For those “oops” moments: ext3undel

The rm command can be a powerful tool for deleting data — until you delete the wrong files or directories. Thankfully, the ext3undel utility can recover accidentally removed data on ext3 filesystems. Users can recover a specific file by name, or they can restore all files marked as deleted (though the filenames won’t be recovered, so they will have to look at the contents of the files to identify them).

Files on the ext3 filesystem have two parts. The file’s metadata — that is, the file name, size, and creation and access dates — is stored in a Unix data structure called an inode. The actual file data is stored in blocks on the hard drive. Deleting a file destroys the link between the metadata and the filesystem blocks, eliminating the association between the file’s information and content. Both the inodes and the data blocks are marked as free, and the operating system will use them to write new data when it needs to. But because the inodes and blocks are merely marked free and aren’t overwritten, users can rescue data as long as new data hasn’t been written there. That’s why it is important to recover data to a new partition: any changes to the filesystem risk overwriting data users wish to recover. Until then, an application can “save” deleted data by marking the blocks as in use, and reconnecting the inodes and the blocks symbolically.

System Recovery Week: Rescue Mode and Reinstalling Grub

This article is part of System Recovery Week, examining techniques used to perform maintenance or recovery on a Fedora system in special circumstances.

When a system is too damaged to permit booting from the hard disk drive, it’s necessary to boot from another medium. The Fedora installation discs support a “Rescue mode” in which the system is booted from the CD and the hard disk partitions are optionally mounted for access.

To access this mode, boot from your Fedora install media and select “Rescue installed system” from the boot menu using the arrow keys and Enter or by pressing the R key (if you need to edit the boot options first — to disable ACPI, for example — navigate to the Rescue option with the arrow keys and press Tab).

The kernel will boot from CD and the system will prompt you to select a keyboard style and language from scrollable lists of options. You will then be given the opportunity to enable the network interfaces on the system, either by entering the IP information or by using DHCP.

The system will then present a dialog stating that the rescue environment is about to find and mount the filesystems from your hard disk Fedora installation, and ask if you wish to continue. This is a critical question: if your filesystems are intact and you wish to access the data that is in them, you can select Continue, the default option. If you are concerned about the state of your filesystems and want to ensure that they will not be altered, but still want to access them, select Read-Only. If your filesystems are damaged, you have multiple Fedora installations, or you wish to perform an operation such as reducing the size of the root filesystem, choose Skip. After some additional messages, you will be presented with a root shell prompt.

If you have elected to continue with read/write mounting of your filesystems, all of the files from your Fedora installation should be available under /mnt/sysimage — so the normal /etc/passwd file will be available at /mnt/sysimage/etc/passwd.

Although regular Fedora commands and utilities are available in rescue mode, most of them will not work because of the altered paths. You can work around this issue by temporarily changing the root directory using the chroot command:

chroot /mnt/sysimage

However, you need to be aware that files within the mounted Fedora filesystems will not have been updated during the rescue mode boot process, including /etc/mtab and /var/log/messages. You can compensate for this to some degree by getting the information from other places (such as dmesg for kernel messages and /proc/mounts for mount information).

If you have been forced to use rescue mode because your system’s Grub bootloader code has become damaged or has been overwritten by another bootloader, you can reinstall the Grub bootloader in rescue mode:

  1. Start the Grub shell with the grub command:
    # grub
    Probing devices to guess BIOS drives. This may take a long time.

    GNU GRUB version 0.97 (640K lower / 3072K upper memory)

    [ Minimal BASH-like line editing is supported. For the first word, TAB
    lists possible command completions. Anywhere else TAB lists the possible
    completions of a device/filename.]

  2. Use the find command to locate the partition containing the boot files by searching for /grub/grub.conf (or /boot/grub/grub.conf if that fails). Grub will report the partition using its own syntax:
    grub> find /grub/grub.conf
  3. Use the root command to configure the partition from which the boot files are to be loaded (use the partition ID from step 2):
    grub> root (hd0,0)
    Filesystem type is ext2fs, partition type 0x83
  4. The partition ID from step 2 can be converted to a drive ID by removing the comma and partition number — for example, the partition (hd0,0) is on the drive (hd0). Use the setup command with this drive ID to install the Grub bootloader code:
    grub> setup (hd0)
    Checking if "/boot/grub/stage1" exists... no
    Checking if "/grub/stage1" exists... yes
    Checking if "/grub/stage2" exists... yes
    Checking if "/grub/e2fs_stage1_5" exists... yes
    Running "embed /grub/e2fs_stage1_5 (hd0)"... 16 sectors are embedded.
    Running "install /grub/stage1 (hd0) (hd0)1+16 p (hd0,0)/grub/stage2 /grub/grub.conf"... succeeded
  5. Exit the Grub shell with quit:
    grub> quit
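
The same five steps in non-interactive form, as an added example that is not part of the original article. The function names are hypothetical, and the script assumes the Grub legacy shell's --batch option; it derives the drive ID from the partition ID as step 4 describes and rejects anything that is not in Grub's (hdN,M) syntax.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the Grub legacy (0.97) shell
# and its --batch option for non-interactive use.

# Step 2: pick the first partition ID, e.g. (hd0,0), out of the text that
# "find /grub/grub.conf" printed. Returns 1 if the text contains none.
grub_first_partition() {
    printf '%s\n' "$1" |
        sed -n 's/.*\((hd[0-9][0-9]*,[0-9][0-9]*)\).*/\1/p' | head -n 1 | grep .
}

# Step 4: drop the comma and partition number, (hd0,0) -> (hd0).
grub_drive_of() {
    if ! printf '%s\n' "$1" | grep -Eq '^\(hd[0-9]+,[0-9]+\)$'; then
        echo "not a Grub partition ID: $1" >&2
        return 1
    fi
    printf '%s)\n' "${1%%,*}"
}

# Steps 3-5 as input for the Grub shell.
grub_reinstall_commands() {
    drive=$(grub_drive_of "$1") || return 1
    printf 'root %s\nsetup %s\nquit\n' "$1" "$drive"
}

# Whole procedure; run it from the rescue shell after chroot /mnt/sysimage.
# Nothing is written to disk unless this function is called.
reinstall_grub() {
    found=$(printf 'find /grub/grub.conf\nquit\n' | grub --batch 2>/dev/null)
    part=$(grub_first_partition "$found") ||
        found=$(printf 'find /boot/grub/grub.conf\nquit\n' | grub --batch 2>/dev/null)
    part=$(grub_first_partition "$found") || { echo "grub.conf not found" >&2; return 1; }
    echo "installing Grub for $part" >&2
    grub_reinstall_commands "$part" | grub --batch
}
```

If the disk holds more than one Fedora installation, check the partition that reinstall_grub reports before relying on it, since only the first match is used.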

You can also use rescue mode to set the root password, create alternate superuser accounts, or change or remove a boot password. Whether these are important recovery operations or a type of attack depends only on the context in which they are performed. You can slow down such an attack by configuring the system BIOS to boot only from the hard disk and installing a BIOS password, but that can be reset using a motherboard jumper in most cases. The moral of the story: if you don’t have physical security, you don’t have system security.
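
A check for the three changes named above (a new root password, extra superuser accounts, a changed or removed boot password), as an added example that is not part of the original article. The function names and the sample tree are constructed for illustration; the script assumes the standard passwd and shadow file layouts and the Fedora Grub legacy path /boot/grub/grub.conf.

```shell
#!/bin/sh
# Added example, not from the article. ROOT is / on a running system or
# /mnt/sysimage in rescue mode. Assumes passwd(5)/shadow(5) layouts and the
# Fedora Grub legacy path /boot/grub/grub.conf.

# All UID 0 accounts, comma-separated; any name besides root is an
# alternate superuser account.
uid0_accounts() {
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = "," } END { print "" }' \
        "$1/etc/passwd"
}

# Day (counted from 1970-01-01) of root's last password change:
# third field of root's shadow entry.
root_pw_change_day() {
    awk -F: '$1 == "root" { print $3 }' "$1/etc/shadow"
}

# Global boot password: "md5", "set" (any other form) or "none". Only a
# password line above the first title entry protects the whole menu.
grub_password_state() {
    awk -F'[ \t=]+' '{ sub(/^[ \t]+/, "") }
        $1 == "title" { exit }
        $1 == "password" { state = ($2 == "--md5") ? "md5" : "set" }
        END { print (state ? state : "none") }' "$1/boot/grub/grub.conf"
}

# One line to record while the system is known good and compare later.
rescue_fingerprint() {
    printf 'uid0=%s pwday=%s grubpw=%s\n' "$(uid0_accounts "$1")" \
        "$(root_pw_change_day "$1")" "$(grub_password_state "$1")"
}

# Constructed sample tree (not real data): extra UID 0 account, no boot password.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/boot/grub" || return 1
    printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'root:$1$constructed$hash:14250:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'default=0\ntimeout=5\ntitle Fedora\n\troot (hd0,0)\n' > "$d/boot/grub/grub.conf"
    echo "$d"
}
```

Keep the recorded fingerprint line somewhere other than the machine it describes, since anyone who can boot rescue mode can also edit a copy stored on the same disk.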

When you are finished using rescue mode, type exit or press Ctrl-D twice. The system will then reboot.