Yesterday in my post on numeric userids instead of usernames, I touched briefly the problem of recovering the username if you only know the userid it once had. Today I would like to show you another option which may be available to you when it comes to recovering the usernames of removed users by their userid.

useradd and userdel logs in Ubuntu

Both useradd and userdel commands keep logs in many Unix-like systems. This means that every newly created user gets the whole procedure documented in appropriate logs with lines similar to this (it’s an Ubuntu example, /var/log/auth.log file):

Jan  6 04:24:27 simplyunix useradd[1456]: new group: name=mike, GID=1006
Jan  6 04:24:27 simplyunix useradd[1456]: new user: name=mike, UID=1006, GID=1006, home=/home/mike, shell=/bin/sh

Similarly, deleting a file doesn’t go unnoticed neither:

Jan  6 04:29:21 simplyunix userdel[1516]: delete user `mike'
Jan  6 04:29:21 simplyunix userdel[1516]: delete `mike' from group `admin'
Jan  6 04:29:21 simplyunix userdel[1516]: removed group `mike' owned by `mike'

So, there’s a chance that by simply going through /var/log/auth.log you will find the userid of a local Unix user which was recently removed. But the reason I won’t say “there’s a really good chance” is because most of the logs in /var/log are rotated on a weekly and monthly basis, and this means the information about new users created or deleted may not be there at the time you go looking for it – anyone who was added or deleted more than few months ago will not show up.

useradd and userdel in RedHat Enterprise Linux

Similar to Ubuntu, you can find recent user management activity logged in RHEL system, in /var/log/secure file.

useradd will produce something link this:

Jan  8 00:18:36 rhel5 useradd[2674]: new group: name=newuser, GID=501
Jan  8 00:18:36 rhel5 useradd[2674]: new user: name=newuser, UID=501, GID=501, home=/home/newuser, shell=/bin/bash

… while userdel will document its actions with the following:

Jan  8 00:18:40 rhel5 userdel[2682]: delete user `newuser'
Jan  8 00:18:40 rhel5 userdel[2682]: removed group `newuser' owned by `newuser'

How to check if any users were added on your Unix system

Based on the information above, all you have to do is something like this:

ubuntu$ grep useradd /var/log/* 

This is bound to return you a list of all the recently added users.

How to confirm local users which were recently removed

Similarly, use a command like this to find out if any users were recently removed:

ubuntu$ grep userdel /var/log/* 

Hope this helps! Enjoy!

See also:

• What to do if numerid userids are shown instead of usernames in file ownership
• Creating new users in Unix with useradd
  

If you’re interested in what exactly your Ubuntu system has got installed, there’s a command you can use to list the packages along with their versions and short descriptions.

How packages information is stored in Ubuntu

Essentially being a fork of the Debian Linux, Ubuntu inherited quite a lot of things from it. One of them is the way packages are installed and managed.

dpkg (Debian Package Manager) is a command found in every Ubuntu installation. While managing software packages, it stores all the files it depends upon in a /var/lib/dpkg directory. Most of these files you can look into using basic Unix commands, but there’s really no need because dpkg does it for you.

For example, status of all the installed packages is stored in /var/lib/dpkg/status file.
Here’s how it looks, just to give you an idea:

Package: bash
Essential: yes
Status: install ok installed
Priority: required
Section: shells
Installed-Size: 2012
Maintainer: Ubuntu Core developers <[email protected]>
Architecture: amd64
Version: 3.2-0ubuntu7
Replaces: bash-doc (<= 2.05-1), bash-completion
Depends: base-files (>= 2.1.12), debianutils (>= 2.15)
Pre-Depends: libc6 (>= 2.5-0ubuntu1), libncurses5 (>= 5.4-5)
Suggests: bash-doc
Conflicts: bash-completion
Conffiles:
 /etc/skel/.bashrc 52acca91b52f797661c89b181809b9f3
 /etc/skel/.profile 7d97942254c076a2ea5ea72180266420
 /etc/skel/.bash_logout 22bfb8c1dd94b5f3813a2b25da67463f
 /etc/bash.bashrc 860d464fca66fff1af4993962a253611
 /etc/bash_completion c8bce25ea68fb0312579a421df99955c
 /etc/skel/.bash_profile d1a8c44e7dd1bed2f3e75d1343b6e4e1 obsolete
Description: The GNU Bourne Again SHell
 Bash is an sh-compatible command language interpreter that executes
 commands read from the standard input or from a file.  Bash also
 incorporates useful features from the Korn and C shells (ksh and csh).
 .

As you can see, there’s all the possible information about bash package (the Bourne Again Shell), but you usually don’t need to know this much, so instead we’ll use dpkg command to confirm what packages are installed and which ones are not.

List installed packages with dpkg

The easiest way to confirm the list of packages installed on your Ubuntu OS is to run dpkg -l command. The output is quite long, so I’ll only show you a fragment of it:

ubuntu# dpkg -l | more
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                       Version                                      Description
+++-==========================-============================================-============================================
ii  adduser                    3.100                                        Add and remove users and groups
ii  alsa-base                  1.0.13-3ubuntu1                              ALSA driver configuration files
ii  alsa-utils                 1.0.13-1ubuntu5                              ALSA utilities
ii  apache2                    2.2.3-3.2ubuntu2.1                           Next generation, scalable, extendable web se
rc  apache2-common             2.0.55-4ubuntu4                              next generation, scalable, extendable web se
ii  apache2-doc                2.2.3-3.2ubuntu2.1                           documentation for apache2
ii  apache2-mpm-prefork        2.2.3-3.2ubuntu2.1                           Traditional model for Apache HTTPD 2.1
ii  apache2-utils              2.2.3-3.2ubuntu2.1                           utility programs for webservers
ii  apache2.2-common           2.2.3-3.2ubuntu2.1                           Next generation, scalable, extendable web se
ii  apt                        0.6.46.4ubuntu10                             Advanced front-end for dpkg
ii  apt-utils                  0.6.46.4ubuntu10                             APT utility programs
ii  aptitude                   0.4.4-1ubuntu3                               terminal-based apt frontend
ii  at                         3.1.10ubuntu4                                Delayed job execution and batch processing
ii  autoconf                   2.61-3                                       automatic configure script builder
ii  automake1.4                1.4-p6-12                                    A tool for generating GNU Standards-complian
ii  automake1.9                1.9.6+nogfdl-3ubuntu1                        A tool for generating GNU Standards-complian
ii  autotools-dev              20060920.1                                   Update infrastructure for config.{guess,sub}
ii  awstats                    6.5+dfsg-1ubuntu3                            powerful and featureful web server log analy
ii  base-files                 4ubuntu2                                     Debian base system miscellaneous files

The legend at the very top of the output explains the first 3 charactes of each line in the dpkg output, the symbols there confirm whether each package is expected to be installed, and whether it’s actually installed or partially installed:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=b
||/ Name                       Version                                      Description
+++-==========================-============================================-============================================
ii  adduser                    3.100                                        Add and remove users and groups
A first letter of each option is used, so ii for the adduser package in this example means that the desired state for this package is “Installed” (first i) and the actual status is “Installed” as well. That’s the normal condition for most of your packages.
As you can also see, each line shows you the version of each package you have and provides a brief description of what a package is used for.
That’s it, this should be a good start for your Ubuntu exploration, I’ll post a few more things about dpkg in the future.
Related books
If you want to learn more, here’s a great book:



See also:

Debian @ Wikipedia
Finding out the release version of your Unix
apt-get behind proxy

If you’re logged in at some remote Linux system and need to quickly confirm the amount of available memory, there’s a few commands you will find quite useful.

free – free and used memory stats

free command is the most obvious choice for a first command when it comes to your RAM.

Simply run it without any parameters, and it will show you something like this:

ubuntu# free
             total       used       free     shared    buffers     cached
Mem:       4051792    4024960      26832          0      63768    3131532
-/+ buffers/cache:     829660    3222132
Swap:      4096492      43212    4053280

For this exercise, you’re only interested in the “total” column of the first line. 4051792 confirms that my home PC seems to have around 4Gb of memory available for Ubuntu to use.

Using dmesg to check memory size as recognized by Linux kernel

dmesg command shows you the last status messages reported by your OS kernel, and since every boot procedure includes scanning the hardware and confirming the devices and resources recognized by the kernel, you can see some basic information by using dmesg.

For our purpose, we need to filter out the memory stats:

ubuntu# dmesg | grep Memory
[   18.617904] Memory: 4043492k/5242880k available (2489k kernel code, 150360k reserved, 1318k data, 320k init)

Once again, the overall amount of memory confirms that 4Gb of RAM were still found during the last time my PC booted up.

Using /proc/meminfo to confirm the RAM size

/proc/meminfo is one of the special files managed by Linux kernel. It’s a clear text presentation of the most vital memory stats of your system (this means you can do something like cat /proc/meminfo to see all the parameters)

This is what you need to do to get the total size of your physical memory:

ubuntu# grep MemTotal /proc/meminfo
MemTotal:      4051792 kB

That’s it for today, enjoy!

Finding out the username by user id (uid) in Unix is not as common a task as determining the uid by a username, but if you need to do it – I’ll show you how.

How to find the username using user id (uid)

Simply use the getent command. Most common use for it is to query the passwd source for a username, like this:

ubuntu$ getent passwd greys
greys:x:1000:113:Gleb Reys,,,:/home/greys:/bin/bash

however, if you query for a user id instead (1000 in this case), getent will work just as good:

ubuntu$ getent passwd 1000
greys:x:1000:113:Gleb Reys,,,:/home/greys:/bin/bash

That’s all there is to it! Enjoy!

If you tried installing or upgrading Ubuntu recently, you probably noticed that all the storage devices are now using UUID – Universally Unique IDentifiers. I’m not claiming to know everything there is to know about UUIDs, but have become quite comfortable managing them lately, so hopefully this post will help you achieve the same.

What is a UUID exactly?

UUID is a Universally Unique IDentifier. It’s a identification code given to each storage device you have on your system, aimed to help you uniquely identify each device no matter what.

UUIDs can be used to identify DVD drives, removable media (USB flashsticks) and each partition on any of your hard drives.

This is how a typical UUID looks:

c73a37c8-ef7f-40e4-b9de-8b2f81038441

Why use UUID?

Reason 1: Truly unique identification

UUID is the only way to guarantee you recognize the same drive or partition no matter what. For example, if you introduce to your system another hard drive, this might upset quite a few things, starting with the way your system boots up (or stops booting up upon the new drive introduction). Using UUID helps remedy most of such things.

Reason 2: Device names are not always persistent

Automatically assigned device names in your system are not consistent, they are according to the order of loading the kernel modules up during (most usually) the startup time, and thus the names will look different if you boot with one of your USB flashsticks attached and then reboot after you plug it out.

Generally, I’ve also found UUIDs really useful for mounting my removable media – I have a USB reader, one of the 24-in-1 kinds – it supports various types of cards and I use UUID to always mount the same card at the same location.

Reason 3: Most critical functionality of your Ubuntu system already depends on UUIDs

GRUB – your boot loader – relies on UUIDs as well. If you look into /boot/grub/menu.lst file, you’ll find something similar to this:

title Ubuntu hardy (development branch), kernel 2.6.24-16-generic
root (hd2,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=c73a37c8-ef7f-40e4-b9de-8b2f81038441 ro quiet splash
initrd /boot/initrd.img-2.6.24-16-generic
quiet

List UUIDs for all your devices

If you are using one of the recent releases of Ubuntu (UUIDs have been there since Edgy), you can use the blkid command to get a list of all the drives and partitions along with their UUIDs:

ubuntu# blkid
/dev/sda1: UUID="2220CF8220CF5B83" TYPE="ntfs"
/dev/sda2: UUID="48E81F29E81F14B2" LABEL="DRIVE-D" TYPE="ntfs"
/dev/sdb1: UUID="c73a37c8-ef7f-40e4-b9de-8b2f81038441" SEC_TYPE="ext2" TYPE="ext3"
/dev/sdb5: TYPE="swap" UUID="abe7529e-dcd5-4afc-b714-05569dbcd30b"
/dev/sdb6: UUID="f34c8c7c-a020-4a14-8c97-257180240250" SEC_TYPE="ext2" TYPE="ext3"
/dev/sdb7: UUID="8fa274ca-5b22-411f-b5da-7469c1f276da" SEC_TYPE="ext2" TYPE="ext3"
/dev/sdc1: UUID="1e36f323-c4e5-4f55-ba0a-838643550bf9" TYPE="ext3" SEC_TYPE="ext2"
/dev/sdc2: UUID="83aa92e4-4df4-4aab-80f3-9bbb447e0459" TYPE="ext3" SEC_TYPE="ext2"

As you can see, I’ve still got a few NTFS partitions as I’m slowly migrating my data from Windows after my switch to Ubuntu desktop a couple months ago.

Get UUID for a particular device

If you know a device name and just want to confirm the UUID for it to later use it in /etc/fstab, here’s how you can do it using vol_id command:

ubuntu# vol_id -u /dev/sdb1
c73a37c8-ef7f-40e4-b9de-8b2f81038441

That’s all I can think of so far. I know a few more things about UUID which I’ll share in a separate post, but it’s a start.

Have you got any more great ideas and tips for UUID? Let me know and I’ll be sure to share them with others in the future posts.

Related books

If you want to learn more, here’s a great book:

See also:

• How to mount an ISO image
• Find large files and directories in Unix
• Using UUIDs – Ubuntu Help wiki
• How to find the default block size in Unix

Showing your processes in a hierarchical list is very useful for confirming the relationship between every process running on your system. Today I’d like to show you how you can get tree-like processes lists using various commands.

Showing processes tree with ptree

In Solaris, there’s quite a few commands which make the life of any system administrator much easier, they’re the process commands (p-commands). One of them which I particularly like is the ptree command which shows you a list of processes.

As you run the command, you get a hierarchical list of all the processes running on your Solaris system, along with process IDs (PIDs). To me, this is a very useful command, because it shows you how exactly each process relates to others in your system.

Here’s a fragment of the ptree output:

bash-3.00$ ptree
7     /lib/svc/bin/svc.startd
  250   /usr/lib/saf/sac -t 300
    268   /usr/lib/saf/ttymon
  260   -sh
    5026  -csh
9     /lib/svc/bin/svc.configd
107   /usr/lib/sysevent/syseventd
136   /usr/lib/picl/picld
140   /usr/lib/crypto/kcfd
159   /usr/sbin/nscd
227   /usr/sbin/rpcbind
234   /usr/lib/nfs/statd
235   /usr/sbin/keyserv
236   /usr/lib/netsvc/yp/ypserv -d
  237   rpc.nisd_resolv -F -C 8 -p 1073741824 -t udp
241   /usr/lib/nfs/lockd
247   /usr/lib/netsvc/yp/ypbind
263   /usr/lib/utmpd
286   /usr/sadm/lib/smc/bin/smcboot
  287   /usr/sadm/lib/smc/bin/smcboot
  288   /usr/sadm/lib/smc/bin/smcboot

Processes tree with pstree

In most Linux distributions, you can find a pstree command, very similar to ptree.

That’s how you may use it (-p is an option to show PIDs and -l uses long output format):

ubuntu$ pstree -pl
init(1)─┬─NetworkManager(5427)
        ├─NetworkManagerD(5441)
        ├─acpid(5210)
        ├─apache2(6966)─┬─apache2(2890)
        │               ├─apache2(2893)
        │               ├─apache2(7163)
        │               ├─apache2(7165)
        │               ├─apache2(7166)
        │               ├─apache2(7167)
        │               └─apache2(7168)
        ├─atd(6369)
        ├─avahi-daemon(5658)───avahi-daemon(5659)
        ├─bonobo-activati(7816)───{bonobo-activati}(7817)
...

Showing processes tree with ps –forest

ps command found in Linux has a –forest option, which shows you a tree structure of processes.

The best in my experience is to use it like this:

ubuntu$ ps -aef --forest
UID        PID  PPID  C STIME TTY          TIME CMD
...
107       5473     1  0 10037  4600   0 Apr28 ?        00:00:02 /usr/sbin/hald
root      5538  5473  0  5511  1288   0 Apr28 ?        00:00:00  \_ hald-runner
root      5551  5538  0  6038  1284   0 Apr28 ?        00:00:01      \_ hald-addon-input: Listening on /dev/input
107       5566  5538  0  4167   992   1 Apr28 ?        00:00:00      \_ hald-addon-acpi: listening on acpid socke
root      5600  5538  0  6038  1272   1 Apr28 ?        00:00:15      \_ hald-addon-storage: polling /dev/scd0 (ev
root      5476     1  0 10272  2532   0 Apr28 ?        00:00:00 /usr/sbin/console-kit-daemon
root      5627     1  0 12728  1176   1 Apr28 ?        00:00:00 /usr/sbin/sshd
root      9151  5627  0 17536  3032   0 10:53 ?        00:00:00  \_ sshd: greys [priv]
greys     9162  9151  0 17538  1892   1 10:54 ?        00:00:00      \_ sshd: greys@pts/3
greys     9168  9162  0  5231  3820   1 10:54 pts/3    00:00:00          \_ -bash
greys     9584  9168  0  3802  1124   0 11:27 pts/3    00:00:00              \_ ps -aeF --forest

This output is for demonstration purpose only, and so I’ve taken the first lines of the output out because they weren’t serving the purpose of this example very well.

For thins fragment of the output you can see how you get all the vital information about each process. I really like this way of running the ps command.

That’s it for today! Do you know any other neat way of looking at processes tree? Let me know!

Very quick tip for you today, I just see that many of visitors of this block are curious how they can find a directory in Unix – and so here’s a command to help you do just that.

Finding directories in Unix

There’s nothing better than to employ the find command. As you might remember, among many things, this wonderful tool allows you to search files by their type. Since nearly everything in Unix is a file, this means you can find directories.

Let’s take an example: if you wand to find out everything about your MySQL installation, you can have a search across your filesystems to find all the directories called mysql:

Here is how you would find a directory called mysql under /etc directory:

ubuntu# find / -name mysql -type d
/var/log/mysql
/var/lib/mysql
/var/lib/mysql/mysql
/etc/mysql
/usr/lib/perl5/DBD/mysql
/usr/lib/perl5/auto/DBD/mysql
/usr/share/mysql

As you can see, there are quite a few directories which belong to MySQL, and you can see from the list that MySQL configuration is most likely to be in /etc/mysql directory.

Narrowing down directory search in Unix

If you search across all your filesystems, it may take too much time. That’s why it makes sense to narrow your search using common sense.

For example, if you’re looking for a configuration file of some standard package of software, most likely it will be under /etc directory, so you can specify it and greatly reduce the searching time.

In this example, we’re narrowing directory search to only those directories that are part of /etc:

ubuntu# find /etc -name mysql -type d
/etc/mysql

See also:

• Unix Commands: find
• How To Find the Largest Files in Your Unix
• Finding Large Files and Directories

Many software products, especially the commercial ones, are distributed as 32-bit packages. This means that they won’t be installed on your 64-bit system unless you clearly specify that you want to override the architecture dependency.

If you’re using Ubuntu or any other Debian based distribution, this post will teach you how to install 32-bit deb packages on your 64-bit OS.

Is it possible to run 32-bit applications on 64-bit OS?

In Unix world, yes: it is quite possible to run 32-bit binaries on 64-bit OS. There should generally be no problem, but there are, as always, a few caveats:

• your 64-bit system may need some 32-bit libraries installed just to make some old 32-bit software work (use getlibs in Ubuntu)
• even if 32-bit application runs on your 64-bit system, it will still have the 32-bit limitations
• some (especially commercial) software has hard-coded architecture checks which will prevent them from working in 64-bit mode. Although it’s a rather rare case, it still may happen and it probably means the developers had a really good reason for putting such limitations in

Why 32-bit packages don’t install on 64-bit by default

One of the main reasons is that if a certain software is provided in 32-bit configuration, it’s very likely to be available in 64-bit one as well. In Unix especially so, since a properly coded application can very easily be compiled for both architectures, especially if you have a 32-bit application and it’s only a matter of recompiling it in 64-bit.

It’s always best to have 64-bit version of the software, as it will run better and enjoy most optimal performance by running in the native mode and using 64-bit libraries of your OS.

The default behaviour is to let you know that you’re trying to install an architecturally incompatible piece of software, which should motivate you to double-check the availability of a 64-bit version. For example, this is what I get when installing a Skype for Linux on my Ubuntu 7.10 64-bit desktop:

ubuntu# dpkg -i ./skype-debian_2.0.0.63-1_i386.deb 
dpkg: error processing ./skype-debian_2.0.0.63-1_i386.deb (--install):
 package architecture (i386) does not match system (amd64)
Errors were encountered while processing:
 ./skype-debian_2.0.0.63-1_i386.deb

How To Install 32-bit Debian Packages on 64-bit System

Since I know there isn’t a 64-bit distribution of Skype, I would still like to install the package as it should work just fine. And the way to do this is to specify a –force-architecture option in dpkg command line:

ubuntu# dpkg -i --force-architecture ./skype-debian_2.0.0.63-1_i386.deb 
dpkg - warning, overriding problem because --force enabled:
 package architecture (i386) does not match system (amd64)
Selecting previously deselected package skype.
(Reading database ... 124455 files and directories currently installed.)
Unpacking skype (from .../skype-debian_2.0.0.63-1_i386.deb) ...
Setting up skype (2.0.0.63-1) ...

As you can see, we’re getting a warning, but the install went through just fine.

Warning: there’s a few further steps to get Skype working in 64-bit Ubuntu, so don’t take the above as a Skype how-to, these steps are out of the scope of this post though.

I see that my Finding Large Files and Directories post is quite popular, yet there are a few more ways to simplify your search for the largest disk space consumers in your Unix system.

Make find command show file sizes

If you remember, the default way a find command reports results includes only the fully qualified (that means including the full path) filenames.

Now, if you look at a task of identifying the largest files, it’s great if you can get a list of all the files bigger than some figure your specify, but what would be even better is to include the exact size of each file right into the output of the find command.

Here’s how you do it: it’s possible to specify which information about each file you’d like to see. Check out the find command man page for all the possibilities, but in today’s example I’m using two parameters: %s means the size of a file in bytes and %f means the filename itself.

Let’s say I want to get a list of all the files under /usr directory which are larger than 15Mb each, and show the exact size of each file. Here’s how it can be done:

ubuntu$ find /usr -size +15M -printf "%s - %p\n"
39859372 - /usr/lib/vmware/webAccess/java/jre1.5.0_07/lib/rt.jar
35487120 - /usr/lib/vmware/bin/vmware-hostd
16351166 - /usr/lib/vmware/bin/vmplayer
38353296 - /usr/lib/vmware/hostd/libtypes.so
54366585 - /usr/lib/vmware/hostd/docroot/client/VMware-viclient.exe
92143616 - /usr/lib/vmware/isoimages/linux.iso
23494656 - /usr/lib/vmware/isoimages/windows.iso
47070920 - /usr/lib/libgcj.so.81.0.0
20890468 - /usr/share/fonts/truetype/arphic/uming.ttf
17733780 - /usr/share/icons/crystalsvg/icon-theme.cache
18597793 - /usr/share/myspell/dicts/th_en_US_v2.dat
45345879 - /usr/src/linux-source-2.6.22.tar.bz2

Just to help you refresh your mind, here’s the explanation of all the parameters in the command line:

• /usr is the directory where we’d like to find the files of interest
• -size +15M narrows our interest to only the files larger than 15Mb
• -printf “%s – %p\n” is the magic which shows the nice list of files along with their sizes.

Sort the list of files by filesize

Next really useful thing we could do is to sort this list, just so that we could see a nice ordered representation of how big each file is. It’s very easily done by piping the output of the find command to a sort command:

ubuntu$ find /usr -size +15M -printf "%s - %p\n" | sort -n
16351166 - /usr/lib/vmware/bin/vmplayer
17733780 - /usr/share/icons/crystalsvg/icon-theme.cache
18597793 - /usr/share/myspell/dicts/th_en_US_v2.dat
20890468 - /usr/share/fonts/truetype/arphic/uming.ttf
23494656 - /usr/lib/vmware/isoimages/windows.iso
35487120 - /usr/lib/vmware/bin/vmware-hostd
38353296 - /usr/lib/vmware/hostd/libtypes.so
39859372 - /usr/lib/vmware/webAccess/java/jre1.5.0_07/lib/rt.jar
45345879 - /usr/src/linux-source-2.6.22.tar.bz2
47070920 - /usr/lib/libgcj.so.81.0.0
54366585 - /usr/lib/vmware/hostd/docroot/client/VMware-viclient.exe
92143616 - /usr/lib/vmware/isoimages/linux.iso

As you can see, the smallest files (just above 15Mb) are at the top of the list, and the largest ones are at the bottom.

Limit the number of files returned by find

The last trick I’ll show you today is going to make your task even easier: why look at the pages of find commnand output, if you’re after only the largest files? After all, your list can be much longer than the one shown above. To solve this little problem we’ll pipe the output of all the commands to yet another unix command, tail.

tail command allows you to show only a specified number of lines of any standard input or Unix text file you point it to. By default, it strips the number of lines to 10, which can be enough for your purposes.

Here’s how you can get a least of the 10 largest files under /usr:

ubuntu$ find /usr -size +15M -printf "%s - %p\n" | sort -n | tail
18597793 - /usr/share/myspell/dicts/th_en_US_v2.dat
20890468 - /usr/share/fonts/truetype/arphic/uming.ttf
23494656 - /usr/lib/vmware/isoimages/windows.iso
35487120 - /usr/lib/vmware/bin/vmware-hostd
38353296 - /usr/lib/vmware/hostd/libtypes.so
39859372 - /usr/lib/vmware/webAccess/java/jre1.5.0_07/lib/rt.jar
45345879 - /usr/src/linux-source-2.6.22.tar.bz2
47070920 - /usr/lib/libgcj.so.81.0.0
54366585 - /usr/lib/vmware/hostd/docroot/client/VMware-viclient.exe
92143616 - /usr/lib/vmware/isoimages/linux.iso

Show the largest 10 files in your Unix system

Now that you know all the most useful tricks, you can easily identify and show the list of the 10 largest files in your whole system. Bear in mind, that you should probably run this command with root privileges, as files in your system belong to various users, and a single standard user account will most likely have insufficient privileges to even list such files.

If you’re trying to locate your largest files in Ubuntu, use the sudo command (assuming you have the sudo privileges to become root):

ubuntu$ sudo find / -size +15M -printf "%s - %p\n" | sort -n | tail

alternatively, just become root by doing something like this (you obviously should know the root password to do that):

$ su - root 

and then run the find command itself. Here’s how the output looks on my Ubuntu desktop:

ubuntu$ find / -size +15M -printf "%s - %p\n" | sort -n | tail
39859372 - /usr/lib/vmware/webAccess/java/jre1.5.0_07/lib/rt.jar
45345879 - /usr/src/linux-source-2.6.22.tar.bz2
45356784 - /var/cache/apt/archives/linux-source-2.6.22_2.6.22-14.52_all.deb
45424028 - /var/cache/apt/archives/kde-icons-oxygen_4%3a4.0.2-0ubuntu1~gutsy1~ppa1_all.deb
47070920 - /usr/lib/libgcj.so.81.0.0
54366585 - /export/dist/vmware/server2b2/vmware-server-distrib/lib/hostd/docroot/client/VMware-viclient.exe
54366585 - /usr/lib/vmware/hostd/docroot/client/VMware-viclient.exe
92143616 - /export/dist/vmware/server2b2/vmware-server-distrib/lib/isoimages/linux.iso
92143616 - /usr/lib/vmware/isoimages/linux.iso
340199772 - /export/dist/vmware/server2b2/VMware-server-e.x.p-63231.x86_64.tar.gz

That’s it for today, hope this helps! Please bookmark this post if you liked it, and leave comments if there are any questions!

You probably know that modern Linux distributions have many things in common. Well, one of the reasons for this is LSB – Linux Standard Base. LSB is a joint project by a number of Linux vendors to standardize the OS environment.

From Linux Standard Base article on Wikipedia:

The goal of the LSB is to develop and promote a set of standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system. In addition, the LSB will help coordinate efforts to recruit software vendors to port and write products for Linux.

One of the immediate benefits of LSB compliancy is ability to confirm the exact information about your Linux release using the lsb_release command. By exact information I mean the release version, vendor name and most interestingly the codename of your current Linux release.

Red Hat Enterprise Linux LSB information

Here’s how a Red Hat Enterprise Linux 4 update 4 description will look:

bash-3.00$ lsb_release -a
LSB Version:    :core-3.0-amd64:core-3.0-ia32:core-3.0-noarch:graphics-3.0-amd64:graphics-3.0-ia32:graphics-3.0-noarch Distributor ID: RedHatEnterpriseWS
Description:    Red Hat Enterprise Linux WS release 4 (Nahant Update 4)
Release:        4
Codename:       NahantUpdate4

And here is RHEL5 LSB information:

bash-3.1$ lsb_release -a
LSB Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseClient
Description:    Red Hat Enterprise Linux Client release 5 (Tikanga)
Release:        5
Codename:       Tikanga

SUSE Linux Enterprise Desktop (SLED10) LSB

For SUSE Linux Enterprise Desktop, LSB release information will look like this:

sled10~> lsb_release -a
LSB Version:    core-2.0-noarch:core-3.0-noarch:core-2.0-x86_64:core-3.0-x86_64:desktop-3.1-amd64:desktop-3.1-noarch:graphics-2.0-amd64:graphics-2.0-noarch:graphics-3.1-amd64:graphics-3.1-noarch
Distributor ID: SUSE LINUX
Description:    SUSE Linux Enterprise Desktop 10 (x86_64)
Release:        10
Codename:       n/a

Ubuntu LSB release information

In Ubuntu, I find the lsb_release information to be most informational – it’s concise but tells you everything you need:

ubuntu$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 7.04
Release:        7.04
Codename:       feisty

See also:

• How to Find Out the Release Version of Your Unix
• Bash: Find The Version of Your Shell