Linux系统中对Ext3文件系统删除后恢复

大家好，昨天有一同事在linux系统中用管理员用户(root)删除了另一用户的根目录(rm-rf/home/tong),所有的文件无法找回了,我找了百度和谷哥终于把这个问题解决了,现在我把处理的过程写出来,希望对大家以后有帮助.1.安装软件(ext3grep依赖于系统的e2fsprogs三个软件包)[root@redhat1home]#mkdir/mnt/cdrom--创建光盘挂载目录[root@redhat1home]#mount/dev/cdrom/mnt/cdrom--挂载光盘mount:blockdevice/dev/sr0iswrite-protected,mountingread-only[root@redhat1home]#vim/etc/yum.repos.d/base.repo--配置系统的本地源[base]name=basebaseurl=file:///mnt/cdromenabled=1gpgcheck=1gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-REDHAT-6[root@redhat1home]#yuminstalle2fs*--安装ext3grep软件的依赖包[root@redhat1home]#rpm-aq|grepe2fs--检查软件包是否安装e2fsprogs-devel-1.41.12-14.el6.i686e2fsprogs-libs-1.41.12-14.el6.i686e2fsprogs-1.41.12-14.el6.i686[root@redhat1home]#wgethttp://code.google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz--下载ext3grep软件包[root@redhat1home]#tarxvfext3grep-0.10.2.tar.gz--解压软件包[root@redhat1home]#cdext3grep-0.10.2--进入软件包[[email protected]]#./configure--prefix=/usr/local/ext3grep&&make&&makeinstall--安装软件[[email protected]]#ll/usr/local/|grepext3--查看软件安装成功drwxr-xr-x.3rootroot4096Dec217:24ext3grep[[email protected]]#2.新建个块设备,用块设备做测试.如果你用/home目录,home目录必须是一个单独的分区,在后面要进行挂载和卸载.[root@redhat1home]#ddif=/dev/zeroof=123bs=1Mcount=100--在home目录下新建一个块设备123100+0recordsin100+0recordsout104857600bytes(105MB)copied,0.634943s,165MB/s[root@redhat1home]#mkfs.ext3123--格式化块设备mke2fs1.41.12(17-May-2010)123isnotablockspecialdevice.Proceedanyway?(y,n)y--输入y确定Filesystemlabel=OStype:LinuxBlocksize=1024(log=0)Fragmentsize=1024(log=0)Stride=0blocks,Stripewidth=0blocks25688inodes,102400blocks5120blocks(5.00%)reservedforthesuperuserFirstdatablock=1Maximumfilesystemblocks=6737100813blockgroups8192blockspergroup,8192fragmentspergroup1976inodespergroupSuperblockbackupsstoredonblocks:8193,24577,40961,57345,73729Writinginodetables:doneCreatingjournal(4096blocks):doneWritingsuperblocksandfilesystemaccountinginformation:doneThisfilesystemwillbeautomaticallycheckedevery27mountsor180days,whichevercomesfirst.Usetune2fs-cor-itooverride.[root@redhat1home]#mkdir/mnt/123--新建块设备挂载的目录[root@redhat1home]#mount123/mnt/123-oloop--将块设备123挂载到/mnt/123中[root@redhat1home]#df-TH--查看目录是否挂载FilesystemTypeSizeUsedAvailUse%Mountedon/dev/mapper/VolGroup-lv_rootext420G3.8G16G20%/tmpfstmpfs262M0262M0%/dev/shm/dev/sda1ext4508M32M451M7%/bootdf:`/mnt/cdrom':Nosuchfileordirectory/dev/sr0iso96603.2G3.2G0100%/mnt/home/123ext3102M5.8M91M7%/mnt/123--设备已挂载3.拷贝文件,删除文件.[root@redhat1home]#cp-a/etc/passwd/etc/shadow/etc/group/mnt/123/--将文件移动到设备中[root@redhat1home]#ll/mnt/123/--查看是否有文件total19-rw-r--r--.1rootroot712Dec214:39groupdrwx------.2rootroot12288Dec411:14lost+found-rw-r--r--.1rootroot1509Dec214:39passwd----------.1rootroot976Dec214:39shadow[root@redhat1home]#sync--文件同步一下[root@redhat1home]#rm-rf/mnt/123/passwd/mnt/123/shadow--删除文件[root@redhat1home]#sync--文件同步一下[root@redhat1home]#umount/mnt/123--卸载设备4.恢复文件[root@redhat1home]#cd/usr/local/ext3grep/bin/--进入ext3grep软件的目录[root@redhat1bin]#./ext3grep--ls--inode2/home/123Runningext3grepversion0.10.2WARNING:Idon'tknowwhatEXT3_FEATURE_COMPAT_EXT_ATTRis.Numberofgroups:13Loadinggroupmetadata...doneMinimum/maximumjournalblock:49402/53515Loadingjournaldescriptors...sorting...doneTheoldestinodeblockthatisstillinthejournal,appearstobefrom1386127317=WedDec411:21:572013Numberofdescriptorsinjournal:22;min/maxsequencenumbers:2/5InodeisAllocatedFindingallblocksthatmightbedirectories.D:blockcontainingdirectorystart,d:blockcontainingmoredirectoryentries.Eachplusrepresentsadirectorystartthatreferencesthesameinodeasadirectorystartthatwefoundpreviously.Searchinggroup0:DDSearchinggroup1:Searchinggroup2:Searchinggroup3:Searchinggroup4:Searchinggroup5:Searchinggroup6:++Searchinggroup7:Searchinggroup8:Searchinggroup9:Searchinggroup10:Searchinggroup11:Searchinggroup12:Writinganalysissofarto'123.ext3grep.stage1'.Deletethatfileifyouwanttodothisstageagain.Resultofstageone:2inodesarereferencedbyoneormoredirectoryblocks,2ofthoseinodesarestillallocated.1inodesarereferencedbymorethanonedirectoryblock,1ofthoseinodesisstillallocated.0blockscontainanextendeddirectory.Resultofstagetwo:2ofthoseinodescouldberesolvedbecausetheyarestillallocated.Alldirectoryinodesareaccountedfor!Writinganalysissofarto'123.ext3grep.stage2'.Deletethatfileifyouwanttodothisstageagain.Thefirstblockofthedirectoryis508.Inode2isdirectory"".Directoryblock508:.--Filetypeindir_entry(r=regularfile,d=directory,l=symlink)|.--D:Deleted;R:ReallocatedIndxNext|Inode|DeletiontimeModeFilename==========+==========+----------------data-from-inode------+-----------+=========01d2drwxr-xr-x.12d2drwxr-xr-x..25d11drwx------lost+found34r12D1386127493WedDec411:24:532013rrw-r--r--passwd--D表示是删除的文件45r13D1386127493WedDec411:24:532013r---------shadow5endr14rrw-r--r--group[root@redhat1bin]#./ext3grep--restore-filepasswd/home/123--restore-file用文件名来恢复文件Runningext3grepversion0.10.2WARNING:Idon'tknowwhatEXT3_FEATURE_COMPAT_EXT_ATTRis.Numberofgroups:13Minimum/maximumjournalblock:49402/53515Loadingjournaldescriptors...sorting...doneTheoldestinodeblockthatisstillinthejournal,appearstobefrom1386127317=WedDec411:21:572013Numberofdescriptorsinjournal:22;min/maxsequencenumbers:2/5WritingoutputtodirectoryRESTORED_FILES/Loading123.ext3grep.stage2...doneRestoringpasswd--恢复passwd文件成功[root@redhat1bin]#./ext3grep--restore-inode13/home/123--用节点号(--restore-inode)来恢复文件Runningext3grepversion0.10.2WARNING:Idon'tknowwhatEXT3_FEATURE_COMPAT_EXT_ATTRis.Numberofgroups:13Minimum/maximumjournalblock:49402/53515Loadingjournaldescriptors...sorting...doneTheoldestinodeblockthatisstillinthejournal,appearstobefrom1386127317=WedDec411:21:572013Numberofdescriptorsinjournal:22;min/maxsequencenumbers:2/5Restoringinode.13--恢复成功[root@redhat1bin]#llRESTORED_FILES/--在自己当前目录下有个RESTORED_FILES目录存放恢复文件total8----------.1rootroot976Dec214:39inode.13-rw-r--r--.1rootroot1509Dec214:39passwd[root@redhat1bin]#注：Linux系统中对Ext4文件系统删除后恢复:http:///os/html/201312/6837.html重点:1.ext3grep命令参考:ext3grep/home/123--dump-names--查看存在的和删除的文件ext3grep/home/123--ls--inode2--详细查看存在的删除的文件(d删除r存在)ext3grep/home/123--restore-file文件名--恢复文件ext3grep/home/123--restore-all--恢复所有文件ext3grep/home/123--restore-inode节点号--恢复指定节点号的文件ext3grep/home/123--ls--inode15809--可以进入节点为15809的文件夹中,看是否有还有的是的文件ext3grep/home/1234--restore-file目录/文件--还原目录下面的文件(进入目录ext3grep/home/1234--ls--inode目录节点)2.错误处理:1)如果执行命令报错[root@redhat1bin]#./ext3grep--ls--inode2/home/123

(以上内容不代表本站观点。)
---------------------------------