Accidentally deleting a file in Linux does not always mean the data is permanently lost. Thanks to how the Linux filesystem works, it is often possible to recover a deleted file — provided a running process still has it open.
This guide explains how Linux handles file deletion and how you can recover deleted files using the /proc filesystem and the lsof command.
Understanding How Linux Deletes Files
In Linux, a file is essentially a link to an inode.
An inode stores important metadata such as:
- File ownership
- Permissions
- File size
- Timestamps
- Disk block locations
When you delete a file using the rm command, Linux removes only the directory entry (link) pointing to the inode.
The actual data is not immediately deleted.
The data remains on disk as long as:
- A process still has the file open
- The inode is still referenced
Only after all links and open file handles are released will the system free the storage space.
Why Deleted Files Can Still Be Recovered
If an application is still using a file after deletion, the file contents remain accessible in memory and through the Linux process pseudo-filesystem located at:
/procEach running process has its own directory:
/proc/<PID>/Inside this directory, the fd (file descriptor) folder contains links to all files opened by that process:
/proc/<PID>/fd/<FD>Even if the file no longer appears in directory listings, its data can still be accessed here.
Step 1: Create a Test File
Create a sample file for testing recovery:
man lsof | col -b > test_fileView the file:
less test_fileYou will see a plaintext version of the lsof manual.
Suspend the viewer without closing it:
Ctrl + ZDo not exit the process — it must keep the file open.
Step 2: Confirm File Details
Check the file information:
ls -l test_file
stat test_fileNow delete the file:
rm test_fileVerify removal:
stat test_fileYou should see:
No such file or directoryAlthough the file appears deleted, the running process still holds it open.
Step 3: Identify the Process Holding the File
Use lsof (List Open Files):
lsof | grep test_fileExample output:
less 14094 arun 4r REG ... (deleted) /test_fileImportant values:
| Field | Meaning |
|---|---|
| less | Command using the file |
| 14094 | Process ID (PID) |
| 4 | File descriptor |
| (deleted) | File removed from filesystem |
Step 4: Recover the Deleted File
Navigate to the process file descriptor:
/proc/14094/fd/4Check the symbolic link:
ls -l /proc/14094/fd/4You’ll notice it points to the deleted file.
Now copy the data back:
cp /proc/14094/fd/4 test_fileDo not use
cp -a, as it copies only the symbolic link instead of the actual file contents.
Step 5: Verify File Recovery
Confirm restoration:
ls -l test_fileOptional validation:
man lsof | col -b > test_file1
cmp test_file test_file1If no differences are shown, the recovery was successful.
Important Recovery Tips
- Act immediately after accidental deletion.
- Do not close the application using the file.
- Pause media players or editors if needed.
- Recovery works only while the file remains open by a process.
Conclusion
Linux file deletion removes only directory references — not the underlying data immediately. By leveraging the /proc filesystem and the lsof command, administrators can recover files that appear deleted but are still open by running processes.
Understanding this behavior can save critical data and prevent unnecessary downtime caused by accidental deletions.
If you require help, contact SupportPRO Server Admin
Partner with SupportPRO for 24/7 proactive cloud support that keeps your business secure, scalable, and ahead of the curve.
