A find Tutorial and Primer

find

find is one of the most useful Linux/Unix tools in the toolbelt, but most people use only a fraction of its power. Many Linux/Unix questions seen online can be solved using the find command alone, getting familiar with its main functionality is one of the best things you can do for yourself in the long-term.

find lets you do anything from finding all your .jpg files to seeing “all of Michael’s text documents that have the execute bit set and have been modified since yesterday.” And when combined with exec or xargs, a properly constructed command can make quick work of some very heavy tasks.

First thing we need to do is understand how find works. Here are some of the key options:

  • -o : the OR operation to string multiple search criteria together

  • -name : find files by name

  • -iname : find files by name, ignoring case

  • -type f : find only files

  • -type d : find only directories

  • -size : find by size

  • -mtime : find by modified time

  • -mtime : find by modified time

There a number of variations of these, which we’ll talk about more below. It’s also possible to combine queries, like so:

Combine the -name and -type options

find . -name nasa -type d

It’s important to note that when searching using -name or -iname you need to by default specify the whole name to get a match, e.g.: searching for “disc” will not find “discovered”, but you can use common techniques (*) to widen the search.

Expand your searches using the *

find . -name *disc*

Let’s start simple by looking for things by name. Remember that thefirst argument you give find is where to look.

Find by name

find . -name “*.jpg”

...
./Pictures/iPhoto Library/Data/2006/Roll 20/00697_bluewaters_1440x900.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00705_cloudyday_1440x900.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00710_fragile_1600x1200.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00713_coolemoticon_1440x900.jpg
./Pictures/iPhoto Library/Data/2006/Roll 20/00714_cloudyday_1440x900.jpg
...

Note that by default when you give a location to start from (in our case“.”), the find command starts there and drills all the way down duringits search. So in this case I started from my home directory and itfound the files all the way down in “~/Pictures/iPhotoLibrary/Data/2006/Roll 20” as well.

[ Placing quotes around the search criteria avoids issues with wildcardcharacters and is probably a good habit to get into. You can also use-iname instead of -name; it’s the same but it’s case insensitive ]

You can also define another search location which will be evaluatedrecursively as well.

Search the entire filesystem for a file

find / -name “*.jpg”

Figuring out what a user is trivial using lsof. Simply provide the username and see everything they’re doing on the system.

Find out what a given user is up to

find . -user daniel

...
./Music/iTunes/iTunes Music/Tool/Undertow/01 Intolerance.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/02 Prison Sex.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/03 Sober.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/04 Bottom.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/05 Crawl Away.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/06 Swamp Song.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/07 Undertow.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/08 4 Degrees.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/09 Flood.m4a
./Music/iTunes/iTunes Music/Tool/Undertow/69 Disgustipated.m4a
...

[ Also works for groups (-group) ]

You can also look for files or directories separately.

Find only directories

find . -type d

...
./Development/envelope
./Development/mhp
./Development/mservers
./Development/mservers/fortune100
./Development/mst
./Development/mst/nmap
./Development/mst/services
...

Those are all directories, and to look for the others (files, links, or sockets), just substitute f, l, s for the d in the command above.

It’s often useful to find things on your drive that are taking up space and need to be dealt with.

Find everything over a megabyte in size

find ~/Movies/ -size +1024M

...
/Movies/Comedy/Funny.mpg
/Movies/Drama/Sad.avi
...

[ +M indicates that you’re searching in megabytes, but you can also search in bytes or kilobytes if so desired. ]

You can also search based on when something was last updated or modified.

find also has a number of options that help one answer forensics-oriented questions such as when a file’s contents or permissions were last changed.

Show me what content owned by root have been modified within the last minute

find /etc/ -user root -mtime 1

...
/etc/passwd
/etc/shadow
...

The checks you can use here are:

  • -atime: when the file was last accessed

  • -ctime: when the file’s permissions were last changed

  • -mtime: when the file’s data was last modified

These searches are done in 24 hour increments and followed by a number n. If you want to match the exact 24 hour period you use n by itself. More frequently, however, you’ll want to say everything since yesterday, or everything “more than 3 days ago.” This is accomplished using the -n and +n options respectively.

There are also minute versions of the atime, ctime, and mtime arguments:

  • -amin: when (in minutes) the file was last accessed

  • -cmin: when (in minutes) the file’s permissions were last changed

  • -mmin: when (in minutes) the file’s data was last modified

Another option is to find things based on what permissions they have. This is especially helpful when looking for content on your system that is too wide open from a security standpoint.

Find everything in my home directory with wide open permissions

# find all files in my directory with open permissions

find ~ -perm 777

...
~/testfile.txt
~/lab.rtf
...

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Find all files on your system that are world writeable

find / – perm -0002

You can also use some options to search for things related to forensics.

  • -nouser: shows output that’s not associated with an existing userid

  • -nogroup: shows output not associated with an existing groupid

  • -links n: file has n links

  • -newer file: file was modified more recently than file.

  • -perm mode: file has mode permissions.

What’s the fun in finding a bunch of stuff if you’re not going to do something with it? While it’s interesting to say, “find me stuff”, it’s far more useful to say, “Take every text file owned by ex-employee Jason that’s hasn’t been accessed in 60 days and move it to a remote backup folder.

Many use find in conjunction with exec, which then runs on the results. This is usually acceptable, but I prefer to use xargs because it executes more elegantly.

xargs, unlike exec, executes all arguments as a single command instead of running multiple commands. So if I run>:

find . -name something -exec ls -l {} ;

…I will ultimately be running ls as many times as there are contents in my home directory. But if I run this instead:

find . -name something | xargs -0 ls

…I will only run ls once, with the directory contents as arguments. While on modern computers the performance gain on this is often trivial, I simply prefer the aesthetic of it.

[ NOTE: The -print0 option terminates results with a null character instead of the default newline, making it cleaner and less likely to balk in many cases related to spaces, special characters, etc. in the input. ]

Here are some examples.

Delete all files now owned by valid users

find / -nouser | xargs -0 rm

Find image files and move them to the pictures directory

find ~/Desktop -name “*.jpg” -o -name “*.gif” -o -name “*.png” -print0 | xargs -0 mv –target-directory ~/Pictures

Correct the permissions on your web directory

find /your/webdir/ -type d -print0 | xargs -0 chmod 755;find /your/webdir -type f | xargs chmod 644

Find files that have been modified within the last month and copy them somewhere

find /etc/ -mtime -30 | xargs -0 cp /a/path

Just as with any good unix/linux command, the real power comes in combining options. You can combine find arguments using and, or, and not. By default if you use two different arguments you’re and‘ing them. If you want to use or you give the -o option, and if you want to get everything except something, you use the ! option.

Daniel’s files of type jpeg

find . -user daniel -type f -name *.jpg

...
./Pictures/iPhoto Library/autumn_woods.jpg
./Pictures/iPhoto Library/blue_forest.jpg
./Pictures/iPhoto Library/brothers.jpg
...

Daniel’s jpeg files without autumn in the name

find . -user daniel -type f -name *.jpg ! -name autumn*

...
./Pictures/iPhoto Library/blue_forest.jpg
./Pictures/iPhoto Library/brothers.jpg
...

Root’s ruby files accessed in the last two minutes

find /apps/ -user root -type f -amin -2 -name *.rb

...
/apps/testing.rb
/apps/runme.rb
...

References

  1. The find Man Pagehttp://www.netadmintools.com/html/find.man.html”

Related posts: