CONTENTS |
The find command is used to locate files by traversing the UNIX tree structure. You can start from any point on the system, even the root level, and traverse through the entire hierarchy. After finding files, you can also perform actions on them. |
The general format of the find command is as follows:
find path operators
path is the directory in which find will begin a search. operators are one or more of the many find options you specify. The end of this section contains a list of commonly used operators to find. We'll work with several of the most commonly used operators in some of the upcoming examples.
The most common result of find is to produce a list of files. You can produce a list of files in the current working directory, specified by a dot (.), and print those files, as shown in the following example:
# cd /home # # ls -l total 3 drwxr-xr-x 3 col users 1024 Nov 8 14:09 col drwxr-xr-x 6 root root 1024 Nov 8 14:08 ftp drwxr-xr-x 6 root root 1024 Nov 8 14:08 httpd # # find . -print . ./httpd ./httpd/apache ./httpd/apache/doc ./httpd/apache/doc/manual.ps.gz ./httpd/cgi-bin ./httpd/cgi-bin/HelpIndex ./httpd/cgi-bin/HelpScreen ./httpd/html ./httpd/html/dt ./httpd/html/dt/dt.html ./httpd/html/dt/dt.html.idx ./httpd/html/dt/dt.index ./httpd/html/dt/expert.gif ./httpd/html/dt/hint.gif ./httpd/html/dt/index.gif ./httpd/html/dt/info2.gif ./httpd/html/dt/note.gif ./httpd/html/dt/sysadm.gif ./httpd/html/dt/up.gif ./httpd/html/dt/warning.gif ./httpd/icons ./ftp ./ftp/bin ./ftp/bin/gzip ./ftp/bin/ls ./ftp/bin/tar ./ftp/bin/zcat ./ftp/etc ./ftp/etc/group ./ftp/etc/passwd ./ftp/lib ./ftp/pub ./col ./col/.bashrc ./col/.cshrc ./col/.login ./col/.profile ./col/lg ./col/lg/lg_layouts ./col/lg/lg_layouts/User ./col/lg/lg3_prefs ./col/lg/lg3_soundPref ./col/lg/lg3_startup
This find operation was performed from the /home directory. Notice that there are only three home directories under /home, and the find command traverses the hierarchy for each of the three home directories. Keep in mind that you probably don't want to perform this find operation at the root level. You will traverse the entire hierarchy and get a list of every file on the system.
When using find, you may discover that you receive a message like the following when a file or directory is encountered for which you do not have adequate permission to traverse:
find: /var/spool/cron: Permission denied
This is not an ucommon message when running find, so don't panic. Users working outside their home directory often encounter this message when running a variety of commands, including find.
A typical find command will specify the path in which to search for a specific file. In this case, the expression is the name of the file for which you wish to search, as shown in the following example:
# find /home -name ftp /home/ftp
In this example, we search the path /home looking for the name ftp.
You may want to perform a find operation to produce a list of files only and not include directories in the operation. The following find is similar to what we performed earlier, but this time it produces a list of files only. This is achieved by specifying that we are looking for type f for files:
# find /home -type f -print /home/httpd/apache/doc/manual.ps.gz /home/httpd/cgi-bin/HelpIndex /home/httpd/cgi-bin/HelpScreen /home/httpd/html/dt/dt.html /home/httpd/html/dt/dt.html.idx /home/httpd/html/dt/dt.index /home/httpd/html/dt/expert.gif /home/httpd/html/dt/hint.gif /home/httpd/html/dt/index.gif /home/httpd/html/dt/info2.gif /home/httpd/html/dt/note.gif /home/httpd/html/dt/sysadm.gif /home/httpd/html/dt/up.gif /home/httpd/html/dt/warning.gif /home/ftp/bin/gzip /home/ftp/bin/ls /home/ftp/bin/tar /home/ftp/etc/group /home/ftp/etc/passwd /home/col/.bashrc /home/col/.cshrc /home/col/.login /home/col/.profile /home/col/lg/lg_layouts/User /home/col/lg/lg3_prefs /home/col/lg/lg3_soundPref /home/col/lg/lg3_startup
You can search for a variety of different types such as f for a file as shown in the example, b for a block special file, l for a symbolic link, and so on.
A useful test when performing a find operation is to locate empty files. The following example searches for all empty files and directories on the system with the -empty operator that is available on some UNIX variants, including Linux. This is only a partial output because it's so long:
# find / -empty -print /lost+found /var/adm/LST/analyse /var/spool/lpd /var/spool/news /var/spool/uucp /var/spool/mqueue /var/spool/atjobs/.SEQ /var/spool/atspool /var/spool/cron /var/spool/fax/outgoing/locks /var/spool/fax/incoming /var/spool/voice/incoming /var/spool/voice/messages /var/spool/rwho /var/spool/uucppublic /var/lib/LST/log /var/lib/LST/analyse /var/lib/LST/disks /var/lib/LST/catalog /var/lib/LST/conflicts /var/lib/LST/saved /var/lib/LST/replaced /var/lib/LST/deleted /var/lib/games /var/local /var/lock/subsys/inet /var/lock/subsys/ipx /var/lock/subsys/syslog /var/lock/subsys/amd /var/lock/subsys/cron /var/lock/subsys/atd /var/lock/subsys/mta /var/lock/subsys/rstatd /var/lock/subsys/httpd /var/log/httpd/apache/access_log /var/log/xferlog /var/log/uucp /var/log/secure /var/log/spooler /var/named /var/nis /var/preserve /var/run/xlaunch /var/tmp . . . /proc/net/snmp /proc/net/raw /proc/net/igmp /proc/net/arp /proc/net/unix /proc/cpuinfo /proc/pci /proc/version /proc/kmsg /proc/meminfo /proc/uptime /proc/loadavg /proc/mdstat /etc/modules/options /etc/motd /etc/exports /etc/ppp/options /tmp/LST /tmp/.XF86Setup235/f51cb27-315ae55/ServerOut-2 /tmp/.XF86Setup246/13617839-11c71c71/ServerOut-2 /tmp/.XF86Setup262/1f2cc0a9-aea314d/ServerOut-2 /tmp/.XF86Setup288/17963ff7-21ca966f/ServerOut-2 /tmp/fsslog /mnt/floppy /mnt/cdrom /usr/doc/html/woven/LDP/install-guide-2.2.2.html/images.idx /usr/lib/games /usr/lib/groff/tmac/mm/locale /usr/lib/groff/tmac/mm/se_locale /usr/lib/kbd/keytables/patch_tables.orig /usr/lib/perl5/i386-linux/5.003/auto/GDBM_File/GDBM_File.bs /usr/lib/perl5/i386-linux/5.003/auto/DB_File/DB_File.bs /usr/lib/perl5/i386-linux/5.003/auto/Fcntl/Fcntl.bs /usr/lib/perl5/i386-linux/5.003/auto/FileHandle/FileHandle.bs /usr/lib/perl5/i386-linux/5.003/auto/NDBM_File/NDBM_File.bs /usr/lib/perl5/i386-linux/5.003/auto/POSIX/POSIX.bs /usr/lib/perl5/i386-linux/5.003/auto/SDBM_File/SDBM_File.bs /usr/lib/perl5/i386-linux/5.003/auto/Safe/Safe.bs /usr/lib/perl5/i386-linux/5.003/auto/Socket/Socket.bs /usr/lib/perl5/i386-linux/5.003/auto/Text/ParseWords /usr/lib/perl5/site_perl/i386-linux /usr/lib/linuxdoc-sgml/null.sty /usr/etc /usr/include/g++ /usr/include/netax25 /usr/include/netipx /usr/include/readline /usr/local/bin /usr/local/doc /usr/local/etc /usr/local/games /usr/local/info /usr/local/lib /usr/local/man/man1 /usr/local/man/man2 /usr/local/man/man3 /usr/local/man/man4 /usr/local/man/man5 /usr/local/man/man6 /usr/local/man/man7 /usr/local/man/man8 /usr/local/man/man9 /usr/local/man/mann /usr/local/sbin /usr/local/src /usr/man/man9 /usr/man/mann /usr/src/linux-2.0.29/include/linux/modules /usr/src/linux-2.0.29/modules /usr/src/redhat/BUILD /usr/src/redhat/RPMS/i386 /usr/src/redhat/SOURCES /usr/src/redhat/SPECS /usr/src/redhat/SRPMS /usr/X11R6/doc /usr/X11R6/lib/X11/x11perfcomp /usr/visix/fss/En_US.8859 /usr/visix/vls/En_US.8859 /usr/openwin/share/src/xview /auto /initrd /home/httpd/icons /home/ftp/lib /home/ftp/pub /opt/bin /opt/man /root/lg/lg3_hosts /amd/nycald1/auto/.vTRASH # # ll /auto total 0
All the files and directories listed as a result of this find operation are empty. The long listing of /auto shown as part of the example, confirms this fact. Keep in mind that -empty is not available on all UNIX variants.
Let's perform a couple of independent finds and then combine the criteria of the finds. The finds in the following example are performed on a small, desktop system. This allows me to search the entire system for files meeting various criteria. You may be working on a much larger, more elaborate system, so use caution when searching the entire system for files. You may slow down other users for a long period of time, depending on the number of files on the system both locally and accessible over the network.
First, let's find for all files on the system ending in.c with the command below:
# find / -name *.c -print /usr/X11R6/include/X11/Xaw/Template.c /usr/X11R6/include/Xaw3d/Template.c /usr/X11R6/lib/X11/etc/et4000clock.c /usr/doc/glibc-2.1.1/examples.threads/ex1.c /usr/doc/glibc-2.1.1/examples.threads/ex2.c /usr/doc/glibc-2.1.1/examples.threads/ex3.c /usr/doc/glibc-2.1.1/examples.threads/ex4.c /usr/doc/glibc-2.1.1/examples.threads/ex5.c /usr/doc/glibc-2.1.1/examples.threads/ex6.c . . . /usr/doc/bind-8.2/notes/db_names.c /usr/doc/libpng-1.0.3/example.c /usr/doc/FAQ/html/clone.c /usr/doc/gnome-libs-devel/devel-docs/gnomeui/gnomeui-scan.c #
You can see from this find that there are many files on the system ending in.c. I included only the beginning and end of this search because the entire output would be too long.
I also ran this command and piped the output to wc, which showed 1737 files on the system ending in.c, as shown in the following example:
# find / -name *.c | wc 1737 1737 77044 #
Now we can search for all files on the system greater than 500,000 characters in size with the find command below:
# find / -size +500000c -print /dev/core /etc/X11/core /var/lib/rpm/packages.rpm /var/lib/rpm/fileindex.rpm /var/lib/dosemu/hdimage.freedos /var/lib/slocate/slocate.db /var/lock/samba/SHARE_MEM_FILE /proc/kcore /home/ftp/lib/libc-2.1.1.so /home/test/linux1.xwd /lib/libc-2.1.1.so /lib/libdb-2.1.1.so /lib/libm-2.1.1.so /root/core . . . /usr/share/gnome/help/users-guide/C/figs/full.gif /usr/share/emacs/20.3/etc/DOC-20.3.1 /usr/share/emacs/20.3/leim/quail/ZIRANMA.el /usr/share/emacs/20.3/leim/quail/ZIRANMA.elc /usr/share/emacs/20.3/leim/skk/skkdic.el /usr/share/emacs/20.3/leim/skk/skkdic.elc /usr/share/emacs/20.3/lisp/loaddefs.el /usr/share/sounds/card_shuffle.wav /usr/share/sounds/startup2.wav /usr/share/guavac/classes.zip
I only included the beginning and end of this listing as well since there were many files of size greater than 500,000 characters on the system.
I also ran this command and piped the output to wc, which showed 215 files on the system with a size greater than 500,000 characters, as shown in the following example:
# find / -size +500000c -print | wc 215 215 6281 #
Let's now combine the two commands and see how many of the files on the system ending in.c are also greater than 500,000 characters in size:
# find / -name *.c -size +500000c -print /usr/src/drivers/scsi/advansys.c #
Of the 1737 files on the system ending in.c and the 215 files greater than 500,000 characters in size, only one file, advansys.c, meets both criteria. There is an implied and in the previous find command. We could have explicitly specified an and; however, it is implied in the find command. The find did indeed result in files that end in.c and are greater than 500,000 characters. The upcoming find uses the or operator, which is not implied.
What if we wanted to find both files ending in.c and.o that are greater than 500000 characters in size? We could use the -o operator which would "or" the files ending in.c and.o. The following example shows this find operation:
find / -size +500000c \( -name *.c -o -name *.a \) -print find / -size +500000c \( -name *.c -o -name *.a \) -print | wc # find / -size +500000c \( -name *.c -o -name *.a \) -print /usr/X11R6/lib/libMagick.a /usr/X11R6/lib/libX11.a /usr/lib/bind/lib/libbind.a /usr/lib/bind/lib/libbind_r.a /usr/lib/libbfd.a /usr/lib/libBLT.a /usr/lib/libstdc++-2-libc6.1-1-2.9.0.a /usr/lib/libc.a . . . /usr/lib/libinn.a /usr/lib/libtiff.a /usr/lib/liblinuxconf.a /usr/lib/libform_g.a /usr/lib/libncurses_g.a /usr/lib/python1.5/config/libpython1.5.a /usr/lib/libpisock.a /usr/lib/libcustoms.a /usr/lib/libqt.a /usr/lib/libst.a /usr/src/drivers/scsi/advansys.c #
The two file extensions for which we are searching are placed in parentheses. A backslash is required before the open and close parentheses because the parentheses have meaning to the shell and we want them to be used only to specify the precedence in our find command and not to be used by the shell. The result of this find shows that many files ending in.a and.c meet the criteria of greater than 500,000 characters.
Let's now pipe the output of this commnd to wc to see precisely the number of files ending in either.c or.o and have a size greater than 500,000 characters:
# find / -size +500000c \( -name *.c -o -name *.a \) -print | wc 39 39 982 #
Of the 39 files that meet the criteria, we know that 38 ended in.a because our earlier example showed that only one file ending in.c met the criteria.
You can find objects on the system owned by particular users and groups. To find all of the objects owned by user "news" on the system, we would use the following command:
# find / -user news -print /etc/rc.d/rc.news /etc/news /etc/news/cleanfeed.conf /etc/news/actsync.cfg /etc/news/actsync.ign /etc/news/control.ctl /etc/news/cycbuff.conf /etc/news/distrib.pats /etc/news/expire.ctl /etc/news/incoming.conf /etc/news/inn.conf /etc/news/innfeed.conf /etc/news/innreport.conf /etc/news/innwatch.ctl /etc/news/moderators /etc/news/motd.news /etc/news/news2mail.cf /etc/news/newsfeeds /etc/news/nnrp.access /etc/news/nnrpd.track /etc/news/nntpsend.ctl /etc/news/overview.ctl /etc/news/overview.fmt /etc/news/passwd.nntp /etc/news/storage.conf . . . /usr/man/man8/tally.control.8 /usr/man/man8/tally.unwanted.8 /usr/man/man8/writelog.8
Using the -user operator we can specify either the name of the user, in this case "news", or the user identification number. The following example shows performing the same find operation using the user identification number of "news," in this case "9," instead of the name "news":
# find / -user 9 -print /etc/rc.d/rc.news /etc/news /etc/news/cleanfeed.conf /etc/news/actsync.cfg /etc/news/actsync.ign /etc/news/control.ctl /etc/news/cycbuff.conf /etc/news/distrib.pats /etc/news/expire.ctl /etc/news/incoming.conf /etc/news/inn.conf /etc/news/innfeed.conf /etc/news/innreport.conf /etc/news/innwatch.ctl /etc/news/moderators /etc/news/motd.news /etc/news/news2mail.cf /etc/news/newsfeeds /etc/news/nnrp.access /etc/news/nnrpd.track /etc/news/nntpsend.ctl /etc/news/overview.ctl /etc/news/overview.fmt /etc/news/passwd.nntp /etc/news/storage.conf . . . /usr/man/man8/tally.control.8 /usr/man/man8/tally.unwanted.8 /usr/man/man8/writelog.8
This find operation produced exactly the same results using the name "news" and the user idenfication number "9."
You can search for a variety of different types such as f for a file, as shown in the example, b for a block special file, l for a symbolic link, and so on. We could add type -d to find only directories belonging "news" as in the following command:
# find / -user news -type d -perm 775 -print /etc/news /var/lib/news /var/log/news /var/log/news/OLD /var/spool/news /var/spool/news/archive /var/spool/news/articles /var/spool/news/incoming /var/spool/news/incoming/bad /var/spool/news/innfeed /var/spool/news/outgoing /var/spool/news/overview /var/spool/news/uniover /var/spool/slrnpull /usr/bin/auth /usr/bin/control /usr/bin/filter /usr/bin/rnews.libexec
This is another example of using the implied and of find meaning that the find will print items that are both owned by "news" and are directories only.
Let's now add a specific permission for the directories to our implied and. We'll find only objects belonging to "news" that are directories with a permission of 775 in the following example:
# find / -user news -type d -perm 775 -print /etc/news /var/lib/news /var/log/news /var/log/news/OLD /var/spool/news /var/spool/news/archive /var/spool/news/articles /var/spool/news/incoming /var/spool/news/incoming/bad /var/spool/news/innfeed /var/spool/news/outgoing /var/spool/news/overview /var/spool/news/uniover /var/spool/slrnpull /usr/bin/auth /usr/bin/control /usr/bin/filter /usr/bin/rnews.libexec
We searched for directories belonging to "news" in which both the owner and those in the group have read-write-execute permission, and others have read-execute access. This is a common type of find operation for system administrators to perform - looking for files and directories belonging to a specific user and having specific permissions.
We all have old files on our systems and in our home directories that have not been accessed in a long time. To find files in a home directory that have not been accessed in the last 200 days, you would issue the following command:
# find . -atime +200 -print ./hp/.Xdefaults ./hp/.bash_logout ./hp/.bash_profile ./hp/.bashrc ./hp/.kde/share/apps/kfm/desktop ./hp/.kde/share/config/desktop0rc ./hp/.kde/share/config/kcmdisplayrc ./hp/.kde/share/config/kfmrc ./hp/.kde/share/config/kpanelrc ./hp/.kde/share/config/kvtrc ./hp/.kderc ./hp/Desktop/.directory ./hp/Desktop/Printer.kdelnk ./hp/Desktop/Templates/Device.kdelnk ./hp/Desktop/Templates/Ftpurl.kdelnk ./hp/Desktop/Templates/MimeType.kdelnk ./hp/Desktop/Templates/Program.kdelnk ./hp/Desktop/Templates/URL.kdelnk ./hp/Desktop/Templates/WWWUrl.kdelnk ./hp/Desktop/cdrom.kdelnk ./hp/Desktop/floppy.kdelnk ./hp/.screenrc ./hp/.bash_history ./test/.Xdefaults ./test/.bash_logout ./test/.bash_profile ./test/.bashrc ./test/.kde/share/apps/kfm/desktop ./test/.kde/share/config/desktop0rc ./test/.kde/share/config/kcmdisplayrc ./test/.kde/share/config/kfmrc ./test/.kde/share/config/kpanelrc ./test/.kde/share/config/kvtrc ./test/.kderc ./test/Desktop/.directory ./test/Desktop/Printer.kdelnk ./test/Desktop/Templates/Device.kdelnk ./test/Desktop/Templates/Ftpurl.kdelnk ./test/Desktop/Templates/MimeType.kdelnk ./test/Desktop/Templates/Program.kdelnk ./test/Desktop/Templates/URL.kdelnk ./test/Desktop/Templates/WWWUrl.kdelnk ./test/Desktop/cdrom.kdelnk ./test/Desktop/floppy.kdelnk ./test/.screenrc ./test/linux1.xwd ./test/.bash_history #
Several files were produced as a result of this search. I could run the same command and add to it an ls -l command so I could look at additional information on the file with the following command:
# find . -atime +200 -exec ls -l {} \; -rw-r--r-- 1 hp hp 1422 Aug 28 ./hp/.Xdefaults -rw-r--r-- 1 hp hp 24 Aug 28 ./hp/.bash_logout -rw-r--r-- 1 hp hp 230 Aug 28 ./hp/.bash_profile -rw-r--r-- 1 hp hp 124 Aug 28 ./hp/.bashrc -rw-r--r-- 1 hp hp 260 Aug 28 ./hp/.kde/share/apps/kfm/desktop -rw-r--r-- 1 hp hp 234 Aug 28 ./hp/.kde/share/config/desktop0rc -rw-r--r-- 1 hp hp 49 Aug 28 ./hp/.kde/share/config/kcmdisplayrc -rw-r--r-- 1 hp hp 95 Aug 28 ./hp/.kde/share/config/kfmrc -rw-r--r-- 1 hp hp 456 Aug 28 ./hp/.kde/share/config/kpanelrc -rw-r--r-- 1 hp hp 255 Aug 28 ./hp/.kde/share/config/kvtrc -rw-r--r-- 1 hp hp 966 Aug 28 ./hp/.kderc -rw-r--r-- 1 hp hp 85 Aug 28 ./hp/Desktop/.directory -rw-r--r-- 1 hp hp 222 Aug 28 ./hp/Desktop/Printer.kdelnk -rw-r--r-- 1 hp hp 607 Aug 28 ./hp/Desktop/Templates/Device.kdelnk -rw-r--r-- 1 hp hp 296 Aug 28 ./hp/Desktop/Templates/Ftpurl.kdelnk -rw-r--r-- 1 hp hp 324 Aug 28 ./hp/Desktop/Templates/MimeType.kdelnk -rw-r--r-- 1 hp hp 170 Aug 28 ./hp/Desktop/Templates/Program.kdelnk -rw-r--r-- 1 hp hp 411 Aug 28 ./hp/Desktop/Templates/URL.kdelnk -rw-r--r-- 1 hp hp 458 Aug 28 ./hp/Desktop/Templates/WWWUrl.kdelnk -rw-r--r-- 1 hp hp 376 Aug 28 ./hp/Desktop/cdrom.kdelnk -rw-r--r-- 1 hp hp 378 Aug 28 ./hp/Desktop/floppy.kdelnk -rw-rw-r-- 1 hp hp 3505 Aug 28 ./hp/.screenrc -rw------- 1 hp hp 34 Aug 28 ./hp/.bash_history -rw-r--r-- 1 test test 1422 Aug 28 ./test/.Xdefaults -rw-r--r-- 1 test test 24 Aug 28 ./test/.bash_logout -rw-r--r-- 1 test test 230 Aug 28 ./test/.bash_profile -rw-r--r-- 1 test test 124 Aug 28 ./test/.bashrc -rw-r--r-- 1 test test 260 Aug 28 ./test/.kde/share/apps/kfm/desktop -rw-r--r-- 1 test test 234 Aug 28 ./test/.kde/share/config/desktop0rc -rw-r--r-- 1 test test 49 Aug 28 ./test/.kde/share/config/kcmdisplayrc -rw-r--r-- 1 test test 95 Aug 28 ./test/.kde/share/config/kfmrc -rw-r--r-- 1 test test 456 Aug 28 ./test/.kde/share/config/kpanelrc -rw-r--r-- 1 test test 255 Aug 28 ./test/.kde/share/config/kvtrc -rw-r--r-- 1 test test 966 Aug 28 ./test/.kderc -rw-r--r-- 1 test test 85 Aug 28 ./test/Desktop/.directory -rw-r--r-- 1 test test 222 Aug 28 ./test/Desktop/Printer.kdelnk -rw-r--r-- 1 test test 607 Aug 28 ./test/Desktop/Templates/Device.kdelnk -rw-r--r-- 1 test test 296 Aug 28 ./test/Desktop/Templates/Ftpurl.kdelnk -rw-r--r-- 1 test test 324 Aug 28 ./test/Desktop/Templates/MimeType.kdelnk -rw-r--r-- 1 test test 170 Aug 28 ./test/Desktop/Templates/Program.kdelnk -rw-r--r-- 1 test test 411 Aug 28 ./test/Desktop/Templates/URL.kdelnk -rw-r--r-- 1 test test 458 Aug 28 ./test/Desktop/Templates/WWWUrl.kdelnk -rw-r--r-- 1 test test 376 Aug 28 ./test/Desktop/cdrom.kdelnk -rw-r--r-- 1 test test 378 Aug 28 ./test/Desktop/floppy.kdelnk -rw-rw-r-- 1 test test 3505 Aug 28 ./test/.screenrc -rwxrwxrwx 1 root root 614955 Aug 28 ./test/linux1.xwd -rw------- 1 test test 13 Aug 28 ./test/.bash_history #
This command produces the same output as the previous example and puts the output of find in the place where the curly brackets appear. The ls -l will use the file name produced by find, whichis inside the curly brackets, as an argument. You follow the command with a semicolon so that the shell knows where the command ends, and you must use the backslash as an escape for the semicolon so the find command recognizes the semicolon.
This chapter contained many examples of common find operations. There are many addtional find operators that were not covered. The following is a summary of some of the more commonly used operators of find. There is also a manual page at the end of this chapter describing find in more detail. Depending on the UNIX variant you are using, the -print option may or may not be needed.
find - Search for files.
Commonly used operators or options:
-atime n
Find files that were accessed n days ago. +n finds files accessed greater than n days ago and -n will find files accessed fewer than n days ago.
-ctime n
Find files in which the inode was modified n days ago. +n finds files in which the inode was modified greater than n days ago and -n will find files in which the inode modified fewer than n days ago.
-exec command
Execute command.
-group name
Find files belonging to the given group name where name can also be the group ID number.
-mount
Do not descend directories on other file systems (not available on all UNIX variants.)
-mtime n
Find files that were modified n days ago. +n finds files modified greater than n days ago and -n will find files modified fewer than n days ago.
-newer file
File was modified more recently than file.
-name pattern
Look for file name of pattern.
-ok command
Check to see if it is okay to execute command before doing so. This is similar to -exec except that you are prompted for permission.
-perm mode
Find files with the specified access mode. You would supply the access mode in octal.
Print the current file name to standard output.
-type t
File has a type of t, such as d for directory and f for file.
-size n
Find files with a size of n blocks. A block is usually 512 bytes. Using +n will find files greater than n blocks, nc will find files n characters in size and +nc will find files greater than n characters in size.
-user uname
File is owned by uname.
Multiple Criteria:
-a to and two operators (operator1 -a operator2)
-o to or two operators (operator1 -o operator2)
! to specify the operator not be matched (!operator)
\( expression )\ to specify that this expression be evaluated before others to specify preference.
The following is the HP-UX manual page for the find command. Commands often differ among UNIX variants, so you may find differences in the options or other areas for this command; however, the following manual pages serve as an excellent reference.
find - Find the files on system by recursively searching through the hierarchy.
find(1) find(1) NAME find - find files SYNOPSIS find pathname_list [expression] DESCRIPTION The find command recursively descends the directory hierarchy for each path name in pathname_list (that is, one or more path names) seeking files that match a Boolean expression written in the primaries given below. By default, find does not follow symbolic links. The Boolean expression is evaluated using short-circuit evaluation. This means that whenever the result of a Boolean operation (AND or OR) is known from evaluating the left-hand argument, the right-hand argument is not evaluated. In the descriptions of the primaries, the argument n represents a decimal integer; +n means more than n, -n means less than n, and n means exactly n. The following primaries are recognized: -depth A position-independent term which causes descent of the directory hierarchy to be done so that all entries in a directory are acted on before the directory itself. This can be useful when find is used with cpio(1) to transfer files that are contained in directories without write permission. It is also useful when using cpio(1) and the modification dates of directories must be preserved. Always true. -follow A position-independent term which causes find to follow symbolic links. Always true. -fsonly FStype A position-independent term which causes find to stop descending any directory whose file system is not of the type specified by FStype, where FStype is one of cdfs, hfs, or nfs, representing the CDFS, HFS, or NFS file system type, respectively. In this context, mount points inherit the FStype of their parent directory. This means that when -fsonly hfs has been specified and find encounters an NFS mount point that is mounted on an HFS file system, the mount point will be visited but entries below that mount point will not. It is important to note that when -fsonly nfs has been specified, any HFS file systems that are beneath the mount point of an NFS file system are not traversed. Always true. -xdev A position-independent term that causes find to avoid crossing any file system mount points that exist below starting points enumerated in pathname_list. The mount point itself is visited, but entries below the mount point are not. Always true. -mountstop Identical to -xdev. This primary is provided for backward compatibility only. -xdev is preferred over -mountstop. -name file True if file matches the last component of the current file name. The matching is performed according to Pattern Matching Notation (see regexp(5)). -path file Same as -name except the full path (as would be output by -print) is used instead of just the base name. Note that / characters are not treated as a special case. For example, */.profile matches ./home/fred/.profile. -perm [-]mode In this primary, the argument mode is used to represent file mode bits. The argument is identical in format to the mode operand as described in chmod(1), with the exception that the first character must not be the - operator. When using the symbolic form of mode, the starting template is assumed to have all file mode bits cleared. If the leading minus is omitted, this primary is true when the file permission bits exactly match the value of mode. Bits associated with the symbolic attributes s (set-user-ID, set-group-ID) and t (sticky bit) are ignored when the minus is omitted. If mode is preceded by a minus, this primary is true if all of the bits that are set in mode are also set in the file permission bits. In this case, the bits associated with the symbolic attributes s and t are significant. -fstype FStype True if the file system to which the file belongs is of type FStype, where FStype is one of cdfs, hfs, or nfs, corresponding to the CDFS, HFS, or NFS file system type, respectively. -type c True if the type of the file is c, where c is one of: f Regular file d Directory b Block special file c Character special file p FIFO (named pipe) l Symbolic link s Socket n Network special file M Mount point -links n True if the file has n links. -user uname True if the file belongs to the user uname. If uname is numeric and does not appear as a login name in the /etc/passwd file, it is taken as a user ID. The uname operand can be preceded by a + or - to modify the comparison operation as described previously. -group gname True if the file belongs to the group gname. If gname is numeric and does not appear in the /etc/group file, it is taken as a group ID. The gname operand can be preceded by a + or - to modify the comparison operation as described previously. -nouser True if the file belongs to a user ID that is not listed in the password database. See passwd(4). -nogroup True if the file belongs to a group ID that is not listed in the group database. See group(4). -size n[c] True if the file is n blocks long. If n is followed by a c, the size is in bytes. -atime n True if the file has been accessed in n days. The access time of directories in pathname_list is changed by find itself. -mtime n True if the file has been modified in n days. -ctime n True if the file inode has been changed in n days. -newer file True if the current file has been modified more recently than the argument file. -newer[tv1[tv2]] file True if the indicated time value (tv1) of the current file is newer than the indicated time value (tv2) of file. The time values tv1 and tv2 are each selected from the set of characters: a The time the file was last accessed c The time the inode of the file was last modified m The time the file was last modified If the tv2 character is omitted, it defaults to m. Note that the -newer option is equivalent to -newermm. Syntax examples; -newera file -newermc file -inum n True if the file serial number (inode number) is n. Note that file serial numbers are unique only within a given file system. Therefore, matching file serial numbers does not guarantee that the referenced files are the same unless you restrict the search to a single file system. -linkedto path True if the file is the same physical file as the file specified by path (i.e., linked to path). This primary is similar to -inum, but correctly detects when a file is hard-linked to path, even when multiple file systems are searched. -print Causes the current path name to be printed. Always true. -exec cmd True if the executed cmd returns a zero value as exit status. The end of cmd must be punctuated by a semicolon (semicolon is special to the shell and must be escaped). Any command argument {} is replaced by the current path name. -ok cmd Same as -exec except that the generated command line is printed with a question mark first, and is executed only if the user responds by typing y. -cpio device Write the current file on device in cpio(4) format (517-byte records). The use of -cpio implies -depth. Always true. -ncpio Same as -cpio but adds the -c option to cpio. The use of -ncpio implies -depth. Always true. -prune If the current entry is a directory, cause find to skip that directory. This can be useful to avoid walking certain directories, or to avoid recursive loops when using cpio -p. Note, however, that -prune is useless if the -depth option has also been given. See the description of -only and the EXAMPLES section, below, for more information. Always true. -only This is a positive-logic version of -prune. A -prune is performed after every directory, unless -only is successfully evaluated for that directory. As an example, the following three commands are equivalent: find . -fsonly hfs -print find . -print -fstype hfs -only find . -print ! -fstype hfs -prune Note, however, that -only is useless if the -depth option has also been given. Always true. ( expression ) True if the parenthesized expression is true. The spaces are required. Parentheses are special to the shell and must be escaped, as in \( and \). Primaries can be combined by using the following operators (in order of decreasing precedence): ! expression Logical NOT operator. True if expression is not true. expression [-a] expression Logical AND operator. True if both of the expressions are true. expression -o expression Logical OR operator. True if either or both of the expressions are true. If expression is omitted, or if none of -print, -ok, -exec, -cpio, or -ncpio is specified, -print is assumed. Access Control Lists The -acl primary enables the user to search for access control list entries. It is true if the file's access control list matches an access control list pattern or contains optional access control list entries (see acl(5)). It has three forms: -acl aclpatt Match all files whose access control list includes all (zero or more) pattern entries specified by the aclpatt pattern. -acl =aclpatt Match a file only if its access control list includes all (zero or more) pattern entries specified by the aclpatt pattern, and every entry in its access control list is matched by at least one pattern entry specified in the aclpatt pattern. -acl opt Match all files containing optional access control list entries. The aclpatt string can be given as an operator or short form pattern; see acl(5). By default, -acl is true for files whose access control lists include all the (zero or more) access control list patterns in aclpatt. A file's access control list can also contain unmatched entries. If aclpatt begins with =, the remainder of the string must match all entries in a file's access control list. The aclpatt string (by default, or the part following =) can be either an access control list or an access control list pattern. However, if it is an access control list, aclpatt must include at least the three base entries ((user.%, mode), (%.group, mode), and (%.%, mode)). As a special case, if aclpatt is the word opt, the primary is true for files with access control list entries. EXTERNAL INFLUENCES Environment Variables If an internationalization variable is not specified or is null, it defaults to the value of LANG. If LANG is not specified or is null, it defaults to C (see lang(5)). If LC_ALL is set to a nonempty string value, it overrides the values of all the other internationalization variables. If any internationalization variable contains an invalid setting, all internationalization variables default to C (see environ(5)). LC_CTYPE determines the interpretation of text as single and/or multibyte characters, the classification of characters as printable, and the characters matched by character class expressions in regular expressions. LC_MESSAGES determines the locale that should be used to affect the format and contents of diagnostic messages written to standard error and informative messages written to standard output. NLSPATH determines the location of message catalogues for the processing of LC_MESSAGES. International Code Set Support Single- and multibyte character code sets are supported. EXAMPLES Search the two directories /example and /new/example for files containing the string Where are you and print the names of the files: find /example /new/example -exec grep -l 'Where are you' {} \; Remove all files named a.out or *.o that have not been accessed for a week: find / \( -name a.out -o -name '*.o' \) -atime +7 -exec rm {} \; Note that the spaces delimiting the escaped parentheses are required. Print the names of all files on this machine. Avoid walking nfs directories while still printing the nfs mount points: find / -fsonly hfs -print Copy the entire file system to a disk mounted on /Disk, avoiding the recursive copy problem. Both commands are equivalent (note the use of -path instead of -name): cd /; find . ! -path ./Disk -only -print | cpio -pdxm /Disk cd /; find . -path ./Disk -prune -o -print | cpio -pdxm /Disk Copy the root disk to a disk mounted on /Disk, skipping all mounted file systems below /. Note that -xdev does not cause / to be skipped, even though it is a mount point. This is because / is the starting point and -xdev only affects entries below starting points. cd /; find . -xdev -print | cpio -pdm /Disk Change permissions on all regular files in a directory subtree to mode 444, and permissions on all directories to 555: find <pathname> -type f -print | xargs chmod 444 find <pathname> -type d -print | xargs chmod 555 Note that output from find was piped to xargs(1) instead of using the -exec primary. This is because when a large number of files or directories is to be processed by a single command, the -exec primary spawns a separate process for each file or directory, whereas xargs collects file names or directory names into multiple arguments to a single chmod command, resulting in fewer processes and greater system efficiency. Access Control List Examples Find all files not owned by user karl that have access control lists with at least one entry associated with karl, and one entry for no specific user in group bin with the read bit on and the write bit off: find / ! -user karl -acl 'karl.*, %.bin+r-w' -print Find all files that have a read bit set in any access control list entry: find / -acl '*.*+r' -print Find all files that have the write bit unset and execute bit set in every access control list entry: find / -acl '=*.*-w+x' -print Find all files that have optional access control list entries: find / -acl opt -print DEPENDENCIES NFS The -acl primary is always false for NFS files. WARNINGS Because of interoperability goals, cpio does not support archiving files larger than 2GB or files that have user/group IDs larger than 60,000 (60K). Files with user/group IDs greater than 60K are archived and restored under the user/group ID of the current process. AUTHOR find was developed by AT&T and HP. FILES /etc/group Group names /etc/mnttab Mount points /etc/passwd User names SEE ALSO chacl(1), chmod(1), cpio(1), sh(1), test(1), xargs(1), mknod(2), stat(2), cpio(4), fs(4), group(4), passwd(4), acl(5), environ(5), lang(5), regexp(5). STANDARDS CONFORMANCE find: SVID2, SVID3, XPG2, XPG3, XPG4, POSIX.2
CONTENTS |