LinuxCommandLibrary

debugfs

Examine and repair ext2/3/4 filesystems

TLDR

Open the filesystem in read only mode

$ debugfs [/dev/sdXN]
copy

Open the filesystem in read write mode
$ debugfs -w [/dev/sdXN]
copy

Read commands from a specified file, execute them and then exit
$ debugfs -f [path/to/cmd_file] [/dev/sdXN]
copy

View the filesystem stats in debugfs console
$ stats
copy

Close the filesystem
$ close -a
copy

List all available commands
$ lr
copy

SYNOPSIS

debugfs [ options ] device

PARAMETERS

device
    The path to the block device containing the filesystem (e.g., /dev/sda1) or a filesystem image file.

-V
    Print the version number of debugfs and exit.

-b blocksize
    Specify the block size of the filesystem. This is rarely needed as debugfs can usually determine it automatically.

-s superblock
    Specify the block number of an alternative superblock to use. Useful for corrupted filesystems.

-f cmd_file
    Read commands from the specified file instead of standard input (non-interactive mode).

-R command
    Execute a single command and then exit. Useful for scripting specific queries.

-w
    Open the filesystem in read-write mode. Use with extreme caution! This allows modifications to the filesystem.

-D directory
    Set the current working directory within debugfs. This can simplify path specification for interactive commands.

DESCRIPTION

debugfs is a powerful interactive command-line utility used to examine and modify the internal structures of an ext2, ext3, or ext4 filesystem. It's an integral part of the e2fsprogs suite of tools. Unlike standard filesystem utilities like ls or cp, debugfs operates at a much lower level, allowing users to directly inspect and manipulate inodes, directory entries, block maps, and superblock information.

This makes it invaluable for filesystem forensics, recovery of lost or deleted files (though success is not guaranteed), and advanced debugging of filesystem issues. While it can be used for non-destructive operations like viewing filesystem metadata, it also provides commands to modify the filesystem, which can be extremely dangerous if not used with extreme caution, potentially leading to irreversible data corruption.

It supports both an interactive mode, where users type commands at a prompt, and a non-interactive mode, where a script of commands can be executed against a specified device. Typically, debugfs requires root privileges to operate on a raw block device.

CAVEATS

High Risk of Data Loss: Using debugfs, especially with the -w option, can lead to severe data corruption if commands are executed incorrectly. Always back up critical data before attempting modifications.
Root Privileges: Typically requires root privileges to access raw block devices.
Unmounted Filesystems: For any modifying operations, it is strongly recommended to use debugfs on an unmounted filesystem to prevent inconsistencies.

INTERACTIVE MODE COMMANDS

Once inside debugfs, numerous commands are available. Common examples include:
ls: List files and directories.
stat file: Display inode information for a file.
cat file: Display the contents of a file.
dump file: Dump a file's contents to an operating system file.
icheck inode_number: List blocks allocated to an inode.
bmap file logical_block: Find the physical block number of a logical block.
rm file: Remove a file (can be used to recover 'deleted' inodes by relinking).

FILESYSTEM RECOVERY

debugfs is often used in attempts to recover accidentally deleted files. By finding the inode of a deleted file and potentially relinking it, it's sometimes possible to restore the file, provided its data blocks have not been overwritten. This process requires a deep understanding of filesystem internals.

HISTORY

debugfs is a foundational component of the e2fsprogs project, which was primarily developed by Theodore Ts'o. It has been a key utility for managing and debugging ext2, ext3, and ext4 filesystems since their early development, evolving alongside the filesystem standards.

SEE ALSO

e2fsck(8), tune2fs(8), dumpe2fs(8), mke2fs(8), fsck(8)

Copied to clipboard