In our today’s guide, we are going to learn how to locate and find files on Linux filesystem. Linux distributions come in all shapes and sizes, but one thing that almost all of them share is that they follow the Filesystem Hierarchy Standard (FHS), which defines a standard layout for the filesystem thus making interoperation and system administration much easier. As a good System Administrator you should know important various methods of locating and finding files in order to solve problem quickly. It will also save your time as you perform your administrative tasks.

Understanding The Filesystem Hierarchy Standard

Sometimes, trying to locate files on your Linux system is tricky. Fortunately, there’s a standard file location guide for the Linux called the Linux filesystem hierarchy standard (FHS) that can offer assistance. The FHS defines core folder names and locations that should be present on every Linux system and what type of data they should contain.

The basic directory structure is as follows;

  • /: This is the root directory, the topmost directory in the hierarchy. Every other directory is located inside it. A filesystem is often compared to a “tree”, so this would be the “trunk” to which all branches are connected.
  • /bin: Essential binaries, available to all users.
  • /boot: Files needed by the boot process, including the Initial RAM Disk (initrd) and the Linux kernel itself.
  • /dev: Device files. These can be either physical devices connected to the system (for example, /dev/sda would be the first SCSI or SATA disk) or virtual devices provided by the kernel.
  • /etc: Host-specific configuration files. Programs may create subdirectories under /etc to store multiple configuration files if needed.
  • /home: Each user in the system has a “home” directory to store personal files and preferences, and most of them are located under /home. Usually, the home directory is the same as the username, so the user John would have his directory under /home/john. The exceptions are the superuser (root), which has a separate directory (/root) and some system users.
  • /lib: Shared libraries needed to boot the operating system and to run the binaries under /bin and /sbin.
  • /media: User-mountable removable media, like flash drives, CD and DVD-ROM readers, floppy disks, memory cards and external disks are mounted under here.
  • /mnt: Mount point for temporarily mounted filesystems.
  • /opt: Application software packages.
  • /root: Home directory for the superuser (root).
  • /run: Run-time variable data.
  • /sbin: System binaries.
  • /srv: Data served by the system. For example, the pages served by a web server could be stored under /srv/www.
  • /tmp: Temporary files.
  • /usr: Read-only user data, including data needed by some secondary utilities and applications.
  • /proc: Virtual filesystem containing data related to running processes.
  • /var: Variable data written during system operation, including print queue, log data, mailboxes, temporary files, browser cache, etc.

You should know that some of those directories, like /etc/usr and /var, contain a whole hierarchy of subdirectories under them.

Employing Various Tools to Find and Locate Files

Besides using the FHS as a guide, there are many ways to find files on your Linux system. We are going to explore several tools that assist in locating files below.

Using Find Command

The find command is very flexible. It allows you to locate files based on data, such as who owns the file, when the file was last modified, permissions set on the file, and so on.

Syntax;

find [PATH…] [OPTION] [EXPRESSION]

Where;

  • PATH argument: is a starting point directory, because you designate a starting point in a directory tree and find will search through that directory and all its subdirectories (recursively) for the file or files you seek. You can use a single period (.) to designate your present working directory as the starting point directory.
  • EXPRESSION command argument and its preceding OPTION control what type of metadata filters are applied to the search as well as any settings that may limit the search.

Find Command Commonly Used OPTION and EXPRESSION Combinations.

  • -user USERNAME: Matches files owned by the user USERNAME.
  • -group GROUPNAME: Matches files owned by the group GROUPNAME.
  • -readable: Matches files that are readable by the current user.
  • -writable: Matches files that are writable by the current user.
  • -executable: Matches files that are executable by the current user. In the case of directories, this will match any directory that the user can enter (x permission).
  • -perm NNNN: This will match any files that have exactly the NNNN permission. For example, -perm 0664 will match any files which the user and group can read and write to and which others can read (or rw-rw-r–). You can add a - before NNNN to check for files that have at least the permission specified. For example, -perm -644 would match files that have at least 644 (rw-r—​r–) permissions. This includes a file with 664 (rw-rw-r–) or even 775 (rwxrwx-r-x).
  • -empty: Will match empty files and directories.
  • -size N: Will match any files of N size, where N by default is a number of 512-byte blocks. You can add suffixes to N for other units: Nc will count the size in bytes, Nk in kibibytes (KiB, multiples of 1024 bytes), NM in mebibytes (MiB, multiples of 1024 * 1024) and NG for gibibytes (GiB, multiples of 1024 * 1024 * 1024). You can add the + or - prefixes (here meaning bigger than and smaller than) to search for relative sizes. For example, -size -10M will match any file less than 10 MiB in size.
  • -amin N-cmin N-mmin N: This will match files that have been accessed, had attributes changed or were modified (respectively) N minutes ago. For -cmin N any attribute change will cause a match, including a change in permissions, reading or writing to the file. This makes these parameters especially powerful, since practically any operation involving the file will trigger a match.
  • -atime N-ctime N-mtime N: This will match files that were accessed, had attributes changed or were modified N*24 hours ago. For -ctime N any attribute change will cause a match, including a change in permissions, reading or writing to the file. This makes these parameters especially powerful, since practically any operation involving the file will trigger a match.

Looking for files in the present working directory’s tree with a .txt file extension;

$ find . -name "*.txt"
./dejavu-fonts-ttf-2.37/unicover.txt
./dejavu-fonts-ttf-2.37/status.txt
./dejavu-fonts-ttf-2.37/langcover.txt
./fontawesome-free-5.14.0-web/LICENSE.txt

In the above output we notice that the -name option’s pattern uses quotation marks to avoid unpredictable results.

Using find utility with -maxdepth option will search only two directories: the current directory and one subdirectory level down;

$ find . -maxdepth 2 -name "*.txt"
./dejavu-fonts-ttf-2.37/unicover.txt
./dejavu-fonts-ttf-2.37/status.txt
./dejavu-fonts-ttf-2.37/langcover.txt
./fontawesome-free-5.14.0-web/LICENSE.txt

Using the find command to audit a server. The -perm option is useful for one of these audit types;

$ sudo find /usr/bin -perm /6000
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/wall
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/expiry
/usr/bin/sudo
/usr/bin/bsd-write
/usr/bin/su
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/chfn

In the above output, the /usr/bin directory is being audited for the potentially dangerous SUID permission by using the find utility and its -perm option. The expression used is /6000, which will ask the find utility to search for SUID settings (octal code 4) and, due to the forward slash (/) in front of the number, ignore the other file permissions (octal codes 000). The resulting filenames all legitimately use SUID, and thus, nothing suspicious is going on here.

Using find command to search for all files in the home directory (and subdirectories) whose name ends in .jpg;

$ find ~ -name "*.jpg"
/home/frank/Pictures/mypic.jpg
/home/frank/Pictures/linux.jpg
/home/frank/Pictures/frank.jpg
/home/frank/Pictures/hero.jpg

The above command will match any file whose last four characters of the name are .jpg, no matter what comes before it, as * is a wildcard. However, see what happens if another * is added at the end of the pattern;

$ find ~ -name "*.jpg*"
/home/frank/Pictures/mypic.jpg
/home/frank/Pictures/linux.jpg
/home/frank/Pictures/arch.jpg.zip
/home/frank/Pictures/frank.jpg
/home/frank/Pictures/hero.jpg

The file /home/frank/Pictures/arch.jpg.zip (highlighted above) was not included in the previous listing, because even if it contains .jpg on its name, it did not match the pattern as there where extra characters after it. The new pattern means “anything .jpg anything”, so it matches.

Finding files in the home directory which has been modified less than 24 hours ago and is smaller than 5 MiB;

$ find ~ -mtime -1 -size -5M
/home/frank
/home/frank/.vboxclient-draganddrop.pid
/home/frank/Pictures
/home/frank/Pictures/mypic.jpg
/home/frank/Pictures/linux.jpg
/home/frank/Pictures/bett.png
/home/frank/Pictures/frank.png
/home/frank/Pictures/arch.jpg.zip
/home/frank/Pictures/frank.jpg
/home/frank/Pictures/hero.jpg
/home/frank/.vboxclient-clipboard.pid
/home/frank/.local/share/tracker/data
/home/frank/.local/share/tracker/data/tracker-store.journal
/home/frank/.local/share/clipit/history
/home/frank/.local/share/xorg
/home/frank/.local/share/xorg/Xorg.0.log
/home/frank/.config/pulse/ad5374a0ad924145aa7e52553286d87e-default-source
/home/frank/.config/pulse/ad5374a0ad924145aa7e52553286d87e-default-sink
/home/frank/.vboxclient-display-svga-x11.pid
/home/frank/.vboxclient-seamless.pid
/home/frank/.cache/tracker/meta.db-wal
/home/frank/.cache/tracker/meta.db-shm

Using locate and updatedb Commands

A very convenient and simple utility to use in finding files is the locate program. This utility searches a database, mlocate.db, which is located in the /var/lib/mlocate/ directory, to determine if a particular file exists on the local system.

Syntax;

locate [OPTION]… PATTERN…

The syntax that the locate utility uses a pattern list to find files. Thus, you can employ partial filenames and regular expressions and, with the command options, ignore case.

locate Command’s Commonly Used Options

  • -A or --all: Display filenames that match all the patterns, instead of displaying files that match only one pattern in the pattern list.
  • -b or --basename: Display only filenames that match the pattern and do not include any directory names that match the pattern.
  • -c or --count: Display only the number of files whose name matches the pattern instead of displaying filenames.
  • -i or --ignore-case: Ignore case in the pattern for matching filenames.
  • -q or --quiet: Do not display any error messages, such as permission denied, when processing.
  • -r or --regexp R: Use the regular expression, R, instead of the pattern list to match filenames.
  • -w or --wholename: Display filenames that match the pattern and include any directory names that match the pattern. This is default behavior.

To find a file with the locate command, enter locate followed by the filename. If the file is on your system and you have permission to view it, the locate utility will display the file’s directory path and name.

Using the locate command to find a file;

$ sudo updatedb
$ locate classified.txt
/home/frank/Desktop/classified.txt

Using the locate command PATTERN can be a little tricky, due to default pattern file globbing. But if you want to search for the base name frank, with no file globbing, you must add quotation marks (single or double) around the pattern and precede the pattern with the \ character.

Using locate command with file globbing;

$ locate -b frank
/etc/systemd/system/media-frank.mount.old
/home/frank
/home/frank/.zcompdump-frank-5.8
/home/frank/.cache/p10k-dump-frank.zsh
/home/frank/.cache/p10k-dump-frank.zsh.zwc
/home/frank/.cache/p10k-frank
/home/frank/.cache/p10k-instant-prompt-frank.zsh
/home/frank/.cache/p10k-instant-prompt-frank.zsh.zwc
/home/frank/.gnupg/.#lk0x000055abf9fb1f20.frank.15380
/home/frank/Desktop/New frank
/home/frank/Desktop/New frank/frank
/opt/lampp/var/mysql/frank.err
/var/log/teamviewer15/frank

The above output shows what would happen if you allow the default file globbing to occur. Many more files are displayed than those named frank. So many files are displayed that the listing had to be snipped to fit.

Using locate command with no file globbing;

$ locate -b '\frank'
/home/frank
/home/frank/Desktop/New frank/frank
/var/log/teamviewer15/frank

In the above output, file globbing is turned off with the use of quotation marks and the \ character. Using this pattern with the locate utility provides the desired results of displaying files named frank.

Displaying filenames that match all the patterns;

$ locate -A buttons .zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/glas-blue.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/glas-green.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/glas-red.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/round-gorilla.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/round-white.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/simple.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/square-blue.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/square-gray.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/square-green.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/square-red.zip
/usr/lib/libreoffice/share/config/wizard/web/buttons/square-yellow.zip

The example above would show any file matching the buttons and .zip patterns.

Using locate to display only the number of files whose name matches the pattern instead of displaying filenames;

$ locate -c .zip
31

The above output shows that the no of .zip files is 31.

Using the locate command with a pattern list;

$ locate -b '\frank' '\group'
/etc/group
/etc/iproute2/group
/home/frank
/snap/core/10958/etc/group
/snap/core/10958/etc/iproute2/group
/snap/core/10958/usr/share/X11/xkb/symbols/group
/snap/core/10958/var/lib/extrausers/group
/snap/core/11081/etc/group
/snap/core/11081/etc/iproute2/group

Controlling the Behavior of updatedb

The behavior of updatedb can be controlled by the file /etc/updatedb.conf. This is a text file where each line controls one variable. Blank likes are ignored and lines that start with the # character are treated as comments.

updatedb.conf file;

$ cat /etc/updatedb.conf
PRUNE_BIND_MOUNTS="yes"
# PRUNENAMES=".git .bzr .hg .svn"
PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph /home/.ecryptfs /var/lib/schroot"
PRUNEFS="NFS afs autofs binfmt_misc ceph cgroup cgroup2 cifs coda configfs curlftpfs debugfs devfs devpts devtmpfs ecryptfs ftpfs fuse.ceph fuse.cryfs fuse.encfs fuse.glusterfs fuse.gvfsd-fuse fuse.mfs fuse.rozofs fuse.sshfs fusectl fusesmb hugetlbfs iso9660 lustre lustre_lite mfs mqueue ncpfs nfs nfs4 ocfs ocfs2 proc pstore rpc_pipefs securityfs shfs smbfs sysfs tmpfs tracefs udev udf usbfs"

The updatedb.conf file contents;

  • PRUNEFS=: Any filesystem types indicated after this parameter will not be scanned by updatedb. The list of types should be separated by spaces, and the types themselves are case-insensitive, so NFS and nfs are the same.
  • PRUNENAMES=: This is a space-separated list of directory names that should not be scanned by updatedb.
  • PRUNEPATHS=: This is a list of path names that should be ignored by updatedb. The path names must be separated by spaces and specified in the same way they would be shown by updatedb (for example, /var/spool /media)
  • PRUNE_BIND_MOUNTS=: This is a simple yes or no variable. If set to yes bind mounts (directories mounted elsewhere with the mount --bind command) will be ignored.

The mlocate.db database is updated via the updatedb utility.

Finding Binaries, Manual Pages and Source Code

Using which Command

The which command shows you the full path name of a shell command passed as an argument.

Using which command to find the program location;

$ which ls
/usr/bin/ls

The output above displays the full path name of /usr/bin/ls.

For shutdown Command;

$ which shutdown
/usr/sbin/shutdown

The shutdown utility is located in an sbin directory.

If the -a option is added the command will show all pathnames that match the executable;

$ which mkfs.ext4
/usr/sbin/mkfs.ext4

Now you can see the difference.

$ which -a mkfs.ext4
/usr/sbin/mkfs.ext4
/sbin/mkfs.ext4

Using whereis Command

The whereis utility allows you to locate any command’s program binaries and locate source code files as well as any manual pages.

Employing the whereis command;

$ whereis locate
locate: /usr/bin/locate /usr/bin/locate.findutils /usr/lib/x86_64-linux-gnu/locate /usr/share/man/man1/locate.1.gz

The results above include binaries (/usr/bin/locate) and compressed manual pages (/usr/share/man/man1/locate.1.gz).

You can quickly filter the results using commandline switches like -b, which will limit them to only the binaries, -m, which will limit them to only man pages, or -s, which will limit them to only the source code. Repeating the example above, you would get:

Showing Binaries;

$ whereis -b locate
locate: /usr/bin/locate /usr/bin/locate.findutils /usr/lib/x86_64-linux-gnu/locate

Showing Man Pages;

$ whereis -m locate
locate: /usr/share/man/man1/locate.1.gz

Using type Command

The type utility will display how a file is interpreted by the Bash shell if it is entered at the command line. Three categories it returns are alias, shell built-in, and external command (displaying its absolute directory reference).

The -a parameter works in the same way as in which, showing all pathnames that match the executable;

$ type -a locate
locate is /usr/bin/locate
locate is /bin/locate

The -t parameter will show the file type of the command which can be aliaskeywordfunctionbuiltin or file.

For an alias;

$ type -t ll
alias

For a file;

$ type -t locate
file

For a builtin;

$ type -t type
builtin

Conclusion

And that’s all about  How To Locate or Find Files on Linux Filesystems. We hope this guide was helpful.

Related Articles:

LPIC 101 – Maintaining The Integrity of Linux Filesystems

LPIC – 101 Managing Partitions and Filesystems on Linux

LPIC 101 – Managing File Permissions on Linux