Tuesday, July 27, 2004

Finding the hard links to a file using find

% ls -li /usr/bin/at
lists the inode number in the first column and shows that there are 4 links to the file.

% df /usr/bin/at
will give the filesystem on which this file resides.

% find /usr -xdev -inum 8041 -print
Start the find at the top of that filesystem, use -xdev to restrict the search to that filesystem only, and use the inode number to find the various files that use the same inode.
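The three steps above combined into one function, as an added example that is not part of the original notes. The function name `hardlinks` and its optional second argument (a narrower directory to search) are assumptions made here.

```sh
#!/bin/sh
# hardlinks FILE [ROOT]: print every path that shares FILE's inode.
# ROOT defaults to the mount point of FILE's filesystem (taken from df -P);
# pass a narrower ROOT to avoid walking the whole filesystem.
hardlinks() {
    file=$1
    [ -e "$file" ] || { echo "hardlinks: $file: no such file" >&2; return 1; }

    # Step 1: inode number (first field of ls -di), link count (ls -ld).
    inum=$(ls -di -- "$file" | awk '{print $1}')
    nlink=$(ls -ld -- "$file" | awk '{print $2}')

    # Step 2: the mount point is the last field of the second line of df -P
    # (this parsing assumes the mount point contains no spaces).
    root=${2:-$(df -P -- "$file" | awk 'NR==2 {print $NF}')}

    echo "inode $inum, $nlink link(s), searching $root" >&2

    # Step 3: inode numbers are unique only within one filesystem, so -xdev
    # keeps find from reporting an unrelated file with the same number.
    find "$root" -xdev -inum "$inum" -print
}

# Constructed demo: one file with two extra hard links in a scratch directory.
demo=$(mktemp -d)
echo data > "$demo/orig"
ln "$demo/orig" "$demo/link1"
mkdir "$demo/sub" && ln "$demo/orig" "$demo/sub/link2"
hardlinks "$demo/orig" "$demo"      # prints orig, link1 and sub/link2
rm -rf "$demo"
```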

Monday, July 26, 2004

find and -exec and other options

% find . -exec echo {} \;
The ';' is also used by the shell, so it is necessary to escape the character with a backslash or quotes.

% find `pwd` -type d -group staff -exec find {} -type l -print \;
The above command lists every symbolic link in every directory owned by the group staff under the current directory.

% find . -perm -20 -exec chmod g-w {} \;
or:
% find . -perm -20 -print | xargs chmod g-w
is used to search for all files with group-write permission under the current directory and to remove the permission.
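An added example (not from the original notes) showing how the `-print | xargs` form above misbehaves on file names that contain spaces or newlines, next to an `-exec ... {} +` form that handles them. The function names and the scratch files are constructed for illustration.

```sh
#!/bin/sh
# Two ways to remove group-write permission from everything below DIR.

# Fragile: xargs splits its input on blanks and newlines, so "two words.txt"
# reaches chmod as two separate arguments, "DIR/two" and "words.txt".
strip_gw_xargs() {
    find "$1" -perm -20 -print | xargs chmod g-w
}

# Robust: find hands each path to chmod as one argument, whatever characters
# it contains, and "{} +" still batches many paths per chmod call.
# ! -type l skips symbolic links, because chmod would follow them and change
# the target, which may lie outside DIR.
strip_gw_exec() {
    find "$1" ! -type l -perm -20 -exec chmod g-w {} +
}

# perms FILE: permission string of FILE (first field of ls -ld).
perms() { ls -ld -- "$1" | awk '{print $1}'; }

# Constructed demo: a plain name, a name with a space, a name with a newline.
demo=$(mktemp -d)
nl='
'
for f in plain.txt "two words.txt" "line${nl}break.txt"; do
    : > "$demo/$f" && chmod 664 "$demo/$f"
done

strip_gw_xargs "$demo" 2>/dev/null || echo "xargs form: chmod failed on some names"
echo "after xargs: $(perms "$demo/two words.txt")"   # group write still set
strip_gw_exec "$demo"
echo "after -exec: $(perms "$demo/two words.txt")"   # group write removed
rm -rf "$demo"
```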

If you accidentally created a file with a control character in it, and cannot delete it, then it can be done using find and -exec, with input from the command `ls -il` in the following way:
% find . -inum 31246 -exec rm {} ';'

To rename some files from {} to {}.orig, the following shell script comes in handy (GNU find can do it by itself with find . -group staff -exec mv {} {}.orig \;):
$ find ... -print |
> while IFS= read -r file
> do mv "$file" "$file.orig"
> done

% find . -exec beauty {} \; -print
If you have a program called beauty that returns 0 if a file is beautiful, and non-zero otherwise, then this command prints the names of all beautiful files.

% find . -name "*.[ch]" -exec beauty {} \; -print

% find . -name \*.cc -exec grep -n "GetRaw(" {} \; -print

Finding many things with one command:
% find . \( -type d -a -exec chmod 771 {} \; \) -o \( -name "*.sh" -a -exec chmod 600 {} \; \) -o \( -name "*.txt" -a -exec chmod 644 {} \; \)

% find . -name "*.c" -print
Multiple operators are ANDed by default.

% find . -type f -print | xargs ls -l

% find . -size 1234c -print
The c is used to specify the size in bytes.

% find . -size +100000c -size -320000 -print
When more than one operator is given, both must be true.

To find all directories with group write permission:
% find . -type d -perm -20 -print
The above command will match the following permissions: 777, 775, 666, 664, 660.

To find files that are set user ID root:
% find . -user root -perm -4000 -print

To find files that are set group ID staff:
% find . -group staff -perm -2000 -print
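One way to turn the two searches above into a repeatable check, as an added example that is not part of the original notes: list every set-user-ID or set-group-ID file under a directory and report the ones missing from a saved baseline. It goes beyond the two commands above by covering every owner and group, not only root and staff; the function names and the baseline format (one `mode uid gid path` line per file) are assumptions made here.

```sh
#!/bin/sh
# suid_list DIR: one line per set-user-ID or set-group-ID regular file under
# DIR, as "mode uid gid path", sorted so that two listings can be compared.
# ls -n prints numeric IDs (uid 0 is root); LC_ALL=C fixes the column layout.
suid_list() {
    LC_ALL=C find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldn -- {} + |
    awk '{ printf "%s %s %s ", $1, $3, $4
           # the path is everything from field 9 onwards
           for (i = 9; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }' |
    LC_ALL=C sort
}

# suid_new DIR BASELINE: lines present now but absent from BASELINE, that is,
# set-ID files that appeared or changed mode or ownership since the baseline.
suid_new() {
    cur=$(mktemp)
    suid_list "$1" > "$cur"
    LC_ALL=C comm -13 "$2" "$cur"
    rm -f "$cur"
}

# Constructed demo: a scratch tree whose baseline holds one set-user-ID file;
# a second set-user-ID file is added after the baseline was taken.
demo=$(mktemp -d); base=$(mktemp)
: > "$demo/known" && chmod 4755 "$demo/known"
: > "$demo/plain" && chmod 755 "$demo/plain"
suid_list "$demo" > "$base"
: > "$demo/added" && chmod 4755 "$demo/added"
suid_new "$demo" "$base"     # prints only the line for .../added
rm -rf "$demo" "$base"
```

Names containing a newline, or runs of several spaces, are not preserved exactly by this line-based listing.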

Normal find (not GNU find) will not let this work:
% find . -type d -exec mkdir /usr/project/{} \;
Instead, you should do something like:
% find . -type d -print | sed 's@^@/usr/project/@' | xargs mkdir

% egrep '^[0-9].*SALE PRICE' `find . -type f -print`

mounting as a loopback device

Securityfocus Forensics thread:

http://www.securityfocus.com/archive/104/317858/2003-04-03/2003-04-09/1
Link: http://talk.trekweb.com/~jasonb/articles/linux_loopback.shtml

fdisk -l

Lists the partition details from the command prompt.

Ex:

[root@localhost grub]# fdisk -l

Disk /dev/hda: 255 heads, 63 sectors, 4864 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1      2432  19535008+   7  HPFS/NTFS
/dev/hda2          2433      4864  19535040    f  Win95 Ext'd (LBA)
/dev/hda5          2433      4813  19125351   83  Linux
/dev/hda6          4814      4864    409626   82  Linux swap

Sunday, July 25, 2004

touch and find

To create a file dated 4 p.m., March 20, give the command:

% touch -t 03201600 /tmp/4pmyesterday

Then to find the files created or modified after this (-newer compares modification times):

% find . -newer /tmp/4pmyesterday -print

For files created between 10:46 a.m. on July 3, 1999 and 9:37 p.m. on June 4, 2001:

% touch -t 199907031046 /tmp/file1
% touch -t 200106042137 /tmp/file2
% find . -newer /tmp/file1 \! -newer /tmp/file2 -print
% rm /tmp/file[12]

Saturday, July 24, 2004

xargs

xargs executes its arguments as a command and reads standard input to specify arguments to that command.

% find / -print | xargs ls -ld

du - disk usage for all files

du : displays disk space usage by all the files, and does it recursively.

du -h : shows it in a human readable form: 12K or 1.2G etc.

find

% find path operators

operators:
-name burst
-type d
-user root
-perm 705

find . -name "*.o" -ok rm {} \;
find . -name "*.o" -exec rm {} \;

ls -l `find . -print` // Command Substitution
find . -ls


Thursday, July 22, 2004

RUF: Reading unmounted filesystems

./ruf /dev/hda7

The utility can read files from a damaged file system. Since the utility attempts to read only those structures it requires, damaged areas of the disk can be avoided. Files can be accessed by their inode number alone, bypassing damage to structures above it in the directory hierarchy.

mke2fs to format partitions

mke2fs -i 8825 /dev/hda7

This formats /dev/hda7 with a particular number of inodes per group.

From the mke2fs manpage:

-i bytes-per-inode
Specify the bytes/inode ratio. mke2fs creates an inode for every bytes-per-inode bytes of space on the disk. The larger the bytes-per-inode ratio, the fewer inodes will be created. This value generally shouldn't be smaller than the blocksize of the filesystem, since then too many inodes will be made. Be warned that it is not possible to expand the number of inodes on a filesystem after it is created, so be careful deciding the correct value for this parameter.

I wanted two partitions formatted similarly with respect to certain parameters. The number of block groups will differ based on the size of the partition, but the number of inodes in each block group had to be the same in both partitions. This is needed to avoid problems while copying datablocks from the src partition to the dest partition. When I copy an inode (with inode number 'n' say) from srcDisk to destDisk, I will look for the offset of inode 'n' in the dest disk using the information read from the superblock of the destination partition. But when I find a block number say '100' in inode 'n' and try to copy that block's contents in the source disk to block '100' of the destination disk, I do not want to overwrite some inodes' contents of the destination disk in the process. So, we can make sure that if block 100 stores data in the source disk, block 100 of the destination disk also stores data, and not inodes or other control structures.

The magic number 8825 is for one particular case. I had to find that number by trial and error.
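The layout requirement described above can be checked before any blocks are copied by reading the relevant superblock fields from both partitions. This is an added example, not the author's tool: the function names are made up here, the field offsets are those of the standard ext2 superblock (which starts 1024 bytes into the partition), `od` is assumed to run on a little-endian host, and the demo images are constructed files that contain only those fields.

```sh
#!/bin/sh
# sb_field IMAGE OFFSET: unsigned 32-bit superblock field at byte OFFSET.
# The ext2 superblock starts 1024 bytes into the partition or image file.
sb_field() {
    dd if="$1" bs=1 skip=$((1024 + $2)) count=4 2>/dev/null |
        od -An -tu4 | tr -d ' \n'
}

# sb_layout IMAGE: print "log_block_size blocks_per_group inodes_per_group";
# fail if the 16-bit magic number at offset 56 is not 0xEF53.
sb_layout() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx2 | tr -d ' \n')
    [ "$magic" = ef53 ] || { echo "$1: no ext2 magic (got '$magic')" >&2; return 1; }
    echo "$(sb_field "$1" 24) $(sb_field "$1" 32) $(sb_field "$1" 40)"
}

# same_layout SRC DST: succeed only if both superblocks report the same block
# size, blocks per group and inodes per group (the precondition in the notes).
same_layout() {
    src=$(sb_layout "$1") && dst=$(sb_layout "$2") || return 1
    echo "src: $src"; echo "dst: $dst"
    [ "$src" = "$dst" ]
}

# Demo helpers (constructed data): put32 writes VALUE little-endian at OFFSET,
# mk_demo builds a 4 KiB file holding only the superblock fields read above.
put32() {   # put32 FILE OFFSET VALUE
    bytes=$(printf '\\%03o\\%03o\\%03o\\%03o' $(($3 & 255)) $(($3 >> 8 & 255)) \
        $(($3 >> 16 & 255)) $(($3 >> 24 & 255)))
    printf "$bytes" | dd of="$1" bs=1 seek=$((1024 + $2)) conv=notrunc 2>/dev/null
}
mk_demo() { # mk_demo FILE INODES_PER_GROUP
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    put32 "$1" 56 61267     # 0xEF53
    put32 "$1" 24 0; put32 "$1" 32 8192; put32 "$1" 40 "$2"
}

d=$(mktemp -d)
mk_demo "$d/src.img" 1256; mk_demo "$d/dst.img" 1256; mk_demo "$d/odd.img" 2048
same_layout "$d/src.img" "$d/dst.img" && echo "same layout"
same_layout "$d/src.img" "$d/odd.img" || echo "different layout"
rm -rf "$d"
```

On a real system the arguments would be the two partitions, for example `same_layout /dev/hda7 <destination partition>`, run with read access to both devices.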

Using 'od' to see partition contents in hex

cd /tmp
dd if=/dev/zero of=e2fs bs=1024 count=10000
mke2fs -F e2fs
od -Ax -tx4 e2fs

(This creates an empty ext2 filesystem in the file /tmp/e2fs, and prints its contents.)

To check partitions:
od -Ax -tx4 /dev/hda7

Sunday, July 11, 2004

Sed - Ellie Quigley - Chap 4 exercise

1. sed 's/Jon/Jonathan/' datebook
2. sed '1,3d' datebook
3. sed -n '5,10p' datebook
4. sed '/Lane/d' datebook
5. sed -n '/:1[12]\//p' datebook
6. sed '/^Fred/{s/$/***/;}' datebook
7. using sed script
/Jose/cJOSE HAS RETIRED
8. sed '/Popeye/s/:3\/19\/35/:11\/14\/46/' datebook
9. sed '/^ *$/d' datebook
10. sed script
#Answer to Q.10 of exercise:
1iPERSONNEL FILE--------------
s/[0-9]*500.$//
s/^\([A-Z][a-z]*\) \([A-Z][a-z]*\)/\2 \1/
$aTHE END

Sed - Ellie Quigley - Chap 4

4.6.8: Appending: The a command

Tried this many times, but would not work!

$sed '/^north /a\-->THE NORTH SALES DISTRICT HAS MOVED<--' datafile

always kept receiving error:
sed: -e expression #1, char 11: Extra characters after command

Neither does the insert command

4.6.9: Insert command
tried:
$sed '/eastern/i> --> NEW ENGLAND <--
> -----------------0--' datafile