GCE Undeletion Facility

The Undeletion Facility allows undeletion of VMS files that were accidentally deleted, within a period of time, and without generating security holes in one's file system. It operates through interception code that gains control at any delete request on a controlled volume and activates a delete daemon to perform the actual "deletion" operations.

For simplicity, the deletion daemon can use a secondary subprocess to do the actual operations. The modes this subprocess has are:

1. Rename files to a "safe" area on the same disk and mark them for time, or
2. Copy files to a "safe" area somewhere else and mark them for time.

The daemon can also use callable CONVERT to copy files or lib$rename_file to accomplish these policies directly, using logicals to specify filetypes to delete at once. The subprocess method will, however, provide ultimate flexibility where this is needed. Normally the "built-in" method will be used for speed, but this can be selected separately for each daemon that runs (each daemon serving one or more disks).

Additional policy decisions are needed. These consist of:

1. File types that should be deleted immediately (e.g., ".OBJ files", or "files created more than 10 days ago").
2. What to do if space runs out at the destination area. An additional command file is run by the system where space is exhausted on the device by an extend or create (actually, it runs before the extend or create is performed), but as a general policy one can either allow the deletion or disallow it in such a case. This must be a site option.

Whether to report an I/O error on deletion must also be an option, since the system can fake a success or generate an error in addition to doing the deletion.

The marking consists of a simple data record giving the time of deletion and the original file location and owner, which is used by cleanup processes. This permits programmatic copy or rename without messing with file ACLs, speeding up the operation.

A cleanup process runs every hour or so and deletes older files. An option for an auto-expunge operation on files at logout will be provided. Both of these operate by command procedures running a cleanup image which can clean up old files or files from a particular user.

The system will allow deletions by any process specifying the io$_delete + io$m_create function instead of just io$_delete. The modifier is stripped off and the delete is done. This is used by an EXPUNGE program which will cause files to "really delete" with no possibility of undeletion.

A file restore command will allow replacing a file where it came from, with ownership unaltered.

Finally, a hook in the cleanup daemon will allow deleted files to be recorded "somewhere". Where an HSM package is in use, this may consist of moving files to a nearline site and leaving the headers around tagged for automatic retrieval.

A callable version of the cleanup utility will also be provided, which can be furnished a disk, a time before which to clean up, or a user to clean up.

An undelete utility (also available in callable version) will allow restoration of files to their original locations provided the caller either has sysprv privilege or is the original file owner. Others will not be allowed access.
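
The mark record, the cleanup selection and the undelete access rule described above, sketched in portable C as an added example that is not part of the GCE code. The struct layout, the names mark_record, caller_id, may_undelete and select_for_cleanup, and the sample paths, times and UICs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>   /* also provides size_t and NULL */

/* Hypothetical mark record: the page names only these three fields. */
typedef struct {
    time_t      deleted_at;  /* time of deletion */
    const char *orig_path;   /* original file location */
    uint32_t    owner_uic;   /* original owner (UIC packed in one integer) */
} mark_record;

typedef struct { uint32_t uic; bool has_sysprv; } caller_id;  /* assumed shape */

/* Undelete rule from the text: SYSPRV holder or original owner only.
   Ownership comes from the mark record, never from caller input. */
bool may_undelete(const mark_record *m, const caller_id *c)
{
    if (m == NULL || c == NULL) return false;      /* fail closed */
    return c->has_sysprv || c->uic == m->owner_uic;
}

typedef enum { CLEAN_BEFORE_TIME, CLEAN_USER } clean_mode;

/* Cleanup selection: records deleted before `cutoff`, or all records of
   one user. Sets purge[i]; returns the number of records selected. */
size_t select_for_cleanup(const mark_record *recs, size_t n, clean_mode mode,
                          time_t cutoff, uint32_t user_uic, bool *purge)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        purge[i] = (mode == CLEAN_USER) ? recs[i].owner_uic == user_uic
                                        : difftime(cutoff, recs[i].deleted_at) > 0;
        hits += purge[i] ? 1 : 0;
    }
    return hits;
}

/* Constructed sample records: paths, times and UICs are made up. */
static const mark_record SAMPLE[] = {
    { 1000, "DISK$A:[ALICE]REPORT.TXT;3", 0x00100004 },
    { 5000, "DISK$A:[BOB]NOTES.TXT;1",    0x00100005 },
    { 9000, "DISK$A:[ALICE]PLAN.TXT;7",   0x00100004 },
};

int main(void)
{
    caller_id bob = { 0x00100005, false };   /* not the owner of SAMPLE[0] */
    bool purge[3];
    size_t old = select_for_cleanup(SAMPLE, 3, CLEAN_BEFORE_TIME, 6000, 0, purge);
    return (old == 2 && !may_undelete(&SAMPLE[0], &bob)) ? 0 : 1;
}
```

Because the access decision rests entirely on the owner stored in the mark record, this model assumes that record is writable only by the deletion daemon.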