Linux lsof command details (and a method for restoring deleted files)

Source: Internet
Author: User

lsof (list open files) is a tool that lists the files currently open on the system. In Linux, everything is presented as a file, so through files you can access not only ordinary data but also network connections and hardware devices.

Type lsof in a terminal to display the files the system has open. Because lsof needs to read kernel memory and a large number of files, it must be run as root to make full use of its functions.

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 3,3 1024 2 /
init 1 root rtd DIR 3,3 1024 2 /
init 1 root txt REG 38432 1763452 /sbin/init
init 1 root mem REG 106114 1091620 /lib/libdl-2.6.so
init 1 root mem REG 7560696 1091614 /lib/libc-2.6.so
init 1 root mem REG 79460 1091669 /lib/libselinux.so.1
init 1 root mem REG 223280 1091668 /lib/libsepol.so.1
init 1 root mem REG 564136 1091607 /lib/ld-2.6.so
init 1 root 10u FIFO 1309 /dev/initctl

Each line describes one open file. If no conditions are specified, all files opened by all processes are listed by default. The meaning of each column in the lsof output is as follows:

COMMAND: process name
PID: process identifier
USER: process owner
FD: file descriptor. The application refers to the file through its file descriptor; special values such as cwd and txt also appear here
TYPE: file type, such as DIR and REG
DEVICE: the device (disk) the file lives on
SIZE: file size
NODE: inode number (the identifier of the file on the disk)
NAME: the exact name of the opened file

The FD value cwd indicates the current working directory of the application, which is the directory the application was started in unless it has since changed directory. txt entries are program code, such as the application binary itself or shared libraries. A numeric value is one of the application's file descriptors, the integer returned when the file was opened. In the last line above, /dev/initctl is open on file descriptor 10. The u means the file is open in read/write mode, rather than read-only (r) or write-only (w). An uppercase W additionally indicates that the application holds a write lock on the entire file; such a lock is typically used to ensure that only one instance of an application runs at a time. Every application starts out with three file descriptors, 0 to 2, which are standard input, standard output and standard error respectively; therefore the FDs of files opened by most applications start at 3. The TYPE column is more intuitive than the FD column: regular files and directories appear as REG and DIR; CHR and BLK denote character and block devices; and unix, FIFO and IPv4 denote Unix domain sockets, first-in-first-out (FIFO) pipes and Internet Protocol (IP) sockets.

lsof is commonly used to find out the names and number of files an application has open. It can be used to discover where a specific application writes its log data, or to track down a problem. For example, Linux limits the number of files a process may open. This value is usually large enough that no problem arises, and when necessary an application can request a larger value (up to a certain upper limit). If you suspect that an application has exhausted its file descriptors, you can use lsof to count its open files and verify this. The syntax of lsof is:

lsof [options] filename

Common parameters:

lsof filename: displays all processes that have the specified file open
lsof -a: ANDs the selection conditions, so a result is shown only when all given parameters match
lsof -c string: displays all open files of processes whose COMMAND column matches the specified string
lsof -u username: displays the files opened by the user's processes
lsof -g gid: displays the files opened by processes belonging to the GID
lsof +d /DIR/: displays files opened under the directory
lsof +D /DIR/: same as above, but descends into all subdirectories, which takes considerably longer
lsof -d fd: displays processes that have the specified file descriptor open
lsof -n: does not convert IP addresses to host names; -n is not on by default
lsof -i: displays processes matching the given network condition
lsof -i [46][protocol][@hostname|hostaddr][:service|port]
46 --> IPv4 or IPv6
protocol --> TCP or UDP
hostname --> Internet host name
hostaddr --> IPv4 address
service --> service name from /etc/services (more than one may be given)
port --> port number (more than one may be given)

For example, to check what is currently using port 22:

# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1409 root 3u IPv6 5678 TCP *:ssh (LISTEN)

To view the txt files (program binaries) opened by root's processes:

# lsof -a -u root -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root txt REG 38432 1763452 /sbin/init
mingetty 1632 root txt REG 14366 1763337 /sbin/mingetty
mingetty 1633 root txt REG 14366 1763337 /sbin/mingetty
mingetty 1634 root txt REG 14366 1763337 /sbin/mingetty
mingetty 1635 root txt REG 14366 1763337 /sbin/mingetty
mingetty 1636 root txt REG 14366 1763337 /sbin/mingetty
mingetty 1637 root txt REG 14366 1763337 /sbin/mingetty
kdm 1638 root txt REG 132548 1428194 /usr/bin/kdm
X 1670 root txt REG 1716396 1428336 /usr/bin/Xorg
kdm 1671 root txt REG 132548 1428194 /usr/bin/kdm
startkde 2427 root txt REG 645408 1544195 /bin/bash
......
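The article suggests counting an application's open files when descriptor exhaustion is suspected, and shows -i and -d listings that are easier to act on once post-processed. The shell functions below are an added example, not code from the original article: they run over a constructed sample of lsof -n output embedded in the script (PIDs, paths and device numbers are made up to resemble the listings above), and the same functions accept real output piped in (lsof -n | fd_count_per_process).

```shell
#!/bin/sh
# Added example, not part of the original article. Post-processes lsof output
# with awk. SAMPLE_LSOF is a constructed `lsof -n` listing; nothing in it was
# captured from a real host.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 3,3 1024 2 /
init 1 root txt REG 3,3 38432 1763452 /sbin/init
init 1 root 10u FIFO 3,3 0 1309 /dev/initctl
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
sshd 1409 root 3u IPv6 5678 0t0 TCP *:ssh (LISTEN)
httpd 2201 www 4u REG 3,3 120 99 /var/www/a.html
httpd 2201 www 5u REG 3,3 120 100 /var/www/b.html
httpd 2201 www 6u REG 3,3 120 101 /var/www/c.html'

# Number of real descriptors per process, highest first. Only numeric FD
# values count; cwd, rtd, txt and mem are not descriptors and do not count
# against the per-process limit (ulimit -n). The FD column is the number
# followed by an optional mode letter (r/w/u) and an optional lock letter.
# Output: "<count> <pid> <command>".
fd_count_per_process() {
    awk 'NR > 1 && $4 ~ /^[0-9]+[-rwu]?[NRWUrwuxX]?$/ { n[$2 " " $1]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Open files whose directory entry is gone: the "(deleted)" marker the
# article relies on for recovery. Output: "<pid> <command> <fd> <name>".
deleted_but_open() {
    awk 'NR > 1 && $NF == "(deleted)" { print $2, $1, $4, $9 }'
}

# Listening sockets from `lsof -i` style lines.
# Output: "<command> <pid> <address>".
listening_sockets() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2, $(NF-1) }'
}

# Processes in the sample holding more than $1 descriptors: the check the
# article suggests when an application appears to have run out of descriptors.
over_threshold() {
    printf '%s\n' "$SAMPLE_LSOF" | fd_count_per_process | awk -v t="$1" '$1 > t'
}

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LSOF" | fd_count_per_process
printf '%s\n' "$SAMPLE_LSOF" | deleted_but_open
printf '%s\n' "$SAMPLE_LSOF" | listening_sockets
# On a live system: lsof -n | fd_count_per_process | head
```

On a real host, lsof +L1 lists only files whose link count is below one (the deleted-but-open case) and lsof -p PID restricts the listing to one process, so the per-process count can also be obtained with lsof -p PID | wc -l; the awk filters above are useful when you have a saved listing rather than live access.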

lsof examples

1. Find out who is using a file system

When unmounting a file system, the operation usually fails if the file system contains any open files. You can then use lsof to find out which processes are currently using the file system you want to unmount, as shown below:

# lsof /gtes11/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4208 root cwd DIR 3,1 4096 2 /gtes11/
vim 4230 root cwd DIR 3,1 4096 2 /gtes11/

In this example, the user root is working in the /gtes11 directory: a bash instance is running with /gtes11 as its current directory, and vim is editing a file under /gtes11. To unmount /gtes11 successfully, you should stop these processes after notifying the user so that nothing is lost. The example shows that an application's current working directory matters: it holds a file-system resource and can prevent the file system from being unmounted. This is why most daemons (background processes) change their directory to the root directory or to a service-specific directory (such as /var/spool/mqueue in the case of sendmail), so that the daemon does not block the unmounting of unrelated file systems.

2. Restore deleted files

When a Linux machine is compromised, attackers commonly delete log files to cover their tracks. Administrative mistakes can also remove important files, for example deleting a database's active transaction log while clearing out old logs. In some cases lsof can be used to recover such files.

When a process opens a file, the file continues to exist on disk for as long as the process keeps it open, even after it has been deleted. The process does not know that the file has been deleted and can still read and write through the file descriptor it received when it opened the file. To everything other than that process the file is invisible, because its directory entry has been removed.

The /proc directory contains files that reflect the kernel and the process tree. /proc is mounted on a memory-mapped region, so these files and directories are not stored on disk; reading or writing them actually reads the relevant information from memory. Most of the information lsof uses lives in directories named after process PIDs: /proc/1234 holds the information about the process with PID 1234. Each process directory contains files that let applications easily inspect the process's memory space, its list of file descriptors, symbolic links to files on disk, and other system information. lsof uses this information, together with other details about the kernel's internal state, to produce its output; this is how lsof displays each process's file descriptors and the associated file names. In other words, we can find information about a file by accessing the file descriptor of the process that holds it open.

When a file is accidentally deleted, as long as some other process in the system still has it open, we can use lsof and the /proc directory to recover its contents. If /var/log/messages has been deleted by mistake, the recovery procedure is as follows.

First, use lsof to check whether any process has /var/log/messages open:

# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 5381017 1773647 /var/log/messages (deleted)

From this output we can see that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is marked as deleted. We can therefore read the data through /proc/1283/fd/2 (each numerically named entry under fd corresponds to one of the process's file descriptors):

# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)

The output shows that the data to be recovered can be read from /proc/1283/fd/2. Once you can read the contents through the file descriptor, use I/O redirection to copy them back into a file:

# cat /proc/1283/fd/2 > /var/log/messages

For many applications, log files and databases in particular, this method of recovering deleted files is very useful.
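The recovery procedure above depends on the deleted file still being held open by a process. The script below is an added example, not from the original article: it reproduces the situation end to end by holding a constructed log open on a descriptor (playing the role of syslogd), deleting it, confirming the "(deleted)" marker through /proc, and copying the contents back the way the article's cat /proc/1283/fd/2 step does. It assumes Linux with /proc mounted; the log contents and the /proc/self path are part of the construction.

```shell
#!/bin/sh
# Added example, not part of the original article. Recreates the
# "open but deleted" case and recovers the data through /proc.
# Assumes Linux with /proc mounted. The log lines are constructed.

# Create a small log, hold it open on descriptor 3, delete it, recover it.
# Prints the path of the recovered copy; returns 1 if recovery is impossible.
recover_deleted_log() {
    work=$(mktemp -d) || return 1
    log="$work/messages"
    printf 'Aug  4 13:50:15 demo syslogd 1.4.1: restart.\nAug  4 13:50:15 demo kernel: BIOS-provided physical RAM map:\n' > "$log"

    exec 3< "$log"    # the open descriptor keeps the inode alive
    rm -f "$log"      # the directory entry is gone; the data is not

    # Child processes inherit descriptor 3, so /proc/self/fd/3 inside
    # readlink and cat refers to the same open file as our descriptor 3.
    # For a daemon you would use /proc/<pid>/fd/<n> from the lsof output.
    # The link target ends in "(deleted)", the marker lsof shows in NAME.
    readlink /proc/self/fd/3 | grep -q '(deleted)$' || { exec 3<&-; return 1; }

    # Copy the still-reachable contents to a new file (the article's
    # `cat /proc/PID/fd/N > file` step). Opening the /proc link starts a
    # fresh read at offset 0 regardless of where the writer's offset is.
    cat /proc/self/fd/3 > "$work/messages.recovered"
    exec 3<&-         # closing the last descriptor releases the inode

    printf '%s\n' "$work/messages.recovered"
}

# Line count of the recovered copy; 2 means nothing was lost.
recovered_line_count() {
    f=$(recover_deleted_log) || return 1
    wc -l < "$f" | tr -d ' '
}

# Stand-alone demonstration:
echo "recovered $(recovered_line_count) line(s)"
```

Two points a practitioner should keep in mind: the copy is only complete up to the moment it is taken, and it is lost for good once the last process holding the descriptor closes it (a log rotation or daemon restart before you copy will discard the data). Also, writing the copy to /var/log/messages creates a new inode; syslogd keeps appending to the old, deleted one until it is restarted or told to reopen its log, so send it a HUP or restart it after the copy, or recover to a separate file first.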
