A selection of Linux commands useful for finding files.
find
find requires a starting point (current working directory as default) and a pattern to match.
find -name Document
#searches the current directory (and sub directories) for a file/directory called Document
#This is EXACT. A directory called Documents WILL NOT be returned.
find . -name 'Doc*'
#searches current directory (and sub directories) for files/directories starting with Doc
#note that the pattern is enclosed in '' so the shell passes the glob * to find unexpanded, allowing find to interpret it
#find may throw a number of errors as it tries to access directories the user does not have permissions for
find . -name 'Doc*' 2>/dev/null
#directs all errors to /dev/null resulting in a tidier return
-iname DOCUMENTS #case insensitive
-mtime -3 #files modified less than three days ago
-mmin -10 #files modified less than 10 minutes ago
-size +1M #files larger than 1 megabyte
-user mrnoobot #files owned by user mrnoobot
-nouser #files whose owner ID does not match any user on the system
-empty #empty files and directories
-type d #files of type d (ie directories)
-maxdepth 1 #one level of recursion (do not enter sub directories); a global option, so place it before the tests
find . -maxdepth 1 -name 'Doc*' -a -user mrnoobot 2>/dev/null
#find all files in current directory starting with Doc that are also owned by mrnoobot
#the -a acts as a logical AND
find . -maxdepth 1 -name 'Doc*' -o -user mrnoobot 2>/dev/null
#find all files in current directory starting with Doc OR those which are owned by mrnoobot (OR both)
#the -o acts as a logical OR operator
find . -maxdepth 1 -name 'Doc*' -o \( -user mrnoobot -a -size +1M \)
#find all files in current directory starting with Doc OR files which are both owned by mrnoobot AND are greater in size than 1 Megabyte
#the \( \) are used to group logical operations, with the preceding \ escaping each parenthesis from the shell
#each parenthesis must be its own argument, so keep the spaces around \( and \)
find . -maxdepth 1 -name 'Doc*' -exec ls -l {} \;
#find all files in the current directory starting with Doc then execute the "long list" command (ls -l) on JUST THOSE files.
#{} is used to represent each individual result of find
#; marks the end of the command that -exec runs
#\ is used to escape the semicolon so the shell passes it through to find
find . -maxdepth 1 -name 'Doc*' -ok rm {} \;
#find all files in current directory starting with Doc then ask if I want to execute the remove command (rm) on each of those files ONLY.
find . -newer noobfile
#find all files created/modified more recently than noobfile
#can be useful when using the touch command to create a file with a specific timestamp and then using it as a reference.
types
b #block (disks/storage)
c #character (keyboard/mouse)
d #directory
p #pipes
f #normal file
s #socket
find -inum INODE
#find file by inode number
find / -type f -perm -4000 2>/dev/null | less
find / -type f -perm -2000 2>/dev/null | less
#find files with setuid/setgid set
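find / \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null | less
#find all files/folders with either setuid/setgid set
#the \( \) are required: without them -ls binds only to the second test, so setuid-only matches are not listed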
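The setuid/setgid search above is most useful when compared against a known-good baseline. The following is an added example, not part of the original notes: it records the current setuid/setgid files and reports any that appear later. The function names and the demo file names are made up for illustration.

```shell
#!/bin/sh
# Added example: baseline-and-compare audit for setuid/setgid files.

# Print every regular file under $1 with setuid OR setgid set, sorted.
# \( ... \) groups the two -perm tests so the OR is evaluated as one unit;
# -xdev keeps find on the starting filesystem.
suid_scan() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print paths present in the current scan ($2) but not in the baseline ($1).
suid_new() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Constructed demonstration in a throwaway directory (all names are made up).
suid_demo() (
    d=$(mktemp -d) || exit 1
    cd "$d" || exit 1
    mkdir bin
    : > bin/known-suid; chmod 4755 bin/known-suid   # expected, in baseline
    : > bin/plain;      chmod 0755 bin/plain        # no special bits yet
    suid_scan . > baseline.txt
    : > bin/sgid-tool;  chmod 2755 bin/sgid-tool    # new setgid file
    chmod 4755 bin/plain                            # existing file gains setuid
    suid_scan . > current.txt
    new=$(suid_new baseline.txt current.txt)
    cd / && rm -rf "$d"
    printf '%s\n' "$new"
)

suid_demo
```

On a real system, run suid_scan / as root once to create the baseline, store it somewhere read-only, and compare later scans against it.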
locate
locate searches a database of file locations on the system. It is fast but may be out of date. The database can be updated prior to searching using the updatedb command. Only returns results to which the user has access.
locate noob
#display files and directories containing the string 'noob'
#this is CASE SENSITIVE
-i #sets results to CASE INSENSITIVE
-r #use regular expression (Regex) to pattern match
type
type can be used to display information about commands or aliases
type cat
#will display location of the cat command
type -a echo
#will display every form of the command, including a shell built in (eg echo) and any executable files of the same name
type echo cat sudo
#displays information on multiple commands
type -t echo cat sudo
#displays short hand command type eg 'builtin' 'file'
updatedb
updatedb updates the database of all files found on the computer. It may take time to perform this operation. Running this command prior to the locate command will provide the latest results. updatedb will run itself automatically according to a defined schedule, typically every day. The command should be run with administrative privilege.
sudo updatedb
whereis
whereis searches the PATH variable to locate a command, returning the location of the command itself, the man page and the info page in that order.
whereis cat
#displays the location of the cat binary, manual and info page (if present)
whereis -b cat
#displays location of binary only
whereis -m cat
#displays location of man page only
whereis -s cat
#displays location of source code for cat (if present)
whereis -m -u *
#displays list of all files in the current directory that DO NOT have a manual - the -u is used to check for null
-B -M -S are used as per their lower case counterparts BUT a path and a search pattern must be specified eg
whereis -B /home/mrnoobot -f noobbin
#searches for BINARY called noobbin in the /home/mrnoobot directory
which
which identifies the file being executed when a specific command is being run, in the case of duplicates
which bash
#identifies which binary is used by default when bash is run
which -a bash
#identifies all executables called bash - may be useful to identify malware masquerading as a specific command
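The duplicate check that which -a performs can be extended to show which copy actually wins the PATH lookup and whether any copy sits in a directory that every user can write to. This is an added example, not part of the original notes; the function name path_audit and its output columns are made up for illustration.

```shell
#!/bin/sh
# Added example: show every executable named $1 on PATH, in lookup order.
# Output columns: path, "runs" or "shadowed", and the directory's write status.
path_audit() {
    cmd=$1
    seen=0
    old_ifs=$IFS
    IFS=:          # split PATH on colons
    set -f         # no glob expansion while splitting
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.          # empty PATH entry = current directory
        if [ ! -f "$dir/$cmd" ] || [ ! -x "$dir/$cmd" ]; then
            continue
        fi
        seen=$((seen + 1))
        # The first match is what a PATH lookup resolves to; later ones are shadowed.
        if [ "$seen" -eq 1 ]; then status=runs; else status=shadowed; fi
        # -perm -0002 matches when the directory itself is world-writable.
        # -H follows a symlinked directory (eg /bin) instead of testing the link.
        if [ -n "$(find -H "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            dirperm=world-writable-dir
        else
            dirperm=ok
        fi
        printf '%s %s %s\n' "$dir/$cmd" "$status" "$dirperm"
    done
    set +f
    IFS=$old_ifs
}

# Stand-alone use: audit the command given as the first argument (default: sh).
path_audit "${1:-sh}"
```

A copy marked runs in a world-writable-dir, ahead of the system copy, is the case worth investigating first.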