Shell tips: различия между версиями
Sirmax (обсуждение | вклад) (Новая: Категория:Linux Категория:Shell Категория:Bash =Короткие заметки по shell-программированию=) |
Sirmax (обсуждение | вклад) |
||
Строка 3: | Строка 3: | ||
[[Категория:Bash]] |
[[Категория:Bash]] |
||
=Короткие заметки по shell-программированию= |
=Короткие заметки по shell-программированию= |
||
+ | |||
+ | ==find== |
||
+ | |||
+ | For example: |
||
+ | <PRE> |
||
+ | find . -mtime 0 # find files modified between now and 1 day ago |
||
+ | # (i.e., within the past 24 hours) |
||
+ | find . -mtime -1 # find files modified less than 1 day ago |
||
+ | # (i.e., within the past 24 hours, as before) |
||
+ | find . -mtime 1 # find files modified between 24 and 48 hours ago |
||
+ | find . -mtime +1 # find files modified more than 48 hours ago |
||
+ | |||
+ | find . -mmin +5 -mmin -10 # find files modified between |
||
+ | # 6 and 9 minutes ago |
||
+ | </PRE> |
||
+ | Using the "-printf" action instead of the default "-print" is useful to control the output format better than you can with ls or dir. You can use find with -printf to produce output that can easily be parsed by other utilities or imported into spreadsheets or databases. See the man page for the dozens of possibilities with the -printf action. (In fact find with -printf is more versatile than ls and is the preferred tool for forensic examiners even on Windows systems, to list file information.) For example the following displays non-hidden (no leading dot) files in the current directory only (no subdirectories), with an custom output format: |
||
+ | <PRE> |
||
+ | find . -maxdepth 1 -name '[!.]*' -printf 'Name: %16f Size: %6s\n' |
||
+ | </PRE> |
||
+ | "-maxdepth" is a Gnu extension. On a modern, POSIX version of find you could use this: |
||
+ | |||
+ | find . -path './*' -prune ... |
||
+ | |||
+ | On any version of find you can use this more complex (but portable) code: |
||
+ | <PRE> |
||
+ | find . ! -name . -prune ... |
||
+ | </PRE> |
||
+ | which says to "prune" (don't descend into) any directories except ".". |
||
+ | |||
+ | Note that "-maxdepth 1" will include "." unless you also specify "-mindepth 1". A portable way to include "." is: |
||
+ | <PRE> |
||
+ | find . \( -name . -o -prune \) ... |
||
+ | </PRE> |
||
+ | [This information posted by Stephane Chazelas, on 3/10/09 in newsgroup comp.unix.shell.] |
||
+ | |||
+ | As a system administrator you can use find to locate suspicious files (e.g., world writable files, files with no valid owner and/or group, SetUID files, files with unusual permissions, sizes, names, or dates). Here's a final more complex example (which I saved as a shell script): |
||
+ | <PRE> |
||
+ | find / -noleaf -wholename '/proc' -prune \ |
||
+ | -o -wholename '/sys' -prune \ |
||
+ | -o -wholename '/dev' -prune \ |
||
+ | -o -wholename '/windows-C-Drive' -prune \ |
||
+ | -o -perm -2 ! -type l ! -type s \ |
||
+ | ! \( -type d -perm -1000 \) -print |
||
+ | </PRE> |
||
+ | This says to seach the whole system, skipping the directories /proc, /sys, /dev, and /windows-C-Drive (presumably a Windows partition on a dual-booted computer). The Gnu -noleaf option tells find not to assume all remaining mounted filesystems are Unix file systems (you might have a mounted CD for instance). The "-o" is the Boolean OR operator, and "!" is the Boolean NOT operator (applies to the following criteria). |
||
+ | |||
+ | So these criteria say to locate files that are world writable ("-perm -2", same as "-o=w") and NOT symlinks ("! -type l") and NOT sockets ("! -type s") and NOT directories with the sticky (or text) bit set ("! \( -type d -perm -1000 \)"). (Symlinks, sockets and directories with the sticky bit set are often world-writable and generally not suspicious.) |
||
+ | |||
+ | A common request is a way to find all the hard links to some file. Using "ls -li file" will tell you how many hard links the file has, and the inode number. You can locate all pathnames to this file with: |
||
+ | <PRE> |
||
+ | find mount-point -xdev -inum inode-number |
||
+ | </PRE> |
||
+ | Since hard links are restricted to a single filesystem, you need to search that whole filesystem so you start the search at the filesystem's mount point. (This is likely to be either "/home" or "/" for files in your home directory.) The "-xdev" options tells find to not search any other filesystems. |
||
+ | |||
+ | (While most Unix and all Linux systems have a find command that supports the "-inum" criterion, this isn't POSIX standard. Older Unix systems provided the "ncheck" utility instead that could be used for this.) |
Версия 10:03, 20 августа 2010
Короткие заметки по shell-программированию
find
For example:
find . -mtime 0 # find files modified between now and 1 day ago # (i.e., within the past 24 hours) find . -mtime -1 # find files modified less than 1 day ago # (i.e., within the past 24 hours, as before) find . -mtime 1 # find files modified between 24 and 48 hours ago find . -mtime +1 # find files modified more than 48 hours ago find . -mmin +5 -mmin -10 # find files modified between # 6 and 9 minutes ago
Using the "-printf" action instead of the default "-print" is useful to control the output format better than you can with ls or dir. You can use find with -printf to produce output that can easily be parsed by other utilities or imported into spreadsheets or databases. See the man page for the dozens of possibilities with the -printf action. (In fact find with -printf is more versatile than ls and is the preferred tool for forensic examiners even on Windows systems, to list file information.) For example the following displays non-hidden (no leading dot) files in the current directory only (no subdirectories), with an custom output format:
find . -maxdepth 1 -name '[!.]*' -printf 'Name: %16f Size: %6s\n'
"-maxdepth" is a Gnu extension. On a modern, POSIX version of find you could use this:
find . -path './*' -prune ...
On any version of find you can use this more complex (but portable) code:
find . ! -name . -prune ...
which says to "prune" (don't descend into) any directories except ".".
Note that "-maxdepth 1" will include "." unless you also specify "-mindepth 1". A portable way to include "." is:
find . \( -name . -o -prune \) ...
[This information posted by Stephane Chazelas, on 3/10/09 in newsgroup comp.unix.shell.]
As a system administrator you can use find to locate suspicious files (e.g., world writable files, files with no valid owner and/or group, SetUID files, files with unusual permissions, sizes, names, or dates). Here's a final more complex example (which I saved as a shell script):
find / -noleaf -wholename '/proc' -prune \ -o -wholename '/sys' -prune \ -o -wholename '/dev' -prune \ -o -wholename '/windows-C-Drive' -prune \ -o -perm -2 ! -type l ! -type s \ ! \( -type d -perm -1000 \) -print
This says to seach the whole system, skipping the directories /proc, /sys, /dev, and /windows-C-Drive (presumably a Windows partition on a dual-booted computer). The Gnu -noleaf option tells find not to assume all remaining mounted filesystems are Unix file systems (you might have a mounted CD for instance). The "-o" is the Boolean OR operator, and "!" is the Boolean NOT operator (applies to the following criteria).
So these criteria say to locate files that are world writable ("-perm -2", same as "-o=w") and NOT symlinks ("! -type l") and NOT sockets ("! -type s") and NOT directories with the sticky (or text) bit set ("! \( -type d -perm -1000 \)"). (Symlinks, sockets and directories with the sticky bit set are often world-writable and generally not suspicious.)
A common request is a way to find all the hard links to some file. Using "ls -li file" will tell you how many hard links the file has, and the inode number. You can locate all pathnames to this file with:
find mount-point -xdev -inum inode-number
Since hard links are restricted to a single filesystem, you need to search that whole filesystem so you start the search at the filesystem's mount point. (This is likely to be either "/home" or "/" for files in your home directory.) The "-xdev" options tells find to not search any other filesystems.
(While most Unix and all Linux systems have a find command that supports the "-inum" criterion, this isn't POSIX standard. Older Unix systems provided the "ncheck" utility instead that could be used for this.)