Files being used by a unix process
The fuser command lets me know which processes are using a file or directory. I’m looking for command that does the opposite: lets me know which files are being used by a process.
Update
6 Answers 6
lsof stands for “LiSt Open Files”. This shell command seems deceptively simple: It lists information about files opened by processes on a UNIX box.
Despite its (apparent) modest mission statement, lsof is actually one of the most powerful and useful UNIX commands. Its raw power comes from one of UNIX’s design principle often described as ”in UNIX everything is a file”. What this means is that the lsof concept of an open file not only covers regular files but also the following:
- Directories
- Streams or network files (for example, Internet or UNIX domain sockets and NFS files)
- Native libraries (for example, .soor .dylibdynamic libraries linked to a process)
- Block and character special files (for example, disk volume, external hard drive, console, or mouse)
- Pipes
Wait, I Cannot Find lsof on My System!
lsof is such a popular tool that it has been ported to pretty much all UNIX dialects (Linux, Mac OS X, BSD, Solaris, and so on). If it is unavailable on your box, use your usual package management system to install it. You can find lsof packages for Solaris on Sun Freeware.
While I wouldn’t begrudge anyone learning Dtrace or gaining experience installing software, in Solaris there is a command to see the files a process has open: /usr/bin/pfiles
% tail -f /etc/motd & [1] 6033 % pfiles 6033 6033: tail -f /etc/motd Current rlimit: 256 file descriptors 0: S_IFREG mode:0644 dev:182,65538 ino:163065 uid:0 gid:3 size:54 O_RDONLY|O_LARGEFILE /etc/motd 1: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/3 2: S_IFCHR mode:0620 dev:299,0 ino:718837882 uid:101 gid:7 rdev:24,3 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/3 - you can use ls command and grep to find out the files used by chrome
$ ls -l /proc/*/fd | grep «chrome»
lrwx—— 1 ba abc 64 Jul 16 22:19 104 -> /home/abc/.config/google-chrome/Default/Cookies
lr-x—— 1 abc abc 64 Jul 16 22:19 113 -> /opt/google/chrome/nacl_irt_x86_64.nexe
lrwx—— 1 abc abc 64 Jul 16 22:19 121 -> /home/abc/.cache/google-chrome/Default/Cache/data_0
lrwx—— 1 abc abc 64 Jul 16 22:19 122 -> /home/abc/.cache/google-chrome/Default/Cache/data_1
lrwx—— 1 abc abc 64 Jul 16 22:19 123 -> /home/abc/.cache/google-chrome/Default/Cache/data_2
lr-x—— 1 abc abc 64 Jul 16 22:19 125 -> /home/abc/.config/google-chrome/Dictionaries/en-US-3-0.bdic
Another command to find out the result using lsof and grep
$ lsof | grep «chrome»
chrome 2204 abc cwd DIR 8,5 4096 1441794 /home/abc
chrome 2204 abc rtd DIR 8,5 4096 2 /
chrome 2204 abc txt REG 8,5 87345336 5111885 /opt/google/chrome/chrome
chrome 2204 abc mem REG 8,5 4202496 1443927 /home/abc/.cache/google-chrome/Default/Media Cache/data_3
chrome 2204 abc mem REG 8,5 1056768 1443926 /home/abc/.cache/google-chrome/Default/Media Cache/data_2
chrome 2204 abc mem REG 8,5 270336 1443925 /home/abc/.cache/google-chrome/Default/Media Cache/data_1
chrome 2204 abc mem REG 8,5 45056 1443924 /home/abc/.cache/google-chrome/Default/Media Cache/data_0
This is a classic application for dtrace.
I can’t remember the syntax exactly, but you can have a trace fire every time a file is opened by any process on the system. It can be done on a running system without anywhere near as much overhead as I expected it would have. If you’re running solaris as an administrator, dtrace is your best friend. Even if you’re not a programmer, it is quite simple to learn and a VERY powerful system query tool.
I can not test it: it does not seem installed on my Solaris servers. If you can post an example, that would help.
Under some unix systems, ( IE: Linux ), all files opened by a process have a FD id.
ls -la /proc/2055/fd total 0 dr-x------ 2 kent kent 0 Nov 19 21:44 . dr-xr-xr-x 7 kent kent 0 Nov 19 21:42 .. lr-x------ 1 kent kent 64 Nov 19 21:44 0 -> /dev/null l-wx------ 1 kent kent 64 Nov 19 21:44 1 -> /home/kent/.xsession-errors lrwx------ 1 kent kent 64 Nov 19 21:44 10 -> socket:[3977613] lrwx------ 1 kent kent 64 Nov 19 21:44 11 -> /home/kent/.googleearth/Cache/dbCache.dat lrwx------ 1 kent kent 64 Nov 19 21:44 12 -> /home/kent/.googleearth/Cache/dbCache.dat.index lrwx------ 1 kent kent 64 Nov 19 21:44 13 -> socket:[3978765] lrwx------ 1 kent kent 64 Nov 19 21:44 14 -> socket:[3978763] lrwx------ 1 kent kent 64 Nov 19 21:44 15 -> socket:[3978766] lrwx------ 1 kent kent 64 Nov 19 21:44 17 -> socket:[3978764] l-wx------ 1 kent kent 64 Nov 19 21:44 2 -> /home/kent/.xsession-errors lr-x------ 1 kent kent 64 Nov 19 21:44 3 -> pipe:[3977583] l-wx------ 1 kent kent 64 Nov 19 21:44 4 -> pipe:[3977583] lr-x------ 1 kent kent 64 Nov 19 21:44 5 -> pipe:[3977584] l-wx------ 1 kent kent 64 Nov 19 21:44 6 -> pipe:[3977584] lr-x------ 1 kent kent 64 Nov 19 21:44 7 -> pipe:[3977587] l-wx------ 1 kent kent 64 Nov 19 21:44 8 -> pipe:[3977587] lrwx------ 1 kent kent 64 Nov 19 21:44 9 -> socket:[3977588] Additionally, sometimes you even get «FDINFO» ( I think this is a kernel flag on linux )
cat /proc/2055/fdinfo/11 pos: 232741818 flags: 02 How to use the Linux ‘lsof’ command to list open files
Linux “open files” FAQ: Can you share some examples of how to show open files on a Linux system — i.e., how to use the lsof command?
Linux lsof command background
The Linux lsof command lists information about files that are open by processes running on the system. The lsof command is an acronym for, “list of open files.” In this article I’ll share some lsof command examples.
I assume you’re logged in as root
One other note: In these examples I’ll assume that you’re logged in as the Unix/Linux root user. If not, you’re lsof command output may be significantly limited. If you’re logged in as a non-root user, either su to root, or use sudo to run these commands.
Basic Linux lsof command examples
Typing the lsof command by itself lists all open files belonging to all active processes on the system:
On my current macOS system, which has been running for a long time, this shows a lot of open files, 1,582 to be specific:
$ lsof | wc -l 1582
Note that I didn’t have to be logged in as the root user to see this information on my Mac system.
Adding the head command to lsof shows what some of this output looks like:
$ lsof | head COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME loginwind 32 Al cwd DIR 14,2 1564 2 / loginwind 32 Al txt REG 14,2 1754096 243026930 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow loginwind 32 Al txt REG 14,2 113744 3190067 /System/Library/LoginPlugins/FSDisconnect.loginPlugin/Contents/MacOS/FSDisconnect loginwind 32 Al txt REG 14,2 425504 117920371 /System/Library/LoginPlugins/DisplayServices.loginPlugin/Contents/MacOS/DisplayServices loginwind 32 Al txt REG 14,2 3144 3161654 /System/Library/ColorSync/Profiles/sRGB Profile.icc loginwind 32 Al txt REG 14,2 96704 242998403 /System/Library/PrivateFrameworks/MachineSettings.framework/Versions/A/MachineSettings loginwind 32 Al txt REG 14,2 51288 251253153 /private/var/folders/h5/h59HESVvEmG+3I4Q8lOAxE+++TI/-Caches-/mds/mdsDirectory.db loginwind 32 Al txt REG 14,2 724688 117923285 /System/Library/LoginPlugins/BezelServices.loginPlugin/Contents/MacOS/BezelServices loginwind 32 Al txt REG 14,2 329376 117923166 /System/Library/Extensions/IOHIDFamily.kext/Contents/PlugIns/IOHIDLib.plugin/Contents/MacOS/IOHIDLib
Common lsof options
As mentioned, these details go on for 1,582 lines, so it helps to have some way to weed through that output, whether that involves using the grep command, or some of the lsof options shown below.
This command lists all open files belonging to PID (process ID) 11925 :
$ lsof -p 11925
This command lists all open files belonging to processes owned by the user named «al»:
This command lists files that are open in the directory specified, but it does not descend into sub-directories:
$ lsof +d '/Users/al'
The next command lists files that are open in the directory specified, and also descends into sub-directories. Beware: this can take a very long time to run for large directory structures:
$ lsof +D '/Users/al'
Summary: Linux lsof examples
I hope these Linux lsof command examples have been helpful. As you can see, the lsof command can be used to generate a list of open files on your Unix and Linux system with a variety of different command line options for different circumstances.
For more information on the lsof command, please see the «Related» block on this page, follow this link to lsof command search results on this website, or leave a note in the Comments section below.
How find out which process is using a file in Linux?
You can use the fuser command, which is part of the psmisc package, like:
You will receive a list of processes using the file.
You can use different flags with it, in order to receive a more detailed output.
You can find more info in the fuser’s Wikipedia article, or in the man pages.
@khris, might be that not all fuser implementations are the same, or works the same way. Even if -i is defined in POSIX, the particular implementation you are using does not necessarily has the same options as the ones described in the Wikipedia article. For example, I’m using AIX right now, and the fuser available in this system does not have the -i option either.
For some reason, neither fuser nor lsof were working for me on a virtualbox guest. This answer saved me.
@jim’s answer is correct — fuser is what you want.
Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (THough of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option — check the man page for details.)
For example, with a tail -F /etc/passwd running in one window:
ghoti@pc:~$ lsof | grep passwd tail 12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.