Eric's Tech Notes: find

Guide to Linux/UNIX "find" command:

The UNIX/Linux "find" command is an essential tool for UNIX administrators and users alike, and has many uses in shell scripting. Some example uses of "find" are listed below.

NOTE: Unlike other UNIX commands, the paths you desire to search are specified BEFORE the program arguments. Also note that several version of "find" exist (BSD, SysV, Solaris, Linux, etc..), and these commands have only been tested on the GNU version (found on Linux) so you may need to refer to your "find" man page and adjust the commands for your local version (or download the GNU version!)

---

• How can I find files created/modified in the last 24 hours:

  $ find . -mtime -1 -type f
  

  ---

• How can I find files created/modified today?
  Just add -daystart before -mtime to limit the results to files modified beginning that day.

  $ find . -daystart -mtime 0
  

  ---

• How can I get the full "ls" details from a find command?
  Just add "-exec ls -ld {} \;" to your "find" command:

  $ find . -mtime -1 -type f -exec ls -ld {} \;
  

  ---

• How do I find files larger than one megabyte?

  $ find /etc /var -size +1M
  

  ---

• What's filling up my hard disk?!
  Has your UNIX drive suddenly filled up? You can search for larger files created in the last day with (better done as root to avoid permissions problems):

  # find /var /home -size +1M -mtime -1 -exec ls -ld {} \;
  

  Hint: take a special look at your log files (/var/log or /usr/log) and at your temporary files (/tmp) for programs that may be misconfigured and causing lot of data to be written to disk. If you're desperate, consider rebooting, as some programs will clear their temporary and working files upon a restart.

  ---

• How to I avoid scanning NFS-mounted filesystems?!
  You can limit find's search to locally-mounted disks by adding -mount:

  $ find / -mount -size -500k
  

  ---

• How can I find a specific file in UNIX?
  You can use -name to look for an exact filename (remember that UNIX is case-sensitive):

  # find / -mount -type f -name my_lost_file.txt
  

  ---

• How can I find all the pictures/music/movies on my UNIX system?
  With -name, you can ask find to locate a specific "globbed" filename pattern.
  NOTE: Be sure to use 'single-quotes' around the search term if you use any "globbing" characters (like *?{}[]), to avoid pre-glob-expansion by the shell:

  # find / -mount -type f -name '*.{jpg,gif,JPG,GIF,png,PNG,ppm,pbm}'
  # find / -mount -type f -name '*.{mp3,MP3,ogg,OGG,wav,WAV,M4A,m4a,M4P,m4p}'
  # find / -mount -type f -name '*.{mpg,MPG,mov,MOV,avi,AVI,wmv,WMV}'
  

  ---

• I deleted a user, now I need to delete all of their files! Well, it's really better if you never delete a user, but instead just lock thier account:
  (NOTE: this command varies on different systems)
  

  # passwd -l bob
  

  ..but if you insist on wiping the user from the passwd file, if you know their old uid, you can search for all their files with -uid:

  # find / -uid 666
  

  ...and you can automatically erase them by calling "rm" on each one:

  # find / -uid 666 -exec /bin/rm {} \;
  

  NOTE: Be CAREFUL! You never know if a file critical to system operation or to your business happened to be owned by that user, especially if they were a system administrator! It's often a good idea to study the list of files that find WILL erase BEFORE running it with "-exec rm"!

  You can find "orphaned" files (files whose user has been deleted from /etc/passwd) with -nouser:

  # find / -mount -nouser
  

  ---

• How can I find vulnerable/insecure files and directories?
  You can search the critical system directory structures for sub-directories that are world writable with -perm.

  By using -o=w as the argument, find will display filesystem entries in which OTHER(o) users (than the user and group owners) can WRITE(w) to the entry:

  # find /etc /lib /usr /var -perm -o=w -exec ls -ld {} \;
  

  NOTE: Don't be alarmed if you find world-writable directories (like /tmp) in which the "t" (sticky-bit) is set. That indicates that ANYONE can make and edit file in that directory, but ONLY the files that THEY OWN. For example:

  drwxrwxrwt  4 root root 8192 Aug 24 03:11 /tmp
  

  ..also, symbolic links always indicate world-writable permissions. This is unimportant, as the kernel adheres to the actual linked file's permissions, not those of the symlink. You can ask "find" to study the LINKED FILE's permissions, and not those of the symlink itself, with -follow:

  # find /etc /lib /usr /var -follow -perm -o=w -exec ls -ld {} \;
  

  ALSO NOTE! Be aware that some programs (such as "qmail" and "mysql") use world-writable "pipes" and "sockets" (fake files for communicating with processes) to allow any user to send them messages:

  prw--w--w-  1 qmails qmail 0 Aug 24 03:39 /var/qmail/queue/lock/trigger
  
  srwxrwxrwx  1 mysql mysql 0 Jul  7 21:52 /var/run/mysqld/mysqld.sock
  

  ...(Note the "p" and "s" at the beginning, for PIPE and SOCKET.) This is normal and harmless! If you change it, things are likely to break! If you get any "No such file or directory" messages, this usually just indicates the presence of symlinks that point to non-existant paths, and this is usually harmless as well.

Find an error or omission? Sorry about that! Please e-mail Eric at eric@ericshalov.com and let him know!

All of Eric's Tech Notes are provided on an as-is basis, and may contain errors or omissions. No statement is made as to thier suitability for any particular purpose, and no warranty is given. Use at your own risk! All trademarks are the property of their respective owners.
No duplication of the above information is permitted without prior written permission of the author(s).
©Copyright 2007 Eric Shalov. All Rights Reserved.

Last modified Monday, 17th August, 2009 @ 10:55pm