Operations 36 min read

Can You Recover Files Deleted with rm ‑rf? What Works, What Fails, and How to Respond

The article explains that occasional recovery of rm ‑rf deletions is possible, but no single command guarantees full restoration; it outlines the Linux kernel behavior, immediate containment steps, how to examine backups, snapshots, open file descriptors, block‑level imaging, filesystem‑specific tools, verification, and post‑recovery best practices for production environments.

Golang Shines
Golang Shines
Golang Shines
Can You Recover Files Deleted with rm ‑rf? What Works, What Fails, and How to Respond

Conclusion: occasional recovery is possible, but no command can guarantee complete restoration of data removed by rm -rf. Recovery depends on whether the file is still open by a process, existence of backups or snapshots, filesystem type, amount of writes after deletion, TRIM status, and whether the data resides on container writable layers, network storage, or object storage.

1. What rm -rf Actually Does

When deleting a regular file, the kernel calls unlink or unlinkat; for directories it calls rmdir. The directory entry is removed and the inode link count is decreased. When the link count reaches zero and no process holds the file open, the inode and data blocks become reclaimable. rm does not shred data; space is merely marked reusable.

If the file is still open, the kernel keeps the file until the last descriptor is closed.

Each subsequent write may reuse the freed blocks, reducing recovery probability over time.

The -r flag makes the operation recursive, and -f suppresses errors and prompts. Neither option provides a recycle bin or undo log.

2. First Five Minutes After Accidental Deletion

2.1 Stop All New Writes

Immediately notify relevant teams to stop deployments, sync jobs, log archiving, and batch processing. If the deleted directory still receives live writes, isolate the instance or switch the write target before shutting down the service.

Do NOT install recovery tools (e.g., testdisk, extundelete) on the affected filesystem.

Do NOT create placeholder files or redeploy the application in the same path.

Do NOT write recovered data back to the original filesystem.

Do NOT run fsck or xfs_repair as generic undelete tools.

Do NOT execute fstrim because it may release blocks to zero.

Do NOT reboot the server; a reboot closes open file descriptors and may corrupt the filesystem.

Do NOT continue writing just because there is free space; the allocator may reuse the freed blocks.

2.2 Record Time, Command, and Operator

Capture the current time and context:

date -Is
id
pwd
findmnt -T /path/to/deleted

Replace /path/to/deleted with the actual path. Even if the directory no longer exists, findmnt -T can often locate the underlying filesystem.

Also record recent shell history (e.g., history | tail -n 30) and, if available, audit logs from auditd, bastion hosts, or centralized logging.

2.3 Identify Filesystem and Underlying Storage

Run discovery commands to understand the environment:

findmnt -T /path/to/deleted -o TARGET,SOURCE,FSTYPE,OPTIONS
lsblk -o NAME,TYPE,FSTYPE,SIZE,MOUNTPOINTS
df -hT /path/to/deleted

Key questions:

Is the filesystem ext4, XFS, Btrfs, ZFS, or a network/distributed FS?

Is the storage HDD, SSD, NVMe, cloud‑disk, hardware RAID, software RAID, or LVM?

Are mount options like discard or periodic fstrim enabled?

Are there pre‑deletion snapshots (LVM, cloud‑disk, storage‑array)?

Is the directory provided by a container volume, bind‑mount, or PersistentVolume?

Is data encrypted and are the keys still available?

3. Highest‑Probability Recovery Paths

Application‑level backups, artifact repositories, and object‑storage versions.

Pre‑deletion filesystem, LVM, cloud‑disk, or storage‑array snapshots.

Files still open by a process (see Section 4).

Copies on other nodes, replicas, caches, container images, or release artifacts.

Block‑level imaging followed by filesystem‑level or signature‑level recovery.

3.1 Verify Backups Are Usable

Ensure the backup timestamp precedes the deletion, covers the target path, and the retention policy has not pruned it. For database directories, use the database’s physical or logical backup procedures rather than copying raw files.

Restore to an isolated directory first: mkdir -p /recovery/restore-test Never restore directly onto the production filesystem.

3.2 Snapshots Must Pre‑date Deletion

Post‑deletion snapshots only capture the “already deleted” state and cannot magically bring back data. If a pre‑deletion snapshot exists, clone it to a new volume and mount read‑only for extraction. Never roll back a production volume directly; instead, clone, mount, and export the needed files.

4. Open‑File Recovery via /proc

4.1 Find Deleted but Still Open Files

lsof +L1

Typical output shows a line with (deleted) in the NAME column and NLINK = 0, indicating the directory entry is gone but the process still holds the file descriptor.

Limit the search to a specific directory or PID:

lsof +L1 /data
lsof -p 18472 +L1

Do NOT restart or terminate the process before copying; the file may disappear.

4.2 Copy the Open File to Another Filesystem

Identify the descriptor:

readlink /proc/18472/fd/5
stat /proc/18472/fd/5

Copy it to an isolated mount point:

install -d -m 700 /recovery/open-files
cp --sparse=always /proc/18472/fd/5 /recovery/open-files/access.log.recovered
sync /recovery/open-files/access.log.recovered

Replace 18472 and 5 with the actual PID and FD, and ensure /recovery resides on a separate disk with enough space.

Limitations:

If the process continues writing, the copy may not be a consistent snapshot.

If the file was truncated, the descriptor reflects only the truncated view.

Special files, anonymous temp files, memory‑mapped files, or database files often cannot be recovered with a simple cp.

Metadata (owner, permissions, ACLs, SELinux context) is not restored automatically.

The process may close the descriptor at any time; copy the most critical files first.

After copying, verify integrity:

sha256sum /recovery/open-files/access.log.recovered
stat /recovery/open-files/access.log.recovered

5. Block‑Level Imaging Before Filesystem Recovery

5.1 Decision‑Making for High‑Risk Operations

Unmounting the filesystem stops all processes but may cause inconsistency. Before proceeding, list mount points, affected services, containers, databases, and users; confirm traffic has been drained; ensure sufficient target capacity; and perform a dry‑run using fuser or lsof for read‑only checks.

5.2 Create an Image with ddrescue

ddrescue -f -n /dev/mapper/vg-data /recovery/vg-data.img /recovery/vg-data.map
ddrescue -d -f -r3 /dev/mapper/vg-data /recovery/vg-data.img /recovery/vg-data.map

Replace the device path with the actual source device discovered via findmnt and lsblk. The first pass ( -n) skips retries; the second pass ( -r3) retries up to three times.

6. Filesystem‑Specific Guidance

6.1 ext4

Ext4 may reuse directory entries, inodes, and blocks quickly. SSD/NVMe with active fstrim can zero out freed blocks, dramatically lowering recovery chances. Tools like extundelete work on an offline image but have limited support for newer ext4 features. The source filesystem must be unmounted or mounted read‑only, and recovery output must be written to a different filesystem.

6.2 XFS

XFS lacks an official undelete utility. xfs_repair fixes metadata consistency but does not restore deleted files and may alter the on‑disk state. Preferred order: pre‑deletion snapshots, open file descriptors, other business copies, then professional data‑recovery services.

6.3 Btrfs, ZFS, LVM, Cloud Disks

Recovery relies on snapshots taken before deletion. List snapshots, clone them read‑only, and extract needed paths. Snapshots are not backups; they share the same failure domain unless stored on a separate volume.

6.4 Container & Kubernetes Scenarios

Determine where the path lives:

Overlay read‑only layer – deletion creates a whiteout; recreating the container may restore the original file.

Overlay writable layer – deletion may be permanent once the container is removed.

Bind‑mount or named volume – treat as host filesystem.

Kubernetes PersistentVolume – follow the CSI driver’s snapshot/backup mechanism.

Never delete the pod before copying open files via /proc, and be aware of reclaim policies that may delete the underlying volume.

7. Post‑Recovery Validation and Re‑launch

File restoration does not equal service restoration. Verify:

File count, directory hierarchy, and total size match backup manifests.

Hashes match trusted copies.

Ownership, group, permissions, ACLs, extended attributes, and SELinux contexts are correct.

Hard‑link and soft‑link relationships are intact.

Configuration files pass syntax checks.

Data files are readable by the application in read‑only or validation mode.

Any legitimate increments after the deletion point are merged appropriately.

Generate manifests and hashes for the restored directory:

find /recovery/restored -xdev -printf '%y %m %u %g %s %p
' > /recovery/restored-manifest.txt
find /recovery/restored -xdev -type f -print0 | sort -z | xargs -0 sha256sum > /recovery/restored-sha256.txt

Before overwriting production data, perform a dry‑run with rsync -aHAXn --delete /recovery/restored/ /data/target/, review the diff, and only then execute the real sync.

8. Common Misconceptions

Rebooting closes open files but also writes new metadata; it is not a first‑step. sync only flushes caches; it does not undo deletions. fsck fixes consistency, not undelete; it may further modify metadata.

SSD/NVMe behavior with TRIM can make data unrecoverable.

Seeing a filename in recovery‑software output does not guarantee content integrity.

Never overwrite the original path with recovered files; always use an isolated location first.

9. Reducing Future Deletion Impact

Principle‑of‑least‑privilege for service accounts; avoid giving them recursive delete rights.

Separate mounts and permissions for data, logs, caches, and artifacts.

Immutable backups, object versioning, and protected snapshots for critical data.

Write safe cleanup scripts that validate variables, enforce allowed directories, and require a dry‑run before deletion.

Regularly test backups with full restore drills and verify RPO/RTO.

Monitor deletions, sudden capacity drops, and high‑risk commands with audit alerts.

10. Incident Checklist for rm -rf Mistakes

Record exact time, host, user, command, and target path.

Stop non‑essential writes; do not install tools or reboot.

Use findmnt and lsblk to confirm the real filesystem and device.

Check backups, pre‑deletion snapshots, artifact repositories, other nodes, and object versions.

Immediately run lsof +L1 to locate open deleted files and copy them elsewhere.

If no reliable copy exists, isolate traffic, unmount, and create a block‑level image.

Perform all recovery experiments on the image, outputting to a separate disk.

Choose the appropriate tool for the filesystem (ext4, XFS, Btrfs, ZFS, etc.).

Validate recovered content, hashes, permissions, timestamps, and application consistency.

Before production restore, dry‑run, gray‑scale, and back up the current state; have a clear rollback plan.

Post‑mortem: review permissions, cleanup scripts, snapshot policies, backup strategy, audit logging, and recovery drills.

Even after a successful rm -rf recovery, the ultimate guarantee comes from verified backups and snapshots; filesystem scanning should be a last resort, not a primary data‑protection strategy.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

linuxbackupsnapshotfilesystemlsofprocfsrm -rffile recovery
Golang Shines
Written by

Golang Shines

We share daily the latest Golang technical articles, practical resources, language news, tutorials, and real-world projects to help everyone learn and improve.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.