Re: Solaris rm -rf on /var

From: Bob Hoekstra (Bob.Hoekstra_at_HoekstraSystems.ltd.uk)
Date: 10/29/03


Date: Wed, 29 Oct 2003 01:59:46 +0000
To: Kralizec Craig <cd@lios.apana.org.au>

Kralizec Craig wrote:
> "Stephen Gray" <stephen@k-par.com> writes:
>>
>>I know the long answer to the following but just in case there is a real
>>quick fix :-
>>
>>I just did an rm -rf on /var with Solaris 9. I managed to stop it but of
>>course lots now missing so if anyone knows of a real quick way to fix this.
>
> You can't unless you restore from backups or completely re-install Solaris
> on the machine. 8-) There is no way to undo a file delete operation (at
> least none that I'm aware of) since there is no guarantee that once the
> inodes are released, the blocks associated with the inodes have not been
> re-allocated to other files.
>
> Craig.

Craig is not quite correct, though he may as well be. In fact, in TCT (The
Coroner's Toolkit) Wietse Venema and Dan Farmer have provided an 'unrm'
type tool (see http://www.porcupine.org/forensics/tct.html,
http://www.fish.com/tct/help-recovering-file). But it is difficult to use,
and there is no guarantee. In fact, especially in /var, if you have been
running the box there is less chance of success. Practically, recover from
backup or reinstall.

Bob

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GO/! d- s++:+ a+ C++(++++) US++++$ UB++ U*++ P+++ L+++ E--- W+++ N++ w--- O-
M+ V- PS+ PE+ Y+ PGP t+ 5++ X R* tv+ b+ DI++ D G e(*) h++/-- r+++ y?
------END GEEK CODE BLOCK------
-----------------------------------------------------
Bob Hoekstra: APL & Unix Consultant
Telephone:    +44 1483 771028
Mobile:       +44 7710 562345
Email:        Bob.Hoekstra@HoekstraSystems.ltd.uk
-----------------------------------------------------