Open Source

Using the find command

All operating systems have their own methods of searching for files. Linux is no stranger to this concept. In fact, in Linux, the find command comes in quite handy. Read on as Jim McIntyre explains this versatile command.

One of the most common problems for new Linux users is finding files on the system. The absence of the familiar C:\ prompt often leaves users unable to locate files needed to configure the system. Although there are several good file managers available for Linux, one of the most powerful tools available is the find command. Available with all Linux distributions and installed with all default installations, this powerful and flexible command offers users and administrators the ability to search for files and directories based on almost any criteria. In this article, I will cover many aspects of the find command, including:
  • Finding files by filename.
  • Finding files by owner, groups associated with a file, modification date, or age.
  • Finding files by type.
  • Using find to check file system security.
  • Using find for backups.

The first point to cover with any Linux command is the syntax used with the command. With the find command, the general syntax is:
find path -options actions

The options used with the find command are used to specify which file characteristics are actually searched for.

Filename substitution
When used with the find command, filename substitution gives the find command more flexibility and allows the user more control over excluding or including patterns in searches. Table A lists examples of metacharacter (a single character that is used in place of another character or set of characters) usage.

Table A
* Match any character, including a null string
? Match any single character
[....] Match any character enclosed in the brackets
[A-Z] Match files containing uppercase characters in the filename
[a-z] Match files containing lowercase characters in the filename
[0-9] Match files containing numeric characters in the filename
[!...] Exclude any character enclosed in the brackets
Metacharacters used in filename substitution

Now, let's see how we can use the find command in a real-world situation.

Searching for files by filename
The most common way to search for files is by filename. The -name option may be used by itself, or it may be used with other options. Here are some typical examples of searching for files based on filename.

To search the current directory and its subdirectories for all files with the extension .txt, use this:
find . -name "*txt" -print

To find all files in your home directory that are less than four days old and begin with two lowercase letters, followed by two numbers, and the extension .gif, use this:
find . -name "[a-z]a-z]0-9][0-9]gif"

Executing commands with -exec
Once you have performed a search and have found files, the administrator will usually want to perform another action on those files. The exec option is the most common way to perform actions on the output from find. The exec option takes the format:
find <path> <options> -exec <command-to-run> {} \;

To find files in /etc owned by root with read and execute permissions to the group and other users, and then to change these permissions to read permission for root only, use the command below:
find /etc -user root -perm 655 -exec chmod 400 {} \;

To find all files on your system that belong to members of the group finance and list the full pathname to these files, use the command:
find / -group finance -exec ls -l {} \;

Find files based on file permissions
The find command can be used to expose potential security holes caused by weak file and directory access permissions. An administrator could find all files in /etc that are owned by root and that have read and write permission set for both the group and everybody, and then change the permissions so that the root user has read access and all other users have no access. This would be accomplished by using the find command with exec option as shown in the example below:
find /etc -user root -perm 644 -exec chmod 400 {} \;

Another method would be to look for recently modified files. If the administrator wanted to check the /sbin directory for any files owned by root that are less than two days old and then delete these files, he or she could use the command below:
find /etc -user root -mtime -2 -exec rm. -f {} \;

One of the first goals of an intruder will be to place a rootkit on your system. This means that any commands and files used by the administrator to check security will be replaced by versions that mask the existence of files placed on your system by the intruder. When checking your system security, make sure you are working with versions of commands and files you know you can trust.

Finding or excluding files by file type
To find all the subdirectories of /etc, use the command:
find /etc -type d

To exclude types of files from a search, we use the logical NOT (!) operator. For example, to look for subdirectories in /etc and exclude symbolic links from the search results, use the command:
find  /etc ! -type -l

Using find with cpio for system backups
The find command can easily be used with the cpio to perform backups. For example, if a system administrator wanted to back up the /home, /etc, and /html directories, he or she could use the commands listed below:
cd /
su root
find etc home html -depth | cpio -ivcd65536 -o /dev/rmt0

These commands will first make the find command look at all files in the selected directories, and when all files are found, the output will be piped to the cpio utility. The cpio utility will then back the directories to the tape drive mounted on /dev/rmt.

The find command should be one of the first commands that Linux users learn. The ability to run the find command and perform actions on the output from find through the exec options makes find one of the best file administration utilities available. The power and flexibility of this command can make an administrator's job much easier.

Editor's Picks