The problem of protecting users from accidental file deletion is one
that many people have encountered, and therefore there are many
solutions of different types already implemented and available.
Which solution you choose depends on
the features you want it to have and on how you want it to do its job.
Many people do not use the
shell-script solutions described
because they are too slow or too unreliable or
because they don't allow deleted files to be recovered for long
For example, Purdue University runs a large network of many different
machines that utilize some local file space and some
Their file recovery system,
, replaces certain system calls
functions that check to
see if a file would be destroyed by the requested system call; if so,
the file is backed up (by asking a local or remote
to do so) before the actual system call is performed.
The advantages of this system are that you don't have to create any
new applications to do safe file removal - the standard
will automatically do the right thing, as will
and any other
programs that have the potential of erasing files.
cat a b > a
A disadvantage of this system is that you have to have the source
code for your UNIX system and be able to recompile its utilities in
order to link them against the
libraries. Furthermore, if
you wish to install this system on your machines, you have to be able
to install it on
of them. If someone learns
machine you manage and then wants to use it on a workstation in a
private lab for which you do not have source code, it can't be done.
Also, there is a danger of people getting used to
there to save them if they make mistakes, and then losing a file when
on a system that doesn't have
If you don't have strict control over all the machines on which you want to
have file-deletion protection, or if you don't have source code and
therefore can't use something like
, there are several other
options available. One of them is the
written at MIT.
overcomes several of the disadvantages of
is very simple, compiles on virtually any machine, and doesn't require
any sort of superuser access to install. This means that if you learn
on one system and then move somewhere else, you can
take it with you by getting the source code and simply recompiling it
on the new system. Furthermore,
intentionally isn't named
, so that people who use it know they are using it and therefore
don't end up believing that files removed with
recovered. However, this means that users have to be educated to use
when removing files.
works by renaming files with a prefix that marks them as
deleted. For example,
would simply rename the
. Here's an example of the
commands in action:
The directory starts with three files:
a b c
One of the files is deleted:
The deleted file doesn't show up with normal ls because the name
now starts with a dot (.). However, it shows up when files starting with .
are listed or when the lsdel command is used:
.#a b c
Bringing the file back with undelete leaves us back where we started:
a b c
We can delete everything:
a b c
We can expunge individual files or the current working directory:
After the last expunge, there are no files left at all:
The technique used by
has some advantages and some
disadvantages. The advantages include:
It works on any filesystem type - local, NFS, AFS, RFS, whatever.
You don't have to have special daemons running on your file servers
in order for it to work, and there are no daemons to go down and
prevent deleted file archiving from taking place.
It maintains the directory locations in which deleted files are
stored so that they can be undeleted in the same locations.
It maintains file permissions and ownership so that undeleted files
can be restored with them. Furthermore, deleted files can be
undeleted by anyone who had permission to delete them in the first
place, not just by the one individual who deleted them.
Deleted files are counted against a user's
disk quota (
until they are
actually permanently removed (either by the system, a few days after
they are deleted, or by the user with the
is part of the
package). Some people would actually call
this an advantage, because it prevents people from using deleted
file space to store large files (something which is possible with
Deleted files show up when a user does
. This is
considered a relatively minor disadvantage by most people,
files starting with a dot (
) are supposed to be
most of the time.
Deleted files have to be searched for in filesystem trees in order
to expunge them, rather than all residing in one location as they do
. This, too, is usually considered a minor
disadvantage, since most systems already
search the entire filesystem (
each night automatically in order to delete certain
program protects files. A user can still blow
away a file with
cat a b > a
If your main concern
is eliminating accidental file deletions with
much of a problem; furthermore, it is not clear that the extra
overhead required to run something like
is worth the
advantage gained (even if it is possible to do what
at your site).
represent the two main approaches to the
problem of protection from accidental file erasure. Other packages of
this sort choose one or the other of these basic techniques in order
to accomplish their purposes.