Next Previous Contents

5. Unmounting the file system

Regardless of which method you choose, the first step is to unmount the file system containing the deleted files. I strongly discourage any urges you may have to mess around on a mounted file system. This step should be performed as soon as possible after you realise that the files have been deleted; the sooner you can unmount, the smaller the chance that your data will be overwritten.

The simplest method is as follows: assuming the deleted files were in the /usr file system, say:

# umount /usr

You may, however, want to keep some things in /usr available. So remount it read-only:

# mount -o ro,remount /usr

If the deleted files were on the root partition, you'll need to add a -n option to prevent mount from trying to write to /etc/mtab:

# mount -n -o ro,remount /

Regardless of all this, it is possible that there will be another process using that file system (which will cause the unmount to fail with an error such as `Resource busy'). There is a program which will send a signal to any process using a given file or mount point: fuser. Try this for the /usr partition:

# fuser -v -m /usr

This lists the processes involved. Assuming none of them are vital, you can say

# fuser -k -v -m /usr

to send each process a SIGKILL (which is guaranteed to kill it), or for example,

# fuser -k -TERM -v -m /usr

to give each one a SIGTERM (which will normally make the process exit cleanly).


Next Previous Contents