Severed toes now in fridge (WAS: Re: [ale] OOOhh! That smarts!)

[John Mills]

ALErs -

Thanks to notes from Dow, Bob, Michael, and others (for which, 'Thanks!'), I have made a step towards recovering from "# rm -rf /var" - here's where it stands:

1) I can boot 'linux single', but other modes draw system whines due to missing directories and files (naturally).

2) I used available space elsewhere on my disk to capture a full snapshot of my 'root' partition ('/'):
 "# dd if=/dev/hd*6 of=/opt/snapshot/root_image"
followed by a longish wait to produce a file of 1.7GBy(+/-). <WHOOOF!>

3) I can mount that file on "/dev/loop*" and look through it as a file system.

Loopback mounting is way-cool and remarkable!

4) I ran "# debugfs -R lsdel /dev/hd*6 > deleted_nodes" and now have a file listing all deleted inodes from that partition, including about the ~160 for which the deletion time exactly matches the fateful moment of my command plus one pair deleted 1 second later. I expect these are my late, lamented "/var/*".

Next steps:
5) I did not try 'debugfs' on the loopback-mounted file, but it sounds like a useful next exercise. ("Read-only" for the moment!!)

6) I have to learn how to use 'debugfs' [or other tool folks might recommend] to relink those inodes into a directory tree. I will probably try working with a diskette first, making, killing, and trying to resurrect files and directories.

If anyone who has been through this can suggest some steps and/or which 'debugfs' commands to try, that would be welcome. Likewise pointers to TFM on structure of the 'ext2fs' would be nice.

As references, I have 'man debugfs', Bob Toxen's _Real_World_Linux_Security_, and W.Richard Stevens' _Advanced_Programming_in_a_Unix_Environment_. Other suggestions welcomed here, too.

Cheers - have a good weekend, and wish me luck.


Regards,
 John Mills
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.