linux file find command details

1, Find file from index library: locate

  • Index library: the operating system will periodically traverse the root file system, and then generate the index library
  • Update index library manually: updatedb
  • Syntax: locate [OPTION]... PATTERN
  • Match basename only: - b
  • Count the number of qualified documents: - c
  • Use basic regular expression: - r
  • Note: to build an index, you need to traverse the entire root file system, which consumes a lot of resources.

2, Search directly from the file system: find

The following [file], including files and folders

Compared with locate, find is accurate, real-time search, not as fast as locate.

  • Usage: find [options] [find start path] [find method] [find finished, action to be processed]

  • Find start path: Specifies the start path for the search target. If not specified, it is the current directory.

  • Find by: Specifies options and ways to find. According to the file name, file size, file type, dependency, mode, etc.

    If no lookup method is specified, all files in the specified directory will be found.

  • To find out the file, make specific operations, such as delete. The default operation is to output the search results to standard output.

options :

  • Do not look up subdirectories: - maxdepth 1

Find by:

  • Find by file name: - name (case sensitive); - Iname (case insensitive)

    -name/-iname pattern

    pattern: support glob Syntax, but regular expressions are not supported.

    # ls test/
    Passwd  Passwd.txt
    # ls passwd
    passwd
    # find ./ -name passwd
    ./passwd
    # find ./ -iname passwd
    ./passwd
    ./test/Passwd
    Passwd.txt It is not an exact match, so it does not meet the search criteria.
    
    # find ./ -iname "passwd*"
    ./passwd
    ./test/Passwd
    ./test/Passwd.txt
    //Because of glob configuration, Passwd.txt meets the search criteria.
    
    # find ./ -iname "npasswd?"
    ./test/npasswdo
    ./test/npasswd-
    # find ./ -iname "npasswd[^[:alpha:]]"
    ./test/npasswd-
    # find ./ -iname "npasswd[[:alpha:]]"
    ./test/npasswdo
  • Find by owner of file:

    -user name/uid

    -uid uid

    # find /tmp/ -user za1
    /tmp/f1
    # id za1
    uid=1001(za1) gid=1001(za1) groups=1001(za1),1000(ys),1002(zg1),1004(gentoo)
    # find /tmp/ -user 1001
    /tmp/f1
    # find /tmp/ -uid 1001
    /tmp/f1
  • Find by file group:

    -group name/gid

    -gid gid

    # find /tmp/ -group zg1
    /tmp/f1
    /tmp/d1/inittab
    # find /tmp/ -group 1002
    /tmp/f1
    /tmp/d1/inittab
    # find /tmp/ -gid 1002
    /tmp/f1
    /tmp/d1/inittab
  • Find the deleted files of g group

    # find /tmp/ -nogroup
    /tmp/f1
    /tmp/d1/inittab
    /tmp/d1/issue
    /tmp/fld
    /tmp/test
    # ll -d f1 fld test
    -rw-r-----. 1 1001 1002 511 Dec 18 14:38 f1
    drwxrwxr-x. 2 root 1002   6 Dec 17 22:39 fld
    drwxrwxr-x. 2 ys   1002  85 Dec 23 21:16 test
    # ll d1
    -rwxr-xr--. 1 gentoo 1002 511 Dec 18 14:43 inittab
    -rwxr-xr--. 1 gentoo 1002  23 Dec 18 14:43 issue
  • Find files whose owner has been deleted

    # find /tmp/ -nouser
    /tmp/f1
    [root@localhost tmp]# ll f1
    -rw-r-----. 1 1001 1002 511 Dec 18 14:38 f1
  • It's very dangerous to have files that don't belong to a master or a group, so you need to check these files regularly and assign the masters and groups of these files to root.

  • Find by file type: - type TYPE

    • f: Common documents

    • d: Catalog file

    • l: Symbolic link file

      # find /etc/ -type l
    • b: Block device file

      # find /dev -type b -ls
       20033    0 brw-rw----   1 root     disk     253,   2 Dec 23 08:55 /dev/dm-2
       12288    0 brw-rw----   1 root     disk     253,   1 Dec 23 08:55 /dev/dm-1
    • c: Character device file

    • p: Pipeline file

    • s: Socket file

  • Combined search: any search method can be combined, such as - name and - size

    • And: - a do not specify that the default is - A.
    • Or: -o
    • Not: - not or!

    Exercise 1: find out the file whose / tmp directory is not root and whose file name does not contain fstab.

    Note: for the usage of bracket, the bracket must be escaped, and there should be spaces around the bracket.

    # find /tmp/ -not -user "root" -not -name "*fstab*"  -ls | wc -l
    98
    # find /tmp/ -not -user "root" -a -not -name "*fstab*"  -ls | wc -l
    98
    # find /tmp/ -not \( -user "root" -o -name "*fstab*" \)  -ls | wc -l
    98
  • Find by file size: - size

    • Usage: ` - size [+ | -] ාunit
    • #Number (positive)
    • Common units: K, M, G
    • #UNIT: (#-1, #]
    • -#UNIT: [0, #-1]
    • +#UNIT: (ා, positive infinity)
  • Find by time

    • In days

      -atime [+ | -] # (#: Access time

      • #: [#,#+1)

        For example, if × = 1, it is to find the file accessed [1,2] days ago

        # date
        Tue Dec 24 09:49:21 CST 2019
        # stat /tmp/atime2
        Access: 2019-12-22 08:35:00.000000000 +0800
        # find /tmp/ -atime 1
        #The / tmp/atime2 file cannot be found because it has not been accessed for more than 2 days
        # touch -at 1912230800.00 /tmp/atime2
        # stat /tmp/atime2
        Access: 2019-12-23 08:00:00.000000000 +0800
        # find /tmp/ -atime 1
        /tmp/atime2 #More than 1 day and less than 2 days no visit, so found.
        # touch -at 1912231000.00 /tmp/atime2
        Access: 2019-12-23 10:00:00.000000000 +0800
        # find /tmp/ -atime 1
        #The / tmp/atime2 file could not be found because it was not accessed in less than 1 day.
      • +#[× + 1, positive infinity)

        For example, if × = 1, it is to find the file accessed [2, positive infinity] days ago

        # date
        Tue Dec 24 10:03:57 CST 2019
        # stat /tmp/atime2
        Access: 2019-12-22 11:00:00.000000000 +0800
        # find /tmp/ -atime +1 | grep "atime"
        #The / tmp/atime2 file could not be found because it was not accessed in less than 2 days.
        # touch -at 1912221000.00 /tmp/atime2
        # stat /tmp/atime2
        Access: 2019-12-22 10:00:00.000000000 +0800
        # find /tmp/ -atime +1 | grep "atime"
        /tmp/atime2#I haven't visited for more than 2 days, so I found it.
      • -#: [0, #)

        For example, if × = 1, it is to find the files accessed [0,1] days ago (within 24 hours)

        # date
        Tue Dec 24 10:13:55 CST 2019
        # stat /tmp/atime2
        Access: 2019-12-23 10:12:00.000000000 +0800
        find /tmp/ -atime -1 | grep "atime"
        #The / tmp/atime2 file could not be found because it was not accessed for more than 1 day
        # touch -at 1912231020.00 /tmp/atime2
        # stat /tmp/atime2
        Access: 2019-12-23 10:20:00.000000000 +0800
        # find /tmp/ -atime -1 | grep "atime"
        /tmp/atime2#I haven't visited in less than 1 day, so I found it.

      -mtime: Modify time

      -ctime: Change time

    • In minutes

      -amin [+ | -] # (#: Access time

      -mmin: Modify time

      -cmin: Change time

  • Find by permission

    • Syntax: ` - perm [-|/]mode

      • mode: exact match

        # ll
        total 0
        ---x--x--x. 1 root root 0 Dec 24 13:20 a
        -rw-r--r--. 1 root root 0 Dec 24 13:20 b
        -rw-r--r--. 1 root root 0 Dec 24 13:20 c
        -rw-r--r--. 1 root root 0 Dec 24 13:20 d
        -rw-r--r--. 1 root root 0 Dec 24 13:20 e
        # find ./ -perm 111 -ls
        1692196    0 ---x--x--x   1 root     root            0 Dec 24 13:20 ./a
        # find ./ ! -perm  111 -ls
        1692200    0 drwxrwxr-x   2 ys       1002           69 Dec 24 13:20 ./
        1692205    0 -rw-r--r--   1 root     root            0 Dec 24 13:20 ./b
        1692207    0 -rw-r--r--   1 root     root            0 Dec 24 13:20 ./c
        1969792    0 -rw-r--r--   1 root     root            0 Dec 24 13:20 ./d
        1754172    0 -rw-r--r--   1 root     root            0 Dec 24 13:20 ./e
      • /mode: user || group || other

      • -mode: user && group && other

        # ls -al
        total 12
        drwxrwxr-x.  2 ys   1002   33 Dec 24 13:40 .
        drwxrwxrwt. 51 root root 8192 Dec 24 13:20 ..
        ---x--x--x.  1 root root    0 Dec 24 13:20 a
        -rwxrw-r--.  1 root root    0 Dec 24 13:20 b
        -rw-r--r--.  1 root root    0 Dec 24 13:20 c
        //If the owner has execution permission or the group has write permission, it is to find the object
        # find ./  -perm  /120 -ls
        1692200    0 drwxrwxr-x   2 ys       1002           33 Dec 24 13:40 ./
        1692196    0 ---x--x--x   1 root     root            0 Dec 24 13:20 ./a
        1692205    0 -rwxrw-r--   1 root     root            0 Dec 24 13:20 ./b
        //What the owner does not have execute permission and the group does not have write permission is to find the object
        # find ./ ! -perm  /120 -ls
        1692207    0 -rw-r--r--   1 root     root            0 Dec 24 13:20 ./c
        //The owner has execution permission and the owner has write permission to find the object
        # find ./  -perm  -120 -ls
        1692200    0 drwxrwxr-x   2 ys       1002           33 Dec 24 13:40 ./
        1692205    0 -rwxrw-r--   1 root     root            0 Dec 24 13:20 ./b
        //What the owner does not have execute permission or the group does not have write permission is to find the object
        # find ./  ! -perm  -120 -ls
        1692196    0 ---x--x--x   1 root     root            0 Dec 24 13:20 ./a
        1692207    0 -rw-r--r--   1 root     root            0 Dec 24 13:20 ./c
  • The action to be processed after searching

    -print: output the search results to standard output. Default processing action.

    -ls: similar to executing the ls -l command on a found file, outputting the result to standard output.

    -fls /PATH/NAME: similar to executing ls -l command on the found file, outputting the result to the specified file.

    -Delete: delete the found file.

    -ok command {};: execute the command command for each found file, and each operation needs to be confirmed by the user. {} is the file name of the file found

    -exec command {};: the command command is executed for each file found without user confirmation.

    Note: find is to search first, and then pass the found results to the subsequent commands at one time, rather than finding one pass one by one. However, some commands cannot accept too long parameters, so the subsequent commands will fail to execute. Another way can be used to solve this problem.

    find | xargs command

    xargs will block the result of find, which ensures that subsequent commands will not crash.

    # find ./  ! -perm  -120
    ./a
    ./c
    [root@localhost test]# find ./  ! -perm  -120 -ok cp {} {}.back \;
    < cp ... ./a > ? y
    < cp ... ./c > ? y
    [root@localhost test]# ll
    total 0
    ---x--x--x. 1 root root 0 Dec 24 13:20 a
    ---x--x--x. 1 root root 0 Dec 24 14:40 a.back
    -rwxrw-r--. 1 root root 0 Dec 24 13:20 b
    -rw-r--r--. 1 root root 0 Dec 24 13:20 c
    -rw-r--r--. 1 root root 0 Dec 24 14:40 c.back
    # rm -f ./*.back
    [root@localhost test]# find ./  ! -perm  -120 -exec cp {} {}.back \;
    [root@localhost test]# ll
    total 0
    ---x--x--x. 1 root root 0 Dec 24 13:20 a
    ---x--x--x. 1 root root 0 Dec 24 14:41 a.back
    -rwxrw-r--. 1 root root 0 Dec 24 13:20 b
    -rw-r--r--. 1 root root 0 Dec 24 13:20 c
    -rw-r--r--. 1 root root 0 Dec 24 14:41 c.back

Practice:

1. Find all the files or directories whose primary directory is root and the group is mail under the / var directory.

# find /var -user root -group mail
/var/spool/mail
/var/spool/mail/root
# find /var -user root -group mail | xargs ls -ld
drwxrwxr-x. 2 root mail    167 Dec 23 16:42 /var/spool/mail
-rw-------. 1 root mail 463001 Dec 17 20:59 /var/spool/mail/root

2. Find all the files or directories under the / usr directory that do not belong to root, bin or gentoo. There are two methods.

# find /usr ! -user root ! -user bin ! -user gentoo | wc -l
14
# find /usr ! \( -user root -o -user bin -o -user gentoo \) | wc -l
14

3. Find the file or directory whose contents have been modified in the last week under the directory / tmp, and whose owner is neither root user nor gentoo user.

# find /tmp -mtime -7 ! -user root ! -user gentoo

4. Find the files or directories on the current system that have not been accessed in the last week.

#  find /tmp \( -nouser -o -nogroup \) -atime -7 -ls
67978820    4 -rw-r-----   1 1001     1002          511 Dec 18 14:38 /tmp/f1
67978822    4 -rwxr-xr--   1 gentoo   1002          511 Dec 18 14:43 /tmp/d1/inittab
67978823    4 -rwxr-xr--   1 gentoo   1002           23 Dec 18 14:43 /tmp/d1/issue
33599012    0 drwxrwxr-x   2 root     1002            6 Dec 17 22:39 /tmp/fld
1692200     0 drwxrwxr-x   2 ys       1002           33 Dec 24 14:43 /tmp/test

5. Look for all files larger than 1M in the / tmp directory with common files

# find /tmp -size +1M -type f | xargs ls -lh
-rw--w----. 1 root mageedu 2.3M Dec 18 10:44 /tmp/log/anaconda/journal.log
-rw--w----. 1 root mageedu 1.8M Dec 18 10:44 /tmp/log/audit/audit.log
-r---w----. 1 root mageedu 8.1M Dec 18 10:44 /tmp/log/audit/audit.log.1
-r---w----. 1 root mageedu 8.1M Dec 18 10:44 /tmp/log/audit/audit.log.2
-r---w----. 1 root mageedu 8.1M Dec 18 10:44 /tmp/log/audit/audit.log.3
-rw-rw-r--. 1 root mageedu 1.6M Dec 18 10:44 /tmp/log/firewalld
-rw-rw-r--. 1 root mageedu 1.2M Dec 18 10:44 /tmp/log/lastlog
-rw--w----. 1 root mageedu 1.1M Dec 18 10:44 /tmp/log/messages
-rw--w----. 1 root mageedu 4.4M Dec 18 10:44 /tmp/log/messages-20191206
-rw--w----. 1 root mageedu  49M Dec 18 10:44 /tmp/log/messages-20191215

6. Look for files in the / etc directory where all users have no write permission

# find /etc ! -perm /222 -type f | xargs ls -l
-r--r--r--. 1 root root     460 Apr 11  2018 /etc/dbus-1/system.d/cups.conf
----------. 1 root root     920 Dec 23 21:38 /etc/gshadow
----------. 1 root root     927 Dec 23 21:33 /etc/gshadow-
-r--r--r--. 1 root root      63 Nov  9  2018 /etc/ld.so.conf.d/kernel-3.10.0-957.el7.x86_64.conf

7. Find a directory. There are at least one kind of files that users do not have permission to execute

# ll
-rwxr-xr-x. 1 root root 0 Dec 24 15:45 a
-rwxr--r--. 1 root root 0 Dec 24 15:45 b
-rw-r-xr--. 1 root root 0 Dec 24 15:45 c
-rw-r-xr-x. 1 root root 0 Dec 24 15:45 d
[root@localhost test1]# find ./ ! -perm -111 -type f | xargs ls -l
-rwxr--r--. 1 root root 0 Dec 24 15:45 ./b
-rw-r-xr--. 1 root root 0 Dec 24 15:45 ./c
-rw-r-xr-x. 1 root root 0 Dec 24 15:45 ./d

8. Find all files in the directory / etc/init.d / where all users have execution permission and other users have write permission

# ll /etc/init.d/
total 40
-rw-r--r--. 1 root root 18281 Aug 24  2018 functions
-rwxr-xrwx. 1 root root  4569 Aug 24  2018 netconsole
-rwxr-xr-x. 1 root root  7923 Aug 24  2018 network
-rw-r--r--. 1 root root  1160 Oct 31  2018 README
# find /etc/init.d/ -perm -111 -perm /002 -type f -ls
101249165    8 -rwxr-xrwx   1 root     root         4569 Aug 24  2018 /etc/init.d/netconsole
# find /etc/init.d/ -perm -113 -type f -ls
101249165    8 -rwxr-xrwx   1 root     root         4569 Aug 24  2018 /etc/init.d/netconsole

QQ group of mutual learning in c/c + +: 877684253

My wechat: xiaoshitou5854

Keywords: Linux less socket Anaconda DBus

Added by realchamp on Tue, 24 Dec 2019 10:39:57 +0200