Using find command in Linux/Unix

find is one of the Unix power tools; it searches for files within a directory hierarchy. It is a delight for sysadmins and provides many options to refine a search.

Using the find command:

Simply executing find in the current directory gives a full listing of all files in the current directory and all subdirectories, including hidden files:

$ find

The syntax of find is as follows:

 find   [path...]   [expression]

path:        the directory under which the search is performed
expression:  made up of options and tests on which find bases its search. We can also perform an action on the results of the search.

Some of the useful options are:

-name:    To find based on file name
-perm:    To find based on file permission. We can also add a [+|-] sign before the mode to refine the search. If the mode is preceded by a `-` (minus) sign, find matches files in which at least all of the bits in the mode are set. If it is preceded by a `+` (plus) sign, find matches files in which any of the bits in the mode are set (current GNU find writes this form as /mode).
-type:    To find based on file type. Some of the file types are: f - regular file, d - directory, l - symbolic link, s - socket, etc.
-mtime:   To find files based on file modification time
-user:    To find files based on file ownership
-prune:   To find files while omitting a directory (find does not descend into it)

Some of the Actions are:

-exec :  with the -exec action , we can specify any command to perform any action on the search results
-ok    : same as -exec but will ask for a prior confirmation before executing the command.

Examples of find command

Let's now demonstrate some of the options. We will start with a simple example.

$$ Using find to search files based on file name:

Suppose I want to identify all files whose names start with 'vsftpd' under the /etc directory:

$ sudo find /etc/ -name vsftpd.\* -print
/etc/vsftpd.conf
/etc/log.d/conf/services/vsftpd.conf
/etc/log.d/conf/logfiles/vsftpd.conf
/etc/vsftpd/vsftpd.conf

If the search pattern contains a wildcard character, we need to put the search string in quotes or precede the wildcard with a backslash so that the shell does not interpret it.

$$ Using find to search files based on file permission:

To identify files having rwx permission for all

$ sudo find /etc/ -type f  -perm 777 | xargs ls -l
-rwxrwxrwx  1 root root 0 Oct 30 11:16 /etc/test

Let's see another example to identify all files having rwx for world.

$ sudo find /etc/ -type f  -perm -o=rwx  | xargs ls -l
-rwxrwxrwx  1 root root 0 Oct 30 11:16 /etc/test

To identify files which have the SUID bit set:

$ find /bin/ /usr/bin/ -type f -perm -4000 -exec ls -l {} \;
-rwsr-xr-x  1 root  wheel  85536 Mar  5  2008 /bin//ps
-r-sr-xr-x  1 root  wheel  56208 Nov 29  2007 /bin//rcp
-r-sr-xr-x  1 root  wheel  69552 Apr  9  2008 /usr/bin//at
-r-sr-xr-x  1 root  wheel  69552 Apr  9  2008 /usr/bin//atq


The `-` sign before the permission mode 4000 tells find to match files with the SUID bit set, regardless of what other permissions are set.
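To compare the three forms of -perm side by side, the following added example (not part of the original post) builds a constructed temporary tree and runs each form against it. It assumes GNU find, where the "any of the bits" form is written /mode; the function names and file names are made up for the illustration.

```shell
#!/bin/sh
# Constructed sample tree; each file is named after the mode it is given.
make_perm_tree() {
    dir=$(mktemp -d) || return 1
    for mode in 0777 4755 0757 0646 0644; do
        : > "$dir/f$mode"
        chmod "$mode" "$dir/f$mode"
    done
    printf '%s\n' "$dir"
}

# Names matched by one -perm argument, sorted and joined with spaces.
perm_match() {   # $1 = directory, $2 = argument for -perm
    find "$1" -type f -perm "$2" -exec basename {} \; | sort | paste -s -d ' ' -
}

tree=$(make_perm_tree)
echo "777    exact mode only          : $(perm_match "$tree" 777)"
echo "-022   group AND other writable : $(perm_match "$tree" -022)"
echo "/022   group OR other writable  : $(perm_match "$tree" /022)"
echo "-o=rwx symbolic form of -007    : $(perm_match "$tree" -o=rwx)"
echo "-4000  SUID, any other bits     : $(perm_match "$tree" -4000)"
rm -rf "$tree"
```

For a permission audit the /022 form is usually the one wanted, since a file writable by group or by other alone is already a finding.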

$$ Using find to search for files within a particular directory but omitting a subdirectory within it.

In this example, we will search for files named 'vsftpd.conf' under the /etc directory while omitting the '/etc/log.d' subdirectory within it.

$ sudo find /etc/  -path '/etc/log.d' -prune  -o -name vsftpd.conf -print
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf


$$ To identify files based on their modification time

Let's try to identify files which are modified in the last two days.

$ sudo find /var/log/ -type f -mtime -3 -name messages\*  | xargs ls -l
-rw-------  1 root root 16928 Oct 27 15:22 /var/log/messages
-rw-------  1 root root 53282 Oct 25 04:02 /var/log/messages.1

Let's see another example to identify files which have not been modified for the last three days.

$ sudo find /var/log/ -type f -mtime +3 -name messages\*  | xargs ls -l
-rw-------  1 root root 67603 Oct 18 04:02 /var/log/messages.2
-rw-------  1 root root 56208 Oct 11 04:02 /var/log/messages.3
-rw-------  1 root root 52016 Oct  4 04:02 /var/log/messages.4
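find measures a file's age in whole 24-hour periods and discards the fraction, so the boundaries of -mtime -3, 3 and +3 fall at 72 and 96 hours. The following added example (not part of the original post) shows this on constructed files; it assumes GNU touch for the relative dates, and the function and file names are made up for the illustration.

```shell
#!/bin/sh
# Constructed sample tree: file hNNN was last modified NNN hours ago.
# Assumes GNU touch, which accepts relative dates with -d.
make_aged_tree() {
    dir=$(mktemp -d) || return 1
    for hours in 1 30 71 73 95 97 200; do
        name=$(printf 'h%03d' "$hours")
        touch -d "$hours hours ago" "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# Names matched by one -mtime argument, sorted and joined with spaces.
mtime_match() {   # $1 = directory, $2 = argument for -mtime
    find "$1" -type f -mtime "$2" -exec basename {} \; | sort | paste -s -d ' ' -
}

tree=$(make_aged_tree)
echo "-mtime -3 (age under 72 hours)      : $(mtime_match "$tree" -3)"
echo "-mtime 3  (72 up to 96 hours)       : $(mtime_match "$tree" 3)"
echo "-mtime +3 (age of 96 hours or more) : $(mtime_match "$tree" +3)"
rm -rf "$tree"
```

When collecting logs for a fixed time window, running both the -N and +N forms leaves out the files matched by plain N, here those between 72 and 96 hours old.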

$$ Identify files based on file ownership. 

Suppose you are auditing your system and, as part of that, you want to identify all files under /etc which are not owned by the root user. In that case, we can use the -user option of the find command.

$ sudo find /etc/  ! -user root | xargs ls -l
-rw-r--r--  1 amanda disk       500 Jun 29  2004 /etc/amanda/crontab.sample
-rw-r--r--  1 amanda disk     17638 Jun 29  2004 /etc/amanda/DailySet1/amanda.conf
-rw-r--r--  1 amanda disk      2099 Jun 29  2004 /etc/amanda/DailySet1/disklist
-rw-r--r--  1 amanda disk         0 Jun 29  2004 /etc/amandates

Performing actions on the search results of find command

We can also use find to run a command such as copy or remove on each search result. For this, find provides two actions, -exec and -ok. We will now see how to use them.

$$ To do a long listing after searching for files with rwx permission for world 

$ sudo find /etc -type f -perm -o=rwx -exec ls -l {} \;
-rw-r--rwx  1 root root 0 Oct 30 11:53 /etc/test.conf
-rw-r--rwx  1 root root 0 Oct 30 11:53 /etc/test

$$ To remove all files which are having rwx permission for world under /etc directory 

$ sudo find /etc -type f -perm -o=rwx -exec rm {} \;

$$ To remove all files which are having rwx permission for world under /etc directory with prompting us before executing the command.

$ sudo find /etc -type f -perm -o=rwx -ok rm {} \;
< rm ... /etc/test.conf > ? y
< rm ... /etc/test > ? y 
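Several examples above pipe find into a plain xargs, which splits its input on whitespace, while -exec passes each path as a single argument. The following added example (not part of the original post) shows the difference on a constructed tree containing a file name with a space; the function and file names are made up for the illustration, and the harmless ls -d stands in for the action.

```shell
#!/bin/sh
# Constructed sample tree: only "old app.conf" is world-writable.
make_names_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/app.conf";     chmod 0644 "$dir/app.conf"
    : > "$dir/old app.conf"; chmod 0666 "$dir/old app.conf"
    printf '%s\n' "$dir"
}

# Plain pipe: xargs splits "./old app.conf" into "./old" and "app.conf",
# so ls is run on a file that never matched the -perm test.
acted_on_plain_xargs() {
    (cd "$1" && find . -type f -perm -o=w | xargs ls -d 2>/dev/null || true)
}

# -exec ... {} + hands each path to the command as one argument.
acted_on_exec() {
    (cd "$1" && find . -type f -perm -o=w -exec ls -d {} +)
}

# NUL-delimited pipe: same result when xargs is still wanted.
acted_on_print0() {
    (cd "$1" && find . -type f -perm -o=w -print0 | xargs -0 ls -d)
}

tree=$(make_names_tree)
echo "plain xargs acted on : $(acted_on_plain_xargs "$tree")"
echo "-exec {} + acted on  : $(acted_on_exec "$tree")"
echo "-print0 | xargs -0   : $(acted_on_print0 "$tree")"
rm -rf "$tree"
```

With rm in place of ls -d, the plain pipe would have removed app.conf, which is not world-writable, and left the matching file in place.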

Conclusion:

We have now seen how to use the find command with some of its most widely used options. It is a very powerful command and has many other options to refine a search. It is worth spending some time going through the manual pages.
