Searching for files
A system administrator needs tools to search for ﬁles matching certain criteria on the ﬁle system. This section discusses two commands that can search for ﬁles in the ﬁle-system hierarchy.
- The locate command searches a pre-generated index for ﬁle names or ﬁle paths and returns the results instantly.
- The find command searches for ﬁles in real-time by crawling through the ﬁle-system hierarchy.
Locating files by name
The locate command ﬁnds ﬁles based on the name or path to the ﬁle. It is fast because it looks up this information from the mlocate database. However, this database is not updated in real-time, and it must be frequently updated for results to be accurate. This also means that locate will not ﬁnd ﬁles that have been created since the last update of the database.
The locate database is automatically updated every day. However, at any time the root user can issue the updatedb command to force an immediate update.
[root@host ~]# updated
The locate command restricts results for unprivileged users. In order to see the resulting ﬁle name, the user must have search permission on the directory in which the ﬁle resides. Search for ﬁles with passwd in the name or path in directory trees readable by user on host.
[user@host ~]$ locate passwd /etc/passwd /etc/passwd /etc/pam.d/passwd /etc/security/opasswd /usr/bin/gpasswd /usr/bin/grub2-mkpasswd-pbkdf2 /usr/bin/lppasswd /usr/bin/passwd ...output omitted...
Results are returned even when the ﬁle name or path is only a partial match to the search query.
[root@host ~]# locate image /etc/selinux/targeted/contexts/virtual_image_context /usr/bin/grub2-mkimage /usr/lib/sysimage /usr/lib/dracut/dracut.conf.d/02-generic-image.conf /usr/lib/firewalld/services/ovirt-imageio.xml /usr/lib/grub/i386-pc/lnxboot.image ...output omitted...
The -i option performs a case-insensitive search. With this option, all possible combinations of upper and lowercase letters match the search.
[user@host ~]$ locate -i messages ...output omitted... /usr/share/vim/vim80/lang/zh_TW/LC_MESSAGES /usr/share/vim/vim80/lang/zh_TW/LC_MESSAGES/vim.mo /usr/share/vim/vim80/lang/zh_TW.UTF-8/LC_MESSAGES /usr/share/vim/vim80/lang/zh_TW.UTF-8/LC_MESSAGES/vim.mo /usr/share/vim/vim80/syntax/messages.vim /usr/share/vim/vim80/syntax/msmessages.vim /var/log/messages
The -n option limits the number of returned search results by the locate command. The following example limits the search results returned by locate to the ﬁrst ﬁve matches:
[user@host ~]$ locate -n 5 snow.png //cdn.thegeeksearch.com/usr/share/icons/HighContrast/16x16/status/weather-snow.png //cdn.thegeeksearch.com/usr/share/icons/HighContrast/22x22/status/weather-snow.png //cdn.thegeeksearch.com/usr/share/icons/HighContrast/24x24/status/weather-snow.png //cdn.thegeeksearch.com/usr/share/icons/HighContrast/256x256/status/weather-snow.png //cdn.thegeeksearch.com/usr/share/icons/HighContrast/32x32/status/weather-snow.png
Searching for file in real time
The find command locates ﬁles by performing a real-time search in the ﬁle-system hierarchy. It is slower than locate, but more accurate. It can also search for ﬁles based on criteria other than the ﬁle name, such as the permissions of the ﬁle, type of ﬁle, its size, or its modiﬁcation time. The find command looks at ﬁles in the ﬁle system using the user account that executed the search. The user invoking the find command must have read and execute permission on a directory to examine its contents.
The ﬁrst argument to the find command is the directory to search. If the directory argument is omitted, find starts the search in the current directory and looks for matches in any subdirectory. To search for ﬁles by ﬁle name, use the -name FILENAME option. With this option, find returns the path to ﬁles matching FILENAME exactly. For example, to search for ﬁles named sshd_config starting from the / directory, run the following command:
[root@host ~]# find / -name sshd_config /etc/ssh/sshd_config
Wildcards are available to search for a ﬁle name and return all results that are a partial match. When using wildcards, it is important to quote the ﬁle name to look for to prevent the terminal from interpreting the wildcard In the following example, search for ﬁles starting in the / directory that end in .txt:
[root@host ~]# find / -name '*.txt' /etc/pki/nssdb/pkcs11.txt /etc/brltty/brl-lt-all.txt /etc/brltty/brl-mb-all.txt /etc/brltty/brl-md-all.txt /etc/brltty/brl-mn-all.txt ...output omitted...
To search for ﬁles in the /etc/ directory that contain the word, pass, anywhere in their names on host, run the following command:
[root@host ~]# find /etc -name '*pass*' /etc/security/opasswd /etc/pam.d/passwd /etc/pam.d/password-auth /etc/passwd /etc/passwd /etc/authselect/password-auth
To perform a case-insensitive search for a given ﬁle name, use the -iname option, followed by the ﬁle name to search. To search ﬁles with case-insensitive text, messages, in their names in the / directory on host, run the following command:
[root@host ~]# find / -iname '*messages*' ...output omitted... /usr/share/vim/vim80/lang/zh_CN.UTF-8/LC_MESSAGES /usr/share/vim/vim80/lang/zh_CN.cp936/LC_MESSAGES /usr/share/vim/vim80/lang/zh_TW/LC_MESSAGES /usr/share/vim/vim80/lang/zh_TW.UTF-8/LC_MESSAGES /usr/share/vim/vim80/syntax/messages.vim /usr/share/vim/vim80/syntax/msmessages.vim
Searching Files Based on Ownership or Permission
The find command can search for ﬁles based on their ownership or permissions. Useful options when searching by owner are -user and -group, which search by name, and -uid and -gid, which search by ID.
1. Search for ﬁles owned by user in the /home/user directory on host.
[user@host ~]$ find -user user . ./.bash_logout ./.bash_profile ./.bashrc ./.bash_history
2. Search for ﬁles owned by the group user in the /home/user directory on host.
[user@host ~]$ find -group user . ./.bash_logout ./.bash_profile ./.bashrc ./.bash_history
3. Search for ﬁles owned by user ID 1000 in the /home/user directory on host.
[user@host ~]$ find -uid 1000 . ./.bash_logout ./.bash_profile ./.bashrc ./.bash_history
4. Search for ﬁles owned by group ID 1000 in the /home/user directory on host.
[user@host ~]$ find -gid 1000 . ./.bash_logout ./.bash_profile ./.bashrc ./.bash_history
5. The -user, and -group options can be used together to search ﬁles where ﬁle owner and group owner are different. The example below list ﬁles that are both owned by user root and afﬁliated with group mail.
[root@host ~]# find / -user root -group mail /var/spool/mail ...output omitted...
6. The -perm option is used to look for ﬁles with a particular set of permissions. Permissions can be described as octal values, with some combination of 4, 2, and 1 for read, write, and execute. Permissions can be preceded by a / or – sign. A numeric permission preceded by / matches ﬁles that have at least one bit of user, group, or other for that permission set. A ﬁle with permissions r–r–r– does not match /222, but one with rw-r–r– does. A – sign before a permission means that all three instances of that bit must be on, so neither of the previous examples would match, but something like rw-rw-rw-> would.
To use a more complex example, the following command matches any ﬁle for which the user has read, write, and execute permissions, members of the group have read and write permissions, and others have read-only access:
[root@host ~]# find /home -perm 764
To match ﬁles for which the user has at least write and execute permissions, and the group has at least write permissions, and others have at least read access:
[root@host ~]# find /home -perm -324
To match ﬁles for which the user has read permissions, or the group has at least read permissions, or others have at least write access:
[root@host ~]# find /home -perm /442
When used with / or -, a value of 0 works like a wildcard, since it means a permission of at least nothing. To match any ﬁle in the /home/user directory for which others have at least read access on host, run:
[user@host ~]$ find -perm -004
Find all ﬁles in the /home/user directory where other has write permissions on host.
[user@host ~]$ find -perm -002
Searching Files Based on Size
The find command can look up ﬁles that match a size speciﬁed with the -size option, followed by a numerical value and the unit. Use the following list as the units with the -size option:
- k, for kilobyte
- M, for megabyte
- G, for gigabyte
1. The example below shows how to search for ﬁles with a size of 10 megabytes, rounded up.
[user@host ~]$ find -size 10M
2. To search the ﬁles with a size more than 10 gigabytes.
[user@host ~]$ find -size +10G
3. To list all ﬁles with a size less than 10 kilobytes.
[user@host ~]$ find -size -10k
Searching Files Based on Modiﬁcation Time
The -mmin option, followed by the time in minutes, searches for all ﬁles that had their content changed at n minutes ago in the past. The ﬁle’s timestamp is always rounded down. It also supports fractional values when used with ranges (+n and -n).
1. To ﬁnd all ﬁles that had their ﬁle content changed 120 minutes ago on host, run:
[root@host ~]# find / -mmin 120
2. The + modiﬁer in front of the amount of minutes looks for all ﬁles in the / that have been modiﬁed more than n minutes ago. In this example, ﬁles that were modiﬁed more than 200 minutes ago are listed.
[root@host ~]# find / -mmin +200
3. The – modiﬁer changes the search to look for all ﬁles in the / directory which have been changed less than n minutes ago. In this example, ﬁles that were modiﬁed less than 150 minutes ago are listed.
[root@host ~]# find / -mmin -150
Searching Files Based on File Type
The -type option in the find command limits the search scope to a given ﬁle type. Use the following list to pass the required ﬂags to limit the scope of search:
- f, for regular ﬁle
- d, for directory
- l, for soft link
- b, for block device
1. Search for all directories in the /etc directory on host.
[root@host ~]# find /etc -type d /etc /etc/tmpfiles.d /etc/systemd /etc/systemd/system /etc/systemd/system/getty.target.wants ...output omitted...
2. Search for all soft links on host.
[root@host ~]# find / -type l
3. Generate a list of all block devices in the /dev directory on host:
[root@host ~]# find /dev -type b /dev/vda1 /dev/vda
4. The -links option followed by a number looks for all ﬁles that have a certain hard link count. The number can be preceded by a + modiﬁer to look for ﬁles with a count higher than the given hard link count. If the number is preceded with a – modiﬁer, the search is limited to all ﬁles with a hard link count that is less than the given number.
5. Search for all regular ﬁles with more than one hard link on host:
[root@host ~]# find / -type f -links +1