Linux‎ > ‎

find command useful examples

Thank you for visiting this page, this page has been update in another link find command useful examples
find is a tool to search for files in a directory hierarchy, very easy to use but with a lot of options to chose. It also has some security considerations, let's start from simple first.
$find ./mtx-1.3.12 -name *.c -print
$find ./mtx-1.3.12 -name *.c -print0
./mtx-1.3.12/scsi_freebsd.c./mtx-1.3.12/mam2debug2.c./mtx-1.3.12/vms/scsi.c./mtx-1.3.12/vms/ldrset.c./mtx-1.3.12/mtx-inventory.c./mtx-1.3.12/scsi_hpux.c./mtx-1.3.12/scsi_linux.c./mtx-1.3.12/nsmhack.c./mtx-1.3.12/scsieject.c./mtx-1.3.12/sg_err.c./mtx-1.3.12/mtxl-driveinfo.c./mtx-1.3.12/mtx-driveinfo.c./mtx-1.3.12/mtxl-inventory.c./mtx-1.3.12/tapeinfo.c./mtx-1.3.12/scsi_sgi.c./mtx-1.3.12/scsi_win32.c./mtx-1.3.12/du/scsi.c./mtx-1.3.12/mtxl.c./mtx-1.3.12/mtx.c./mtx-1.3.12/scsi_aix.c./mtx-1.3.12/mam2debug.c./mtx-1.3.12/scsi_sun.c./mtx-1.3.12/scsitape.c./mtx-1.3.12/loaderinfo.c[Thu Oct 10 12:31:22 simon@xldesk:~/tape]$

-print is a default behaviour of find, unless -print0 is used, which is often used in more securier environment, particularly if action options are involved, will mention it later.
              True; print the full file name on the standard output, followed by a null character (instead  of  the  newline  character  that -print  uses).   This allows file names that contain newlines or other types of white space to be correctly interpreted by programs that process the find output.  This option corresponds to the -0 option of xargs.

Another thing need to mention is that treatment of symbolic, good part is that find will not follow symbolic links in default behaviour, which is much safer, if you do want, see the following options description
       The -H, -L and -P options control the treatment of symbolic links.

       -P     Never  follow symbolic links.  This is the default behaviour.  When find examines or prints information a file, and the file is a symbolic link, the information used shall be taken from the properties of the symbolic link itself.

       -L     Follow symbolic links.  When find examines or prints information about files, the information used  shall  be  taken  from  the properties  of  the  file  to  which  the link points, not from the link itself (unless it is a broken symbolic link or find is unable to examine the file to which the link points).  Use of this option implies -noleaf.  If you later  use  the  -P  option, -noleaf  will  still  be in effect.  If -L is in effect and find discovers a symbolic link to a subdirectory during its search, the subdirectory pointed to by the symbolic link will be searched.

              When the -L option is in effect, the -type predicate will always match against the type of the file that a symbolic link points to  rather than the link itself (unless the symbolic link is broken).  Using -L causes the -lname and -ilname predicates always to return false.

       -H     Do not follow symbolic links, except while processing the command line arguments.  When find  examines  or  prints  information about  files, the information used shall be taken from the properties of the symbolic link itself.   The only exception to this behaviour is when a file specified on the command line is a symbolic link, and the link can be resolved.  For  that  situation,the information used is taken from whatever the link points to (that is, the link is followed).  The information about the link itself is used as a fallback if the file pointed to by the symbolic link cannot be examined.  If -H is in effect and one of the paths  specified on the command line is a symbolic link to a directory, the contents of that directory will be examined (though of course -maxdepth 0 would prevent this).

The following 5 searching options are useful when you want to start advanced way.
       -maxdepth levels
              Descend at most levels (a non-negative integer) levels of directories below the command line arguments.  -maxdepth 0 means only apply the tests and actions to the command line arguments.

       -mindepth levels
              Do  not  apply  any  tests or actions at levels less than levels (a non-negative integer).  -mindepth 1 means process all files except the command line arguments.
       -regextype type
              Changes the regular expression syntax understood by -regex and -iregex tests which occur later on the command line.  Currently implemented types are emacs (this is the default), posix-awk, posix-basic, posix-egrep and posix-extended.
              Measure times (for -amin, -atime, -cmin, -ctime, -mmin, and -mtime) from the beginning of today rather than from 24 hours  ago.
              This option only affects tests which appear later on the command line.

       -depth Process each directory's contents before the directory itself.  The -delete action also implies depth.
       or -d option in A synonym for -depth, for compatibility with FreeBSD, NetBSD, MacOS X and OpenBSD.

TEST options:

$find ./mtx-1.3.12 -newer ./mtx-1.3.12/mtx.c -type f -name *.c

Check files access in last 2 minutes, cmin or mmin can be used in the same way
$find ./mtx-1.3.12/  -amin +0 -amin -2

Measure times from the beginning of today rather than from 24 hours ago. So, to list the regular files in your home directory that were modified yesterday, do
find ~/ -daystart -type f -mtime 1
.. .recently-used.xbel

Of course you can easily use atime, ctime in a same way.

Here is some interesting about option -newerXY
       -newerXY reference
              Compares  the  timestamp of the current file with reference.  The reference argument is normally the name of a file (and one of its timestamps is used for the comparison) but it may also be a string describing an absolute time.  X and Y  are  placeholders for other letters, and these letters select which time belonging to how reference is used for the comparison.

              a   The access time of the file reference
              B   The birth time of the file reference
              c   The inode status change time of reference
              m   The modification time of the file reference
              t   reference is interpreted directly as a time

              Some combinations are invalid; for example, it is invalid for X to be t.  Some combinations are not implemented on all systems; for example B is not supported on all systems.  If an invalid or unsupported combination of XY  is  specified,  a fatal  error results.   Time  specifications  are interpreted as for the argument to the -d option of GNU date.  If you try to use the birth time of a reference file, and the birth time cannot be determined, a fatal error message results.  If you specify a test  which refers to the birth time of files being examined, this test will fail for any files where the birth time is unknown.
There are two ways to list files in /usr modified after February 1 of the current year. One uses ‘-newermt’:

     find /usr -newermt "Feb 1"

The other way of doing this works on the versions of find before 4.3.3:

     touch -t 02010000 /tmp/stamp$$
     find /usr -newer /tmp/stamp$$
     rm -f /tmp/stamp$$

-type, -size, -fstype, example is to find /usr directory, filesystem=ext4, filetype is file, 20MB > filesize >10MB
$ find /usr/ -type f -fstype ext4 -size +10M -size -20M


Some other options, easy to tell what they are going to do
# find / -perm /u=r
# find / -type d -perm 777
# find / -type d ! -perm 777
# find / -perm 2644

Action options:

As long as you know how to search files, action option is just actions to the file list you searched. But, have to mention it again, most security consideration come from here, I suggest you read the link below first before you put action options into your high security environment.Here is what find manual says
       If  you  are  using find in an environment where security is important (for example if you are using it to search directories that are writable by other users), you should read the "Security Considerations" chapter of the findutils documentation, which is called  Finding  Files  and comes with findutils.   That document also includes a lot more detail and discussion than this manual page, so you may find it a more useful source of information.

Find files named core in or below the directory /tmp and delete them.  Note that this will work incorrectly if there are any filenames containing newlines or spaces.
       find /tmp -name core -type f -print | xargs /bin/rm -f

Find files named core in or below the directory /tmp and delete them, processing filenames in such a way that file or directory  names containing spaces or newlines are correctly handled.
       find /tmp -name core -type f -print0 | xargs -0 /bin/rm -f

Find  files  named  core in or below the directory /tmp and delete them, but more efficiently than in the previous example (because we avoid the need to use fork(2) and exec(2) to launch rm and we don't need the extra xargs process).
       find /tmp -depth -name core -type f -delete

 With -exec option, the command  is executed  in  the starting directory.   There are unavoidable security problems surrounding use of the -exec action; you should use the -execdir option instead.

      -execdir command {} +
              Like  -exec,  but  the  specified  command  is run from the subdirectory containing the matched file, which is not normally the directory in which you started find.  This a much more secure method for invoking commands, as it avoids race conditions during resolution  of the paths to the matched files.  As with the -exec action, the ‘+’ form of -execdir will build a command line to process more than one matched file, but any given invocation of command will only list files that exist in the  same  subdirectory. If you  use  this  option,  you must ensure that your $PATH environment variable does not reference ‘.’; otherwise, an attacker can run any commands they like by leaving an appropriately-named file in a directory in which you will  run  -execdir.
              The same applies to having entries in $PATH which are empty or which are not absolute directory names.

For example, to compare each c file in different directories:
mtx-1.2.18rel]$find . -type f -name '*.c' -execdir diff -q '{}' ../mtx-1.3.12/ ';'
Files ./scsi_freebsd.c and ../mtx-1.3.12/scsi_freebsd.c differ
Files ./mam2debug2.c and ../mtx-1.3.12/mam2debug2.c differ

Some other types of usecase.
See this
find bills -type f -execdir sort -o '{}.sorted' '{}' ';'    

It's equivelent with the one

find bills -type f | xargs -I XX sort -o XX.sorted XX

But, the second one has a potential issue is that when you use the ‘-I’ option, each line read from the input is buffered internally. This means that there is an upper limit on the length of input line that xargs will accept when used with the ‘-I’ option. To work around this limitation, you can use the ‘-s’ option to increase the amount of buffer space that xargs uses, and you can also use an extra invocation of xargs to ensure that very long lines do not occur.

I introduced xargs in another article
Here is another way for it, you can borrow from it.
find ./x* -print0 | xargs -0 -n 1 -P 5 bzip2
for i in `seq 1 100` | xargs -n 1 -P 5 mytask

where, -n controls number of parameters to be processes
-P controls how many CPU/processes to run in parallel