Linux Find command Proficient guide __linux

Original: http://www.oracle.com/technology/global/cn/pub/articles/calish-find.html Linux Find command Proficient guide

Author: Sheryl Calish

Briefly describe the powerful aspects of this ubiquitous command and the confusing aspects.

Released in July 2008

The Linux Find command is one of the most useful in all Linux commands, and one of the most confusing. It is difficult because its syntax differs from the standard syntax for other Linux commands. However, it is powerful because it allows you to find files by file name, file type, user, or even timestamp. Using the Find command, you can not only locate a file with any combination of these attributes, but also perform actions on the files it finds.

The purpose of this article is to simplify the learning and use of the command by outlining the purpose and potential of the find command. At the same time, it will provide a basic guide and reference for some of the most powerful but most confusing aspects of the find command.

[Note: The find version used in this article is a GNU version, so some details may differ from other versions of find.] ] basic Format

Before we begin, let's take a look at the basic structure of the Find command:

Find  start_directory test options  criteria_to_match
action_to_perform_on_results
   

In the following command, find starts in the current directory (with the "." Indicates that any file with the extension "Java" is found in:

Find. -name  

The following is a thumbnail list of the commands found by the command:

Find. -name  "*.java"
./regexpvalidate/src/oracle/otnsamples/plsql/connectionmanager.java
./ Regexpvalidate/src/oracle/otnsamples/plsql/dbmanager.java
..

[Note: If you cut and paste from this article to run the Find command, you may need to replace the double quotes ("") with your own keyboard to produce the correct results.) ]

The following command performs the same operation. In both cases, you need to escape the wildcard to make sure it is passed to the Find command and not interpreted by the shell. So, put your search string in quotes, or precede it with a backslash:

Find. -name  /*.java

Although all of the parameters for find are optional, if you do not specify where to start the search, the search defaults will start in the current directory. If you do not specify a test connection, option, or value to match, your results will be incomplete or no different.

Running the following three find commands will produce the same result-complete list of all files (including hidden files) in the current directory and all subdirectories:

Find Find 
.
Find. -print

This is similar to running a LS command with the-la option. If you want the output of the above command to contain the full pathname (or perhaps for backup), you will need to specify the full path to the starting directory:

Find/home/bluher-name/*.java
/home/bluher/plsql/regexpvalidate/src/oracle/otnsamples/plsql/ Connectionmanager.java
/home/bluher/plsql/regexpvalidate/src/oracle/otnsamples/plsql/dbmanager.java/
...

You can also specify multiple start directories in the search string. If you are running as a user with the appropriate permissions, the following command finds all jar files down to/usr,/home/tmp directory:

Find/usr/home  /tmp-name "*.jar"

However, if you do not have the appropriate permissions, you will generate an error message when you begin browsing through many system directories. Here's an example:

Find:  /tmp/orbit-root:permission denied

You can avoid confusing output by attaching your search string, as follows:

Find/usr/home  /tmp-name "*.jar" 2>/dev/null

This will send all error messages to the empty file, thus providing the cleaner output.

By default, find is case-sensitive. For case-insensitive find, replace the-iname test with the-name test.

Find Downloads  -iname "*.gif"
downloads/.xvpics/calendar05_enlarged.gif
downloads/lcmgcfexsmall. Gif

In addition to file names, you can search for files by type. For example, you can use the following command to find all subdirectories in a directory:

You can use the following command to find all the symbolic links in your/usr directory:

Find/usr-type L

This may list more than 3,000 links. Any of the following commands running with root permissions will list the links in the/usr directory and the files it points to:

# find/usr/bin  -type l-name "z*"-exec ls-  l {}/;
lrwxrwxrwx 1 root  8 Dec 23:17/usr/bin/zsh->/bin/zsh
lrwxrwxrwx 1 root  5 Dec 23:17/usr/b In/zless-> Zmore
lrwxrwxrwx 1 root  9 Dec 23:17/usr/bin/zcat->/bin/zcat

Find/usr/bin-type  l-name "z*"-ls

However, the second shorter command will list more files, as well as directory and inode information: In the later part of this article, we will discuss the use of-exec and-LS operations.

Other file types found to find can include:

b-block (cache) Special
c-characters (not cached) special
p-Named pipe (FIFO)
s-sockets

Using the root as the starting point for the find command can greatly reduce the speed of the system. If you must run such a command, you can run it during off-peak hours or at night. You can redirect output to a file using the following syntax:

Find/  -print > Masterfilelist.out

If you mistakenly enter a Find command to generate a large amount of unnecessary output, just press Ctrl-c to interrupt the command, which will stop the most recently executed command.

On a corporate network with multiple file systems, restricting find lookup files is also a particularly useful method. Use as many options and tests as possible to reduce the load on your system. The two most useful options for this purpose are-xdev and-mount. They shorten the search by blocking the find down to directories on other file systems, such as MS-DOS, CD-ROM, or AFS. This restricts the search to the same type of file system as the starting directory.

If you run the Mount command, these options are available to users on a dual-boot system. If you are involved in a Windows partition, you can install it by using a command similar to the following:

Mount-t VFAT  /dev/sda1/mnt/msdos

The actual commands that you use depend on your system settings. You can verify that the partition is installed by running DF or by executing the following command:

Find/mnt/msdos  -name "*.txt" 2>/dev/null

You should see a lot of files listed on the MS Windows partition. Now, run the following command with the-mount or-xdev option:

Find/-name  "*.txt"-mount 2>/dev/null

Or

Find/-name  "*.txt"-xdev 2>/dev/null

You can also use the-fstype test to explicitly tell find which file system to look for, as shown in the following example:

Find/-name  "*.txt"-fstype vfat 2>/dev/null

Find Time

The Find command has several options for searching for files based on your system's timestamp. These time stamps include

mtime-file content last modified time
atime-The time the file was read or accessed
ctime-file state Change time

The meaning of Mtime and atime is easy to understand, and ctime needs more explanations. Because the inode maintains the metadata on each file, the Inode data will also change if the metadata associated with the file changes. This could be caused by a series of actions, including creating symbolic links to files, changing file permissions, or moving files. Because the contents of the file are not read or modified in these cases, mtime and atime will not change, but CTime will change.

These time options need to be used in conjunction with a value of n, specified as-n, N, or +n.

-n return item less than n
+n return item greater than n
The N return entry is exactly the same as N

Next, let's look at a few examples to make it easier to understand. The following command finds all files modified in the last 1 hours:

Find. -mtime-1
./plsql/forallsample
./plsql/regexpdnasample
/plsql/regexpsample

Replace with 1-1 running the same command will look for all files that were modified exactly 1 hours ago:

The above command does not generate any results because it requires a complete match. The following command finds all files that were modified 1 hours ago:

By default,-mtime,-atime, and-ctime refer to the last 24 hours. However, if they precede the start time option, the 24-hour cycle will count from the start of the day. You can also use Mmin, Amin, and Cmin to find timestamps that have changed in less than 1 hours.

If you run the following command immediately after you log on to your account, you will find all files that were read less than 1 minutes ago:

Find. -amin-1
./.BASHRC
/.bash_history
./.xauthj5fcx1

It should be noted that using the Find command to locate the file itself will change the access time of the file as part of its metadata.

You can also use the-newer,-anewer, and –cnewer options to find files that have been modified or accessed compared to specific files. This is similar to-mtime,-atime and –ctime.

-newer refers to files that have recently been modified
-anewer refers to files that have recently been read
-cnewer refers to a file in which the state has recently changed

To find all the files in your home directory that have been edited in some way since the last tar file, use the following command:

Find. -newer  backup.tar.gz

find files by size

The-size option finds files that meet the specified size criteria. To find all user files that are larger than 5MB , use the

Find/-size  +5000000c 2>/dev/null
/var/log/lastlog
/var/log/cups/access_log.4
/var/spool/mail /bluher

The end of "C" reports our results in byte units. By default, find reports the size in quantities of 512-byte blocks. If we replace "C" with "K", we will also see the results reported in kilobytes, and if you use "W", you will see the results reported in quantities of two-byte words.

The-size option is often used to search all 0-byte files and move them to the/tmp/zerobyte folder. The following command can accomplish this task exactly:

Find Test-type F  -size 0-exec mv {}/tmp/zerobyte/;

The-exec operation allows find to execute any shell commands on the file it encounters. In the later part of this article, you will see more examples of its use. Curly braces allow you to move each empty file.

Option-empty can also be used to find empty files:

Find Test-empty 
test/foo
test/test

Find by permission and owner

To monitor your system security depends on the Find command. You can use symbol or octal notation to find files that are open to a broad audience, as follows:

Find. -type F  

Or

Find. -type F  -perm 777-exec ls-l {}/;
-RWXRWXRWX 1 Bluher  users 0 may 14:14./test.txt

In this section, in the commands above and below, we use the-exec ls-l operation, so you can see the actual permissions of the returned file. The following command looks for files that can be written by "other" and groups:

Find Plsql-type F  -perm-ug=rw-exec ls-l {}/; 2>/dev/null

Or

Find Plsql-type F  -perm-220-exec ls-l {}/; 2>/dev/null 
-rw-rw-rw-1 bluher users 4303  June 7  2004 Plsql/forallsample/doc/otn_new.css
-rw-rw-rw-1 bluher users 10286 the  plsql/forallsample/doc/ Readme.html
-rw-rw-rw-1 bluher users 22647 a few of the  plsql/forallsample/src/config.sql
.

The next command looks for files that are written by users, groups, or both:

Find Plsql-type F  -perm/ug=rw-exec ls-l {}/; 2>/dev/null, or, find
plsql-type f  -perm/220-exec L S-l {}/; 2>/dev/null 
-rw-r--r--1 bluher users 21473 May 3 16:02 plsql/regexpvalidate.zip-rw-rw-rw-1 bluher
u Sers 4303  June 7  plsql/forallsample/doc/otn_new.css
-rw-rw-rw-1 bluher users 10286  12 2005  plsql/forallsample/doc/readme.html
-rw-rw-rw-1 bluher users 22647 the  plsql/ Forallsample/src/config.sql

You may see the following command referenced in the Web and earlier manuals:

Find. -perm +220  

The action of the + symbol is the same as/symbol, but the symbol is not supported in the new GNU findutils now.

To find all the files that everyone on your system can write to, use the following command :

Find/-wholename  '/proc '-prune-o-type f-perm-0002-exec ls-l {}/;
-rw-rw-rw-1 bluher users 4303  June 7  2004/home/bluher/plsql/forallsample/doc/otn_new.css
-rw-rw-rw-1 Bluher users 10286 the  /home/bluher/plsql/forallsample/doc/readme.html
...

The 4th permission will be discussed later, but "2" in the last field is a "other" field in the file permission, also known as a write bit. We used the dash in front of permission mode 0002 to indicate that we want to see a file with Write permission set for other, regardless of the other permissions setting.

The above command also introduces three new concepts. Use the-wholename test for the file mode "/proc", and if the pattern is found,-prune can prevent find from being down to the directory. The Boolean type "-O" enables find to handle the rest of the command for other directories. Because there is a hypothetical implicit and operator (-a) between each expression, if the expression on the left evaluates to False,and, the expression will not be evaluated, so the-O operator is required. Find also supports Boolean type-not,!, just like using parentheses to force precedence.

System administrators often use find to search for regular files for a particular user or group through the name or ID of a user or group:

[Root] $ find/-type F-user bluher-exec ls-ls {}  /;

Here is an example of a highly streamlined output of such an order:

4-rw-r--r--1 Bluher users  1 03:09  /home/bluher/public_html/.directory
4-rw-r--r--1 bluher users 92 5 May  1 03:09/home/bluher/.profile

You can also use Find to locate files by group:

[Root] $ find/  -type F-group Users

Find/-type d-gid  100

This command lists the directories owned by the group with ID 100. To find the appropriate UID or GID, you can run more or cat commands against/etc/passwd or/etc/group files.

In addition to locating files for specific known users and groups, you will find it useful to find files that do not have this information. The next command will identify files that are not listed in the/etc/passwd or/etc/group file:

Find/-nouser-o  -nogroup

The above command may not generate actual results on your system. However, it can be used to identify files that may not have a user or group after they are moved frequently.

OK, now we can address the particularly important permissions that are mentioned at the beginning of this section.

SGID and SUID are special access permission flags that can be assigned to files and directories on a unix-based operating system. They are set up to allow ordinary users accessing the computer system to execute binary executables using temporarily elevated privileges.

Find//(-perm-2000-o-perm-4000/)-ls
167901 12-rwsr-xr-x 1 root 9340 June 2006/usr/b In/rsh
167334 12-rwxr-sr-x 1 root TTY 10532 May 4 2007/usr/bin/wall

In the above command, you can see the use of escape brackets. You can also see the different permissions. The first file sets the SGID permission, and the second file sets the SUID permissions. The last operation in the above command is similar to the find effect with the-exec ls-dils operation. Control Find

Unlike many commands in Linux, find does not require the-R or-r option to go down to a subdirectory. This is done by default. However, sometimes you may want to limit this behavior. Therefore, Options-depth,-maxdepth and-mindepth, and operation-prune are useful.

We've seen how useful-prune is, so let's look at the-depth,-maxdepth, and-mindepth options.

The-maxdepth and-mindepth options allow you to specify which level of the directory tree you want the find search to go into. If you want find to look only at one level of the directory, you can use the maxdepth option.

You can see the-maxdepth effect by running the following command to find the log file in the first three levels of the tree. Use this option to produce much less output than if you did not use this option.

Find/-maxdepth 3  -name "*log"

You can also have find search in directories at least to the three levels of the directory tree:

Find/-mindepth 3  -name "*log"

The-DEPTH option ensures that lookups are made in one directory before they are found in their subdirectories. The following command provides an example:

Find-name "*test*"-depth/test/test/test./localbin/test.
/ Localbin/test.txt.
/test2/test/test.
/test2/test.
/test2

Find the World

We've seen some of the more useful and somewhat difficult features of find commands, but find can perform more tasks. For example, there are several options to make find compatible with a lower version of UNIX and other operating systems and allow you to perform operations such as printing output to multiple files. After reading this article, you now have a background to understanding the Find Reference Guide, and I encourage you to delve into this powerful and useful tool.