Linux find command proficiency Guide

Author: Sheryl calish
Briefly introduces the powerful and chaotic aspects of this ubiquitous command.
Released in July 2008
The Linux find command is one of the most useful and confusing among all Linux commands. It is difficult because its syntax is different from the standard syntax of other Linux commands. However, it is powerful because it allows you to search for files by file name, file type, user, or even timestamp. Using the find command, you can not only find files with any combination of these attributes, but also perform operations on the files it finds.
The purpose of this article is to simplify the learning and use of the find command by summarizing its usage and potential. At the same time, it provides a basic guide and reference for some of the most powerful but chaotic aspects of the find command.
[Note: The find version used in this article is the GNU version. Therefore, some details may be different from other versions of find.] Basic Format
Before starting, let's take a look at the basic structure of the find command:
Find start_directory test options criteria_to_match action_to_1_m_on_results
In the following command, find will start searching for any file with the extension of "Java" in the current directory (represented:
Find.-Name "*. Java"
The following is a scaling list of the commands found by the command:
Find. -Name "*. java ". /regexpvalidate/src/Oracle/otnsamples/PLSQL/connectionmanager. java. /regexpvalidate/src/Oracle/otnsamples/PLSQL/dbmanager. java ..
[Note: If you cut and paste this article to run the find command, you may need to replace double quotation marks ("") with your keyboard to get the correct result.]
The following command will perform the same operation. In both cases, you need to escape the wildcard to ensure that it is passed to the find command and cannot be explained by shell. Therefore, put your search string in quotation marks or add a backslash before it:
Find.-Name \ *. Java
Although all the parameters of find are optional, if you do not specify where to start the search, the search will start in the current directory by default. If you do not specify the test connection, option, or value to match, your results will be incomplete or have no difference.
Run the following three FIND commands to get the same result-the complete list of all files (including hidden files) in the current directory and all subdirectories:
Find find. Find.-Print
This is similar to running an LS command with the-La option. If you want the output of the above command to contain the complete path name (perhaps for backup), you will need to specify the full path of the starting directory:
Find/home/bluher-name \*. java/home/bluher/PLSQL/regexpvalidate/src/Oracle/otnsamples/PLSQL/connectionmanager. java/home/bluher/PLSQL/regexpvalidate/src/Oracle/otnsamples/PLSQL/dbmanager. java /...
You can also specify multiple start directories in the search string. If you run the command as a user with the relevant permissions, run the following command to find all jar files in the/usr,/home/tmp directories:
Find/usr/home/tmp-name "*. Jar"
However, if you do not have the required permissions, an error message is generated when you start browsing many System directories. The following is an example:
Find:/tmp/orbit-root: Permission denied
You can append your search string to avoid confusion, as shown below:
Find/usr/home/tmp-name "*. Jar" 2>/dev/null
This will send all error messages to an empty file, so the cleaner output is provided.
By default, find is case sensitive. For case-insensitive find, replace the-INAME test with the-name test.
Find downloads-INAME "*. GIF" downloads/. xvpics/calendar05_enlarged.gif downloads/lcmgcfexsmall. gif
In addition to file names, you can also search for files by type. For example, you can use the following command to find all subdirectories in a directory:
Find.-type D
You can use the following command to find all symbolic links in your/usr directory:
Find/usr-type L
This may list more than 3,000 links. Any of the following commands run with the root permission will list the links in the/usr directory and the files it points:
# Find/usr/bin-type L-name "z *"-exec LS-l {}\; lrwxrwxrwx 1 Root 8 Dec 12/usr/bin/zsh->/bin/zsh lrwxrwxrwx 1 root 5 Dec 12/usr/bin/zless-> zmore lrwxrwxrwx 1 Root root 9 Dec 12 23: 17/usr/bin/zcat->/bin/zcat
Find/usr/bin-type L-name "z *"-ls
However, the second shorter command will list more files, as well as the Directory and inode information: in the subsequent sections of this article, we will discuss the usage of-exec and-ls operations.
Other types of files that can be found by find include:
• B-block (cache) Special • C-character (not cached) Special • P-Named Pipe (FIFO) • S-socket
Using the root as the start point of the find command greatly reduces the system speed. If you have to run such a command, you can run it during off-peak hours or at night. You can use the following syntax to redirect the output to a file:
Find/-print> masterfilelist. Out
If you mistakenly enter a find command to generate a large amount of unnecessary output, simply interrupt the command by pressing the CTRL-C, which will stop the most recent command.
On the Enterprise Network with multiple file systems, it is also a particularly useful method to restrict the files to be searched by find. Use as many options and tests as possible to reduce the load on the system. The two most useful options for this purpose are-xdev and-mount. They shorten the search range by blocking the find to directories on other file systems such as MS-dos, CD-ROM, or AFS. This restricts the search to a file system of the same type as the starting directory.
If you run the mount command, you can use these options on the dual-boot system. If Windows partition is involved, you can install it using a command similar to the following:
Mount-T vfat/dev/sda1/mnt/msdos
The actual command you use depends on your system settings. You can run DF or the following command to verify that the partition has been installed:
Find/mnt/msdos-name "*. txt" 2>/dev/null
You should have seen a lot of files listed on the MS windows partition. Run the following command with the-mount or-xdev options:
Find/-name "*. txt"-mount 2>/dev/null
Or
Find/-name "*. txt"-xdev 2>/dev/null
You can also use the-fstype test to explicitly tell the file system in which find is located, as shown in the following example:
Find/-name "*. txt"-fstype vfat 2>/dev/null
Search Time
The find command has several options for searching files based on your system's timestamp. These timestamps include
• Mtime-last modification time of file content • atime-time when the file is read or accessed • ctime-time when the file status changes
Mtime and atime are both easy to understand, while ctime requires more explanations. Inode maintains the metadata of each file. Therefore, if the metadata related to the file changes, the inode data also changes. This may be caused by a series of operations, including creating symbolic links to files, changing file permissions, or moving files. In these cases, the file content will not be read or modified, so mtime and atime will not change, but ctime will change.
These time options must be used together with a value of N, specified as-N, N or + N.
•-N return items less than n • + N return items greater than n • N return items are exactly equal to n
Next, let's look at several examples to facilitate understanding. The following Command finds all the files modified in the last hour:
Find.-mtime-1./PLSQL/forallsample./PLSQL/regexpdnasample/PLSQL/regexpsample
Replace-1 with 1 and run the same command to find all the files modified just one hour ago:
Find.-mtime 1
The preceding command does not generate any results because it must be completely consistent. Run the following command to search for all files modified more than one hour ago:
Find.-mtime + 1
By default,-mtime,-atime, and-ctime indicate the last 24 hours. However, if the start time option is added before them, the 24-hour cycle starts from the start time of the day. You can also use mmin, Amin, and Cmin to find the timestamp that has changed in less than one hour.
If you run the following command immediately after logging on to your account, you will find all the files read less than one minute ago:
Find.-Amin-1./. bashrc/. bash_history./. xauthj5fcx1
It should be noted that using the find command to find the file itself will change the access time of the file as part of its metadata.
You can also use the-newer,-anewer, and-cnewer options to find the modified or accessed files and compare them with specific files. This is similar to-mtime,-atime, and-ctime.
•-Newer refers to the file whose content has been recently modified •-anewer refers to the file that has recently been read •-cnewer refers to the file whose status has recently changed
To find all the files edited in some way since the previous tar file in your home directory, run the following command:
Find.-newer backup.tar.gz
Search for files by size
-Size Option: Find the files that meet the specified size conditions. To find all user files larger than 5 MB, use
Find/-size + 5001_c 2>/dev/null/var/log/lastlog/var/log/cups/access_log.4/var/spool/mail/bluher
The ending "C" reports our results in bytes. By default, find reports the size in 512 bytes. If we replace "C" with "K", we will also see the results reported in kilobytes. If we use "W ", the result of the Two-byte number report is displayed.
-The Size Option is often used to search for all zero-byte files and move them to the/tmp/zerobyte folder. The following command exactly completes this task:
Find test-type F-size 0-exec MV {}/tmp/zerobyte \;
-The exec operation allows find to execute any shell command on the file it encounters. Later in this article, you will see more examples of its usage. Each empty file can be moved with braces.
Option-empty can also be used to find empty files:
Find test-empty test/Foo test/test
Search by permission and owner
The find command is required to monitor your system security. You can use symbols or octal notation to find files open to users, as shown below:
Find.-Type F-Perm a = rwx-exec LS-l {}\;
Or
Find.-Type F-Perm 777-exec LS-l {}\;-rwxrwxrwx 1 bluher users 0 May 24./test.txt
In this section, we use the-exec LS-l operation in the above and below commands. Therefore, you can see the actual permissions of the returned file. The following Command finds the files that can be written by other and group:
Find PLSQL-type F-Perm-Ug = RW-exec LS-l {}\; 2>/dev/null
Or
Find PLSQL-type F-Perm-220-exec LS-l {}\; 2>/dev/null-RW-1 bluher users 4303 Jun 7 2004 PLSQL/forallsample/doc/otn_new.css-RW-1 bluher users 10286 Jan 12 2005 PLSQL/forallsample/doc/readme.html-RW-1 bluher users 22647 Jan 12 2005 PLSQL/forallsample/src/config. SQL ..
The next command searches for files written by users, groups, or both:
Find PLSQL-type F-Perm/ug = RW-exec LS-l {}\; 2>/dev/null, or, find PLSQL-type F-Perm/220-exec LS-l {}\; 2>/dev/null-RW-r -- 1 bluher users 21473 May 3 PLSQL/regexpvalidate.zip-RW-1 bluher users 4303 Jun 7 2004 PLSQL/forallsample /doc/otn_new.css-RW-1 bluher users 10286 Jan 12 2005 PLSQL/forallsample/doc/readme.html-RW-1 bluher users 22647 Jan 12 2005 PLSQL /forallsample/src/config. SQL
You may see the following commands referenced in the Web and earlier manuals:
Find.-Perm + 220-exec LS-l {}\; 2>/dev/null
+ The role of a symbol is the same as that of A/symbol. However, the new version of GNU findutils does not support this symbol.
To find all files that can be written by all users on your system, run the following command:
Find/-wholename '/proc'-prune-O-type F-Perm-0002-exec LS-l {}\; -RW-1 bluher users 4303 Jun 7 2004/home/bluher/PLSQL/forallsample/doc/otn_new.css-RW-1 bluher users 10286 Jan 12 2005 /home/bluher/PLSQL/forallsample/doc/readme.html...
The 4th permissions will be discussed later, but "2" in the last field is the "other" field in the File Permission, also known as the write bit. We used a break number before permission mode 0002 to indicate that we want to see the file with write permission set for other, regardless of the other permission settings.
The preceding commands also introduce three new concepts. For the file mode "/proc", use-wholename for testing. If this mode is found,-prune can prevent "find" from going to this directory. Boolean "-o" enables find to process the rest of the command for other directories. Since there is a hypothetical implicit and operator (-a) between each expression, if the left expression is calculated as false, the expression after and is not calculated; therefore, the-O operator is required. Find also supports Boolean-not ,!, Just like using parentheses to force priority.
System Administrators often use find to search regular files of specific users or groups by user or group name or ID:
[Root] $ find/-type F-user bluher-exec LS-ls {}\;
The following is an example of a highly streamlined output of such a command:
4-RW-r -- 1 bluher users 48 May 1 0:09/home/bluher/public_html /. directory 4-RW-r -- 1 bluher users 925 May 1/home/bluher /. profile
You can also use find to find files by group:
[Root] $ find/-type F-group users
Find/-type D-gid 100
This command will list the directories owned by the Group ID 100. To find the UID or GID, you can run more or cat commands on the/etc/passwd or/etc/group file.
In addition to searching for files of specific known users and groups, you will also find it useful for searching for files without such information. The next command identifies files not listed in the/etc/passwd or/etc/group file:
Find/-nouser-o-nogroup
The above command may not generate actual results on your system. However, it can be used to identify files that may not have users or groups after frequent movement.
Now, we can solve the very important permissions mentioned at the beginning of this section.
SGID and SUID are special access permission signs that can be assigned to files and directories on UNIX-based operating systems. They are set to allow normal users who access computer systems to execute binary executable files with temporarily elevated permissions.
Find/\ (-Perm-2000-o-Perm-4000 \) -ls 167901 12-rwsr-XR-x 1 Root 9340 Jun 16 2006/usr/bin/rsh 167334 12-rwxr-Sr-x 1 root tty 10532 May 4 2007/usr /bin/Wall
In the preceding command, you can see the use of escape brackets. You can also see different permissions. The first file sets the sgid permission, and the second file sets the SUID permission. The final operation in the preceding command is similar to the find operation with-exec LS-dils. Control find
Unlike many Linux commands, find does not need the-R or-r option to go down to the subdirectory. It performs this operation by default. However, you may want to limit this line. Therefore, options-depth,-maxdepth,-mindepth, and operation-prune come in handy.
We have seen how useful-Prune is. Let's take a look at the-depth,-maxdepth, and-mindepth options.
-The maxdepth and-mindepth options allow you to specify the level at which you want the find to search for the directory tree. If you want to find only at one level of the Directory, you can use the maxdepth option.
Run the following command to search for log files in the first three levels of the directory tree. You can see the effect of-maxdepth. Using this option produces much less output than not using this option.
Find/-maxdepth 3-name "* log"
You can also have find search in at least three levels of directories in the directory tree:
Find/-mindepth 3-name "* log"
-The depth option ensures that you first search in a directory before searching in its subdirectory. The following command provides an example:
Find-name "* test *"-depth. /test. /test. /localbin/test. /localbin/test_shell_var. /localbin/test.txt. /Test2/test. /Test2/test. /Test2
Find world
We have seen some of the more useful and difficult functions of the find command, but find can execute more tasks. For example, there are multiple options to make find compatible with lower UNIX versions and other operating systems and allow you to print and output to multiple files. After reading this article, you now have a background for understanding the find reference guide. I encourage you to study this powerful and useful tool in depth.