Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I accidentally executed "rm -rf" on the wrong directory. After going through various posts on several websites, i have tried photorec, testdisk, extundelete. Only following cmd works.
This cmd copies 'all' deleted files on that partition into a RECOVERED_FILES dir inside home dir. This will fill up all the free space i have.
Is there any way to undelete 'only the directory' in its original location. As directory is technical just a file, wont that in turn recover the files under it?
I tried the directory recovery feature of extundelete, but it wont work.
Restoring directories which have been "rm -rf" is generally Black Magic in Linux - there's a thread on it at least once a month here at LQ, and I've never successfully recovered one. The "solution" is to make regular backups, and not to be trigger-happy with your rm's (zsh at least has a feature where it asks you to confirm that you want to delete the contents of a directory, in case you made a typo). Some people also change their 'rm' command for a command which just moves the file(s) to a trash folder, like deleting files using a window manager.
In terms of trying to fix the problem as it is, do you have any external hard drives (or similar) which you could mount to give you extra room (extundelete makes the 'RECOVERED_FILES' directory in the current directory you're in, which doesn't need to be your home directory)? Or moving some of the files on your hard drive to another computer/hard drive, recovering, deleting the ones you don't need, and restoring the files you moved?
@Snark1994
making more space or using external hdd, is pretty much straight forward, if i opt to use the restore-all way. Was seeking help to avoid that.
---
I have been able to get the inode number of the directory that was deleted. Is it possible to grep or dd the 'directory file'? And will getting back 'directory file' in its location lead to reverting back to previous state, i.e, all contents intact?
@chrism01
There is no problem in bulk data retrieval and it is obvious thing that the partition should be kept untouched, until recovery is complete.
@all
Anyone here ever used grep or dd to retrieve back a directory using inode? I have seen examples of retrieving files with inode information, but not sure about retrieving directory & its consequence.
Is there any way to undelete 'only the directory' in its original location.
Apart from manual fiddling with 'debugfs' I'm not aware of any tool that would cause that. (That doesn't mean there aren't any, just that I only know to use common recovery and forensic tools, and yes, I have helped LQ members recover files successfully more than once.) As the others hinted at it would not be a best practice either.
Quote:
Originally Posted by bobobagins
As directory is technical just a file, wont that in turn recover the files under it?
No, that's just wishful thinking. You may have read the "everything is a file" phrase. Simply put this means each single file is represented by a single inode. It tells the file system where to find the (small) file, where to find the first n blocks (larger file, direct blocks) plus where to find the blocks that point to other blocks (indirect secondary and tertiary block addrs). Given aspects like default file system block size, the size of files and the "cost" attached to disk write ops and how the kernel deals with writes it is no wonder block allocation isn't contiguous and given how a file system like Ext deals with allocation there's generally speaking no need for it either. That's files. Directories are files too in the sense that its inode serves as a kind of "index", holding information about the items it contains. This means that once a directory gets deleted the "index", the link between directory inode and file inode, is gone and recreating the directory inode does not automagically mean re-populating its "index".
Tools like Photorec, Scalpel and Foremost try to bypass problems by looking for files directly as file types often have a specific header (see 'man magic') and footer. But since block allocation isn't contiguous this may incorporate for example part of a header-less file B between header A and footer C.
On top of that, by allowing time to pass, not freezing the file system the instant a deletion happened, the system will continue to re-allocate freed up blocks. And every action be it involuntarily like journal syncing, daemons and subsystems running in the background, or voluntarily like any command you execute in the shell, can trigger a write op. The most encountered mistakes I've seen are installing software, rebooting, running fsck on corrupted file systems, not remounting disks in read-only mode (also see "-o ro,norecovery,noload") and not making a copy of the disk or partition before messing with it.
Testdisk allows you to try and "walk" the file system by attaching it to the disk or partition (like for example 'testdisk /debug /log /dev/sda1' for the latter), Proceed > None > Advanced > Undelete. There you should see directories and files in red if unlinked. If it's a very recent deletion you may encounter deleted files listed in the parent directory of the deleted directory where you can select them and copy them to a different partition or disk. Else you can at least use Testdisk as a convenient tool to do recon with and at least verify you can still see items or not. *Talking about convenience: as you can guess from the above file recovery isn't the type of situation where what you would "like" is a valid reason or has any priority but what's possible or not.
Quote:
Originally Posted by bobobagins
Code:
Failed to restore file /media/encryptedPartitionA/mydir/
What does this mean? That the file system to recover from is an encrypted one and you tried to recover to the same file system?
@unSpawn
I had used debugfs earlier to get logdumps of the inode, for using with grep for retrieving the directory file. I wrongly assumed that the index to the underlying files was part of the 'directory file' and was hoping that restoring the 'directory file' will fix things.
Quote:
What does this mean? That the file system to recover from is an encrypted one and you tried to recover to the same file system?
No, it means i did not read the docs carefully. It needs the path relative to the partition, i gave path wrt root.
After giving the relative path, the directory & its contents were recovered. It pretty good, as i didnt had to use the --restore-all option, which recovers deleted stuff from the entire partition.
Thanks for the responses!
Last edited by bobobagins; 02-11-2013 at 09:58 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.