When troubleshooting shared systems, we often need to check which files are currently opened in specific directories - especially files accessed by other users. While lsof +D /path works for the current user's files, it doesn't reveal the full picture on multi-user systems.
To view files opened by other users, you'll need either:
- Root access (preferred for comprehensive results)
- Or be in the sudoers group with appropriate permissions
Here are the most useful command patterns:
# Basic version showing all open files in directory
sudo lsof +D /path/to/directory
# Show only regular files (exclude pipes, sockets, etc.)
sudo lsof +D /path/to/directory | awk 'NR == 1 || $5 == "REG"'
# Continuous monitoring (refresh every 2 seconds)
watch -n 2 "sudo lsof +D /path/to/directory"
# Filter by specific user (-a ANDs the conditions; lsof ORs them by default)
sudo lsof -a +D /path/to/directory -u username
Imagine debugging why /var/www appears locked:
sudo lsof +D /var/www
COMMAND   PID    USER      FD   TYPE  DEVICE  SIZE/OFF  NODE     NAME
nginx     12345  root      12r  REG   8,15    4096      1234567  /var/www/index.html
nginx     12346  www-data  10u  REG   8,15    0         1234568  /var/www/uploads/temp
php-fpm   23456  john      5w   REG   8,15    1024      1234569  /var/www/logs/error.log
This reveals three different users accessing files: root (config), www-data (uploads), and john (logs).
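For scripting, lsof's -F option is more reliable than the column layout: it emits one field per line, each prefixed with a one-letter tag (p = PID, c = command, L = login name, f = file descriptor, t = type, n = name). The following is an added example, not part of the original page: a shell function with the hypothetical name reg_files_by_user that reduces that output to regular files per user, run here on sample input constructed from the /var/www listing above.

```shell
# Parse `lsof -F pcLftn` output (stdin) into: USER PID COMMAND FD NAME,
# keeping regular files only. Optional $1 restricts output to one login name.
reg_files_by_user() {
  awk -v want="$1" '
    function emit() {   # print the file set collected so far
      if (fd != "" && type == "REG" && (want == "" || user == want))
        print user, pid, cmd, fd, name
      fd = type = name = ""
    }
    { tag = substr($0, 1, 1); val = substr($0, 2) }
    tag == "p" { emit(); pid = val; cmd = user = "" }   # new process set
    tag == "c" { cmd = val }
    tag == "L" { user = val }
    tag == "f" { emit(); fd = val }                     # new file set
    tag == "t" { type = val }
    tag == "n" { name = val }
    END { emit() }
  '
}

# Constructed sample: the /var/www listing above in -F form, plus one
# non-regular entry (a working directory) that must be filtered out.
sample_lsof_F() {
  cat <<'EOF'
p12345
cnginx
Lroot
f12
tREG
n/var/www/index.html
p12346
cnginx
Lwww-data
fcwd
tDIR
n/var/www
f10
tREG
n/var/www/uploads/temp
p23456
cphp-fpm
Ljohn
f5
tREG
n/var/www/logs/error.log
EOF
}

sample_lsof_F | reg_files_by_user
```

On a live system, feed it real data with: sudo lsof -F pcLftn +D /var/www | reg_files_by_user john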
For large directories, these optimizations help:
# Faster alternative to +D (less accurate with symlinks)
sudo lsof /path/to/directory/*
# Limit depth (BSD systems)
sudo lsof +d /path/to/directory
When lsof isn't available or practical:
- fuser -v /path/* (shows processes using files)
- sudo ls -l /proc/*/fd/ | grep /path (manual proc inspection)
- Inotify tools for real-time monitoring
Remember that file access visibility depends on:
- Directory permissions (x bit needed for +D to work)
- Process permissions (can't see processes you don't own without sudo)
- Mount options (some network filesystems may not report accurate info)
When administering multi-user Linux systems, administrators often need to monitor file access patterns across different users. The native lsof +D /path command has a significant limitation: it only displays files opened by the current user. This creates visibility gaps when troubleshooting permission issues or investigating resource contention.
By default, lsof operates with the permissions of the executing user. Regular users can't see files opened by others due to Linux's permission model. Even with sudo, the default behavior remains user-centric.
The most effective approach combines sudo with targeted filtering:
sudo lsof +D /path/to/directory
For more granular control, combine with grep:
sudo lsof +D /var/log | grep -v "^root"
To specifically identify files opened by particular users (-a ANDs the user and directory filters, which lsof would otherwise OR together):
sudo lsof -a -u username +D /target/path
Example checking for Apache processes:
sudo lsof -a -u www-data +D /var/www/html
For persistent monitoring, consider these approaches:
# Watch mode for real-time tracking
watch -n 5 "sudo lsof +D /shared/folder"
# Logging output to file
sudo sh -c 'lsof +D /app/data >> /var/log/file_access.log'
On systems with many open files, these alternatives may be more efficient:
# Faster directory scanning
sudo lsof | grep '/specific/path'
# Checking a single file's access
sudo lsof /path/to/specific/file
When encountering permission issues:
# Check for files opened but deleted
sudo lsof -a +L1 /mount/point
# Identify unlinked files
sudo lsof +aL1 /dev/sda1