Introduction
Find searches in the real system. Is slower but always up-to-date and has more options (size, modification time,…)
Locate uses a previously built database (command updatedb). Is much faster, but uses an ‘older’ database and searches only names or parts of them.
locate and find both commands will find file. But each of them work in a quite different way.
Finding by Name
The most obvious way of searching for files is by name.
To find a file by name, type:
- find –name “query”
This will be case sensitive, meaning a search for “file” is different than a search for “File”.
To find a file by name, but ignore the case of the query, type:
- find –iname “query”
If you want to find all files that don’t adhere to a specific pattern, you can invert the search with “-not” or “!”. If you use “!”, you must escape the character so that bash does not try to interpret it before find can act:
- find –not –name “query_to_avoid”
Or
- find \! –name “query_to_avoid”
Finding by Type
You can specify the type of files you want to find with the “-type” parameter. It works like this:
- find –type type_descriptor query
Some of the most common descriptors that you can use to specify the type of file are here:
f: regular file
d: directory
l: symbolic link
c: character devices
b: block devices
For instance, if we wanted to find all of the character devices on our system, we could issue this command:
- find / –type c
We can search for all files that end in “.conf” like this:
- find / –type f –name “*.conf”
Filtering by Time and Size
Find gives you a variety of ways to filter results by size and time.
Size
You can filter by size with the use of the “-size” parameter.
We add a suffix on the end of our value that specifies how we are counting. These are some popular options:
c: bytes
k: Kilobytes
M: Megabytes
G: Gigabytes
b: 512-byte blocks
To find all files that are exactly 50 bytes, type:
- find / –size 50c
To find all files less than 50 bytes, we can use this form instead:
- find / –size –50c
To Find all files more than 700 Megabytes, we can use this command:
- find / –size +100M
Time
Linux stores time data about access times, modification times, and change times.
Access Time: Last time a file was read or written to.
Modification Time: Last time the contents of the file were modified.
Change Time: Last time the file’s inode meta-data was changed.
We can use these with the “-atime”, “-mtime”, and “-ctime” parameters. These can use the plus and minus symbols to specify greater than or less than, like we did with size.
The value of this parameter specifies how many days ago you’d like to search.
To find files that have a modification time of a day ago, type:
- find / –mtime 1
If we want files that were accessed in less than a day ago, we can type:
- find / –atime -1
To get files that last had their meta information changed more than 3 days ago, type:
- find / –ctime +3
There are also some companion parameters we can use to specify minutes instead of days:
- find / –mmin -1
This will give the files that have been modified type the system in the last minute.
Find can also do comparisons against a reference file and return those that are newer:
- find / –newer myfile
Finding by Owner and Permissions
You can also search for files by the file owner or group owner.
You do this by using the “-user” and “-group” parameters respectively. Find a file that is owned by the “syslog” user by entering:
- find / –user syslog
Similarly, we can specify files owned by the “shadow” group by typing:
- find / –group shadow
We can also search for files with specific permissions.
If we want to match an exact set of permissions, we use this form:
- find / –perm 644
This will match files with exactly the permissions specified.
If we want to specify anything with at least those permissions, you can use this form:
- find / –perm –644
This will match any files that have additional permissions. A file with permissions of “744” would be matched in this instance.
You can specify the maximum depth of the search under the top-level search directory:
- find –maxdepth num –name query
To find “file1” only in the “level1” directories and above, you can specify a max depth of 2 (1 for the top-level directory, and 1 for the level1 directories):
- find –maxdepth 2 –name file1
That is a much more manageable list.
You can also specify a minimum directory if you know that all of the files exist past a certain point under the current directory:
- find –mindepth num –name query
We can use this to find only the files at the end of the directory branches:
- find –mindepth 4 –name file
Again, because of our branching directory structure, this will return a large number of results (1000).
You can combine the min and max depth parameters to focus in on a narrow range:
- find –mindepth 2 –maxdepth 3 –name file
Executing and Combining Find Commands
You can execute an arbitrary helper command on everything that find matches by using the “-exec” parameter. This is called like this:
- find find_parameters –exec command_and_params {} \;
The “{}” is used as a placeholder for the files that find matches. The “\;” is used so that find knows where the command ends.
For instance, we could find the files in the previous section that had “644” permissions and modify them to have “664” permissions:
- find . –type f –perm 644 –exec chmod 664 {} \;
We could then change the directory permissions like this:
- find . –type d –perm 755 –exec chmod 700 {} \;
If you want to chain different results together, you can use the “-and” or “-or” commands. The “-and” is assumed if omitted.
- find . –name file1 –or –name file9
Find Files Using Locate
An alternative to using find is the locate command. This command is often quicker and can search the entire file system with ease.
You can install the command with apt-get:
- sudo apt–get update
- sudo apt–get install mlocate
The reason locate is faster than find is because it relies on a database of the files on the filesystem.
The database is usually updated once a day with a cron script, but you can update it manually by typing:
- sudo updatedb
Run this command now. Remember, the database must always be up-to-date if you want to find recently acquired or created files.
To find files with locate, simply use this syntax:
locate query
You can filter the output in some ways.
For instance, to only return files containing the query itself, instead of returning every file that has the query in the directories leading to it, you can use the “-b” for only searching the “basename”:
- locate –b query
To have locate only return results that still exist in the filesystem (that were not remove between the last “updatedb” call and the current “locate” call), use the “-e” flag:
- locate –e query
To see statistics about the information that locate has cataloged, use the “-S” option:
- locate –S
Both find and locate are good ways to find files on your system. It is up to you to decide which of these tools is appropriate in each situation.
