Solaris - Tricks

Finding deleted files that are held open

This set of commands can be used to find files that were deleted while still in use. It can be used either to undelete the file or to find the process holding the file open. Typically this is a problem when someone has tried to free space on a file system by removing in-use log files, which has no effect on file-system usage and gives misleading results.

The following command uses find to look for file descriptors with no links within the /proc file system. (Being root helps here, as you can't look at processes you don't own.)

find /proc/*/fd -type f -links 0

The output will be file descriptors with no links, i.e. files that are deleted but still open.

Each path in the output contains the process ID and the file descriptor number.

To undelete the file, you can copy it back to the original file name or to a new file name. Keep it in the same file system, though.

To get more information on the file, you can use the pfiles command. The file descriptor number will match up with the output of the pfiles command.
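The steps above can be combined into one script. This is an added example, not part of the original page: PROC_ROOT, the function names and the file name deleted_fds.sh are assumptions for illustration. It needs a POSIX shell (ksh93 or bash, not the legacy Bourne shell found as /bin/sh on older Solaris releases).

```shell
# Added example: not from the original page. PROC_ROOT and all function
# names are assumptions made for illustration.
PROC_ROOT=${PROC_ROOT:-/proc}

# Read find output on stdin; print "<pid> <fd>" for each well-formed path.
parse_deleted_fds() {
    while IFS= read -r path; do
        rest=${path#"$PROC_ROOT"/}
        [ "$rest" != "$path" ] || continue    # not under PROC_ROOT
        pid=${rest%%/*}
        fd=${rest#"$pid"/fd/}
        [ "$fd" != "$rest" ] || continue      # not a .../fd/... path
        case "$pid" in ''|*[!0-9]*) continue ;; esac
        case "$fd" in ''|*[!0-9]*) continue ;; esac
        printf '%s %s\n' "$pid" "$fd"
    done
}

# Run the find command from the page; list PID, FD and size of each hit.
scan_deleted_open() {
    find "$PROC_ROOT"/*/fd -type f -links 0 2>/dev/null | parse_deleted_fds |
    while read -r pid fd; do
        size=$(ls -ln "$PROC_ROOT/$pid/fd/$fd" 2>/dev/null | awk '{print $5}')
        printf 'pid=%s fd=%s bytes=%s\n' "$pid" "$fd" "${size:-?}"
    done
}

# Copy a deleted-but-open file to dest. The copy is a snapshot: the process
# keeps writing to the deleted file, not to dest.
recover_fd() {
    pid=$1 fd=$2 dest=$3
    src="$PROC_ROOT/$pid/fd/$fd"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # noclobber (set -C) makes the redirect fail if dest already exists
    ( set -C; cat "$src" > "$dest" ) 2>/dev/null ||
        { echo "cannot create $dest (already exists?)" >&2; return 1; }
}

# Scan only when asked for, e.g.: sh deleted_fds.sh scan
if [ "${1:-}" = "scan" ]; then scan_deleted_open; fi
```

Source the file and call recover_fd with a PID, a descriptor number and a destination path to pull a copy out of /proc without overwriting an existing file.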

Another method is to use the lsof +L1 command.