find is one of the most useful Linux/Unix tools in the toolbelt, but most people use only a fraction of its power. Many Linux/Unix questions seen online can be solved using the find command alone, so getting familiar with its main functionality is one of the best things you can do for yourself in the long term.
find lets you do anything from finding all your .jpg files to seeing "all of Michael’s text documents that have the execute bit set and have been modified since yesterday." And when combined with exec or xargs, a properly constructed command can make quick work of some very heavy tasks.
The first thing we need to do is understand how find works. Here are some of the key options:
-o : the OR operation to string multiple search criteria together
-name : find files by name
-iname : find files by name, ignoring case
-type f : find only files
-type d : find only directories
-size : find by size
-mtime : find by modified time
There are a number of variations of these, which we’ll talk about more below. It’s also possible to combine queries, like so:
find . -name nasa -type d
It’s important to note that when searching using -name or -iname you need, by default, to specify the whole name to get a match, e.g., searching for "disc" will not find "discovered", but you can use wildcards (*) to widen the search.
find . -name "*disc*"
Let’s start simple by looking for things by name. Remember that the first argument you give find is where to look.
find . -name "*.jpg"
...
./Pictures/iPhoto Library/Data/2006/Roll 20/00697_bluewaters_1440x900.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00705_cloudyday_1440x900.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00710_fragile_1600x1200.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00713_coolemoticon_1440x900.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00714_cloudyday_1440x900.jpg
...
Note that by default when you give a location to start from (in our case "."), the find command starts there and drills all the way down during its search. So in this case I started from my home directory and it found the files all the way down in "~/Pictures/iPhoto Library/Data/2006/Roll 20" as well.
[ Placing quotes around the search criteria avoids issues with wildcard characters and is probably a good habit to get into. You can also use -iname instead of -name; it’s the same but it’s case insensitive ]
You can also define another search location which will be evaluated recursively as well.
find / -name "*.jpg"
Figuring out which files a user owns is trivial using find. Simply provide the username with -user and see everything they own under the search path.
find . -user daniel
...
./Music/iTunes/iTunes Music/Tool/Undertow/01 Intolerance.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/02 Prison Sex.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/03 Sober.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/04 Bottom.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/05 Crawl Away.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/06 Swamp Song.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/07 Undertow.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/08 4 Degrees.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/09 Flood.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/69 Disgustipated.m4a
...
[ Also works for groups (-group) ]
You can also look for files or directories separately.
find . -type d
...
./Development/envelope
./Development/mhp
./Development/mservers
./Development/mservers/fortune100
./Development/mst
./Development/mst/nmap
./Development/mst/services
...
Those are all directories, and to look for the others (files, links, or sockets), just substitute f, l, s for the d in the command above.
It’s often useful to find things on your drive that are taking up space and need to be dealt with.
find ~/Movies/ -size +1024M
...
/Movies/Comedy/Funny.mpg
/Movies/Drama/Sad.avi
...
[ The M suffix indicates that you’re searching in megabytes, and the leading + means "larger than"; you can also search in bytes (c) or kilobytes (k) if so desired. ]
You can also search based on when something was last updated or modified.
find also has a number of options that help one answer forensics-oriented questions such as when a file’s contents or permissions were last changed.
find /etc/ -user root -mtime 1
...
/etc/passwd
/etc/shadow
...
The checks you can use here are:
-atime: when the file was last accessed
-ctime: when the file’s permissions were last changed
-mtime: when the file’s data was last modified
These searches are done in 24 hour increments and followed by a number n. If you want to match the exact 24 hour period you use n by itself. More frequently, however, you’ll want to say everything since yesterday, or everything "more than 3 days ago." This is accomplished using the -n and +n options respectively.
There are also minute versions of the atime, ctime, and mtime arguments:
-amin: when (in minutes) the file was last accessed
-cmin: when (in minutes) the file’s permissions were last changed
-mmin: when (in minutes) the file’s data was last modified
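The n, -n and +n forms are easiest to understand by running them against files of known age. The following is an added example, not part of the original article; the file names and ages are constructed, and it assumes GNU touch and GNU find (for touch -d and -printf).

```shell
#!/bin/sh
# Added example: how find buckets file age for -mtime n, -n and +n.
# File names and ages are constructed; touch -d and -printf assume GNU tools.

make_age_fixture() {
    dir=$(mktemp -d)
    touch -d '2 hours ago'   "$dir/age_2h"
    touch -d '30 hours ago'  "$dir/age_30h"
    touch -d '80 hours ago'  "$dir/age_80h"    # 3 days + 8 hours
    touch -d '100 hours ago' "$dir/age_100h"   # 4 days + 4 hours
    echo "$dir"
}

# Print the names matched by one -mtime argument, sorted on one line.
match_mtime() {
    find "$1" -type f -mtime "$2" -printf '%f\n' | sort | xargs
}

# Same for -mmin, for windows shorter than a day.
match_mmin() {
    find "$1" -type f -mmin "$2" -printf '%f\n' | sort | xargs
}

# find drops the fractional part of the age in days before comparing, so:
#   -mtime -1  -> age 0 days   (under 24 hours)
#   -mtime 1   -> age 1 day    (24 to 48 hours)
#   -mtime +3  -> age 4 days or more; the 80-hour file is NOT matched
d=$(make_age_fixture)
for arg in -1 1 3 +3; do
    printf '%s %-3s %s\n' -mtime "$arg" "$(match_mtime "$d" "$arg")"
done
printf '%s %s\n' '-mmin -180' "$(match_mmin "$d" -180)"
rm -rf "$d"
```

When reviewing "what changed in the last N days" during an investigation, the rounding means +n silently skips the first partial day past the boundary, so use -mmin when the window has to be exact.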
Another option is to find things based on what permissions they have. This is especially helpful when looking for content on your system that is too wide open from a security standpoint.
# find all files in my directory with open permissions
find ~ -perm 777
...
~/testfile.txt
~/lab.rtf
...
# find all world-writable files on the system
find / -perm -0002
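The two permission searches above behave differently: a bare mode is an exact match, while a leading dash means "at least these bits". The following added example (not from the original article) shows the difference on constructed files, plus an audit form that skips symlinks and sticky directories such as /tmp; it assumes GNU find for -mindepth and -printf.

```shell
#!/bin/sh
# Added example: exact (-perm 777) versus "all of these bits" (-perm -0002).
# Names and modes are constructed; -mindepth and -printf assume GNU find.

make_perm_fixture() {
    dir=$(mktemp -d)
    for mode in 777 666 664 644; do
        : > "$dir/f$mode"
        chmod "$mode" "$dir/f$mode"
    done
    mkdir "$dir/d0777" "$dir/d1777"
    chmod 0777 "$dir/d0777"
    chmod 1777 "$dir/d1777"      # world-writable but sticky, like /tmp
    ln -s f644 "$dir/link"       # a symlink's own mode bits are not meaningful
    echo "$dir"
}

# Run find below the fixture with the given tests; names sorted on one line.
perm_query() {
    top=$1; shift
    find "$top" -mindepth 1 "$@" -printf '%f\n' | sort | xargs
}

# Exact match: only mode 0777, so a 0666 file is missed.
exact_777()      { perm_query "$1" -type f -perm 777; }
# Dash prefix: every listed bit must be set, other bits are ignored.
world_writable() { perm_query "$1" -type f -perm -0002; }
# Audit form: skip symlinks and sticky directories, report the rest.
audit() {
    perm_query "$1" ! -type l -perm -0002 ! '(' -type d -perm -1000 ')'
}

d=$(make_perm_fixture)
echo "exact 777:      $(exact_777 "$d")"
echo "world-writable: $(world_writable "$d")"
echo "audit:          $(audit "$d")"
rm -rf "$d"
```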
You can also use some options to search for things related to forensics.
-nouser: shows output that’s not associated with an existing userid
-nogroup: shows output not associated with an existing groupid
-links n: file has n links
-newer file: file was modified more recently than file.
-perm mode: file has mode permissions.
What’s the fun in finding a bunch of stuff if you’re not going to do something with it? While it’s interesting to say, "find me stuff", it’s far more useful to say, "Take every text file owned by ex-employee Jason that hasn’t been accessed in 60 days and move it to a remote backup folder."
Many use find in conjunction with exec, which then runs on the results. This is usually acceptable, but I prefer to use xargs because it executes more elegantly.
xargs, unlike exec, executes all arguments as a single command instead of running multiple commands. So if I run:
find . -name something -exec ls -l {} \;
…I will ultimately be running ls as many times as there are contents in my home directory. But if I run this instead:
find . -name something -print0 | xargs -0 ls
…I will only run ls once, with the directory contents as arguments. While on modern computers the performance gain on this is often trivial, I simply prefer the aesthetic of it.
[ NOTE: The -print0 option terminates results with a null character instead of the default newline, making it cleaner and less likely to balk in many cases related to spaces, special characters, etc. in the input. ]
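The difference between per-file execution and batching, and the reason -print0 has to be paired with xargs -0, can be measured directly. This is an added example, not code from the original article; the file names are constructed, and it also shows the POSIX "-exec ... {} +" form, which batches without a pipe.

```shell
#!/bin/sh
# Added example: -exec ... \; versus batching, and why -print0 pairs with -0.
# File names are constructed for the demonstration.

make_names_fixture() {
    dir=$(mktemp -d)
    : > "$dir/report.txt"
    : > "$dir/old report.txt"                 # space in the name
    : > "$dir/$(printf 'two\nlines.txt')"     # newline in the name
    echo "$dir"
}

# How many times the command is started for the three files.
runs_exec_each()  { find "$1" -type f -exec sh -c 'echo run' _ {} \; | wc -l; }
runs_exec_batch() { find "$1" -type f -exec sh -c 'echo run' _ {} +  | wc -l; }
runs_xargs0() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo run' _ | wc -l
}

# How many arguments the command receives for the three files.
# Without -print0/-0, xargs splits on blanks and newlines, so names break
# into fragments that may not exist or may name a different file.
args_newline() { find "$1" -type f | xargs sh -c 'echo $#' _; }
args_nul()     { find "$1" -type f -print0 | xargs -0 sh -c 'echo $#' _; }

d=$(make_names_fixture)
echo "runs with -exec \\;     : $(runs_exec_each "$d")"
echo "runs with -exec +      : $(runs_exec_batch "$d")"
echo "runs with xargs -0     : $(runs_xargs0 "$d")"
echo "args, newline-separated: $(args_newline "$d")"
echo "args, NUL-separated    : $(args_nul "$d")"
rm -rf "$d"
```

The argument count matters most when the command is destructive (rm, mv, chmod): with newline-separated input the command acts on the fragments, not on the files find actually matched.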
Here are some examples.
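# remove files whose owner no longer exists
find / -nouser -print0 | xargs -0 rm
# move image files from the Desktop into Pictures
find ~/Desktop \( -name "*.jpg" -o -name "*.gif" -o -name "*.png" \) -print0 | xargs -0 mv --target-directory ~/Pictures
# set directories to 755 and files to 644 under a web root
find /your/webdir/ -type d -print0 | xargs -0 chmod 755; find /your/webdir -type f -print0 | xargs -0 chmod 644
# copy everything under /etc modified in the last 30 days to /a/path
find /etc/ -mtime -30 -print0 | xargs -0 cp --target-directory /a/path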
Just as with any good unix/linux command, the real power comes in combining options. You can combine find arguments using and, or, and not. By default if you use two different arguments you’re and’ing them. If you want to use or you give the -o option, and if you want to get everything except something, you use the ! option.
find . -user daniel -type f -name "*.jpg"
...
./Pictures/iPhoto Library/autumn_woods.jpg
./Pictures/iPhoto Library/blue_forest.jpg
./Pictures/iPhoto Library/brothers.jpg
...
find . -user daniel -type f -name "*.jpg" ! -name "autumn*"
...
./Pictures/iPhoto Library/blue_forest.jpg
./Pictures/iPhoto Library/brothers.jpg
...
find /apps/ -user root -type f -amin -2 -name "*.rb"
...
/apps/testing.rb
/apps/runme.rb
...
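One consequence of the and/or rules is that the implicit and binds more tightly than -o, so an action placed after an -o chain applies only to the last test unless the chain is grouped with parentheses. The following is an added example, not part of the original article; the file names are constructed and -printf assumes GNU find.

```shell
#!/bin/sh
# Added example: implicit AND binds tighter than -o, so group OR chains.
# File names are constructed; -printf assumes GNU find.

make_ext_fixture() {
    dir=$(mktemp -d)
    for name in autumn.jpg beach.jpg logo.gif chart.png notes.txt; do
        : > "$dir/$name"
    done
    echo "$dir"
}

# Parsed as: jpg OR gif OR (png AND print). Only the .png is printed.
ungrouped() {
    find "$1" -name '*.jpg' -o -name '*.gif' -o -name '*.png' -printf '%f\n' |
        sort | xargs
}

# Parentheses make the action apply to the whole OR chain.
grouped() {
    find "$1" '(' -name '*.jpg' -o -name '*.gif' -o -name '*.png' ')' \
        -printf '%f\n' | sort | xargs
}

# NOT combined with the group: every image except names starting "autumn".
grouped_except() {
    find "$1" '(' -name '*.jpg' -o -name '*.gif' -o -name '*.png' ')' \
        ! -name 'autumn*' -printf '%f\n' | sort | xargs
}

d=$(make_ext_fixture)
echo "ungrouped:      $(ungrouped "$d")"
echo "grouped:        $(grouped "$d")"
echo "grouped, !:     $(grouped_except "$d")"
rm -rf "$d"
```

The same binding applies to -print0, -exec and -delete, so check an -o chain with a plain listing before attaching an action that changes files.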
The find Man Page: http://www.netadmintools.com/html/find.man.html