Linux lsof commands and recovering deleted files

Source: Internet
Author: User

1. Introduction

lsof (list open files) is a tool that lists the files currently open on the system. In a Linux environment everything is a file: files give access not only to regular data but also to network connections and hardware. So for things such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns the application a file descriptor in the background regardless of the nature of the file, and that file descriptor provides a common interface between the application and the underlying operating system. Because the list of descriptors an application has opened says a lot about the application itself, viewing that list with lsof is helpful for system monitoring and troubleshooting.

2. Output message meaning

Entering lsof in a terminal displays the files opened by the system. Because lsof needs to access kernel memory and various files, it must be run as the root user before it can perform its function fully.

Part of the output of running lsof with no arguments is:

[Screenshot: partial output of lsof]

Each row displays an open file, and all files opened by all processes are displayed by default if you do not specify a condition.

The meaning of the lsof output columns is as follows:

·  COMMAND: name of the process

·  PID: process identifier

·  USER: process owner

·  FD: file descriptor; the application identifies the file through a file descriptor, such as cwd, txt, etc.

·  TYPE: file type, such as DIR, REG, etc.

·  DEVICE: the disk (device) the file is on

·  SIZE: size of the file

·  NODE: index node (the inode that identifies the file on disk)

·  NAME: the exact name of the open file

In the FD column, the value cwd represents the current working directory of the application, which is the directory the application was launched from unless it has changed directory itself. The txt type is program code, such as the application binary itself or a shared library, as with the /sbin/init program in the list above. A numeric value is an application file descriptor, the integer returned when the file was opened. On the last line, the file /dev/initctl has file descriptor 10. The u indicates that the file is open in read/write mode rather than read-only or write-only (w) mode; a capital W indicates that the application holds a write lock on the entire file. Such a descriptor is used to ensure that only one instance of the application can run at a time. Every application initially has three file descriptors, 0 to 2, representing the standard input, output, and error streams, so the FDs of the files most applications open start at 3.

The TYPE column is more intuitive: regular files and directories are shown as REG and DIR, CHR and BLK represent character and block devices, and unix, FIFO and IPv4 represent UNIX domain sockets, first-in first-out (FIFO) queues and Internet Protocol (IP) sockets respectively.

3. Common Parameters

The lsof syntax is:

lsof [options] filename

[Screenshot: table of common lsof options]

4. lsof usage examples

4.1 Finding who is using a file system

When unmounting a file system, the operation typically fails if any files on that file system are open. With lsof you can find out which processes are using the file system being unmounted, as follows:

[Screenshot: lsof output for the /GTES11 file system]

In this example the user root is performing some operations in its /GTES11 directory. One bash instance is running with /GTES11 as its current directory, and the other line shows vim editing a file under /GTES11. To unmount /GTES11 successfully, these processes should be terminated after notifying the user, to make sure the situation is as expected. This example illustrates the importance of an application's current working directory: it holds a reference to the file system and prevents it from being unmounted. This is why most daemons (background processes) change their directory to the root directory or to a service-specific directory (such as /var/spool/mqueue for sendmail in the example), so that the daemon does not block the unmounting of unrelated file systems.
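Reading the FD column to work out what pins a mount point, as an added shell example that is not from the original post: the lsof lines below are constructed to mirror the /GTES11 scenario and the column meanings from section 2, and the function names are hypothetical. The same parsing also picks out the entries lsof marks (deleted), which section 4.2 recovers.

```shell
# Constructed lsof output modelled on the text (what `lsof` might print).
sample_lsof() {
    cat <<'EOF'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
init         1 root  txt    REG  253,0    38620 1234 /sbin/init
sendmail   987 root  cwd    DIR  253,0     4096   12 /var/spool/mqueue
bash      2456 root  cwd    DIR  253,0     4096    2 /GTES11
vim       2501 root  cwd    DIR  253,0     4096    2 /GTES11
vim       2501 root    4u   REG  253,0    12288   17 /GTES11/.test.txt.swp
syslogd   1283 root    2w   REG  253,0    54321   99 /var/log/messages (deleted)
EOF
}

# holders_of_mount MOUNTPOINT < lsof-output
# Prints "PID COMMAND FD" for every line whose NAME is the mount point itself
# or lies beneath it. FD says why the mount is busy: "cwd" means the process
# merely sits in the directory, a number means it holds a file open there.
# Assumes NAME has no spaces (the 9th column); lsof -F gives a safer format.
holders_of_mount() {
    awk -v mnt="$1" '
        NR == 1 { next }                        # skip the header line
        {
            name = $9
            if (name == mnt || index(name, mnt "/") == 1)
                print $2, $1, $4
        }' | sort -u
}

# deleted_open_files < lsof-output
# Lists "PID FD NAME" for files lsof marks "(deleted)", stripping the r/w/u
# mode letter so FD is the number to look up under /proc/PID/fd/.
deleted_open_files() {
    awk '/\(deleted\)$/ && $4 ~ /^[0-9]+[rwu]?$/ {
        fd = $4; sub(/[rwu]$/, "", fd)
        print $2, fd, $9
    }'
}

sample_lsof | holders_of_mount /GTES11
sample_lsof | deleted_open_files
```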

4.2 Recovering deleted files

When a Linux machine is compromised, the log files are commonly deleted to hide the attacker's traces. Administrative mistakes can also delete important files, for example a database's active transaction log removed while cleaning up old logs. Such files can sometimes be recovered with lsof.

When a process opens a file, the file remains on disk as long as the process keeps it open, even if it is deleted. The process does not know that the file has been deleted and can still read and write through the file descriptor it was given when it opened the file. To everything other than this process the file is invisible, because its directory entry (the name pointing to the inode) has been removed.

The /proc directory contains various files that reflect the kernel and the process tree. /proc is mounted in an area mapped in memory, so these files and directories do not exist on disk; when we read and write them we are actually getting the relevant information from memory. Most of the information relevant to lsof is stored in directories named after process PIDs, i.e. /proc/1234 contains information about the process with PID 1234. Each process directory contains various files that let an application easily learn about the process's memory space, its list of file descriptors, symbolic links to files on disk, and other system information. lsof uses this information, together with other information about the kernel's internal state, to produce its output. So lsof can display the process's file descriptors together with the associated file names; in other words, we can find the file by going through the process's file descriptor.

When a file is accidentally deleted, as long as some process on the system still has the file open, we can recover its contents from the /proc directory with the help of lsof. If the /var/log/messages file was deleted by mistake, the way to restore /var/log/messages is as follows:

First, use lsof to see whether any process currently has /var/log/messages open, as follows:

[Screenshot: lsof output showing /var/log/messages marked (deleted)]

From the above information you can see that PID 1283 (syslogd) has the file open with file descriptor 2. You can also see that /var/log/messages is marked as deleted. So we can view the corresponding data in /proc/1283/fd/2 (each file descriptor of the process corresponds to a numerically named file under fd), as follows:

[Screenshot: contents of the deleted log read through /proc/PID/fd]

As the information above shows, the data you want to recover can be obtained by reading /proc/8663/fd/15. If the data can be viewed through a file descriptor, you can use I/O redirection to copy it into a file, for example:

cat /proc/1283/fd/2 > /var/log/messages
This method of recovering deleted files is useful for many applications, especially log files and databases.
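The mechanism described above, as an added shell demo that is not from the original post: it walks /proc/PID/fd directly (no lsof needed), so it also works on hosts where lsof was removed. It assumes Linux with /proc; the function names are hypothetical, and the "log" file and its single line are constructed for the demo.

```shell
# Print "<fd> <link target>" for every descriptor of PID $1 whose target
# readlink reports as deleted, the same "(deleted)" tag lsof shows.
deleted_fds() {
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *' (deleted)') printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Copy the still-open data behind /proc/<pid>/fd/<fd> to a new path.
recover_fd() {
    cat /proc/"$1"/fd/"$2" > "$3"
}

# Demo: a background process holds a file open while it is unlinked; the data
# stays reachable through its descriptor. Prints "ok" when recovery matches.
demo_recover() {
    dir=$(mktemp -d)
    expected='Aug 11 10:00:01 host syslogd: constructed log line'
    printf '%s\n' "$expected" > "$dir/messages"
    exec 3< "$dir/messages"          # open fd 3 before forking so the child inherits it
    sleep 60 >/dev/null 2>&1 &       # stand-in for syslogd keeping the log open
    holder=$!
    exec 3<&-                        # parent drops its copy; the child still holds fd 3
    rm -f "$dir/messages"            # unlinked: no directory entry, inode still alive
    fd=$(deleted_fds "$holder" | awk '{print $1}' | head -n 1)
    recover_fd "$holder" "$fd" "$dir/messages.recovered"
    got=$(cat "$dir/messages.recovered")
    kill "$holder" 2>/dev/null || true   # once the holder exits, the data is gone for good
    rm -rf "$dir"
    [ "$got" = "$expected" ] && echo ok || echo fail
}

demo_recover
```

Recovery must happen before the holding process exits or is restarted, since closing the last descriptor frees the inode.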

4.3 Utility commands

[Screenshot: table of useful lsof commands]

This article is from the "Beloved Linux" blog, so be sure to keep this source http://mpflinux.blog.51cto.com/12173924/1955615
