Linux find Command: 25 Practical Examples You Will Use Daily

The find Command Anatomy

Before diving into examples, let's understand the structure of a find command:

find [starting-directory] [options] [expression]

• Starting directory: Where to begin the search. Use . for the current directory, / for the entire filesystem, or any specific path.
• Options: Control behaviour (e.g. -maxdepth, -mindepth, -follow).
• Expression: Tests that files must match (-name, -type, -size) and actions to take (-print, -exec, -delete).

1. Find by Name

# Exact name match
find /var/www -name "config.php"

# Wildcard match - all .log files
find /var/log -name "*.log"

# Case-insensitive match
find /home -iname "readme*"

# Find files starting with "backup"
find /opt -name "backup*"

# Find files NOT matching a pattern
find . -not -name "*.jpg"

2. Find by Type

# Regular files only
find . -type f

# Directories only
find . -type d

# Symbolic links only
find /usr -type l

# Block devices
find /dev -type b

# Named pipes (FIFO)
find /tmp -type p

3. Find by Size

# Files larger than 100 MB
find /var -type f -size +100M

# Files smaller than 1 KB (likely empty or near-empty)
find . -type f -size -1k

# Files exactly 50 MB
find . -type f -size 50M

# Files between 10 MB and 100 MB
find . -type f -size +10M -size -100M

# Find the 10 largest files in /var
find /var -type f -printf "%s\t%p\n" | sort -rn | head -10

4. Find by Modification Date

# Modified in the last 7 days
find /var/www -mtime -7

# Modified more than 30 days ago
find /tmp -mtime +30

# Modified exactly 1 day ago
find . -mtime 1

# Accessed in the last 24 hours
find /var/log -atime -1

# Changed (metadata) in last 2 days
find . -ctime -2

# Newer than a reference file
find . -newer /etc/nginx/nginx.conf

# Modified in the last 60 minutes
find /var/log -mmin -60

5. Find by Permissions

# World-writable files (security risk)
find /var/www -type f -perm -o+w

# SUID files (can be a security concern)
find / -type f -perm /4000 2>/dev/null

# SGID files
find / -type f -perm /2000 2>/dev/null

# Files with exact permission 644
find . -type f -perm 644

# Files that are executable
find /usr/bin -type f -perm /u+x

# Directories with sticky bit set
find / -type d -perm /1000 2>/dev/null

6. Find by Ownership

# Files owned by a specific user
find /var/www -user www-data

# Files owned by a specific group
find /var/www -group www-data

# Files NOT owned by root
find /etc -not -user root

# Files without a valid owner (orphaned files)
find / -nouser 2>/dev/null

# Files without a valid group
find / -nogroup 2>/dev/null

7. Limit Search Depth

# Only search in the current directory (no subdirectories)
find . -maxdepth 1 -name "*.conf"

# Search up to 3 levels deep
find /etc -maxdepth 3 -name "*.conf"

# Start from depth 2 (skip top level)
find . -mindepth 2 -name "*.log"

8. Combine Multiple Conditions

# AND - both conditions must match (default behaviour)
find . -name "*.php" -size +1M

# OR - either condition matches
find . -name "*.jpg" -o -name "*.png"

# NOT - exclude matching files
find . -not -name "*.bak"

# Parentheses for grouping (escape required in shell)
find . \( -name "*.jpg" -o -name "*.png" \) -size +1M

9. Execute Actions with -exec

The -exec flag is what makes find truly powerful. It runs a command on every matching file. The {} placeholder is replaced by the filename, and \; terminates the command.

# Change permissions on all PHP files
find /var/www -name "*.php" -exec chmod 644 {} \;

# Delete all .tmp files
find /tmp -name "*.tmp" -type f -exec rm {} \;

# Move log files to archive
find /var/log -name "*.log.1" -exec mv {} /archive/ \;

# Compress old log files
find /var/log -name "*.log" -mtime +7 -exec gzip {} \;

# Print details of large files (like ls -lh)
find . -size +50M -exec ls -lh {} \;

# Run multiple commands with sh -c
find . -name "*.bak" -exec sh -c 'echo "Removing: $1"; rm "$1"' _ {} \;

Use -exec ... {} + instead of \; to batch files and run the command once with multiple arguments - much faster for operations on many files:

# Faster: chmod runs once with all matching files as arguments
find /var/www -name "*.php" -exec chmod 644 {} +

10. Use -delete for Fast Deletion

The -delete action is more efficient than -exec rm and also safer (always test with -print first):

# Preview what will be deleted
find /tmp -name "*.tmp" -mtime +7 -print

# Then delete
find /tmp -name "*.tmp" -mtime +7 -delete

# Delete empty directories
find . -type d -empty -delete

Always run find ... -print first to preview results before using -delete or -exec rm. Recursive deletion cannot be undone.

11. Real Sysadmin Use Cases

# Find all PHP webshells (suspicious: executable PHP in upload dirs)
find /var/www/uploads -name "*.php" -type f

# Find config files modified in the last 24 hours (detect unauthorized changes)
find /etc -name "*.conf" -mtime -1

# Disk space audit - find files larger than 500 MB
find / -type f -size +500M -printf "%s\t%p\n" 2>/dev/null | sort -rn

# Find world-writable directories (security hardening)
find /var/www -type d -perm -o+w

# Clean up old session files (PHP sessions)
find /var/lib/php/sessions -type f -mtime +7 -delete

# Find broken symlinks
find /usr -xtype l 2>/dev/null

# Count files in each subdirectory
find . -maxdepth 1 -type d | while read d; do echo "$d: $(find "$d" -type f | wc -l)"; done

# Find duplicate filenames (same name, different paths)
find . -type f -printf "%f\n" | sort | uniq -d

Step-by-Step: Auditing an Upload Directory

This is a common security task. You want to find any executable or PHP files that should not be in an upload directory:

1. List all non-image files: find /var/www/uploads -type f -not \( -name "*.jpg" -o -name "*.png" -o -name "*.gif" -o -name "*.pdf" \)
2. Find any PHP files: find /var/www/uploads -name "*.php" -o -name "*.phtml" -o -name "*.php5"
3. Find executable files: find /var/www/uploads -type f -perm /111
4. Check file sizes (scripts are usually small): find /var/www/uploads -type f -size -10k -printf "%s\t%p\n"
5. Remove dangerous files: After reviewing, delete them with -delete or move to quarantine with -exec mv {} /tmp/quarantine/ \;

Frequently Asked Questions

What is the difference between find -name and find -iname?

-name is case-sensitive: find . -name "README.md" will not match readme.md. -iname is case-insensitive and matches both. On Linux filesystems (ext4, xfs), filenames are case-sensitive, so README.md and readme.md can coexist as different files. Use -iname when you are unsure about the case of the filename you are searching for.

How do I suppress "Permission denied" errors in find output?

Redirect stderr to /dev/null: find / -name "*.conf" 2>/dev/null. This discards permission errors while still printing results. Alternatively, run find with sudo to search directories you normally cannot read.

What is the difference between -mtime, -atime, and -ctime?

-mtime filters by modification time (file contents changed). -atime filters by access time (file was read). -ctime filters by change time (metadata changed: permissions, owner, or content). For security audits, -mtime and -ctime are most useful. Note: many systems mount with noatime to avoid performance overhead, so -atime may not be reliable.

How do I find and count files matching a pattern?

Pipe the output to wc -l: find . -name "*.log" | wc -l. This counts the number of matching files. To count total size, use: find . -name "*.log" -exec du -ch {} + | tail -1

Is find -exec or xargs faster for processing many files?

For large numbers of files, xargs with find -print0 is generally faster because it batches files into fewer command invocations. Use find . -name "*.log" -print0 | xargs -0 rm instead of find . -name "*.log" -exec rm {} \;. The -print0/-0 pair handles filenames with spaces safely.

Use our free tool here → Chmod Calculator to compute the correct permission values after auditing files with find.