Regardless of which method you choose, the first step is to unmount the file system containing the deleted files. I strongly discourage any urges you may have to mess around on a mounted file system. This step should be performed as soon as possible after you realise that the files have been deleted; the sooner you can unmount, the smaller the chance that your data will be overwritten.
The simplest method is as follows: assuming the deleted files were in the /usr
file system, say:
# umount /usr
You may, however, want to keep some things in /usr
available. So remount it read-only:
# mount -o ro,remount /usr
If the deleted files were on the root partition, you'll need to add a -n
option to prevent mount from trying to write to /etc/mtab
:
# mount -n -o ro,remount /
Regardless of all this, it is possible that there will be another process using that file system (which will cause the unmount to fail with an error such as `Resource busy'). There is a program which will send a signal to any process using a given file or mount point: fuser
. Try this for the /usr
partition:
# fuser -v -m /usr
This lists the processes involved. Assuming none of them are vital, you can say
# fuser -k -v -m /usr
to send each process a SIGKILL
(which is guaranteed to kill it), or for example,
# fuser -k -TERM -v -m /usr
to give each one a SIGTERM
(which will normally make the process exit cleanly).