
I was just asked in an interview: if someone mistakenly deletes the Apache log file from /var/log/apache/access.log while it's being written, can you recover it?

After my answer, the interviewer said that we can recover the inode details of the Apache process from the /proc file system and then recover those files. I couldn't understand that properly, as it was over the phone.

So can anyone please explain how?

arif
  • 1,459

1 Answer

Unfortunately it is not possible to link a new name to the inode in the filesystem.

But you can copy the content of the file to a new file:

# in shell 1
bash -c 'echo $$; exec cat >delfile'
27225

So you have to determine the PID of the process which keeps the file open. Then you determine the file descriptor of the deleted file:

# in shell 2, same directory
$ rm delfile
$ ll /proc/27225/fd
insgesamt 0
lrwx------ 1 hl hauke 64 20. Jun 00:38 0 -> /dev/pts/4
l-wx------ 1 hl hauke 64 20. Jun 00:38 1 -> '/crypto/home/hl/tmp/delfile (deleted)'
lrwx------ 1 hl hauke 64 20. Jun 00:38 2 -> /dev/pts/4

Then you can copy the content:

cp /proc/27225/fd/1 restored_file

Hauke Laging
  • 90,279
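
The steps from the answer above, wrapped into shell functions that find the deleted file's descriptor under /proc/PID/fd and copy its content out. This is an added example, not part of the original answer; the function names, the `access.log` stand-in and the `sleep` process playing the daemon are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: recover a deleted-but-still-open file through /proc/PID/fd (Linux).

# Print "FD<TAB>original path" for every descriptor of PID whose file was unlinked.
list_deleted_fds() (
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue   # fd may close mid-scan
        case $target in
            *' (deleted)') printf '%s\t%s\n' "${fd##*/}" "${target% (deleted)}" ;;
        esac
    done
)

# Print the fd number under which PID still holds the unlinked file ORIG.
deleted_fd_for() (
    pid=$1 orig=$2
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$orig (deleted)" ]; then echo "${fd##*/}"; exit 0; fi
    done
    exit 1
)

# Copy the content PID still holds for ORIG into DEST; never overwrite DEST.
recover_deleted() (
    pid=$1 orig=$2 dest=$3
    fd=$(deleted_fd_for "$pid" "$orig") ||
        { echo "PID $pid holds no deleted $orig" >&2; exit 1; }
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; exit 1; fi
    cp -- "/proc/$pid/fd/$fd" "$dest"
)

# Constructed demo: a sleep process stands in for the daemon holding its log open.
demo() (
    dir=$(mktemp -d) && dir=$(cd "$dir" && pwd -P) || exit 1
    log=$dir/access.log
    ( exec 3>"$log"; echo 'constructed log line' >&3; exec sleep 30 ) >/dev/null 2>&1 &
    pid=$!
    until [ -s "$log" ]; do sleep 0.1; done      # wait for the first write
    rm "$log"                                     # the accidental deletion
    list_deleted_fds "$pid" >&2                   # report the unlinked descriptor
    rc=0; recover_deleted "$pid" "$log" "$dir/restored.log" || rc=$?
    [ "$rc" -ne 0 ] || cat "$dir/restored.log"   # print what was recovered
    kill "$pid" 2>/dev/null || true; rm -rf "$dir"
    exit "$rc"
)

demo
```

The copy is a snapshot: the process keeps writing to the unlinked inode, so anything logged after the `cp` is missing from the restored file until the process reopens its log.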