debugfs
Examine and repair ext2/3/4 filesystems
TLDR
Open the filesystem in read only mode
Open the filesystem in read write mode
Read commands from a specified file, execute them and then exit
View the filesystem stats in debugfs console
Close the filesystem
List all available commands
SYNOPSIS
debugfs [ options ] device
PARAMETERS
device
The path to the block device containing the filesystem (e.g., /dev/sda1) or a filesystem image file.
-V
Print the version number of debugfs and exit.
-b blocksize
Specify the block size of the filesystem. This is rarely needed as debugfs can usually determine it automatically.
-s superblock
Specify the block number of an alternative superblock to use. Useful for corrupted filesystems.
-f cmd_file
Read commands from the specified file instead of standard input (non-interactive mode).
-R command
Execute a single command and then exit. Useful for scripting specific queries.
-w
Open the filesystem in read-write mode. Use with extreme caution! This allows modifications to the filesystem.
-D directory
Set the current working directory within debugfs. This can simplify path specification for interactive commands.
DESCRIPTION
debugfs is a powerful interactive command-line utility used to examine and modify the internal structures of an ext2, ext3, or ext4 filesystem. It's an integral part of the e2fsprogs suite of tools. Unlike standard filesystem utilities like ls or cp, debugfs operates at a much lower level, allowing users to directly inspect and manipulate inodes, directory entries, block maps, and superblock information.
This makes it invaluable for filesystem forensics, recovery of lost or deleted files (though success is not guaranteed), and advanced debugging of filesystem issues. While it can be used for non-destructive operations like viewing filesystem metadata, it also provides commands to modify the filesystem, which can be extremely dangerous if not used with extreme caution, potentially leading to irreversible data corruption.
It supports both an interactive mode, where users type commands at a prompt, and a non-interactive mode, where a script of commands can be executed against a specified device. Typically, debugfs requires root privileges to operate on a raw block device.
CAVEATS
High Risk of Data Loss: Using debugfs, especially with the -w option, can lead to severe data corruption if commands are executed incorrectly. Always back up critical data before attempting modifications.
Root Privileges: Typically requires root privileges to access raw block devices.
Unmounted Filesystems: For any modifying operations, it is strongly recommended to use debugfs on an unmounted filesystem to prevent inconsistencies.
INTERACTIVE MODE COMMANDS
Once inside debugfs, numerous commands are available. Common examples include:
ls: List files and directories.
stat file: Display inode information for a file.
cat file: Display the contents of a file.
dump file: Dump a file's contents to an operating system file.
icheck inode_number: List blocks allocated to an inode.
bmap file logical_block: Find the physical block number of a logical block.
rm file: Remove a file (can be used to recover 'deleted' inodes by relinking).
FILESYSTEM RECOVERY
debugfs is often used in attempts to recover accidentally deleted files. By finding the inode of a deleted file and potentially relinking it, it's sometimes possible to restore the file, provided its data blocks have not been overwritten. This process requires a deep understanding of filesystem internals.
HISTORY
debugfs is a foundational component of the e2fsprogs project, which was primarily developed by Theodore Ts'o. It has been a key utility for managing and debugging ext2, ext3, and ext4 filesystems since their early development, evolving alongside the filesystem standards.