Linux distributions are managed with both a GUI (Graphical User Interface) and a CLI (Command Line Interface). The CLI is at the forefront in the use of server operating systems. So, can the work done in an operating system with a GUI also be done on systems used through the CLI? For example, can you undo the rm operation?
How to undo rm in Linux?
We will describe 2 methods and 3 suggestions to answer this question. You can search for deleted data on disk with the Foremost and Scalpel applications. With the trash command you have a bin in the CLI just like you would on a GUI system. You can alias the rm command to the mv command as a workaround. Finally, you can alias the rm command so that it adds a confirmation step before deleting. Let's exemplify them.
Method-1: Recover data using Foremost
Foremost is a data recovery program for Linux used to recover files using their headers, footers and data structures through a process known as file carving. It is available for free and can be used as a general data recovery tool.
According to the Linux distribution you are using, you can find the installation step below:
For Debian-based OS (Ubuntu, Mint, Pardus etc.):
sudo apt install foremost -y
For Arch-based OS (Archman Linux, Arch Linux, Manjaro etc.):
sudo pacman -S foremost
For Redhat-based OS (Centos, Fedora, AlmaLinux, Rocky Linux etc.), the forensics repository is added first, then the package is installed:
sudo dnf install https://forensics.cert.org/cert-forensics-tools-release-el9.rpm
sudo dnf --enablerepo=forensics install foremost
The default usage of the foremost command is:
foremost [-h] [-V] [-d] [-vqwQT] [-b <blocksize>] [-o <dir>] [-t <type>] [-s <num>] [-i <file>]
You can search for a file type (jpg, gif, png, exe, mov, pdf, doc, zip, rar, htm, mp4 etc.) by giving it with the -t parameter. The -i parameter specifies the input file. If no input file is specified or the input file cannot be read, stdin is used. Recovered files are written to the directory specified with the -o parameter. If no value is entered, the output is written to the "output" directory.
An example for foremost:
foc@linux:~$ sudo foremost -t pdf -i /dev/vda3
Processing: /dev/vda3
|**************************************************************************************************************************
The output directory and the pdf files found are as follows:
foc@linux:~$ sudo tree output
output
├── audit.txt
└── pdf
    ├── 00472288.pdf
    ├── 09197568.pdf
    ├── 09198264.pdf
    ├── 09204608.pdf
    ├── 09208560.pdf
    ├── 09212840.pdf
    ├── 09296680.pdf
    ├── 10765320.pdf
    ├── 11036672.pdf
    ├── 13143040.pdf
    ├── 13143320.pdf
    ├── 13143664.pdf
    ├── 13150208.pdf
    ├── 13150488.pdf
    ├── 13150848.pdf
    ├── 13284784.pdf
    ├── 13389464.pdf
    ├── 13395368.pdf
    ├── 13412800.pdf
    └── 13862912.pdf
1 directory, 21 files
All formats are searched by giving the value "all" to the -t parameter:
foc@linux:~$ sudo foremost -t all -i /dev/vda3
foc@linux:~$ sudo ls -l output/
total 92
-rw-r--r-- 1 root root 44568 Nov 13 07:44 audit.txt
drwxr-xr-- 2 root root 4096 Nov 13 07:41 bmp
drwxr-xr-- 2 root root 4096 Nov 13 07:41 exe
drwxr-xr-- 2 root root 4096 Nov 13 07:41 gif
drwxr-xr-- 2 root root 12288 Nov 13 07:41 htm
drwxr-xr-- 2 root root 4096 Nov 13 07:41 jpg
drwxr-xr-- 2 root root 4096 Nov 13 07:41 pdf
drwxr-xr-- 2 root root 12288 Nov 13 07:41 png
drwxr-xr-- 2 root root 4096 Nov 13 07:41 zip
The files found are placed in directories named after their formats. In this way, "undo rm" is achieved by carving the deleted files back from the disk with the command above.
Method-2: Recover data using Scalpel
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is independent of the file system used and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.
Follow the steps below to install on your system. For Debian-based OS (Ubuntu, Mint, Pardus etc.):
sudo apt install scalpel -y
For Arch-based OS (Archman Linux, Arch Linux, Manjaro etc.):
sudo pacman -S scalpel
For Redhat-based operating systems (Centos, Fedora, AlmaLinux, Rocky Linux etc.), the EPEL repository is added first and the "tre" package is installed:
sudo dnf install epel-release -y
sudo dnf install tre -y
Then the forensics repository is added and the "scalpel" package is installed:
sudo dnf install https://forensics.cert.org/cert-forensics-tools-release-el9.rpm
sudo dnf --enablerepo=forensics install scalpel -y
The scalpel configuration file is located at /etc/scalpel.conf ("/etc/scalpel/scalpel.conf" on Debian-based OS). The file formats are defined in this file; a new file type definition is added here, and wanted/unwanted formats are enabled or disabled here:
nano /etc/scalpel.conf
#---------------------------------------------------------------------
#      ADOBE PDF
#---------------------------------------------------------------------
        pdf     y       5000000         %PDF    %EOF\x0d        REVERSE
        pdf     y       5000000         %PDF    %EOF\x0a        REVERSE
#      MICROSOFT OFFICE
#---------------------------------------------------------------------
# Word documents
        doc     y       10000000        \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00        \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00        NEXT
        doc     y       10000000        \xd0\xcf\x11\xe0\xa1\xb1
#      MISCELLANEOUS
#---------------------------------------------------------------------
        zip     y       10000000        PK\x03\x04      \x3c\xac
        rar     y       10000000        Rar!
        java    y       1000000         \xca\xfe\xba\xbe
#      GRAPHICS FILES
#---------------------------------------------------------------------
# AOL ART files
        art     y       150000          \x4a\x47\x04\x0e        \xcf\xc7\xcb
        art     y       150000          \x4a\x47\x03\x0e        \xd0\xcb\x00\x00
# GIF and JPG files (very common)
        gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
        gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x00\x3b
        jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9
        jpg     y       200000000       \xff\xd8\xff\xe1        \xff\xd9
You must prefix the line of any file format you want to exclude with a # character. Then start a sample search:
[root@fedora faruk]# scalpel -c /etc/scalpel.conf -o files_found /dev/nvme0n1p2
Scalpel version 2.1
Written by Golden G. Richard III and Lodovico Marziale.
Multi-core CPU threading model enabled.
Initializing thread group data structures.
Creating threads...
Thread creation completed.
Opening target "/dev/nvme0n1p2"
Image file pass 1/2.
/dev/nvme0n1p2: 72.3% |********************************* | 335.8 GB 01:57 ETA
/dev/nvme0n1p2: 100.0% |**********************************************| 464.8 GB 00:00 ETA
Allocating work queues...
Work queues allocation complete. Building work queues...
Adding files_found/pdf-0-0/00000000.pdf to queue
...
Adding files_found/pdf-1-0/00000875.pdf to queue
Adding files_found/pdf-1-0/00000876.pdf to queue
Adding files_found/pdf-1-0/00000877.pdf to queue
Adding files_found/pdf-1-0/00000878.pdf to queue
Work queues built. Workload:
pdf with header "%PDF" and footer "%EOF\x0d" --> 113 files
pdf with header "%PDF" and footer "%EOF\x0a" --> 766 files
Carving files from image.
Image file pass 2/2.
/dev/nvme0n1p2: 100.0% |**********************************************| 464.8 GB 00:00 ETA
Processing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 879, elapsed = 400 secs.
When the search is complete, you can access the data in the directory specified with the -o parameter:
[root@fedora faruk]# tree files_found/
files_found/
├── audit.txt
├── pdf-0-0
│ ├── 00000000.pdf
...
├── 00000877.pdf
└── 00000878.pdf
2 directories, 880 files
Before starting the scan, make sure that the directory you specify with -o has enough space. Otherwise, you may encounter an insufficient disk space warning.
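As an added example that is not code from scalpel or foremost, the POSIX shell function below reproduces the core of a scalpel.conf rule such as the `pdf y 5000000 %PDF %EOF` lines above: every header hit starts a candidate, the first footer after it ends it, and the rule's size caps it. It assumes GNU grep (whose -o -b -a print byte offsets on binary input) and coreutils tail/head; the "disk image" it carves is constructed inline.

```shell
#!/bin/sh
# Minimal header/footer carver (added example, not scalpel/foremost code).
# Assumes GNU grep and coreutils; all names here are this example's own.

# carve IMAGE HEADER FOOTER MAXLEN OUTDIR
carve() {
  img=$1 header=$2 footer=$3 maxlen=$4 outdir=$5
  mkdir -p "$outdir"
  # -b with -o prints the 0-based byte offset of each match; LC_ALL=C keeps grep byte-oriented
  LC_ALL=C grep -obaF -- "$header" "$img" | cut -d: -f1 | while IFS= read -r start; do
    # look for the footer only in the bytes that follow this header
    rel=$(tail -c +$((start + 1)) "$img" | LC_ALL=C grep -obaF -- "$footer" | head -n 1 | cut -d: -f1)
    if [ -n "$rel" ]; then
      len=$((rel + ${#footer}))
    else
      len=$maxlen   # no footer found: carve up to the rule's maximum size, as the carvers do
    fi
    if [ "$len" -gt "$maxlen" ]; then len=$maxlen; fi
    # name the output after its byte offset, the convention foremost and scalpel use
    tail -c +$((start + 1)) "$img" | head -c "$len" > "$(printf '%s/%08d.pdf' "$outdir" "$start")"
  done
}

# Constructed sample image: two small PDF-like blobs separated by junk and NUL bytes.
# Offsets: first "%PDF" at byte 8, second at byte 38.
make_sample_image() {
  printf 'junkjunk%%PDF-1.4 hello%%%%EOFmore junk\000\001%%PDF-1.7 second%%%%EOF\n' > "$1"
}

# Number of files carved into OUTDIR
carved_count() { ls "$1" | wc -l | tr -d ' '; }
```

Like the real carvers, this finds every candidate, so on a disk with many old PDF revisions it produces far more files than were deleted; that is why the scalpel run above reports 879 carved files.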
Protect Linux system from accidental rm command execution
Suggestion-1: Using Trash Command
In this suggestion we will use a trash bin on the CLI. Let's examine how to install the "trash-cli" application on Linux distributions:
sudo apt install trash-cli -y       # For Debian-based OS (Ubuntu, Mint, Pardus etc.)
sudo apt-get install trash-cli -y   # For older Debian-based operating systems (Ubuntu, Mint, Pardus etc.)
sudo pacman -S trash-cli            # For Arch-based OS (Archman Linux, Arch Linux, Manjaro etc.)
sudo dnf install trash-cli          # For Redhat-based OS (Centos, Fedora, AlmaLinux, Rocky Linux etc.)
sudo yum install trash-cli -y       # For older Redhat-based operating systems (Centos, Fedora, AlmaLinux, Rocky Linux etc.)
sudo zypper install trash-cli       # For openSUSE
After installation, you can delete files with the trash command:
foc@ubuntu22:~$ ls
text-1.txt text-2.txt text-3.txt text-4.txt
foc@ubuntu22:~$ trash text-1.txt
foc@ubuntu22:~$ ls
text-2.txt text-3.txt text-4.txt
The file was deleted with the trash command. For a directory, you can give the -d parameter:
foc@ubuntu22:~$ trash -d folder
You can list the deleted files and directories with the trash-list command:
foc@ubuntu22:~$ trash-list
2022-11-09 18:44:37 /home/foc/folder
2022-11-09 18:41:11 /home/foc/text-1.txt
2022-11-09 18:42:46 /home/foc/text-1.txt
The trash-restore command is used to get the deleted file/folder back from the trash box:
foc@ubuntu22:~$ trash-list
2022-11-09 18:44:37 /home/foc/folder
2022-11-09 18:49:45 /home/foc/text-1.txt
foc@ubuntu22:~$ trash-restore /home/foc/text-1.txt
   0 2022-11-09 18:49:45 /home/foc/text-1.txt
What file to restore [0..0]: 0
foc@ubuntu22:~$ ls
text-1.txt text-2.txt text-3.txt text-4.txt
All trash is cleared with the trash-empty command:
foc@ubuntu22:~$ trash-empty
These work fine, so how do we use them through the rm command? The answer is to define an alias: when the rm command is run, the trash command runs instead, so the deletion can be undone afterwards.
Open the user's ".bashrc" file with a text editor and type the following line:
foc@ubuntu22:~$ nano ~/.bashrc
alias rm='trash'
Then apply this change to the user's shell:
foc@ubuntu22:~$ source ~/.bashrc
Now when you run the rm command, the trash command actually works:
foc@ubuntu22:~$ rm -h
Usage: trash [OPTION]... FILE...
Put files in trash
...
Suggestion-2: Sort of Hack Solution for undo rm
This time, the "mv" command can be given as an alias to the rm command. For this, the ".trash" directory is created in the user's home directory:
[foc@rocky9 ~]$ mkdir ~/.trash
Then the mv command alias is defined:
[foc@rocky9 ~]$ vi ~/.bashrc
alias rm='mv --target-directory="$HOME/.trash"'
Then apply this change to the user's shell:
[foc@rocky9 ~]$ source ~/.bashrc
Then run the rm command:
[foc@rocky9 ~]$ rm text-1
[foc@rocky9 ~]$ ls ~/.trash/
arch text-1
If you use rm in this way, you will have a limited "undo rm" feature. It is limited because the alias passes any rm options (such as -rf) straight to mv, and a file moved into ~/.trash silently overwrites an earlier one with the same name.
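An added example, not from the original post: a shell function that does the job of the `alias rm='mv --target-directory="$HOME/.trash"'` above while keeping the "undo" reliable. A second deletion of a file called text-1 no longer overwrites the first copy in the trash, rm-style options are not handed to mv, and the original location is logged so the file can be put back. It assumes a POSIX sh with coreutils and awk; TRASH_DIR, safe_rm and safe_restore are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the original post. Replace the rm alias with:
#   alias rm='safe_rm'
TRASH_DIR="${TRASH_DIR:-$HOME/.trash}"

# safe_rm [rm-style options are ignored] FILE...
safe_rm() {
  mkdir -p "$TRASH_DIR"
  for f in "$@"; do
    case "$f" in -*) continue ;; esac            # -r, -f, -rf would break plain mv
    if [ ! -e "$f" ]; then
      echo "safe_rm: cannot remove '$f': No such file or directory" >&2
      continue
    fi
    orig="$(cd "$(dirname -- "$f")" && pwd)/$(basename -- "$f")"
    dest="$TRASH_DIR/$(basename -- "$f")"
    i=1
    while [ -e "$dest" ]; do                      # text-1 -> text-1.1 -> text-1.2 ...
      dest="$TRASH_DIR/$(basename -- "$f").$i"
      i=$((i + 1))
    done
    # tab-separated index: where the file is now, where it came from
    mv -- "$f" "$dest" && printf '%s\t%s\n' "$dest" "$orig" >> "$TRASH_DIR/.index"
  done
}

# safe_restore NAME   (NAME as listed by: ls ~/.trash)
safe_restore() {
  entry="$TRASH_DIR/$1"
  orig=$(awk -F'\t' -v d="$entry" '$1 == d { p = $2 } END { print p }' "$TRASH_DIR/.index" 2>/dev/null || true)
  if [ -z "$orig" ] || [ ! -e "$entry" ]; then
    echo "safe_restore: '$1' is not in the trash index" >&2; return 1
  fi
  if [ -e "$orig" ]; then                         # never clobber a file created since
    echo "safe_restore: '$orig' already exists, not overwriting" >&2; return 1
  fi
  mkdir -p "$(dirname -- "$orig")" && mv -- "$entry" "$orig"
}
```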
Suggestion-3: Use interactive rm command
Again, an alias is needed. This time we will define the rm command with one of its own parameters. Some Linux distributions do this by default: they set the "-i" parameter on the rm command. In this way, the user is asked for approval before the deletion.
Edit the ".bashrc" file:
[manjaro manjaro]# nano ~/.bashrc
alias rm="rm -i"
Then apply this change to the user's shell:
[manjaro manjaro]# source ~/.bashrc
And try deleting files:
[manjaro manjaro]# rm text-1
rm: remove regular empty file 'text-1'? y
You will now receive a prompt before deleting. There is no undo, but you have a chance to reconsider before the deletion happens.
Summary
Data deletion on servers is risky. Care should be taken when assigning authorization to users. Above are some undo methods and precautions you can take in the system.
For more information, you can get help from the application's manual pages:
man foremost
man scalpel
man trash