different when modifying and then copying the file vs simply modifying it in place. My intuition is that it should not matter.
@pixellany: Nice test, have to try that and have a better look with debugfs.
At first glance it looks like the (data) blocks that the original file used are not necessarily overwritten, but on an active (running) partition they probably will be in a relative short time due to the "defragmentation" mechanism:
Quote:
Modern Linux filesystem(s) keep fragmentation at a minimum by keeping all blocks in a file close together, even if they can't be stored in consecutive sectors. Some filesystems, like ext3, effectively allocate the free block that is nearest to other blocks in a file.
In theory you can probably restore parts (most?/all??) of the overwritten file by immediately "freezing" the partition it happened on, look for and gather the still available blocks and put them back together (possibly filling in the missing gaps yourself). Having just one partition (probably true for most users) makes this a lot harder to do.
Guess the conclusion should be: Yes, (partial) recovery is theoretically possible, but very hard to do in real life.
HOWTO recover overwritten text file, file copied over with cp
Here is my experience.
I accidentaly copied over a text file using cp. This file I've been editing for
about 3 months now, about once per week.
I use reiserfs filesystem and have a separate partition for /home.
I realized the blunder immediately and took the following steps.
1. I became a root, changed to root's home and unmounted the partition:
$sudo su -
#cd
#umount /home
2. Find out which partition is mounted as /home. In my case it was /dev/sda2
so that's what I'm gonna use from this point on.
3. If it's a text file you've been editing yourself, you probably remember some
words that you used. These words you will use as a search pattern to look for
your file (the more specific the better). You also approximately remember the size
of the file - as a number of lines or smtng. Say, you know that the file was about
800lines long and you know for certain you've had the word "soldier" somewhere
in that file.
4. With this information, you will pattern-search your unmounted /home partition
using the following command:
#grep -a -A800 -B800 'soldier' /dev/sda2 | strings > recovered_file
This might take a while.
5. Look thru the file "recovered_file". It will probably be very large. If you've
edited your lost text file more then once, you will for sure find several
instances of the text file you're looking for. A different copy for every time you edited it. You probably want to recover the very last instance.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.