Linux files opened by process

7 Examples of lsof command in Linux

I guess at some point in time you have wondered if there is a way to show opened files by a process or a user. The good thing is that the answer to that question is lsof command.

You probably already know that ls command is short for ‘list’. lsof stands for ‘List Open Files’. And that’s exactly what it does, listing open files by processes, users, and process IDs.

Let me show you some of the most common usages of the lsof command.

lsof command examples

If you use lsof command without any options and arguments, it will list all opened files by all the processes in the system.

The output should be like this:

COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 252,1 4096 2 / systemd 1 root rtd DIR 252,1 4096 2 / systemd 1 root txt REG 252,1 1595792 17384 /lib/systemd/systemd systemd 1 root mem REG 252,1 1700792 2077 /lib/x86_64-linux-gnu/libm-2.27.so

The output is mostly self-explanatory but you may still wonder about FD and TYPE columns.

FD means file descriptor. Some of the common values for FD are:

• cwd – Current Working Directory
• txt – Text files
• mem – Memory mapped file
• mmap – Memory mapped device
• NUMBER – The actual file descriptor. It also has information about which file permission it is opened in.

TYPE is a no-brainer. It specifies the file type. Here are some examples:

• REG – Regular file
• DIR – Directory
• CHR – Character special file
• FIFO – First In First Out

Trust me. You wouldn’t want to run the lsof command without any arguments.

Why do I say this? Because it will start flooding your screen with thousands of results.

If I run the lsof command on an Ubuntu server and count the number of lines with wc command, here’s the result.

Yes! That’s right. There are over eleven thousand files opened by various processes in the system.

Don’t worry. lsof command is very helpful in debugging because you can see what processes open what files and which file is opened by which process.

If you are not logged in as root, the output of lsof command would be very limited. It is a good idea to use sudo if you are logged in as a non-root user.

1. List all the processes that have opened a certain file

This is simple. You just need to specify the path to the file.

2. List all the files opened by user

This comes handy in a multi-user environment. You can list all the files opened by a certain user in the following manner:

You can also specify more than one user like this:

3. List all opened files in a directory

If you are wondering which of the files have been opened in a certain directory, you can use lsof command with +D option.

The search is recursive. So it will list all the opened files in the mentioned directory and all of its sub-directories.

4. List all opened files by a process

You need to know the process id (pid) in this case. If you know the process id, you can use the -p option of the lsof command to find the files opened by it.

You can specify multiple process ids as well.

5. List all files opened by a command

This is specially helpful in debugging. Suppose you want to see what files are used by http daemon, you just need to specify the command name (httpd in our example).

6. Find files opened by a user and a command or a process

You can combine options like user and command and a process using the –a option. Think of it as the AND operator. This gives you an additional filter while trying to narrow down on your search.

lsof -a -u user_name -c command_name

7. List network connections and ports with lsof command

You can file all kinds of open ports with the -i option:

The output may look like this:

lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 920 root 3u IPv4 20507 0t0 TCP *:ssh (LISTEN) sshd 920 root 4u IPv6 20535 0t0 TCP *:ssh (LISTEN) docker-pr 1163 root 4u IPv6 21687 0t0 TCP *:https (LISTEN) docker-pr 1175 root 4u IPv6 21717 0t0 TCP *:http (LISTEN) sshd 7528 root 3u IPv4 39506588 0t0 TCP testing:ssh->212.91.91.19:58904 (ESTABLISHED) systemd-r 10993 systemd-resolve 12u IPv4 20901990 0t0 UDP localhost:domain systemd-r 10993 systemd-resolve 13u IPv4 20901991 0t0 TCP localhost:domain (LISTEN)

You can also specify the network connection type. For example, to list all the opened TCP ports, you can use:

To find which process is using a specific port, you can provide the port number:

Bonus Tip: Using the negation operator with lsof

You can use the negation operator to exclude a user or process while using lsof command.

For example, if you want to list all the files opened by a user other than root, use it in this manner:

lsof command becomes even more useful when you use it with the grep command.

I hope you learned something new from this article. If you have questions or suggestions, please leave a comment below.

Источник

How find out which process is using a file in Linux?

You can use the fuser command, which is part of the psmisc package, like:

You will receive a list of processes using the file.

You can use different flags with it, in order to receive a more detailed output.

You can find more info in the fuser’s Wikipedia article, or in the man pages.

@khris, might be that not all fuser implementations are the same, or works the same way. Even if -i is defined in POSIX, the particular implementation you are using does not necessarily has the same options as the ones described in the Wikipedia article. For example, I’m using AIX right now, and the fuser available in this system does not have the -i option either.

For some reason, neither fuser nor lsof were working for me on a virtualbox guest. This answer saved me.

@jim’s answer is correct — fuser is what you want.

Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (THough of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option — check the man page for details.)

For example, with a tail -F /etc/passwd running in one window:

ghoti@pc:~$ lsof | grep passwd tail 12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd 

Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.

Источник

How to Check Open Files in Linux

You may have come across the saying, “Everything is a file in Linux.” Although this is not entirely true, it does hold a set of truths to it.

In Linux and Unix-like systems, everything is like a file. That means the resources in the Unix system get assigned a file descriptor, including storage devices, network sockets, processes, etc.

A file descriptor is a unique number that identifies a file and other input/output devices. It describes resources and how the kernel accesses them. Think of it as a gateway to the Kernel abstraction hardware resources.

Unfortunately, the concept of file descriptors is beyond the scope of this tutorial; consider the link provided below to get started on learning more:

That means that Unix and Unix-like systems such as Linux use such files heavily. As a Linux power user, seeing the open files and the process and users using them is incredibly useful.

This tutorial will focus on ways to view the files open and which process or user is responsible.

Pre-Requisites

Before we begin, ensure that you have:

If you have these, let us get started:

LSOF Utility

Created by Victor A Abell, List open files, or lsof for short, is a command-line utility that allows us to view the open files and the processes or users who opened them.

The lsof utility is available in major Linux distributions; however, you may find it not installed and thus may need to install manually.

How to Install lsof on Debian/Ubuntu

To install it on Debian, use the command:

sudo apt-get install lsof -y

How to Install on REHL/CentOS

To install on REHL and CentOS, use the command:

How to Install on Arch

On Arch, call the package manager using the command:

How to Install on Fedora

On Fedora, use the command:

Once you have the lsof utility installed and updated, we can begin using it.

Basic lsof Usage

To use the lsof tool, enter the command:

Once you execute the above command, lsof will dump a lot of information as shown below:

The above output shows all the files opened by the processes. The output has various columns, each representing specific information about the file.

• The COMMAND column – shows the name of the process that is using the file.
• PID – shows the Process Identifier of the process using the file.
• The TID – Shows the task ID (threads) of the process.
• TASKCMD – Represent the name of the task command.
• USER – The owner of the process.
• FD – Shows the file descriptor number. This is how processes use the file; the options available in this column output include:
• cwd – current working directory.
• mem – memory-mapped file
• pd – parent directory
• jld – jail directory
• ltx – shared library text
• rtd – root directory.
• txt – program code and data
• tr – kernel trace file.
• err – File descriptor information error
• mmp – Memory-mapped device.
• TYPE – Shows the type of node associated with the file, such as:
• Unix – for Unix domain socket.
• DIR – represents the directory
• REG – representing the regular file
• CHR – represents the special character file.
• LINK – symbolic link file
• BLK – Block special file
• INET – Internet domain socket
• FIFO – a named pipe (First In First Out file)
• PIPE – for pipes

• DEVICES – Shows the device numbers separated by commas in the order of special character file, block special, regular, directory, and NFS file.
• SIZE/OFF – shows the size of the file pr file offset in bytes.
• NODE – shows the node number of the local file, type for internet protocol type, etc.
• NAME – shows the name of the mount point and fs on which the file is located.

Note: Please Refer to the lsof Manual for detailed information on the columns.

How to Show Processes that Opened a File

Lsof provides us with options that help us filter the output to show only the processes that opened a specific file.

For example, to see the file that opened the file /bin/bash, use the command as:

This will give you an output as shown below:

COMMAND PID USER FD TYPE DEVICE SIZE / OFF NODE NAME

ksmtuned 1025 root txt REG 253 , 0 1150704 428303 / usr / bin / bash

bash 2968 centos txt REG 253 , 0 1150704 428303 / usr / bin / bash

bash 3075 centos txt REG 253 , 0 1150704 428303 / usr / bin / bash

How Show files Opened by a Specific User

We can also filter the output to show the files opened by a specific user. We do this by using the -u flag followed by the username as:

This will give you an output as shown below:

How to Show Files Opened by a Specific Process

Suppose we want to view all the files opened by a specific process? For this, we can use the PID of the process to filter the output.

For example, the below command shows the files opened by bash.

This will give you only the files opened by systemd as shown:

How to Show Files Opened in a Directory

To get the files opened in a specific directory, we can pass the +D option followed by the directory path.

For example, list open files in the /etc directory.

Below is the output for this:

How to Show Network Connection

Since everything in Linux is a file, we can get the network files such as TCP files or connections.

This will give you the TCP connections in the system.

You can also filter by the specific port using the command shown below:

This will give you the output as shown below:

How to Continuously Show Files

Lsof provides us with a mode to loop the output every few seconds. This allows you to monitor the files opened by a process or user continuously.

This option, however, requires you to terminate the process manually.

For example, the command below continuously monitors the files opened on port 22:

As you can see, in the third loop, lsof catches the established connection to the server on SSH.

Conclusion

Lsof is an incredibly useful utility. It allows you to monitor for critical files as well as monitor users and processes opening files. This can be incredibly useful when troubleshooting or looking for malicious attempts to the system.

As shown in this tutorial, using various examples and methods, you can combine the functionality provided by the lsof tool for custom monitoring.

Thank you for reading and sharing! I hope you learned something new!

About the author

John Otieno

My name is John and am a fellow geek like you. I am passionate about all things computers from Hardware, Operating systems to Programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to LinuxHint mailing list

Источник