You know how to create, move, and delete files. But what about finding them? In a Linux system with millions of files across complex directory trees, the find command is your search engine. It's one of the most powerful and essential commands for system administrators.
Understanding find is critical for the LFCS exam. You'll use it constantly for locating configuration files, finding large files consuming disk space, searching by modification time, and identifying security issues like files with incorrect permissions.
๐ฏ What You'll Learn:
- Understanding find syntax and how it works
- Finding files by name with -name
- Finding by file type with -type
- Finding by size with -size
- Finding by modification time with -mtime
- Finding by permissions with -perm
- Suppressing permission errors with 2>/dev/null
- Combining find with other commands (-exec)
- Real-world file search scenarios
Series: LFCS Certification - Phase 1 (Post 28 of 52)
Understanding the find Command
The find command recursively searches directory trees for files matching specified criteria.
Basic Syntax
find [PATH] [OPTIONS] [TESTS] [ACTIONS]
Components:
PATH: Where to search (default: current directory)OPTIONS: How to searchTESTS: What to match (name, size, type, etc.)ACTIONS: What to do with matches (print, delete, execute)
Simplest Example
$ find /etc -name "hosts"
/etc/hosts
/etc/avahi/hosts
Finding by Name
Exact Name Match
$ find / -name "hosts" 2>/dev/null
/tmp/hosts
/tmp/files/photos/avahi/hosts
/etc/hosts
/etc/avahi/hosts
What happened:
- Searched entire filesystem (
/) - Found files named exactly "hosts"
2>/dev/nullsuppressed permission errors
Wildcard Patterns
# Files starting with "hosts"
$ find / -name "hosts*" 2>/dev/null
/etc/hosts
/etc/hosts.equiv
/usr/share/man/man5/hosts.5.gz
# Files containing "hosts"
$ find / -name "*hosts*" 2>/dev/null
/etc/hosts
/.ssh/known_hosts
/usr/bin/sss_ssh_knownhostsproxy
Case-Insensitive Search
$ find /etc -iname "HOSTS"
/etc/hosts
/etc/avahi/hosts
Suppressing Errors with 2>/dev/null
The Permission Problem
$ find / -name "hosts"
find: '/boot/efi/EFI/centos': Permission denied
find: '/boot/grub2': Permission denied
find: '/boot/loader/entries': Permission denied
# ... many permission errors ...
/etc/hosts
Why? As a regular user, you can't read many system directories.
The Solution
$ find / -name "hosts" 2>/dev/null
/etc/hosts
/etc/avahi/hosts
What 2>/dev/null does:
2>redirects stderr (error messages)/dev/nullis a "black hole" (discards everything)- Result: Clean output with only matches
๐ก Pro Tip: Always use 2>/dev/null when searching system-wide as a regular user. It makes output readable and prevents clutter.
Finding by File Type
The -type Option
# Find regular files
$ find /tmp -type f
# Find directories
$ find /tmp -type d
# Find symbolic links
$ find /etc -type l
/etc/bin -> usr/bin
/etc/lib -> usr/lib
Common types:
f= regular filed= directoryl= symbolic linkb= block devicec= character devices= socketp= named pipe
Finding by Size
The -size Option
# Find files larger than 2GB
$ sudo find / -size +2G 2>/dev/null
/proc/kcore
/var/log/journal/huge.log
# Find files exactly 1024 bytes
$ find /tmp -size 1024c
# Find files smaller than 10KB
$ find /home -size -10k
Size units:
c= bytesk= kilobytesM= megabytesG= gigabytes
Operators:
+= greater than-= less than- (none) = exactly
Finding by Time
Modification Time (-mtime)
# Files modified in last 24 hours
$ find /var/log -mtime 0
# Files modified more than 7 days ago
$ find /home -mtime +7
# Files modified exactly 7 days ago
$ find /home -mtime 7
Time options:
-mtime= modification time (days)-atime= access time (days)-ctime= status change time (days)-mmin= modification time (minutes)
Real-World Example
# Find and delete logs older than 30 days
$ find /var/log -name "*.log" -mtime +30 -delete
Finding by Permissions
# Find setuid files (security check)
$ sudo find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
Permission options:
-perm 644= exactly 644-perm /644= any of these bits set-perm -644= all these bits set
Combining Conditions
AND Logic (Default)
# Files named *.conf AND larger than 1MB
$ find /etc -name "*.conf" -size +1M
OR Logic (-o)
# Files ending in .txt OR .log
$ find /home -name "*.txt" -o -name "*.log"
NOT Logic (!)
# All files EXCEPT .txt
$ find /home ! -name "*.txt"
Actions with -exec
Execute Command on Each Match
# Delete all .tmp files
$ find /tmp -name "*.tmp" -exec rm {} \;
# Show detailed info for each match
$ find /etc -name "*.conf" -exec ls -lh {} \;
Syntax:
{}= placeholder for found file\;= end of command (must be escaped)
Confirm Before Action
# Interactive deletion
$ find /tmp -name "*.bak" -ok rm {} \;
# Prompts: rm ... /tmp/file.bak?
Real-World Use Cases
1. Find Large Files
# Find files larger than 100MB
$ find /home -type f -size +100M -exec ls -lh {} \; 2>/dev/null
2. Find Old Log Files
# Find logs older than 90 days
$ find /var/log -name "*.log" -mtime +90
3. Find Empty Files/Directories
# Empty files
$ find /tmp -type f -empty
# Empty directories
$ find /tmp -type d -empty
4. Find by Owner
# Find all files owned by user
$ find /home -user centos9
# Find files owned by group
$ find /var -group apache
5. Security Audit
# Find world-writable files
$ find / -type f -perm -002 2>/dev/null
# Find files without owner
$ find / -nouser 2>/dev/null
๐งช Practice Labs
Lab 1: Basic Name Search (Beginner)
Task: Find all files named "passwd" on the system.
Show Solution
$ find / -name "passwd" 2>/dev/null
/etc/passwd
/etc/pam.d/passwd
/usr/bin/passwd
Key concept: Use 2>/dev/null to suppress permission errors.
Lab 2: Wildcard Search (Beginner)
Task: Find all files in /etc that start with "host".
Show Solution
$ find /etc -name "host*"
/etc/hosts
/etc/hostname
/etc/host.conf
Key concept: Wildcards work with -name option.
Lab 3: Find by Type (Beginner)
Task: Find all symbolic links in /etc.
Show Solution
$ find /etc -type l
/etc/bin -> usr/bin
/etc/lib -> usr/lib
/etc/lib64 -> usr/lib64
Key concept: -type l finds symbolic links.
Lab 4: Find Large Files (Intermediate)
Task: Find files in /var larger than 50MB.
Show Solution
$ sudo find /var -type f -size +50M
/var/log/journal/system.journal
/var/cache/packagekit/metadata.db
Key concept: Use + for "greater than" with -size.
Lab 5: Find by Time (Intermediate)
Task: Find files in /tmp modified in the last hour.
Show Solution
$ find /tmp -type f -mmin -60
/tmp/recent_file.txt
/tmp/session.tmp
Key concept: -mmin uses minutes, - means "less than".
Lab 6: Find and Delete (Intermediate)
Task: Find and delete all .bak files in your home directory.
Show Solution
# First, find them
$ find ~ -name "*.bak"
# Then delete
$ find ~ -name "*.bak" -delete
# Or with confirmation
$ find ~ -name "*.bak" -ok rm {} \;
Key concept: Always test with plain find first, then add -delete.
Lab 7: Find Empty Files (Intermediate)
Task: Find all empty files in /tmp and remove them.
Show Solution
$ find /tmp -type f -empty
/tmp/empty1.txt
/tmp/empty2.log
$ find /tmp -type f -empty -delete
Key concept: -empty finds files with zero size.
Lab 8: Combining Conditions (Advanced)
Task: Find .log files in /var/log that are larger than 10MB and older than 30 days.
Show Solution
$ sudo find /var/log -name "*.log" -size +10M -mtime +30
/var/log/old-huge.log
Key concept: Multiple conditions use AND logic by default.
Lab 9: Find by Permissions (Advanced)
Task: Find all setuid binaries (potential security concern).
Show Solution
$ sudo find / -type f -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
Key concept: Setuid files run with owner's permissions.
Lab 10: Find and Execute (Advanced)
Task: Find all .conf files in /etc and count lines in each.
Show Solution
$ find /etc -name "*.conf" -exec wc -l {} \;
127 /etc/ssh/sshd_config
45 /etc/logrotate.conf
Key concept: -exec runs command on each match.
๐ Command Cheat Sheet
# By name
find / -name "filename" 2>/dev/null
find / -name "*.txt" 2>/dev/null
find / -iname "FILENAME" 2>/dev/null
# By type
find /etc -type f # Regular files
find /etc -type d # Directories
find /etc -type l # Symbolic links
# By size
find /var -size +100M # Larger than 100MB
find /tmp -size -1k # Smaller than 1KB
find /home -size 1M # Exactly 1MB
# By time
find /var/log -mtime +30 # Modified >30 days ago
find /tmp -mmin -60 # Modified <60 min ago
find /home -atime +7 # Accessed >7 days ago
# By permissions
find / -perm 777 2>/dev/null # Exactly 777
find / -perm /4000 2>/dev/null # Setuid files
# By owner
find /home -user username
find /var -group groupname
# Combining
find /var/log -name "*.log" -size +10M -mtime +30
# Actions
find /tmp -name "*.tmp" -delete
find /etc -name "*.conf" -exec ls -l {} \;
find /tmp -name "*.bak" -ok rm {} \;
๐ฏ Key Takeaways
Master These Concepts:
- find searches recursively from the starting path
- 2>/dev/null suppresses permission errors
- -name finds by filename (exact or wildcard)
- -type finds by file type (f/d/l)
- -size finds by file size (+/- operators)
- -mtime finds by modification time (days)
- -perm finds by permissions
- Multiple tests = AND logic by default
- -exec runs commands on matches
- Test before using -delete!
Quick Decision Guide:
- Know exact name โ
-name "filename" - Know pattern โ
-name "*.txt" - Need by size โ
-size +100M - Need by time โ
-mtime +30 - Need by type โ
-type f/d/l
๐ What's Next?
Coming Up Next:
- Post 29: Viewing File Contents (cat, less, more, head, tail)
- Post 30: Introduction to Text Editors (vi/vim basics)
๐ Congratulations! You've mastered the find command! You can now:
- Search the entire filesystem efficiently
- Find files by name, type, size, time, and permissions
- Suppress errors for clean output
- Combine multiple search criteria
- Execute actions on found files
The find command is indispensable for system administration. Practice these labs until searching for files becomes second nature! ๐
