Things You May or May Not Know About Linux “find” Command – part III

Things You May or May Not Know About Linux “find” Command – part IIIIn the third part of our closer encounter with the find command [(for previous posts, see Part I and Part II] we are going to look into searching for files based on their size, type, owner and permission in accessing/using them.

1. Search using size-related information.

One of the most common tasks of a Linux sysadmin is to find files that are too big. This happens when your file system starts filling up. Less often you will need to find files that are too small, empty files or files with a size different than expected. (Any of above might indicate that a process doesn’t run properly.) There are two find tests that are useful for such scenarios.

  • -size n[bcwkMG]– this will return a list of files having size “n” (of course as discussed at the beginning of part II the list can consist of files bigger than n (+n), smaller (-n) or equal n. The letter after the number define size unit. Use:
    • b – for 512 bytes blocks (b for blocks);
    • c – for bytes (c for – I have no idea, probably b was already in use);
    • w – for two bytes words (w for words);
    • k – for Kilobytes (1024 bytes);
    • M – for Megabytes (1048576 bytes);
    • G – for Gigabytes (1073741824 bytes).

    For example to find big log files (bigger than 1 gigabytes) you can use the following command:

    find /var/log -size +1G
  • -empty– searches for empty files. Empty means size 0; it does not mean files without content. If you are not sure about the difference, please try following these commands:
    touch test1.txt
    echo ‘’ > test2.txt
    find -maxdepth 1 -empty -name test?.txt

    You should get only test1.txt not test2.txt. (By the way, -maxdepth is an option controlling the depth of search into the directory tree, and I used it to cut down search time).

There are also three other tests to use to search for files related to file size:

  • -links n – searches for file with n links.
  • -inum n – searches files with n inode.
  • -samefile name – find files refer to the same inode as name (hard links).

2. Search using type-related information.

Sometimes you need to search a specific type of file. The most common scenario is searching for a regular file — among thousands of files — in the heap of directories, subdirectories or symbolic links (symlinks). To perform such task you can use test -type or its variant -xtype.

  • -type c– creates the list of files based on their type define by c as:
    • b – block (buffered) special,
    • c – character (unbuffered) special,
    • d – directory,
    • p – named pipe (FIFO),
    • f  – regular file,
    • l  – symbolic link; this test might return different results depends on use option -H, -L and -P (the last one is default),
    • s  – socket,
    • D – door (Solaris only).


  • -xtype c – behaves exactly the same as -type unless the file is a symlink. With default option (-P), it adds symlink to the list if it points onto file type c. For more information check the find manual page.To understand difference between -type and -xtype, test the following set of commands:
    mkdir a
    ln -s a b
    find -type l
    find -xtype l
    find -xtype d
    find -type d

3. Search using information about a file owner.

In many situations, you may need to find a file based on its ownership. There are six tests that allow you to find a file base of information about its owner.

  • uid n– returns a list of files with user id equal to “n”. For example, you’ve done something as administrator in your home directory, and you want to ensure that you don’t miss any files owned by root:
    find $HOME -uid 0
  • -user uname– gives you a list of files belonging to a user with “uname”. To find your own (variable $USERNAME) files  in /var/www/htdocs directory use this command:
    find /var/www/htdocs -user $USERNAME
  • -gid n– as uid, but this searches for a file whose group id equal to “n”. Let say you want to find all devices belonged to group dialout (uid 20 on my desktop machine, but it might differ on other distributions):
    find /dev -uid 20
  • -group gname– creates a list of files belonging to gname group. Lets take an example command from -uid test. Say, you have found all files belonged to root, changed their ownership, but you are not sure about the group. You can check it by:
    find $HOME -group root
  • -nouser– returns a list of files that have uid but do not match any user (for example files belonging to an invalid or removed user).
    find /home -nouser
  • -nogroup – returns a list like above but it reflects “gid” not matching any group.

4. Search using information about file permissions.

Finding files having specific access permission is a very important part of hardening the Linux system. For example the .ssh directory has to be readable only by its owner. There are three simple tests allowing you to check which files you can read, write to and execute.

  • -readable – search for files which can be readable by a user running a command;
  • -writable as above but for writable files;
  • -executable – as above but for executable files.

Let say you want to find files you can write to in /var directory:

find /var -writable

You can also specify more detail permission using -perm test. There are 3 different ways (+ one deprecated) of doing it:

  • -perm mode– returns files exactly matching permission. You can use either numeric or octal mode definitions. However, using the former might lead to a very long string because you need to specify the various permissions (r for read, w for write and x for execute) for each level (u for user, g for group, o for others and a for all). The octal definition is much easier. You need to remember that read=4, write=2 and execute=1 and order of user is first, group second and other third. Please compare the following definitions:
    find ~ -maxdepth 2 -perm 744
    find ~ -maxdepth 2 -perm u=rwx,g=r,o=r
  • -perm -mode– lists files having permission at least as defined in mode.
    For example, see the following commands:
    find ~ -maxdepth 2 -perm -440
    find ~ -maxdepth 2 -perm -u=r,g=r

    These commands return lists of files which the user and IT group can read (but of course they can write and execute them as well).

  • -perm /mode– returns files having permission defined in mode, but it doesn’t have to be an exact match. For example:
    find ~ -maxdepth 2 -perm /111
    find ~ -maxdepth 2 -perm /a=x

returns the list of all files executable for everyone (you will find that most of them are probably directories. So, to find the filer, you can add -type “f,” as describe in second paragraph).

  • -perm +mode – deprecated, see manual for more information.

Appendix. ls and size

If you want to compare file size, sometimes you might want to try a simpler approach — using the ls command. To sort files according to their size please use ls with option -S (capitalize). Make sure you use this combination because you’ll get a list, but it will be confusing. Check out the following options and their meanings:

  • -S – sort by size,
  • -r – reverse order of sorting (with -S means that the biggest files are on the end),
  • -s – print size,
  • -h – print size in readable,
  • -1 – output in one column,
  • -l – use the long listing format (it is a an alternative  to the “s1” combination).

So you can try to run the following commands and compare the results:

ls -Srsh1
ls -lShr

By the way, for some filesystems the sorting order might be different for directories.

We hope that this information has been helpful. It’s always our goal at Monitis to make life easier for sysadmins — whether you’re a an old pro or a neophyte. In fact, we think sysadmins are so special, that we recently celebrated System Administrator Appreciation Day!