In our today’s guide, we are going to learn how to locate and find files on Linux filesystem. Linux distributions come in all shapes and sizes, but one thing that almost all of them share is that they follow the Filesystem Hierarchy Standard (FHS), which defines a standard layout for the filesystem thus making interoperation and system administration much easier. As a good System Administrator you should know important various methods of locating and finding files in order to solve problem quickly. It will also save your time as you perform your administrative tasks.
Understanding The Filesystem Hierarchy Standard
Sometimes, trying to locate files on your Linux system is tricky. Fortunately, there’s a standard file location guide for the Linux called the Linux filesystem hierarchy standard (FHS) that can offer assistance. The FHS defines core folder names and locations that should be present on every Linux system and what type of data they should contain.
The basic directory structure is as follows;
/: This is the root directory, the topmost directory in the hierarchy. Every other directory is located inside it. A filesystem is often compared to a “tree”, so this would be the “trunk” to which all branches are connected.
/bin: Essential binaries, available to all users.
/boot: Files needed by the boot process, including the Initial RAM Disk (initrd) and the Linux kernel itself.
/dev: Device files. These can be either physical devices connected to the system (for example,
/dev/sdawould be the first SCSI or SATA disk) or virtual devices provided by the kernel.
/etc: Host-specific configuration files. Programs may create subdirectories under
/etcto store multiple configuration files if needed.
/home: Each user in the system has a “home” directory to store personal files and preferences, and most of them are located under
/home. Usually, the home directory is the same as the username, so the user John would have his directory under
/home/john. The exceptions are the superuser (root), which has a separate directory (
/root) and some system users.
/lib: Shared libraries needed to boot the operating system and to run the binaries under
/media: User-mountable removable media, like flash drives, CD and DVD-ROM readers, floppy disks, memory cards and external disks are mounted under here.
/mnt: Mount point for temporarily mounted filesystems.
/opt: Application software packages.
/root: Home directory for the superuser (root).
/run: Run-time variable data.
/sbin: System binaries.
/srv: Data served by the system. For example, the pages served by a web server could be stored under
/tmp: Temporary files.
/usr: Read-only user data, including data needed by some secondary utilities and applications.
/proc: Virtual filesystem containing data related to running processes.
/var: Variable data written during system operation, including print queue, log data, mailboxes, temporary files, browser cache, etc.
You should know that some of those directories, like
/var, contain a whole hierarchy of subdirectories under them.
Employing Various Tools to Find and Locate Files
Besides using the FHS as a guide, there are many ways to find files on your Linux system. We are going to explore several tools that assist in locating files below.
Using Find Command
find command is very flexible. It allows you to locate files based on data, such as who owns the file, when the file was last modified, permissions set on the file, and so on.
find [PATH…] [OPTION] [EXPRESSION]
PATH argument: is a starting point directory, because you designate a starting point in a directory tree and find will search through that directory and all its subdirectories (recursively) for the file or files you seek. You can use a single period (.) to designate your present working directory as the starting point directory.
EXPRESSIONcommand argument and its preceding
OPTIONcontrol what type of metadata filters are applied to the search as well as any settings that may limit the search.
Find Command Commonly Used OPTION and EXPRESSION Combinations.
-user USERNAME: Matches files owned by the user
-group GROUPNAME: Matches files owned by the group
-readable: Matches files that are readable by the current user.
-writable: Matches files that are writable by the current user.
-executable: Matches files that are executable by the current user. In the case of directories, this will match any directory that the user can enter (
-perm NNNN: This will match any files that have exactly the NNNN permission. For example,
-perm 0664will match any files which the user and group can read and write to and which others can read (or rw-rw-r–). You can add a
-before NNNN to check for files that have at least the permission specified. For example,
-perm -644would match files that have at least
644(rw-r—r–) permissions. This includes a file with
664(rw-rw-r–) or even
-empty: Will match empty files and directories.
-size N: Will match any files of
Nby default is a number of 512-byte blocks. You can add suffixes to
Nfor other units:
Ncwill count the size in bytes,
Nkin kibibytes (KiB, multiples of 1024 bytes),
NMin mebibytes (MiB, multiples of 1024 * 1024) and
NGfor gibibytes (GiB, multiples of 1024 * 1024 * 1024). You can add the
-prefixes (here meaning bigger than and smaller than) to search for relative sizes. For example, -size -10M will match any file less than 10 MiB in size.
-mmin N: This will match files that have been accessed, had attributes changed or were modified (respectively) N minutes ago. For
-cmin Nany attribute change will cause a match, including a change in permissions, reading or writing to the file. This makes these parameters especially powerful, since practically any operation involving the file will trigger a match.
-mtime N: This will match files that were accessed, had attributes changed or were modified N*24 hours ago. For
-ctime Nany attribute change will cause a match, including a change in permissions, reading or writing to the file. This makes these parameters especially powerful, since practically any operation involving the file will trigger a match.
Looking for files in the present working directory’s tree with a .txt file extension;
$ find . -name "*.txt" ./dejavu-fonts-ttf-2.37/unicover.txt ./dejavu-fonts-ttf-2.37/status.txt ./dejavu-fonts-ttf-2.37/langcover.txt ./fontawesome-free-5.14.0-web/LICENSE.txt
In the above output we notice that the
-name option’s pattern uses quotation marks to avoid unpredictable results.
find utility with
-maxdepth option will search only two directories: the current directory and one subdirectory level down;
$ find . -maxdepth 2 -name "*.txt" ./dejavu-fonts-ttf-2.37/unicover.txt ./dejavu-fonts-ttf-2.37/status.txt ./dejavu-fonts-ttf-2.37/langcover.txt ./fontawesome-free-5.14.0-web/LICENSE.txt
find command to audit a server. The
-perm option is useful for one of these audit types;
$ sudo find /usr/bin -perm /6000 /usr/bin/passwd /usr/bin/chsh /usr/bin/umount /usr/bin/crontab /usr/bin/pkexec /usr/bin/wall /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/mount /usr/bin/expiry /usr/bin/sudo /usr/bin/bsd-write /usr/bin/su /usr/bin/fusermount /usr/bin/chage /usr/bin/ssh-agent /usr/bin/chfn
In the above output, the /usr/bin directory is being audited for the potentially dangerous SUID permission by using the find utility and its
-perm option. The expression used is /6000, which will ask the find utility to search for SUID settings (octal code 4) and, due to the forward slash (/) in front of the number, ignore the other file permissions (octal codes 000). The resulting filenames all legitimately use SUID, and thus, nothing suspicious is going on here.
find command to search for all files in the home directory (and subdirectories) whose name ends in
$ find ~ -name "*.jpg" /home/frank/Pictures/mypic.jpg /home/frank/Pictures/linux.jpg /home/frank/Pictures/frank.jpg /home/frank/Pictures/hero.jpg
The above command will match any file whose last four characters of the name are
.jpg, no matter what comes before it, as
* is a wildcard. However, see what happens if another
* is added at the end of the pattern;
$ find ~ -name "*.jpg*" /home/frank/Pictures/mypic.jpg /home/frank/Pictures/linux.jpg /home/frank/Pictures/arch.jpg.zip /home/frank/Pictures/frank.jpg /home/frank/Pictures/hero.jpg
/home/frank/Pictures/arch.jpg.zip (highlighted above) was not included in the previous listing, because even if it contains
.jpg on its name, it did not match the pattern as there where extra characters after it. The new pattern means “anything
.jpg anything”, so it matches.
Finding files in the home directory which has been modified less than 24 hours ago and is smaller than 5 MiB;
$ find ~ -mtime -1 -size -5M /home/frank /home/frank/.vboxclient-draganddrop.pid /home/frank/Pictures /home/frank/Pictures/mypic.jpg /home/frank/Pictures/linux.jpg /home/frank/Pictures/bett.png /home/frank/Pictures/frank.png /home/frank/Pictures/arch.jpg.zip /home/frank/Pictures/frank.jpg /home/frank/Pictures/hero.jpg /home/frank/.vboxclient-clipboard.pid /home/frank/.local/share/tracker/data /home/frank/.local/share/tracker/data/tracker-store.journal /home/frank/.local/share/clipit/history /home/frank/.local/share/xorg /home/frank/.local/share/xorg/Xorg.0.log /home/frank/.config/pulse/ad5374a0ad924145aa7e52553286d87e-default-source /home/frank/.config/pulse/ad5374a0ad924145aa7e52553286d87e-default-sink /home/frank/.vboxclient-display-svga-x11.pid /home/frank/.vboxclient-seamless.pid /home/frank/.cache/tracker/meta.db-wal /home/frank/.cache/tracker/meta.db-shm
Using locate and updatedb Commands
A very convenient and simple utility to use in finding files is the
locate program. This utility searches a database,
mlocate.db, which is located in the /var/lib/mlocate/ directory, to determine if a particular file exists on the local system.
locate [OPTION]… PATTERN…
The syntax that the
locate utility uses a pattern list to find files. Thus, you can employ partial filenames and regular expressions and, with the command options, ignore case.
locate Command’s Commonly Used Options
--all: Display filenames that match all the patterns, instead of displaying files that match only one pattern in the pattern list.
--basename: Display only filenames that match the pattern and do not include any directory names that match the pattern.
--count: Display only the number of files whose name matches the pattern instead of displaying filenames.
--ignore-case: Ignore case in the pattern for matching filenames.
--quiet: Do not display any error messages, such as permission denied, when processing.
--regexp R: Use the regular expression, R, instead of the pattern list to match filenames.
--wholename: Display filenames that match the pattern and include any directory names that match the pattern. This is default behavior.
To find a file with the
locate command, enter
locate followed by the
filename. If the file is on your system and you have permission to view it, the
locate utility will display the file’s directory path and name.
locate command to find a file;
$ sudo updatedb $ locate classified.txt /home/frank/Desktop/classified.txt
PATTERN can be a little tricky, due to default pattern file globbing. But if you want to search for the base name frank, with no file globbing, you must add quotation marks (single or double) around the pattern and precede the pattern with the
locate command with file globbing;
$ locate -b frank /etc/systemd/system/media-frank.mount.old /home/frank /home/frank/.zcompdump-frank-5.8 /home/frank/.cache/p10k-dump-frank.zsh /home/frank/.cache/p10k-dump-frank.zsh.zwc /home/frank/.cache/p10k-frank /home/frank/.cache/p10k-instant-prompt-frank.zsh /home/frank/.cache/p10k-instant-prompt-frank.zsh.zwc /home/frank/.gnupg/.#lk0x000055abf9fb1f20.frank.15380 /home/frank/Desktop/New frank /home/frank/Desktop/New frank/frank /opt/lampp/var/mysql/frank.err /var/log/teamviewer15/frank
The above output shows what would happen if you allow the default file globbing to occur. Many more files are displayed than those named frank. So many files are displayed that the listing had to be snipped to fit.
locate command with no file globbing;
$ locate -b '\frank' /home/frank /home/frank/Desktop/New frank/frank /var/log/teamviewer15/frank
In the above output, file globbing is turned off with the use of quotation marks and the
\ character. Using this pattern with the
locate utility provides the desired results of displaying files named frank.
Displaying filenames that match all the patterns;
$ locate -A buttons .zip /usr/lib/libreoffice/share/config/wizard/web/buttons/glas-blue.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/glas-green.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/glas-red.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/round-gorilla.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/round-white.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/simple.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/square-blue.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/square-gray.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/square-green.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/square-red.zip /usr/lib/libreoffice/share/config/wizard/web/buttons/square-yellow.zip
The example above would show any file matching the
locate to display only the number of files whose name matches the pattern instead of displaying filenames;
$ locate -c .zip 31
The above output shows that the no of
.zip files is
locate command with a pattern list;
$ locate -b '\frank' '\group' /etc/group /etc/iproute2/group /home/frank /snap/core/10958/etc/group /snap/core/10958/etc/iproute2/group /snap/core/10958/usr/share/X11/xkb/symbols/group /snap/core/10958/var/lib/extrausers/group /snap/core/11081/etc/group /snap/core/11081/etc/iproute2/group
Controlling the Behavior of updatedb
The behavior of
updatedb can be controlled by the file
/etc/updatedb.conf. This is a text file where each line controls one variable. Blank likes are ignored and lines that start with the
# character are treated as comments.
$ cat /etc/updatedb.conf PRUNE_BIND_MOUNTS="yes" # PRUNENAMES=".git .bzr .hg .svn" PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph /home/.ecryptfs /var/lib/schroot" PRUNEFS="NFS afs autofs binfmt_misc ceph cgroup cgroup2 cifs coda configfs curlftpfs debugfs devfs devpts devtmpfs ecryptfs ftpfs fuse.ceph fuse.cryfs fuse.encfs fuse.glusterfs fuse.gvfsd-fuse fuse.mfs fuse.rozofs fuse.sshfs fusectl fusesmb hugetlbfs iso9660 lustre lustre_lite mfs mqueue ncpfs nfs nfs4 ocfs ocfs2 proc pstore rpc_pipefs securityfs shfs smbfs sysfs tmpfs tracefs udev udf usbfs"
The updatedb.conf file contents;
PRUNEFS=: Any filesystem types indicated after this parameter will not be scanned by
updatedb. The list of types should be separated by spaces, and the types themselves are case-insensitive, so
nfsare the same.
PRUNENAMES=: This is a space-separated list of directory names that should not be scanned by
PRUNEPATHS=: This is a list of path names that should be ignored by
updatedb. The path names must be separated by spaces and specified in the same way they would be shown by
PRUNE_BIND_MOUNTS=: This is a simple
novariable. If set to
yesbind mounts (directories mounted elsewhere with the
mount --bindcommand) will be ignored.
mlocate.db database is updated via the
Finding Binaries, Manual Pages and Source Code
Using which Command
which command shows you the full path name of a shell command passed as an argument.
which command to find the program location;
$ which ls /usr/bin/ls
The output above displays the full path name of
For shutdown Command;
$ which shutdown /usr/sbin/shutdown
shutdown utility is located in an sbin directory.
-a option is added the command will show all pathnames that match the executable;
$ which mkfs.ext4 /usr/sbin/mkfs.ext4
Now you can see the difference.
$ which -a mkfs.ext4 /usr/sbin/mkfs.ext4 /sbin/mkfs.ext4
Using whereis Command
whereis utility allows you to locate any command’s program binaries and locate source code files as well as any manual pages.
$ whereis locate locate: /usr/bin/locate /usr/bin/locate.findutils /usr/lib/x86_64-linux-gnu/locate /usr/share/man/man1/locate.1.gz
The results above include binaries (
/usr/bin/locate) and compressed manual pages (
You can quickly filter the results using commandline switches like
-b, which will limit them to only the binaries,
-m, which will limit them to only man pages, or
-s, which will limit them to only the source code. Repeating the example above, you would get:
$ whereis -b locate locate: /usr/bin/locate /usr/bin/locate.findutils /usr/lib/x86_64-linux-gnu/locate
Showing Man Pages;
$ whereis -m locate locate: /usr/share/man/man1/locate.1.gz
Using type Command
type utility will display how a file is interpreted by the Bash shell if it is entered at the command line. Three categories it returns are alias, shell built-in, and external command (displaying its absolute directory reference).
-a parameter works in the same way as in
which, showing all pathnames that match the executable;
$ type -a locate locate is /usr/bin/locate locate is /bin/locate
-t parameter will show the file type of the command which can be
For an alias;
$ type -t ll alias
For a file;
$ type -t locate file
For a builtin;
$ type -t type builtin
And that’s all about How To Locate or Find Files on Linux Filesystems. We hope this guide was helpful.