Examples of find and locate command to search files on Linux

Searching for files

A system administrator needs tools to search for files matching certain criteria on the file system. This section discusses two commands that can search for files in the file-system hierarchy.

  • The locate command searches a pre-generated index for file names or file paths and returns the results instantly.
  • The find command searches for files in real-time by crawling through the file-system hierarchy.

Locating files by name

The locate command finds files based on the name or path to the file. It is fast because it looks up this information from the mlocate database. However, this database is not updated in real-time, and it must be frequently updated for results to be accurate. This also means that locate will not find files that have been created since the last update of the database.

The locate database is automatically updated every day. However, at any time the root user can issue the updatedb command to force an immediate update.

[[email protected] ~]# updated

The locate command restricts results for unprivileged users. In order to see the resulting file name, the user must have search permission on the directory in which the file resides. Search for files with passwd in the name or path in directory trees readable by user on host.

[[email protected] ~]$ locate passwd
/etc/passwd
/etc/passwd
/etc/pam.d/passwd
/etc/security/opasswd
/usr/bin/gpasswd /usr/bin/grub2-mkpasswd-pbkdf2
/usr/bin/lppasswd
/usr/bin/passwd
...output omitted...

Results are returned even when the file name or path is only a partial match to the search query.

[[email protected] ~]# locate image
/etc/selinux/targeted/contexts/virtual_image_context
/usr/bin/grub2-mkimage
/usr/lib/sysimage
/usr/lib/dracut/dracut.conf.d/02-generic-image.conf
/usr/lib/firewalld/services/ovirt-imageio.xml
/usr/lib/grub/i386-pc/lnxboot.image
...output omitted...

The -i option performs a case-insensitive search. With this option, all possible combinations of upper and lowercase letters match the search.

[[email protected] ~]$ locate -i messages
...output omitted...
/usr/share/vim/vim80/lang/zh_TW/LC_MESSAGES
/usr/share/vim/vim80/lang/zh_TW/LC_MESSAGES/vim.mo
/usr/share/vim/vim80/lang/zh_TW.UTF-8/LC_MESSAGES
/usr/share/vim/vim80/lang/zh_TW.UTF-8/LC_MESSAGES/vim.mo
/usr/share/vim/vim80/syntax/messages.vim
/usr/share/vim/vim80/syntax/msmessages.vim
/var/log/messages

The -n option limits the number of returned search results by the locate command. The following example limits the search results returned by locate to the first five matches:

[[email protected] ~]$ locate -n 5 snow.png
/usr/share/icons/HighContrast/16x16/status/weather-snow.png
/usr/share/icons/HighContrast/22x22/status/weather-snow.png
/usr/share/icons/HighContrast/24x24/status/weather-snow.png
/usr/share/icons/HighContrast/256x256/status/weather-snow.png
/usr/share/icons/HighContrast/32x32/status/weather-snow.png

Searching for file in real time

The find command locates files by performing a real-time search in the file-system hierarchy. It is slower than locate, but more accurate. It can also search for files based on criteria other than the file name, such as the permissions of the file, type of file, its size, or its modification time. The find command looks at files in the file system using the user account that executed the search. The user invoking the find command must have read and execute permission on a directory to examine its contents.

The first argument to the find command is the directory to search. If the directory argument is omitted, find starts the search in the current directory and looks for matches in any subdirectory. To search for files by file name, use the -name FILENAME option. With this option, find returns the path to files matching FILENAME exactly. For example, to search for files named sshd_config starting from the / directory, run the following command:

[[email protected] ~]# find / -name sshd_config
/etc/ssh/sshd_config

Wildcards are available to search for a file name and return all results that are a partial match. When using wildcards, it is important to quote the file name to look for to prevent the terminal from interpreting the wildcard In the following example, search for files starting in the / directory that end in .txt:

[[email protected] ~]# find / -name '*.txt'
/etc/pki/nssdb/pkcs11.txt
/etc/brltty/brl-lt-all.txt
/etc/brltty/brl-mb-all.txt
/etc/brltty/brl-md-all.txt
/etc/brltty/brl-mn-all.txt
...output omitted...

To search for files in the /etc/ directory that contain the word, pass, anywhere in their names on host, run the following command:

[[email protected] ~]# find /etc -name '*pass*'
/etc/security/opasswd
/etc/pam.d/passwd
/etc/pam.d/password-auth
/etc/passwd
/etc/passwd
/etc/authselect/password-auth

To perform a case-insensitive search for a given file name, use the -iname option, followed by the file name to search. To search files with case-insensitive text, messages, in their names in the / directory on host, run the following command:

[[email protected] ~]# find / -iname '*messages*'
...output omitted...
/usr/share/vim/vim80/lang/zh_CN.UTF-8/LC_MESSAGES
/usr/share/vim/vim80/lang/zh_CN.cp936/LC_MESSAGES
/usr/share/vim/vim80/lang/zh_TW/LC_MESSAGES
/usr/share/vim/vim80/lang/zh_TW.UTF-8/LC_MESSAGES
/usr/share/vim/vim80/syntax/messages.vim
/usr/share/vim/vim80/syntax/msmessages.vim

Searching Files Based on Ownership or Permission

The find command can search for files based on their ownership or permissions. Useful options when searching by owner are -user and -group, which search by name, and -uid and -gid, which search by ID.

1. Search for files owned by user in the /home/user directory on host.

[[email protected] ~]$ find -user user
.
./.bash_logout
./.bash_profile
./.bashrc
./.bash_history

2. Search for files owned by the group user in the /home/user directory on host.

[[email protected] ~]$ find -group user
.
./.bash_logout
./.bash_profile
./.bashrc
./.bash_history

3. Search for files owned by user ID 1000 in the /home/user directory on host.

[[email protected] ~]$ find -uid 1000
.
./.bash_logout
./.bash_profile
./.bashrc
./.bash_history

4. Search for files owned by group ID 1000 in the /home/user directory on host.

[[email protected] ~]$ find -gid 1000
.
./.bash_logout
./.bash_profile
./.bashrc
./.bash_history

5. The -user, and -group options can be used together to search files where file owner and group owner are different. The example below list files that are both owned by user root and affiliated with group mail.

[[email protected] ~]# find / -user root -group mail
/var/spool/mail
...output omitted...

6. The -perm option is used to look for files with a particular set of permissions. Permissions can be described as octal values, with some combination of 4, 2, and 1 for read, write, and execute. Permissions can be preceded by a / or - sign. A numeric permission preceded by / matches files that have at least one bit of user, group, or other for that permission set. A file with permissions r–r–r– does not match /222, but one with rw-r–r– does. A - sign before a permission means that all three instances of that bit must be on, so neither of the previous examples would match, but something like rw-rw-rw-> would.

To use a more complex example, the following command matches any file for which the user has read, write, and execute permissions, members of the group have read and write permissions, and others have read-only access:

[[email protected] ~]# find /home -perm 764

To match files for which the user has at least write and execute permissions, and the group has at least write permissions, and others have at least read access:

[[email protected] ~]# find /home -perm -324

To match files for which the user has read permissions, or the group has at least read permissions, or others have at least write access:

[[email protected] ~]# find /home -perm /442

When used with / or -, a value of 0 works like a wildcard, since it means a permission of at least nothing. To match any file in the /home/user directory for which others have at least read access on host, run:

[[email protected] ~]$ find -perm -004

Find all files in the /home/user directory where other has write permissions on host.

[[email protected] ~]$ find -perm -002

Searching Files Based on Size

The find command can look up files that match a size specified with the -size option, followed by a numerical value and the unit. Use the following list as the units with the -size option:

  • k, for kilobyte
  • M, for megabyte
  • G, for gigabyte

1. The example below shows how to search for files with a size of 10 megabytes, rounded up.

[[email protected] ~]$ find -size 10M

2. To search the files with a size more than 10 gigabytes.

[[email protected] ~]$ find -size +10G

3. To list all files with a size less than 10 kilobytes.

[[email protected] ~]$ find -size -10k

Searching Files Based on Modification Time

The -mmin option, followed by the time in minutes, searches for all files that had their content changed at n minutes ago in the past. The file’s timestamp is always rounded down. It also supports fractional values when used with ranges (+n and -n).

1. To find all files that had their file content changed 120 minutes ago on host, run:

[[email protected] ~]# find / -mmin 120

2. The + modifier in front of the amount of minutes looks for all files in the / that have been modified more than n minutes ago. In this example, files that were modified more than 200 minutes ago are listed.

[[email protected] ~]# find / -mmin +200

3. The - modifier changes the search to look for all files in the / directory which have been changed less than n minutes ago. In this example, files that were modified less than 150 minutes ago are listed.

[[email protected] ~]# find / -mmin -150

Searching Files Based on File Type

The -type option in the find command limits the search scope to a given file type. Use the following list to pass the required flags to limit the scope of search:

  • f, for regular file
  • d, for directory
  • l, for soft link
  • b, for block device

1. Search for all directories in the /etc directory on host.

[[email protected] ~]# find /etc -type d
/etc
/etc/tmpfiles.d
/etc/systemd
/etc/systemd/system
/etc/systemd/system/getty.target.wants
...output omitted...

2. Search for all soft links on host.

[[email protected] ~]# find / -type l

3. Generate a list of all block devices in the /dev directory on host:

[[email protected] ~]# find /dev -type b
/dev/vda1
/dev/vda

4. The -links option followed by a number looks for all files that have a certain hard link count. The number can be preceded by a + modifier to look for files with a count higher than the given hard link count. If the number is preceded with a - modifier, the search is limited to all files with a hard link count that is less than the given number.

5. Search for all regular files with more than one hard link on host:

[[email protected] ~]# find / -type f -links +1