Detailed explanation of Linux lsof command usage

lsof (list open files) is a tool to view files opened by a process.

In Linux, everything is a file. Files provide access not only to regular data, but also to network connections and hardware. The lsof command can therefore show not only the files and directories a process has opened, but also socket-related information such as the ports the process is listening on. This article introduces the basic usage of the lsof command. The demonstration environment in this article is Ubuntu 18.04.

Common options

-a Combine the other options with AND
-c <process name> Output files opened by the specified process
-d <file descriptor> List the processes using the specified file descriptor
+d <directory> Output the directory and the opened files and directories directly under it (not recursive)
+D <directory> Recursively output the files and directories opened under the directory
-i <condition> Output network-related files that meet the conditions
-n Do not resolve hostnames
-p <process number> Output the files opened by the process with the specified PID
-P Do not resolve port numbers
-t Output only PIDs
-u Output files opened by the specified user
-U Output the opened UNIX domain socket files
-h Display help information
-v Display version information

Basic Output

If you execute the lsof command without any options, it outputs every file opened by every active process in the system. That is an overwhelming amount of output and not very useful. Let's first have lsof output the files opened by the current Bash process, and then use an excerpt of the results to introduce the information the output contains:

COMMAND: The name of the program
PID: Process Identifier
USER: process owner
FD: file descriptor, the application identifies the file through the file descriptor
TYPE: file type, such as DIR, REG, etc.
DEVICE: comma-separated device numbers
SIZE: file size (bytes)
NODE: index node (the identifier of the file on the disk)
NAME: the exact name of the opened file

The following is a brief introduction to the common contents in the FD column and the TYPE column.
Common contents in the FD column include cwd, rtd, txt, mem, and numbers. cwd represents the current working directory, rtd the root directory, txt the executable file of the program, and mem a memory-mapped file.

Some FDs are represented by numbers, such as standard input and output files:

The letter after the number indicates the mode in which the process has the file open. For example, u means that the file is open in read/write mode. In addition to u, there is r for read-only mode and w for write-only mode. A W indicates that the process holds a write lock on the file. The following figure is a list of files opened by the docker daemon process, showing different modes of FD:

The common REG and DIR in the TYPE column represent ordinary files and directories respectively. CHR and BLK represent character and block devices, respectively, and unix, fifo, and IPv4/IPv6 represent UNIX domain sockets, first-in-first-out (FIFO) queues, and IPv4/IPv6 sockets, respectively.

Below we introduce some common uses of the lsof command.

Check which processes have a file open

Simply specify the file name as the argument to lsof to see which processes have opened the file. The following command queries the processes that have opened the /bin/bash file:

$ sudo lsof /bin/bash 

In addition to ordinary files, it can also be device files (the output of the following command is very long, and the figure is only a small part of it):

$ sudo lsof /dev/sda1 

Check which processes have opened a directory and the files under it

There are two cases here. The +d option does not recurse: it only reports processes that have opened the specified directory or the files and directories directly under it, for example:

$ sudo lsof +d /var/log 

The +D option will recurse into the specified directory:

$ sudo lsof +D /var/log 

When you unmount a file system, if any process has files or directories open in the file system, the unmount operation will fail. Therefore, it is best to check the mount point of the file system through lsof +D before unmounting the file system, kill the related processes and then perform the unmount operation.

View all files opened by a process

By using the -p option and specifying the PID of a process, you can output all files opened by that process. For example, if we want to view the files opened by the cron program, we can first use the ps -C cron command to find out the PID of the process:

Then pass the PID to the -p option of the lsof command:

$ sudo lsof -p 1152 

Combining multiple options

If you specify multiple options for the lsof command, the default relationship between these options is OR. That is to say, the results that meet any option will be output. You can add an additional -a option, which makes the relationship between other options become AND, such as the following command:

$ sudo lsof -a -p $$ -d0,1,2 

The -p option specifies the PID of the current process, and the -d option is used to specify the file descriptors opened by the process (multiple file descriptors can be separated by commas). After adding the -a option, the output is the files with file descriptors 0, 1, and 2 opened by the current process.
Note: There are many conditions for using the -a option. Please refer to the lsof man page for details.

View files opened by a program with a specified name

The -c option matches the name of the program (executable file) the process is running. For example, to list the files opened by programs whose names start with the letters cr:

$ sudo lsof -c cr 

You can also specify multiple -c options at the same time, and the relationship between them is OR.
If you want to negate the condition of the -c option, just add the ^ symbol before the string, for example:

$ sudo lsof -c ^cr

The -c option also supports regular expressions. For example, the following command lists the files opened by programs starting with cra and cro:

$ sudo lsof -c /cr[ao]/

View opened network-related files

The -i option is used to view opened network-related files. The format of its parameters is as follows:
[46][protocol][@hostname|hostaddr][:service|port]
46 indicates the version of the IP protocol
protocol represents the name of the network protocol, such as TCP or UDP
hostname or hostaddr indicates the host address
service refers to the name in /etc/services, such as smtp or a list of multiple services
port indicates the port number. You can specify one or more

The -i option will output both IPv4 and IPv6 opened files by default:

$ sudo lsof -i 

List only files opened by IPv4 or IPv6

$ sudo lsof -i 4
$ sudo lsof -i 6 

List files related to port 22

$ sudo lsof -i:22 

Lists open TCP ports in a specified range

$ sudo lsof -i TCP:1-1024 

View the opened UNIX domain socket file

The -U option outputs the opened UNIX domain socket file. Here we combine the -c option to view the UNIX domain socket file opened by the ssh service:

$ sudo lsof -a -c sshd -U

View all files opened by a user

The -u option can specify a user name or user ID, and like the -c option, multiple user names or user IDs can be separated by commas, and the condition can be negated by the ^ symbol.
View all files opened by a user

$ sudo lsof -u syslog

View network-related files opened by user nick

$ sudo lsof -a -i -u nick 

Exclude a user

$ sudo lsof -i -u ^nick 

Note: When there are exclude conditions, it is not necessary to specify the -a option.

Kill all processes that have a file opened by a certain user

$ kill -9 $(lsof -t -u nick)

The -t option in the command tells the lsof command to output only the PID of the process.

Count the total number of files opened by the system

$ sudo lsof -P -n | wc -l 

The -P option in the command means not to resolve the port number, and the -n option means not to resolve the host name. The main purpose of these two options is to improve the execution speed of the lsof command. The wc -l command is used to count the number of lines output by the lsof command.

Recover deleted files

If we accidentally delete a file and know that the file is opened by a process, we can restore the file through the lsof command. The specific principles are:
When a process opens a file, the file remains on disk for as long as the process keeps it open, even if the file is deleted. The process is unaware that the file has been deleted and can still read and write it through the file descriptor it received when the file was opened. The file is not visible to anyone except the process, because its directory entry has been removed.

The file descriptors opened by the process are exposed in the /proc/PID/fd directory. /proc is a virtual file system kept in memory, so these files and directories do not exist on disk; when we read and write them, we are actually accessing information held in memory. The lsof program uses this and other information about the kernel's internal state to produce its output, which is how it can display a process's file descriptors and the related file names. In other words, we can reach the file through the file descriptor of the process.

The following demo shows how to use the lsof command to restore the accidentally deleted /var/log/syslog file.

First delete the log file /var/log/syslog. Remember to back up this file in advance, just in case:

$ sudo rm /var/log/syslog 

From the above information, we can see that the process with PID 1141 has the file open, the file descriptor is 7, and it shows that the file has been deleted. Next, we view the contents of the file through the file descriptor of process 1141:

$ sudo tail -n 5 /proc/1141/fd/7 

The above figure shows that the contents of the file /var/log/syslog are still there and can be accessed through the file descriptor. Next, recreate the /var/log/syslog file by IO redirection:

$ sudo sh -c 'cat /proc/1141/fd/7 > /var/log/syslog'

Then fix the file's permissions and restart the rsyslog service:

$ sudo chown syslog:adm /var/log/syslog
$ sudo systemctl restart rsyslog.service

This completes the recovery of the /var/log/syslog file. Many applications, especially log files and database files, can be recovered in this way.
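
The same principle as a script, added here as an example (it is not part of the original article): it finds descriptors whose target has been unlinked by reading /proc/PID/fd directly and copies the contents out without overwriting anything. The function names, the background sleep that stands in for the daemon, and the sample file are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): deleted-but-open files via /proc.
suffix=' (deleted)'   # the kernel appends this to the link target after unlink

# list_deleted_fds PID: print "FD<TAB>PATH" for each descriptor of PID whose
# target was unlinked. A file literally named "x (deleted)" also matches.
list_deleted_fds() {
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            /*"$suffix") printf '%s\t%s\n' "${link##*/}" "${target%"$suffix"}" ;;
        esac
    done
}

# recover_fd PID FD DEST: copy the still-open contents to DEST.
# Refuses to overwrite an existing DEST; the copy is created owner-only.
recover_fd() {
    src=/proc/$1/fd/$2
    [ -n "$2" ] && [ -e "$src" ] || { echo "pid $1 has no open fd '$2'" >&2; return 1; }
    [ ! -e "$3" ] || { echo "refusing to overwrite $3" >&2; return 1; }
    ( umask 077 && cat "$src" > "$3" )
}

# demo: constructed scenario. A background sleep plays the daemon that keeps
# the log open; the path and the two log lines are sample values.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed line 1\nconstructed line 2\n' > "$tmp/app.log"
    exec 9< "$tmp/app.log"              # open before forking, so no race with rm
    sleep 60 <&9 >/dev/null 2>&1 &
    holder=$!
    exec 9<&-
    rm "$tmp/app.log"                   # directory entry gone, data still held
    fd=$(list_deleted_fds "$holder" |
         awk -F'\t' -v p="$tmp/app.log" '$2 == p { print $1; exit }')
    rc=0
    recover_fd "$holder" "$fd" "$tmp/recovered.log" || rc=$?
    kill "$holder" 2>/dev/null || :
    wait "$holder" 2>/dev/null || :
    [ "$rc" -eq 0 ] && cat "$tmp/recovered.log"
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Reading another user's /proc/PID/fd requires root, and the copy must be made while the process still holds the descriptor: once it closes the file or exits, the data is released.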

Help

The -h option will output help information for the lsof command:

I guess this kind of help information can only force you to read the man page!

Summary

lsof is not a simple command, as you can tell from the length of its man page. Starting with the small demo introduced in this article may allow you to forget the lengthy documentation, start using it step by step, and eventually master this command.
