
One of the most popular command-line utilities is the find command, mainly because of its simplicity and versatility. It's the default option for searching for files across multiple UNIX-based systems, with a wide range of parameters and variables to narrow down our searches. It helps look for files matching a specific name, date, size, or even owner, and it lets us run other commands against the list of files found. The basic structure of the find command is as follows.

find [parameters] [path] [search patterns] 

Basic Searches

While the above syntax looks simple, with this utility, we can perform complex searches without trouble. We'll be discussing some of the most useful search patterns to make the most out of this command. Used without any parameters, find lists all files and directories in the current location.

LiquidWeb$ find
 .
 ./bad_script.sh
 ./script.sh
 ./big.log
 ./test.txt
 ./example.file
 ./Example.file
 ./exAmpLe.file
 ./example.directory
 ./image.png
 ./app.php

Now let’s see how we can do more specific queries.

Find a File or Directory By Name

The number one use for the find command is the basic file/directory search. If we want to search for a file or directory by name, we must use the -name tag (or -iname for case insensitive checks).

LiquidWeb$ find . -name "example.file"
 ./example.file

LiquidWeb$ find . -iname "example.file"
 ./example.file
 ./Example.file
 ./exAmpLe.file

Here we use a period or “.” to represent the current directory. However, this can be substituted by any location on the directory tree. The -name tag displays only the exact matches to the name, whereas the -iname tag displays any matches no matter if they have uppercase or lowercase letters.

We can be more specific and limit the find command to look for files, directories, or other file types. The asterisk wildcard operator “*” means 0 or more characters. In our example, it matches any file that starts with the word “example.” With the wildcard operator’s help, we see that the first statement does not consider the file type.

LiquidWeb$ find . -iname "example*"
 ./example.file
 ./Example.file
 ./example.directory
 ./example.directory/example2.file
 ./exAmpLe.file

By adding the flag -type, we can narrow it down to only files or directories.

LiquidWeb$ find . -iname "example*" -type f
 ./example.file
 ./Example.file
 ./example.directory/example2.file
 ./exAmpLe.file

LiquidWeb$ find . -iname "example*" -type d
 ./example.directory

Other file types include:

  • l: symbolic link
  • p: named pipe 
  • c: character devices
  • s: socket
  • b: block devices

Special Variables

There are other variables that we can add to our search to get more accurate results. 

Include Symbolic Links

Performing the same search from the previous section, but introducing the directive “-L,” find will access symbolic links (in this case, link.directory linked to example.directory) and look for matches.

LiquidWeb$ find -L -iname "example*"
 ./example.file
 ./Example.file
 ./example.directory
 ./example.directory/example2.file
 ./exAmpLe.file
 ./link.directory/example2.file

Exclude Mount Points File Systems

The option -xdev allows the find command to list mount points or partitions in another file system, but it doesn't descend into them.

LiquidWeb$ find . -xdev -name "app*" -type f
 ./app2.php
 ./app.php

Max Depth

We can also set the range of our search by using -maxdepth. In the below example, we can see that find only descended 1 level below the starting point to find all files in /home.

LiquidWeb$ find /home -maxdepth 1 -type f
 /home/testing_max_depth.file

Redirect Error Messages

If our search pattern is too ambiguous, or we don’t have any clues about where our file is and don’t have root directory access on our dedicated server, our screen can be filled with error messages like “Permission denied.” To avoid that, we can redirect the error messages to /dev/null, a unique device file that discards all data sent or written to it.

LiquidWeb$ find / -maxdepth 3 -name "my_file.txt"
 find: ‘/root’: Permission denied
 find: ‘/lost+found’: Permission denied

LiquidWeb$ find / -maxdepth 3 -name "my_file.txt" 2>/dev/null
LiquidWeb$

Disk Space Investigations

The find command can be very useful to determine our exact space distribution during disk investigations on our VPS server. We’ll be digging into the most common uses. 

Find & List Files

One of the reasons this utility is so popular is that we can append other commands to run against the list of files we just found. That’s what we do in this example, listing the files after find retrieves all the matches.

LiquidWeb$ find . -name "*.txt" -exec ls -lh {} \;
 -rw-r--r-- 1 root root 2.0M Jan 22 15:44 ./lecture.txt
 -rw-r--r-- 1 root root 4.2M Jan 22 15:45 ./test.txt
 -rw-r--r-- 1 root root 9.5M Jan 22 15:45 ./blog.txt

Let’s break down the command:

  • find . -name "*.txt"  - The regular search of find by name, in this case, all text files.
  • -exec  - The option that runs a command on each file in the list of matches. The {} placeholder is replaced by the current file name, and \; marks the end of the command.
  • ls -lh {} - The ls command is a utility mainly used to list files. We also added -lh, which stands for “long listing” and “human-readable”: it prints detailed information about the files and displays the sizes with unit prefixes (megabytes in this case).

Find Empty Files or Directories

In some cases, we will see that our disk usage is relatively low, but our inode usage is through the roof. It might be caused by a disproportionate amount of empty files or directories, which we can track down using find and the tag -empty.

LiquidWeb$ find . -type f -empty
 ./empty2.file
 ./empty3.file
 ./empty.file

LiquidWeb$ find . -type d -empty
 ./empty_dir

Find Files or Directories by Date

To find files based on time, we can use the -newerXY directive, where XY selects the timestamp to compare. This is the list of options:

  • mt: modified time
  • at: access time
  • ct: inode status change
  • Bt: birth time

LiquidWeb$ find . -type f -newermt 2021-01-23
 ./new_image.png
 ./another_app.php

LiquidWeb$ find . -type f ! -newermt 2015-12-19
./very_old_file.txt

LiquidWeb$ find . -type f ! -newerat 2015-12-19
./very_old_file.txt

In the displayed examples, we first looked for files whose modification date was equal to or newer than 2021-01-23. For subsequent statements, we introduced the “!” operator, which means “not.” In the second example, we were looking for files with a modification date older than 2015-12-19, and in the third example, we used at, or access time, as a parameter. This is particularly useful when locating files in our managed cloud servers.

Find Files or Directories by Size

The size option lets us find specific files that exceed, match, or are below a determined size threshold. In the below examples, we want to locate:

  • Files with a size of exactly 950k.
  • Files with sizes above 50M.
  • Files with sizes below 25M.
  • Files with sizes within the 2M-5M range.

LiquidWeb$ find . -type f -size 950k
 ./blog.txt (950k)

LiquidWeb$ find . -type f -size +50M
 ./55M_file

LiquidWeb$ find . -type f -size -25M
 ./20M_file

LiquidWeb$ find . -type f -size +2048k -size -5120k
 ./test.txt (4.2M)

The last command gives the 2M-5M range in kilobytes because find rounds each file size up to a whole unit before comparing: with M units, a 4.2M file counts as 5M, so -size -5M would skip it.

Find and Delete

To remove unwanted files with the find command, add the -delete option after the search patterns.

LiquidWeb$ find /var/log/ -name "*.temp" -delete
LiquidWeb$

Note:
Be careful while using -delete, as it is data destructive. It’s always a good practice to look at the file list before removing them.
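
The review-then-delete workflow from the note above, as an added example that is not part of the original article. It assumes GNU find and runs only against a constructed tree in a temporary directory; the function and file names are hypothetical. It also shows why -delete must come last in the expression.

```shell
#!/bin/sh
# Added example (not from the article): review the match list, then delete.
# Assumes GNU find; the directory and file names are constructed sample data.

make_logs() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/archive"
    touch "$dir/a.temp" "$dir/b.temp" "$dir/app.log" "$dir/archive/keep.temp.gz"
    printf '%s\n' "$dir"
}

# Step 1: run the tests with -print only, so nothing is removed yet.
preview_temp() { find "$1" -type f -name '*.temp' -print | sort; }

# Step 2: reuse exactly the same tests and put -delete last.
delete_temp() { find "$1" -type f -name '*.temp' -delete; }

# find evaluates its expression left to right. With -delete in front of
# -name, every entry is removed before the name is ever tested.
misordered_delete() { find "$1" -mindepth 1 -delete -name '*.temp'; }

# Number of entries left below the starting directory.
remaining() { find "$1" -mindepth 1 | wc -l | tr -d ' '; }

GOOD=$(make_logs)
echo "would delete:"; preview_temp "$GOOD"
delete_temp "$GOOD"
echo "entries left after ordered delete: $(remaining "$GOOD")"

BAD=$(make_logs)
misordered_delete "$BAD"
echo "entries left after misordered delete: $(remaining "$BAD")"
rm -rf "$GOOD" "$BAD"
```
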

Security Oriented Inspections

If we suspect a security breach or malware infection, find can be very valuable during the preliminary investigations. 

Find Files by Permissions

Having files with 777 permissions is something to be avoided whenever possible. With the -perm tag, it is easy to find files or directories with incorrect permissions within our file system.

LiquidWeb$ find . -type f -perm 777
 ./not_malware.php 

LiquidWeb$ find . -type d -perm 777
 ./good_dir

If the files we found are not supposed to have those permissions, we can change them right away. For instance, if we want to set 644 permissions to the files, we can use the command below.

LiquidWeb$ find . -type f -perm 777 -exec chmod 644 {} \;
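
-perm 777 matches only a mode of exactly 777, so a world-writable 666 file or a setuid file is not listed. The following added example (not from the original article) compares the exact match with the -perm -mode and -perm /mode forms on a constructed tree in a temporary directory. It assumes GNU find; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): exact vs. bitwise -perm matching.
# Assumes GNU find; all file names below are constructed sample data.

make_tree() {
    dir=$(mktemp -d) || return 1
    touch "$dir/exact777.php" "$dir/upload666.txt" \
          "$dir/helper4755" "$dir/normal644.txt"
    chmod 0777 "$dir/exact777.php"
    chmod 0666 "$dir/upload666.txt"   # world-writable, but not 777
    chmod 4755 "$dir/helper4755"      # setuid bit set
    chmod 0644 "$dir/normal644.txt"
    printf '%s\n' "$dir"
}

# Exact match, as in the article: the mode must be 777 and nothing else.
exact_777() { find "$1" -type f -perm 777 -printf '%f\n' | sort; }

# -perm -0002: the "other write" bit is set, whatever the other bits are.
world_writable() { find "$1" -type f -perm -0002 -printf '%m %f\n' | sort; }

# -perm /6000: the setuid bit or the setgid bit is set.
setid_files() { find "$1" -type f -perm /6000 -printf '%m %f\n' | sort; }

# Remove only the "other write" bit instead of forcing every file to 644.
# "{} +" passes many paths to one chmod instead of one process per file.
strip_world_write() { find "$1" -type f -perm -0002 -exec chmod o-w {} +; }

TREE=$(make_tree)
echo "exact 777:";      exact_777 "$TREE"
echo "world-writable:"; world_writable "$TREE"
echo "setuid/setgid:";  setid_files "$TREE"
strip_world_write "$TREE"
echo "world-writable after fix:"; world_writable "$TREE"
rm -rf "$TREE"
```
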

Find Files And Directories By Owner 

Files with the incorrect owner are not necessarily malicious. However, in some instances, that can be an indication of trouble. We can easily track them down with the -user tag.

LiquidWeb$ find . -user nobody
 ./bad_script.sh

Find Files by Modification Time

We can also list files based on their access or modification time. The -atime option is handy for determining which files were accessed within a defined interval of days. In the first and second examples, we want to find the files accessed within the last 30 days and the files accessed more than 30 days ago.

For the third command, we’ll be looking at the modification time instead. These directives follow the same pattern as those discussed in the Find Files or Directories by Date section above. 

LiquidWeb$ find . -name "*.png" -atime -30
 ./new_image.png 

LiquidWeb$ find . -name "*.png" -atime +30
./old_image.png

LiquidWeb$ find . -name "*.txt" -mtime -30
 ./lecture.txt
 ./test.txt
 ./blog.txt
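
During a security inspection, -mtime alone can miss a file whose modification time was set back, because the file's owner controls that timestamp. The following added example (not from the original article) compares -mtime with -ctime on a constructed tree in a temporary directory. It assumes GNU find; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): mtime versus ctime during triage.
# Assumes GNU find; file names and contents are constructed sample data.

make_webroot() {
    dir=$(mktemp -d) || return 1
    echo 'constructed sample' > "$dir/index.php"
    echo 'constructed sample' > "$dir/new_upload.php"
    # mtime can be set by the file's owner (touch, tar, rsync -t).
    # Here the second file's mtime is set back to 2015.
    touch -t 201512190000 "$dir/new_upload.php"
    printf '%s\n' "$dir"
}

# The article's test: content modified within the last 30 days.
recent_mtime() { find "$1" -type f -mtime -30 -printf '%f\n' | sort; }

# ctime is updated by the kernel on every content or metadata change and
# cannot be set with touch, so it still shows the file as recent.
recent_ctime() { find "$1" -type f -ctime -30 -printf '%f\n' | sort; }

# Lead for review: inode changed recently, but mtime claims the file is old.
# Restores from backup and archive extraction also look like this.
mismatch() { find "$1" -type f -ctime -30 -mtime +30 -printf '%f\n' | sort; }

# One line per file with both timestamps, for a quick timeline.
timeline() {
    find "$1" -type f \
        -printf 'mtime=%TY-%Tm-%Td ctime=%CY-%Cm-%Cd %f\n' | sort
}

ROOT=$(make_webroot)
echo "recent by mtime:"; recent_mtime "$ROOT"
echo "recent by ctime:"; recent_ctime "$ROOT"
echo "ctime recent, mtime old:"; mismatch "$ROOT"
timeline "$ROOT"
rm -rf "$ROOT"
```
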

Conclusion

We’ve gone through several practical uses for the find command. As we have seen, not only can we find files or directories, but it’s easy to perform disk investigations or notice strange patterns with our files when in doubt of malicious actions. We only scratched the surface of what find can do when we append other commands to its list of files. There is no doubt that this is a powerful tool with many potential applications in data manipulation. 

About the Author: Misael Ramirez

I have a degree in mechatronics; the career suited me because I'm always trying new things. I have a wide range of interests, but mainly I love music, movies (old ones), and physics.
