I. find
1. find
Sometimes you need to search the system for files with certain characteristics (such as file permissions, file owner, file length, file type, and so on). There can be many reasons for doing so: security, general system administration, or simply locating a file when you do not know where it is stored. find is a very effective tool that can traverse the current directory, or even the entire file system, to find files or directories.
2. Introduction to find syntax
The general form of the find command is:
find pathname -options [-print -exec -ok]
Parameters of the find command:
pathname: the directory path that find searches. For example, use "." for the current directory and "/" for the root directory of the system.
-print: find writes the matching files to standard output.
-exec: find runs the shell command given by this parameter on each matching file. The command takes the form 'command' {} \; (note the space between {} and \;).
-ok: plays the same role as -exec, but runs the shell command given by this parameter in a safer mode. Before each command is executed, a prompt asks the user to confirm whether to run it.
Because find is so powerful, it has many options, most of which are worth a look. Even if the system contains a Network File System (NFS), find works just as well on that file system, as long as you have the corresponding permissions.
When running a find command that consumes a lot of resources, many people put it in the background, because traversing a large file system can take a long time (here this means a file system of more than 30 GB).
3. find Command Options
The find command has many options or expressions. Each option is preceded by a hyphen (-). Let's take a look at the main options of this command:
-name: searches for files by file name.
-perm: searches for files by file permissions.
-prune: makes find skip the specified directory instead of searching it. If -depth is used at the same time, -prune is ignored by find.
-user: searches for files by file owner.
-group: searches for files by the group the files belong to.
-gid n: finds files whose group ID is n.
-mtime -n +n: searches for files by modification time. -n means the file was modified within the last n days; +n means the file was modified more than n days ago. find also has the -atime and -ctime options. -ctime: the file's permissions were changed within the specified time. -atime: the file was read within the specified time. Both are similar to -mtime, so only -mtime is introduced here. The variants accurate to the minute are -amin, -mmin, and -cmin.
-nogroup: finds files with no valid group, that is, the group the file belongs to does not exist in /etc/group.
-nouser: finds files with no valid owner, that is, the owner of the file does not exist in /etc/passwd.
-newer file1 ! file2: finds files whose modification time is newer than file1 but older than file2.
-type: finds files of a certain type, such as:
b - block device file.
d - directory.
c - character device file.
p - pipe file.
l - symbolic link file.
f - regular file.
-size n[c]: finds files that are n blocks long. With c, the file length is measured in bytes. + means the length is greater than the given number, and - means less than the given number. c means the unit is bytes; you can replace c with k, M, or G.
-depth: when searching, first matches the files in the current directory and then searches its subdirectories.
-fstype: finds files located on a certain type of file system, such as ext3. The configuration file /etc/fstab contains information about the file systems in the system.
-daystart: tests files within 24 hours counted from the start of today. The usage is similar to -amin.
-maxdepth n: limits the descent to a certain number of directory levels. It keeps find from descending through too many levels or too many directories, which would slow the search down and take too much time.
-mount: does not cross file system mount points when searching for files.
-follow: if find encounters a symbolic link, it follows the link to the file it points to.
-cpio: uses the cpio command on the matching files to back them up to a tape device.
-false: an expression that is always false.
-noleaf: disables the search optimization on non-UNIX file systems, MS-DOS file systems, and CD-ROM file systems.
4. Application examples
Use the -name option
The file name option is the most commonly used option of the find command. You can use it alone or together with other options. You can match files with a file name pattern. Remember to enclose the file name pattern in quotation marks.
No matter what the current path is, if you want to find files matching *.txt in your home directory $HOME, use ~ as the pathname parameter. The tilde ~ represents your $HOME directory.
$ find ~ -name "*.txt" -print
To find all *.txt files in the current directory and its subdirectories, you can use:
$ find . -name "*.txt" -print
To find files whose names start with an uppercase letter in the current directory and its subdirectories, you can use:
$ find . -name "[A-Z]*" -print
To find files whose names start with host in the /etc directory, use:
$ find /etc -name "host*" -print
To find all files in the $HOME directory, you can use:
$ find ~ -name "*" -print or find . -print
To put the system under high load, search for all files starting from the root directory. If you want to stay on good terms with the system administrator, think twice before doing so!
$ find / -name "*" -print
If you want to find files in the current directory whose names start with two lowercase letters, followed by two digits, and end in .txt, the following command returns a file such as ax37.txt:
$ find . -name "[a-z][a-z][0-9][0-9].txt" -print
Use the -perm option
You can use the -perm option to search by file permission mode. You may need to find the files that all users have execute permission on, or you may want to see what permissions the files in a user's directory have. When using this option, it is best to use octal permission notation.
To find files in the current directory with permission 755, that is, files the owner can read, write, and execute while other users can read and execute them:
$ find . -perm 755 -print
If you want to find all files in the current directory that every user can read, write, and execute (be careful with such files), you can also use the -perm option. Put a hyphen before the octal number. In the following command, -perm means searching by file permission, and 007 is the same notation as the one used in the absolute mode of the chmod command.
$ find . -perm -007 -print
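The difference between an exact mode and a "-" mode is easiest to see on a tree with known permissions. The script below is an added example, not part of the original article; the file names, modes and function names are constructed for the demonstration, and the -perm -002 check for world-writable files goes one step beyond the two commands above.

```shell
#!/bin/sh
# Added example. File names and modes below are constructed sample data.

# Build a scratch tree with known permission modes and print its path.
make_perm_tree() {
    dir=$(mktemp -d) || return 1
    for spec in 755:tool.sh 777:open.sh 700:private.sh 757:odd.sh 646:shared.txt; do
        mode=${spec%%:*}
        name=${spec#*:}
        : > "$dir/$name"
        chmod "$mode" "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# -perm 755: the mode must be exactly 755.
perm_exact() {
    (cd "$1" && find . -type f -perm 755 -print | LC_ALL=C sort)
}

# -perm -007: every bit in 007 (read, write, execute for "other") must be
# set; the owner and group bits are ignored.
perm_all_bits() {
    (cd "$1" && find . -type f -perm -007 -print | LC_ALL=C sort)
}

# -perm -002: writable by "other", the usual audit for world-writable files.
perm_world_writable() {
    (cd "$1" && find . -type f -perm -002 -print | LC_ALL=C sort)
}

tree=$(make_perm_tree)
echo "exactly 755:";    perm_exact "$tree"
echo "all of 007 set:"; perm_all_bits "$tree"
echo "world-writable:"; perm_world_writable "$tree"
rm -rf "$tree"
```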
Ignore a directory with the -prune option
If you want to skip a directory when searching because you know the file you are looking for is not in it, you can use the -prune option to name the directory to be ignored. Be careful when using -prune: if you use the -depth option at the same time, -prune is ignored by the find command.
If you want to find files under the /apps directory but do not want to search the /apps/bin directory, you can use:
$ find /apps -path "/apps/bin" -prune -o -print
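The following added example (not from the original article) runs the prune on a constructed apps/ tree three ways: matching the directory with -path, the same command with -depth, and a -name pattern that contains slashes. Function names and the tree are hypothetical.

```shell
#!/bin/sh
# Added example. The apps/ tree below is constructed sample data.

make_apps_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/apps/bin" "$dir/apps/lib"
    : > "$dir/apps/bin/tool"
    : > "$dir/apps/lib/mod"
    printf '%s\n' "$dir"
}

# -path compares the whole path, so apps/bin is pruned and never entered.
list_pruned() {
    (cd "$1" && find apps -path apps/bin -prune -o -print | LC_ALL=C sort)
}

# With -depth, the contents of a directory are visited before the directory
# itself, so -prune cannot stop the descent: apps/bin/tool is printed.
list_pruned_depth() {
    (cd "$1" && find apps -depth -path apps/bin -prune -o -print | LC_ALL=C sort)
}

# -name only looks at the last path component, so a pattern containing "/"
# never matches and nothing is pruned (GNU find also warns on stderr).
list_name_pattern() {
    (cd "$1" && find apps -name "apps/bin" -prune -o -print 2>/dev/null | LC_ALL=C sort)
}

tree=$(make_apps_tree)
echo "-path prune:";         list_pruned "$tree"
echo "-path prune + -depth:"; list_pruned_depth "$tree"
echo "-name with slashes:";  list_name_pattern "$tree"
rm -rf "$tree"
```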
Use the -user and -nouser options
If you want to search for files by owner, give the corresponding user name. For example, to find files owned by dave in the $HOME directory, you can use:
$ find ~ -user dave -print
To find files owned by uucp under the /etc directory:
$ find /etc -user uucp -print
You can use the -nouser option to find files whose owner account has been deleted, that is, files whose owner has no valid account in the /etc/passwd file. When you use -nouser, you do not need to give a user name; the find command does the work for you. For example, to find all such files in the /home directory, you can use:
$ find /home -nouser -print
Use the -group and -nogroup options
Like the -user and -nouser options, the find command has matching options for the group a file belongs to. To find files that belong to the accts group in the /apps directory, you can use:
$ find /apps -group accts -print
You can use the -nogroup option to find all files that do not belong to a valid group. The following find command looks for such files starting from the root directory of the file system:
$ find / -nogroup -print
Search for files by modification time
You can use the -mtime option to find files by modification time. If the system suddenly runs out of free space, it is very likely that some file has grown rapidly during this period, and you can use -mtime to find it. Use the minus sign - to select files modified within the last n days, and the plus sign + to select files modified more than n days ago.
To find files under the root directory of the system that were modified within the last 5 days, you can use:
$ find / -mtime -5 -print
To find files in the /var/adm directory that were modified more than 3 days ago, you can use:
$ find /var/adm -mtime +3 -print
Find files newer or older than a given file
You can use the -newer option to find all files whose modification time is newer than one file but older than another. It generally takes the following form:
newest_file_name ! oldest_file_name
Here, ! is the logical NOT sign.
There are two files whose modification times are about two days apart.
-rwxr-xr-x 1 root 92 Apr 18 11:18 age.awk
-rwxrwxr-x 1 root 1045 Apr 20 belts.awk
The find command below shows the files whose modification time is newer than that of age.awk but older than that of belts.awk:
$ find . -newer age.awk ! -newer belts.awk -exec ls -l {} \;
-rwxrwxr-x 1 root 62 Apr 18 :32 ./who.awk
-rwxr-xr-x 1 root 49 Apr 18 12:05 ./group.awk
-rw-r-- 1 root 201 Apr 20 ./grade2.txt
-rwxrwxr-x 1 root 1054 Apr 20 ./belts.awk
If you want to use this option to find files modified within the last two hours, there is nothing to compare against unless a file happens to exist whose modification time is exactly two hours ago. To solve this, first create a file and set its date and time stamp to the required time. The touch command does this.
Assume that the current time is. If you want to find files modified within the last two hours, you can first create such a file:
$ touch -t 05042140 dstamp
-rw-r-- 1 dave admin 0 May 4 21:40 dstamp
A file that meets the requirement has been created. Here we assume that today is May 4, and the modification time of this file is just two hours earlier than now.
Now we can use the -newer option of the find command to find all files in the current directory that were modified within the last two hours:
$ find . -newer dstamp -print
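Both techniques in this section, the two-file range and the touch reference file, are shown below on a scratch tree with fixed timestamps. This is an added example, not code from the original article; the timestamps and function names are constructed, and the file names only echo the listing above. Note that the upper-bound file itself matches ! -newer, which is why belts.awk appears in the article's output.

```shell
#!/bin/sh
# Added example. Timestamps are constructed sample data.

make_time_tree() {
    dir=$(mktemp -d) || return 1
    touch -t 202404181118 "$dir/age.awk"
    touch -t 202404181205 "$dir/group.awk"
    touch -t 202404200900 "$dir/belts.awk"
    touch -t 202404210900 "$dir/late.txt"
    printf '%s\n' "$dir"
}

# Files newer than $2 but not newer than $3. The comparison is on mtime, and
# the upper-bound file is "not newer than itself", so it is included.
between() {
    (cd "$1" && find . -type f -newer "$2" ! -newer "$3" -print | LC_ALL=C sort)
}

# Files modified after timestamp $2 (format [[CC]YY]MMDDhhmm), using a
# throwaway reference file created with touch -t outside the searched tree.
modified_since() {
    stamp=$(mktemp) || return 1
    touch -t "$2" "$stamp"
    (cd "$1" && find . -type f -newer "$stamp" -print | LC_ALL=C sort)
    rm -f "$stamp"
}

tree=$(make_time_tree)
echo "between age.awk and belts.awk:"; between "$tree" age.awk belts.awk
echo "modified since 2024-04-19 00:00:"; modified_since "$tree" 202404190000
rm -rf "$tree"
```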
Use the -type option
There are several different file types in UNIX or Linux systems. They were introduced in the previous sections and are not repeated here. To find all directories under the /etc directory, you can use:
$ find /etc -type d -print
To find all types of files except directories in the current directory, you can use:
$ find . ! -type d -print
To find all symbolic link files under the /etc directory, you can use:
$ find /etc -type l -print
Use the -size option
You can search for files by file length. The length can be measured in blocks or in bytes. A length measured in bytes is written Nc; a length measured in blocks is written as a number alone.
Personally, I always use bytes. When searching by file length, most people prefer to express the length in bytes rather than as a number of blocks, unless they are looking at the size of a file system, because block counts are then easier to convert.
To find files larger than 1 MB in the current directory, you can use:
$ find . -size +1000000c -print
To find files exactly 100 bytes long in the /home/apache directory, you can use:
$ find /home/apache -size 100c -print
To find files longer than 10 blocks in the current directory (one block equals 512 bytes), you can use:
$ find . -size +10 -print
To find empty files or directories in the system, you can use:
$ find / -empty
Use the -depth option
When using the find command, you may want to match all the files first and then search the subdirectories. Use the -depth option to make find do this. One reason is that when you use find to back up a file system to tape, you want to back up all the files first and then the files in the subdirectories.
In the following example, find starts from the root directory of the file system and looks for a file named CON.FILE. It first matches all the files and then goes into the subdirectories.
$ find / -name "CON.FILE" -depth -print
Use the -mount option
You can use the -mount option of the find command to search only the current file system (without entering other file systems). In the following example, we start from the current directory and find the files in the current file system whose names end with XC:
$ find . -name "*.XC" -mount -print
Use the cpio option
The cpio command can be used to back up files to a tape device or restore files from it. You can use find to search the entire file system (more often, part of the file system) and then use cpio to back up the files to tape.
If you want to use cpio to back up the files in the /etc, /home, and /apps directories, you can use the following commands, but remember that you must be in the root directory of the file system:
$ cd /
$ find etc home apps -depth -print | cpio -ovcC65536 > /dev/rmt0
In the example above, note that the paths have no leading /. These are relative paths. Relative paths are used because they let you choose the destination when restoring the files from tape. For example, you can restore the files to another directory, work on them there, and then restore them to the original directory. If an absolute path such as /etc is used during backup, the files can only be restored to the /etc directory. In the example above, I told find to enter the /etc directory first, then the /home and /apps directories, to match the files under these directories first and then the files in their subdirectories. All of these results are passed through the pipe to cpio for backup.
By the way, the cpio command in the example above uses the C65536 option. I could have used the B option, but then each block is only 512 bytes, while with C65536 the block size is 64 KB (65536/1024).
Execute shell commands using -exec or -ok
After matching some files, you may want to perform some operation on them. This is what the -exec option is for. Once find matches a file, the command given in the -exec option is run on it (on some operating systems, the -exec option is only allowed to run commands such as ls or ls -l). Most users use this option to find and delete old files. I strongly recommend that you first use the ls command to check that the files are the ones you want to delete before you actually run rm to delete them.
The -exec option is followed by the command to be executed, then a pair of braces {}, a space, a backslash \, and a semicolon.
To use the -exec option, you must use the -print option at the same time. If you check the find command, you will see that it only outputs the relative path and file name from the current path.
To list the matched files with ls -l, put the ls -l command in the -exec option of the find command, for example:
$ find . -type f -exec ls -l {} \;
-rwxr-xr-x 10 root wheel 1222 Jan 4 1993 ./sbin/C80
-rwxr-xr-x 10 root wheel 1222 Jan 4 1993 ./sbin/Normal
-rwxr-xr-x 10 root wheel 1222 Jan 4 1993 ./sbin/Revvid
In the example above, find matches all regular files in the current directory and lists them with the ls -l command in the -exec option.
To find and delete files in the /logs directory that were modified more than 5 days ago, you can use:
$ find logs -type f -mtime +5 -exec rm {} \;
Remember, before deleting files in the shell in any way, you should first check which files are affected. Be careful!
When using commands such as mv or rm, you can use the safe form of the -exec option, -ok. It prompts you before operating on each matching file. In the following example, find looks in the current directory for all files whose names end in .LOG and whose modification time is more than five days ago, and deletes them, but prompts before each deletion.
$ find . -name "*.LOG" -mtime +5 -ok rm {} \;
< rm ... ./nets.LOG > ? y
Press y to delete the file, and press n to keep it.
Any kind of command can be used in the -exec option. In the following example, we use the grep command. find first matches all files named "passwd*", such as passwd, passwd.old, and passwd.bak, and then runs grep to check whether a user named rounder exists in these files.
$ find /etc -name "passwd*" -exec grep "rounder" {} \;
rounder:JL9TtUqk8EHwc:500:500:/home/apps/nets/rounder:/bin/sh
Examples of the find command
To find all regular files of length 0 in the system and list their full paths, you can use:
$ find / -type f -size 0 -exec ls -l {} \;
To find and delete regular files in the /var/logs directory that were modified more than 7 days ago, you can use:
$ find /var/logs -type f -mtime +7 -exec rm {} \;
To find all files in the system that belong to the audit group, you can use:
$ find / -group audit -print
One of our audit systems creates an audit log file every day. The log file name ends in a number, so that we can see at a glance which file is the newest and which is the oldest. The admin.log files are numbered admin.log.001, admin.log.002, and so on. The following find command deletes the admin.log files in the /logs directory that were accessed more than seven days ago and have a numeric suffix. This command only checks three digits, so the suffix of the log files should not exceed 999.
$ find /logs -name 'admin.log.[0-9][0-9][0-9]' -atime +7 -exec rm {} \;
To find all directories in the current file system and sort them, you can use:
$ find . -type d -print -local -mount | sort
To find all the rmt tape devices in the system, you can use:
$ find /dev/rmt -print
II. xargs
xargs - build and execute command lines from standard input
When you use the -exec option of the find command to process matched files, find passes all the matching files to exec together. However, some systems limit the length of the command that can be passed to exec, so an overflow error occurs after find has been running for a few minutes. The error message is usually "argument list too long" or "argument list overflow". This is where the xargs command comes in, especially in combination with find.
find passes the matching files to xargs, and xargs takes only part of the files at a time rather than all of them, unlike the -exec option. It processes the first batch of files it received, then the next batch, and so on.
On some systems, the -exec option starts a separate process for each matching file rather than running once with all matching files as arguments. In some cases this creates too many processes and degrades system performance, so it is inefficient.
The xargs command uses only one process. In addition, whether xargs takes all arguments at once or in batches, and how many it takes each time, is determined by the options of the command and by the corresponding tunable parameters in the system kernel.
Let's look at how the xargs command is used together with the find command, with some examples.
The following example finds every regular file in the system and then uses xargs to test what type of file each one is:
$ find / -type f -print | xargs file
/etc/protocols: English text
/etc/securetty: ASCII text
...
The following example finds memory dump files (core dumps) in the entire system and saves the result to the /tmp/core.log file:
$ find / -name "core" -print | xargs echo "" > /tmp/core.log
The following example finds all files under the /apps/audit directory on which others have read, write, and execute permission, and revokes the corresponding write permission:
$ find /apps/audit -perm -7 -print | xargs chmod o-w
In the following example, we use the grep command to search all regular files for the word "device":
$ find / -type f -print | xargs grep "device"
In the following example, we use the grep command to search all regular files in the current directory for the word DBO:
$ find . -name \* -type f -print | xargs grep "DBO"
Note: in the example above, \ is used to cancel the special meaning that * in the find command has for the shell.
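A caveat for every find -print | xargs pipeline above: xargs splits its input on blanks as well as newlines, so a file name containing a space becomes two arguments. The script below is an added example, not part of the original article; it uses constructed file names and hypothetical function names, and it assumes a find and xargs that support -print0 and -0 (GNU and BSD do). It shows the pipeline deleting the wrong file, next to two forms that do not.

```shell
#!/bin/sh
# Added example. File names are constructed to show the word-splitting problem.

make_names_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/report.txt"        # does not match 'old*' and must survive
    : > "$dir/old report.txt"    # the only file that matches 'old*'
    printf '%s\n' "$dir"
}

# List what is left in the tree, one name per line.
remaining() {
    (cd "$1" && ls | LC_ALL=C sort)
}

# -print | xargs: "./old report.txt" is split into "./old" and "report.txt",
# so rm removes report.txt and leaves the intended target in place.
delete_unsafe() {
    (cd "$1" && find . -type f -name 'old*' -print | xargs rm -f)
}

# -print0 | xargs -0: names are NUL-terminated, so each stays one argument.
delete_nul() {
    (cd "$1" && find . -type f -name 'old*' -print0 | xargs -0 rm -f)
}

# -exec ... {} +: find batches the names itself; no text stream is re-parsed.
delete_exec_plus() {
    (cd "$1" && find . -type f -name 'old*' -exec rm -f {} +)
}

for fn in delete_unsafe delete_nul delete_exec_plus; do
    t=$(make_names_tree)
    "$fn" "$t"
    printf '%s leaves: %s\n' "$fn" "$(remaining "$t")"
    rm -rf "$t"
done
```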
This article is from the "learning notes" blog