Recover a Deleted File

September 24, 2008

If you run the rm command accidentally and delete an important file, recovery becomes critical under Linux and/or UNIX OSes.

Since Linux is a multiuser and multitasking operating system, other users/processes can overwrite the deleted file's disk space. So you need to take the system down to single user mode.

First use the wall command (only the super-user can write on the terminals of users) to write a message to all users, then use the init (process control initialization) command to take the system to single user mode.
Procedure

Following are generic steps to recover text files.

First use the wall command to tell users that the system is going down to single user mode:
# wall
Output:

System is going down to …. please save your work.

Press CTRL+D to send message.

Next use init 1 command to take system to a single user mode:
# init 1
Using grep (traditional UNIX way) to recover files

Use the following grep syntax:
grep -b 'search-text' /dev/partition > file.txt
OR
grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt
Where,

* -i : Ignore case distinctions in both the PATTERN and the input files, i.e. match both uppercase and lowercase characters.
* -a : Process a binary file as if it were text.
* -B : Print the given number of lines/size of leading context before matching lines.
* -A : Print the given number of lines/size of trailing context after matching lines.

To recover a text file starting with the word "nixCraft" on /dev/sda1 you can try the following command:
# grep -i -a -B10 -A100 'nixCraft' /dev/sda1 > file.txt

Next use vi to see file.txt. This method is ONLY useful if the deleted file is a text file. If you are using the ext2 file system, try out the recover command.
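
A variant of the grep approach above, added here as an example and not part of the original post: it uses the byte offsets from GNU grep's -b option to find each hit and dd to carve a window of bytes around it, instead of the line counts that -B/-A take. The names carve_hits and make_demo_image and the small image file are constructed for illustration; on a real system the image would be the unmounted partition, and the output should be written to a different filesystem.

```shell
#!/bin/sh
# Added example: carve text around a search string in a raw image.
# carve_hits and make_demo_image are illustrative names, not from the post.

# carve_hits PATTERN IMAGE BEFORE AFTER
# For each hit, print BEFORE bytes preceding the match offset and AFTER bytes
# starting at it. IMAGE is only read, never written.
carve_hits() {
    local pattern="$1" image="$2" before="$3" after="$4" off start
    # -a: binary as text, -b: byte offset, -o: match only, -F: fixed string.
    # GNU grep then prints one "offset:match" line per hit.
    LC_ALL=C grep -a -b -o -F -- "$pattern" "$image" | cut -d: -f1 |
    while read -r off; do
        start=$((off - before))
        if [ "$start" -lt 0 ]; then
            start=0                        # clamp at the start of the image
        fi
        dd if="$image" bs=1 skip="$start" \
           count=$((off - start + after)) 2>/dev/null
        printf '\n'                        # separate one hit from the next
    done
}

# make_demo_image FILE
# Build a constructed "partition": 0xFF filler around the body of a text file.
make_demo_image() {
    {
        head -c 4096 /dev/zero | LC_ALL=C tr '\0' '\377'
        printf 'nixCraft notes\nline two of the deleted file\n'
        head -c 4096 /dev/zero | LC_ALL=C tr '\0' '\377'
    } > "$1"
}
```

Usage: make_demo_image /tmp/demo.img; carve_hits nixCraft /tmp/demo.img 0 44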


UNIX / Linux filesystem Inodes

September 24, 2008

The inode (index node) is a fundamental concept in the Linux and UNIX filesystem. Each object in the filesystem is represented by an inode. But what are the objects? Let us try to understand it in simple words. Each and every file under Linux (and UNIX) has the following attributes:

=> File type (executable, block special etc)
=> Permissions (read, write etc)
=> Owner
=> Group
=> File Size
=> File access, change and modification time (remember UNIX or Linux never stores file creation time; this is a favorite question asked in UNIX/Linux sys admin job interviews)
=> File deletion time
=> Number of links (soft/hard)
=> Extended attribute such as append only or no one can delete file including root user (immutability)
=> Access Control List (ACLs)

All the above information is stored in an inode. In short, the inode identifies the file and its attributes (as above). Each inode is identified by a unique inode number within the file system. An inode is also known as an index number.
inode definition

An inode is a data structure on a traditional Unix-style file system such as UFS or ext3. An inode stores basic information about a regular file, directory, or other file system object.

How do I see file inode number?

You can use the ls -i command to see the inode number of a file:
$ ls -i /etc/passwd
Sample Output

32820 /etc/passwd

You can also use the stat command to find out the inode number and its attributes:
$ stat /etc/passwd
Output:

File: `/etc/passwd'
Size: 1988 Blocks: 8 IO Block: 4096 regular file
Device: 341h/833d Inode: 32820 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2005-11-10 01:26:01.000000000 +0530
Modify: 2005-10-27 13:26:56.000000000 +0530
Change: 2005-10-27 13:26:56.000000000 +0530

Inode application

Many commands used by system administrators in UNIX / Linux operating systems give inode numbers to designate a file. Let us see the practical application of the inode number. Type the following commands:
$ cd /tmp
$ touch \"la*
$ ls -l

Now try to remove the file "la*

You can't. To remove files created with control characters, characters which cannot be input on a keyboard, or special characters such as ?, * ^ etc., you have to use the inode number to remove the file.

Find out file inode

First find out the file inode number with any one of the following commands:

stat {file-name}

OR

ls -il {file-name}
Use find command to remove file:

Use find command as follows to find and remove a file:

find . -inum [inode-number] -exec rm -i {} \;

When prompted for confirmation, press Y to confirm removal of the file.
Delete or remove files with inode number

Let us try to delete file using inode number.

(a) Create a hard to delete file name:
$ cd /tmp
$ touch "\+Xy \+\8"
$ ls

(b) Try to remove this file with rm command:
$ rm \+Xy \+\8

(c) Remove file by an inode number, but first find out the file inode number:
$ ls -il
Output:

781956 drwx------ 3 viv viv 4096 2006-01-27 15:05 gconfd-viv
781964 drwx------ 2 viv viv 4096 2006-01-27 15:05 keyring-pKracm
782049 srwxr-xr-x 1 viv viv 0 2006-01-27 15:05 mapping-viv
781939 drwx------ 2 viv viv 4096 2006-01-27 15:31 orbit-viv
781922 drwx------ 2 viv viv 4096 2006-01-27 15:05 ssh-cnaOtj4013
781882 drwx------ 2 viv viv 4096 2006-01-27 15:05 ssh-SsCkUW4013
782263 -rw-r--r-- 1 viv viv 0 2006-01-27 15:49 \+Xy \+\8

Note: 782263 is inode number.

(d) Use find command to delete file by inode:
Find and remove file using find command, type the command as follows:
$ find . -inum 782263 -exec rm -i {} \;

Note that you can also add a \ character before each special character in the filename to remove it directly, so the command would be:
$ rm "\+Xy \+\8"
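
The find-by-inode removal above, wrapped with two guards, as an added example that is not part of the original post: inode numbers are unique only within one filesystem, and hard links give several names the same inode, so the function stays in one directory on one filesystem and refuses unless exactly one name matches. The function names inode_of and rm_by_inode are made up for this example; -maxdepth and -mindepth are GNU/BSD find options.

```shell
#!/bin/sh
# Added example: remove an awkwardly named file by inode, with guards.
# inode_of and rm_by_inode are illustrative names, not from the post.

# inode_of PATH: print the inode number, as `ls -i` reports it.
inode_of() {
    ls -id -- "$1" | awk '{ print $1 }'
}

# rm_by_inode DIR INODE: delete the one name directly inside DIR that has
# inode number INODE. Returns 1 and deletes nothing on 0 or several matches.
rm_by_inode() {
    local dir="$1" inum="$2" hits
    # -mindepth 1 / -maxdepth 1: only entries directly inside DIR.
    # -xdev: stay on DIR's filesystem, because inode numbers are only
    # unique within a single filesystem.
    # One byte is printed per match so odd names cannot skew the count.
    hits=$(find "$dir" -mindepth 1 -maxdepth 1 -xdev -inum "$inum" \
               -exec printf x \; | wc -c)
    if [ "$hits" -ne 1 ]; then
        # 0: wrong inode or directory; more than 1: hard links share the inode.
        echo "refusing: $hits names match inode $inum in $dir" >&2
        return 1
    fi
    find "$dir" -mindepth 1 -maxdepth 1 -xdev -inum "$inum" \
        -exec rm -f -- {} \;
}
```

Usage with the listing above: rm_by_inode /tmp 782263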


Ext3 – Reserved blocks percentage

September 23, 2008

According to the tune2fs manual, reserved blocks are designed to keep your system from failing when you run out of space. It reserves space for privileged processes such as daemons (like syslogd, for ex.) and other root level processes; also the reserved space can prevent the filesystem from fragmenting as it fills up. By default this is 5% regardless of the size of the partition.

On large partitions (250GB drives and up are quite common these days), the default 5% reserved space can be quite a lot (12.5Gb in my example). For ext3 partitions you can tune this parameter by using tune2fs with the parameter -m. For ex. to decrease this to 3% you would run (for ex. on /dev/sda1):

tune2fs -m3 /dev/sda1

You should be very careful when ‘playing’ with this parameter and be sure you know what you are doing before changing this value. ;-)


Load/Unload or Add/Remove Kernel Modules

September 20, 2008

The modprobe program is used to add and remove modules from the Linux kernel. You can add wanted modules or remove unwanted ones.

To add a module:

modprobe modulename

To remove a module:

modprobe -r modulename

Suppose you don't want to remove a module but also don't want it loaded at boot time. In that case, blacklist the module to prevent it from loading at boot.

Add the module name to the file /etc/modprobe.d/blacklist as below and reboot the machine:

blacklist i8xx_tco

After all this, check it using lsmod command.


Console Access and How Linux Shuts Down

September 15, 2008

When normal (non-root) users log into a computer locally, they are given two types of special permissions:

1. They can run certain programs that they would not otherwise be able to run

2. They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access

Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to “win” the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.

In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff, and reboot.
24.1. Disabling Shutdown Via Ctrl-Alt-Del

By default, /etc/inittab specifies that your system is set to shutdown and reboot the system in response to a [Ctrl]-[Alt]-[Del] key combination used at the console. If you would like to completely disable this ability, you will need to comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Alternatively, you may just want to allow certain non-root users the right to shutdown the system from the console using [Ctrl]-[Alt]-[Del]. You can restrict this privilege to certain users, by taking the following steps:

1. Add a -a option to the /etc/inittab line shown above, so that it reads:

ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now

The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you will create in the next step.

2. Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using [Ctrl]-[Alt]-[Del]. The format of the /etc/shutdown.allow file is a list of usernames, one per line, like the following:

stephen
jack
sophie

According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shutdown the system from the console using [Ctrl]-[Alt]-[Del]. When that key combination is used, the shutdown -a in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system will continue; if not, an error message will be written to the system console instead.


Allow any users to Shutdown Linux server

September 15, 2008

You need to use the sudo command to grant permission to other users to shut down your server. sudo allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers file. Log in as the root user and type the visudo command to edit the sudoers file:
Allow any user to shutdown my Linux server

For example, allow user rocky to shutdown computer (first login as a root user):
$ su -
# visudo

Append the following text to the file:
rocky server.mydomain.com=/sbin/halt, /sbin/reboot
Save the file and exit to the shell prompt. Now rocky can halt the server by typing the command:
$ sudo /sbin/halt
Output:

Password:

Please note that at the password prompt rocky needs to type his password.

Another way to allow other users to shut down the server is to add them to the /etc/shutdown.allow access control file. The shutdown command can check to see if an authorized user is logged in on one of the virtual consoles. If the shutdown command is called with the -a argument, it checks to see if the file /etc/shutdown.allow is present. It then compares the login names in that file with the list of people that are logged in on a virtual console; only if one of those authorized users or root is logged in will it proceed. Otherwise, it will write the message

shutdown: no authorized users logged in

First login as a root user:
# touch /etc/shutdown.allow
# echo "username" >> /etc/shutdown.allow
Alternatively, use a text editor such as vi to add the username (Max 32 names are allowed):
# vi /etc/shutdown.allow
Shutdown computer using following command:
$ /sbin/shutdown -a -h 0
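
The check that shutdown -a performs, as described in this post and in the Ctrl-Alt-Del section above, reproduced as an audit helper over saved who output. This is an added example, not code from shutdown itself: the function name allowed_on_console, the constructed who lines, and the rule that a virtual console appears in who as tty<N> are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: would `shutdown -a` find an authorized console user?
# allowed_on_console is an illustrative name; treating tty<N> in `who`
# output as a virtual console is an assumption of this sketch.

# allowed_on_console ALLOW_FILE WHO_FILE
# ALLOW_FILE: shutdown.allow format, one username per line.
# WHO_FILE:   saved output of `who` (columns: USER LINE ...).
# Prints each matching user once; exit status 0 if any, 1 if none.
allowed_on_console() {
    awk '
        FILENAME == ARGV[1] {          # allow list (empty right after touch)
            if (NF) { names++; allow[$1] = 1 }
            next
        }
        # who output: count only logins on tty<N>, not pts/N sessions
        $2 ~ /^tty[0-9]+$/ && ($1 == "root" || ($1 in allow)) {
            if (!seen[$1]++) print $1
            found = 1
        }
        END {
            if (names > 32)
                print "warning: more than 32 names listed" > "/dev/stderr"
            exit !found
        }
    ' "$1" "$2"
}

# demo: constructed data in which only jack is on a virtual console.
demo() {
    local d
    d=$(mktemp -d)
    printf 'stephen\njack\nsophie\n' > "$d/shutdown.allow"
    printf '%s\n' \
        'root     pts/0   2008-09-15 10:01 (192.0.2.10)' \
        'jack     tty2    2008-09-15 10:05' \
        'sophie   pts/1   2008-09-15 10:07 (192.0.2.11)' > "$d/who.txt"
    allowed_on_console "$d/shutdown.allow" "$d/who.txt" ||
        echo 'shutdown: no authorized users logged in'
    rm -rf "$d"
}
```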