Search and Destroy: Removing core dump files with find

Recently, I made a change to PHP on a server. This change adversely affected PHP so that it would terminate with a core dump frequently. Since PHP runs non-persistently through suPHP, there were scattered core files throughout various clients' home directories.

I was alerted to this when one of my resellers called me asking how several of his WordPress sites filled up their disk quota so quickly, even after he raised their quotas.

Upon investigation, I found lots of files like the following:


core.14453
core.1334
core.19962
core.122

I needed to remove these (after fixing the PHP problem).

Here was my search and destroy command:


find /home -regex '.*/core.[0-9]*$' -exec rm -f {} \;

If you know find, the find /home tells find where to start. The -exec rm -f {} \; tells find what to do with each file that matches.

The -regex option allows find to match filenames by regular expression. I cound do something simple like -name core\*, which would indeed match any filename like “core.12345”. However, it also matches “core.php”, which might screw up someone's website.

The pattern starts with .*/ which means “any single character repeated zero or more times, followed by a slash”. This is needed to match any directory paths leading up to the filename. The period following core matches the . in the filename, and technically any other single character. I would have been better off putting a back-slash in front of it to specify a literal period.

[0-9] matches any single digit with the * matching zero or more times. This means “core.1” and “core.12345566644” are both matched. Finally, the $ anchors it to the end, so that it only matches “core.12345” (and potentially “core-12345”), but not “core12345.php”.