How to Find Out Who is Using a File in Linux
In this article, we will explain how to find out who is using a particular file in Linux. This will help you know the system user or process that is using an open file.
We can use the lsof command to know if someone is using a file, and if they are, who. It reads kernel memory in its search for open files and helps you list all open files. In this case, an open file may be a regular file, a directory, a block special file, a character special file, a stream, a network file and many others – because in Linux everything is a file.
Lsof is used on a file system to identify who is using any files on that file system. You can run lsof command on Linux filesystem and the output identifies the owner and process information for processes using the file as shown in the following output.
$ lsof /dev/null
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1480 tecmint 0r CHR 1,3 0t0 6 /dev/null sh 1501 tecmint 0r CHR 1,3 0t0 6 /dev/null sh 1501 tecmint 1w CHR 1,3 0t0 6 /dev/null dbus-daem 1530 tecmint 0u CHR 1,3 0t0 6 /dev/null xfce4-ses 1603 tecmint 0r CHR 1,3 0t0 6 /dev/null xfce4-ses 1603 tecmint 1w CHR 1,3 0t0 6 /dev/null at-spi-bu 1604 tecmint 0r CHR 1,3 0t0 6 /dev/null dbus-daem 1609 tecmint 0u CHR 1,3 0t0 6 /dev/null at-spi2-r 1611 tecmint 0u CHR 1,3 0t0 6 /dev/null xfconfd 1615 tecmint 0u CHR 1,3 0t0 6 /dev/null xfwm4 1624 tecmint 0r CHR 1,3 0t0 6 /dev/null xfwm4 1624 tecmint 1w CHR 1,3 0t0 6 /dev/null xfce4-pan 1628 tecmint 0r CHR 1,3 0t0 6 /dev/null xfce4-pan 1628 tecmint 1w CHR 1,3 0t0 6 /dev/null Thunar 1630 tecmint 0r CHR 1,3 0t0 6 /dev/null Thunar 1630 tecmint 1w CHR 1,3 0t0 6 /dev/null xfdesktop 1632 tecmint 0r CHR 1,3 0t0 6 /dev/null xfdesktop 1632 tecmint 1w CHR 1,3 0t0 6 /dev/null .
To list user specific opened files, run the following command replace tecmint with the actual user name.
$ lsof -u tecmint
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1480 tecmint cwd DIR 8,3 4096 2 / systemd 1480 tecmint rtd DIR 8,3 4096 2 / systemd 1480 tecmint txt REG 8,3 1595792 3147496 /lib/systemd/systemd systemd 1480 tecmint mem REG 8,3 1700792 3150525 /lib/x86_64-linux-gnu/libm-2.27.so systemd 1480 tecmint mem REG 8,3 121016 3146329 /lib/x86_64-linux-gnu/libudev.so.1.6.9 systemd 1480 tecmint mem REG 8,3 84032 3150503 /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0 systemd 1480 tecmint mem REG 8,3 43304 3150514 /lib/x86_64-linux-gnu/libjson-c.so.3.0.1 systemd 1480 tecmint mem REG 8,3 34872 2497970 /usr/lib/x86_64-linux-gnu/libargon2.so.0 systemd 1480 tecmint mem REG 8,3 432640 3150484 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1 systemd 1480 tecmint mem REG 8,3 18680 3150450 /lib/x86_64-linux-gnu/libattr.so.1.1.0 systemd 1480 tecmint mem REG 8,3 18712 3150465 /lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 systemd 1480 tecmint mem REG 8,3 27112 3150489 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 systemd 1480 tecmint mem REG 8,3 14560 3150485 /lib/x86_64-linux-gnu/libdl-2.27.so .
Another important use of lsof is to find out the process listening on a specific port. For example identify the process listening on port 80 using the following command.
$ sudo lsof -i TCP:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 903 root 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1320 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1481 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1482 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1493 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 1763 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 2027 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 2029 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 2044 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 3199 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN) httpd 3201 apache 4u IPv6 20222 0t0 TCP *:http (LISTEN)
Note: Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may result into unpredictable outputs. This is one of the major downsides of using lsof command.
For more information, look at the lsof man page:
That’s all! In this article, we have explained how to know who is using a particular file in Linux. We have shown how to identify the owner and process information for processes using an open file. Use the feedback form below to reach us for any questions or comments.
Files being used by a unix process
The fuser command lets me know which processes are using a file or directory. I’m looking for command that does the opposite: lets me know which files are being used by a process.
Update
6 Answers 6
lsof stands for “LiSt Open Files”. This shell command seems deceptively simple: It lists information about files opened by processes on a UNIX box.
Despite its (apparent) modest mission statement, lsof is actually one of the most powerful and useful UNIX commands. Its raw power comes from one of UNIX’s design principle often described as ”in UNIX everything is a file”. What this means is that the lsof concept of an open file not only covers regular files but also the following:
- Directories
- Streams or network files (for example, Internet or UNIX domain sockets and NFS files)
- Native libraries (for example, .soor .dylibdynamic libraries linked to a process)
- Block and character special files (for example, disk volume, external hard drive, console, or mouse)
- Pipes
Wait, I Cannot Find lsof on My System!
lsof is such a popular tool that it has been ported to pretty much all UNIX dialects (Linux, Mac OS X, BSD, Solaris, and so on). If it is unavailable on your box, use your usual package management system to install it. You can find lsof packages for Solaris on Sun Freeware.
While I wouldn’t begrudge anyone learning Dtrace or gaining experience installing software, in Solaris there is a command to see the files a process has open: /usr/bin/pfiles
% tail -f /etc/motd & [1] 6033 % pfiles 6033 6033: tail -f /etc/motd Current rlimit: 256 file descriptors 0: S_IFREG mode:0644 dev:182,65538 ino:163065 uid:0 gid:3 size:54 O_RDONLY|O_LARGEFILE /etc/motd 1: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/3 2: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/3 - you can use ls command and grep to find out the files used by chrome
$ ls -l /proc/*/fd | grep «chrome»
lrwx—— 1 ba abc 64 Jul 16 22:19 104 -> /home/abc/.config/google-chrome/Default/Cookies
lr-x—— 1 abc abc 64 Jul 16 22:19 113 -> /opt/google/chrome/nacl_irt_x86_64.nexe
lrwx—— 1 abc abc 64 Jul 16 22:19 121 -> /home/abc/.cache/google-chrome/Default/Cache/data_0
lrwx—— 1 abc abc 64 Jul 16 22:19 122 -> /home/abc/.cache/google-chrome/Default/Cache/data_1
lrwx—— 1 abc abc 64 Jul 16 22:19 123 -> /home/abc/.cache/google-chrome/Default/Cache/data_2
lr-x—— 1 abc abc 64 Jul 16 22:19 125 -> /home/abc/.config/google-chrome/Dictionaries/en-US-3-0.bdic
Another command to find out the result using lsof and grep
$ lsof | grep «chrome»
chrome 2204 abc cwd DIR 8,5 4096 1441794 /home/abc
chrome 2204 abc rtd DIR 8,5 4096 2 /
chrome 2204 abc txt REG 8,5 87345336 5111885 /opt/google/chrome/chrome
chrome 2204 abc mem REG 8,5 4202496 1443927 /home/abc/.cache/google-chrome/Default/Media Cache/data_3
chrome 2204 abc mem REG 8,5 1056768 1443926 /home/abc/.cache/google-chrome/Default/Media Cache/data_2
chrome 2204 abc mem REG 8,5 270336 1443925 /home/abc/.cache/google-chrome/Default/Media Cache/data_1
chrome 2204 abc mem REG 8,5 45056 1443924 /home/abc/.cache/google-chrome/Default/Media Cache/data_0
This is a classic application for dtrace.
I can’t remember the syntax exactly, but you can have a trace fire every time a file is opened by any process on the system. It can be done on a running system without anywhere near as much overhead as I expected it would have. If you’re running solaris as an administrator, dtrace is your best friend. Even if you’re not a programmer, it is quite simple to learn and a VERY powerful system query tool.
I can not test it: it does not seem installed on my Solaris servers. If you can post an example, that would help.
Under some unix systems, ( IE: Linux ), all files opened by a process have a FD id.
ls -la /proc/2055/fd total 0 dr-x------ 2 kent kent 0 Nov 19 21:44 . dr-xr-xr-x 7 kent kent 0 Nov 19 21:42 .. lr-x------ 1 kent kent 64 Nov 19 21:44 0 -> /dev/null l-wx------ 1 kent kent 64 Nov 19 21:44 1 -> /home/kent/.xsession-errors lrwx------ 1 kent kent 64 Nov 19 21:44 10 -> socket:[3977613] lrwx------ 1 kent kent 64 Nov 19 21:44 11 -> /home/kent/.googleearth/Cache/dbCache.dat lrwx------ 1 kent kent 64 Nov 19 21:44 12 -> /home/kent/.googleearth/Cache/dbCache.dat.index lrwx------ 1 kent kent 64 Nov 19 21:44 13 -> socket:[3978765] lrwx------ 1 kent kent 64 Nov 19 21:44 14 -> socket:[3978763] lrwx------ 1 kent kent 64 Nov 19 21:44 15 -> socket:[3978766] lrwx------ 1 kent kent 64 Nov 19 21:44 17 -> socket:[3978764] l-wx------ 1 kent kent 64 Nov 19 21:44 2 -> /home/kent/.xsession-errors lr-x------ 1 kent kent 64 Nov 19 21:44 3 -> pipe:[3977583] l-wx------ 1 kent kent 64 Nov 19 21:44 4 -> pipe:[3977583] lr-x------ 1 kent kent 64 Nov 19 21:44 5 -> pipe:[3977584] l-wx------ 1 kent kent 64 Nov 19 21:44 6 -> pipe:[3977584] lr-x------ 1 kent kent 64 Nov 19 21:44 7 -> pipe:[3977587] l-wx------ 1 kent kent 64 Nov 19 21:44 8 -> pipe:[3977587] lrwx------ 1 kent kent 64 Nov 19 21:44 9 -> socket:[3977588] Additionally, sometimes you even get «FDINFO» ( I think this is a kernel flag on linux )
cat /proc/2055/fdinfo/11 pos: 232741818 flags: 02 HOW TO : Find list of files used by a process in Linux
Quick howto on finding the list of files being accessed by a process in Linux. I needed to find this for troubleshooting an issue where a particular process was using an abnormally high percentage of CPU. I wanted to find out what this particular process was doing and accessing.
- Find the process ID (pid) of the process you want to analyze by running[code] ps -ef | grep NAME_OF_PROCESS [/code]
- Find the files the process is accessing at a given time by running[code]sudo ls -l /proc/PROCESS_ID/fd [/code]
For example, if I wanted to find the list of files being accessed by mysql, the process would look as such
[code] ps -ef | grep mysqld [/code]
which would show the output as
[code][email protected]:~$ ps -ef | grep mysqld
mysql 3304 1 0 Feb04 ? 00:00:23 /usr/sbin/mysqld
samurai 23389 23374 0 14:57 pts/0 00:00:00 grep –color=auto mysqld
[/code]
I can then find the list of files being used by mysql by running
[code] sudo ls -l /proc/3304/fd [/code]
lrwx—— 1 root root 64 Feb 7 15:00 0 -> /dev/null
lrwx—— 1 root root 64 Feb 7 15:00 1 -> /var/log/mysql/error.log
lrwx—— 1 root root 64 Feb 7 15:00 10 -> socket:[4958]
lrwx—— 1 root root 64 Feb 7 15:00 11 -> /tmp/ibdu9WRh (deleted)
lrwx—— 1 root root 64 Feb 7 15:00 12 -> socket:[4959]
lrwx—— 1 root root 64 Feb 7 15:00 14 -> /var/lib/mysql/blog/wp_term_relatio nships.MYI
lrwx—— 1 root root 64 Feb 7 15:00 15 -> /var/lib/mysql/blog/wp_postmeta.MYI
lrwx—— 1 root root 64 Feb 7 15:00 17 -> /var/lib/mysql/blog/wp_term_relatio nships.MYD
lrwx—— 1 root root 64 Feb 7 15:00 18 -> /var/lib/mysql/blog/wp_term_taxonom y.MYI
lrwx—— 1 root root 64 Feb 7 15:00 2 -> /var/log/mysql/error.log
lrwx—— 1 root root 64 Feb 7 15:00 20 -> /var/lib/mysql/blog/wp_postmeta.MYD
lrwx—— 1 root root 64 Feb 7 15:00 21 -> /var/lib/mysql/blog/wp_term_taxonom y.MYD
lrwx—— 1 root root 64 Feb 7 15:00 22 -> /var/lib/mysql/blog/wp_terms.MYI
lrwx—— 1 root root 64 Feb 7 15:00 23 -> /var/lib/mysql/blog/wp_terms.MYD
lrwx—— 1 root root 64 Feb 7 15:00 3 -> /var/lib/mysql/ibdata1
lrwx—— 1 root root 64 Feb 7 15:00 4 -> /tmp/ibvANyz7 (deleted)
lrwx—— 1 root root 64 Feb 7 15:00 5 -> /tmp/ibonS0mU (deleted)
lrwx—— 1 root root 64 Feb 7 15:00 6 -> /tmp/ibcKctaH (deleted)
lrwx—— 1 root root 64 Feb 7 15:00 7 -> /tmp/ibB5DS5t (deleted)
lrwx—— 1 root root 64 Feb 7 15:00 8 -> /var/lib/mysql/ib_logfile0
lrwx—— 1 root root 64 Feb 7 15:00 9 -> /var/lib/mysql/ib_logfile1
[/code]