0

I have just asked in an interview that if someone mistakenly deletes apache logfile from /var/log/apache/access.log while it's being written, can you recover it?

After my answer interviewer said that we can recover the inode details of the apache process from the /proc file system and then can recover those files. I couldn't understand that properly as it was over the phone.

So can anyone please explain how?

Improve this question
1

1 Answer 1

Reset to default
1

Unfortunately it is not possible to link a new name to the inode in the filesystem.

But you can copy the content of the file to a new file:

# in shell 1 bash -c 'echo $$; exec cat >delfile' 27225

So you have to determine the PID of the process which keeps the file open. Then you determine the file descriptor of the deleted file:

# in shell 2, same directory $ rm delfile $ ll /proc/27225/fd insgesamt 0 lrwx------ 1 hl hauke 64 20. Jun 00:38 0 -> /dev/pts/4 l-wx------ 1 hl hauke 64 20. Jun 00:38 1 -> '/crypto/home/hl/tmp/delfile (deleted)' lrwx------ 1 hl hauke 64 20. Jun 00:38 2 -> /dev/pts/4

Then you can copy the content:

cp /proc/27225/fd/1 restored_file
Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.