Bash – lsof for files opened by other users


How do I see the list of files open (lsof) in a specific directory and by other users?

I can do lsof +D /path, but that only shows the current user's files.

Any way to see if other users have opened files in a directory?

Best Answer

Since I had a similar question recently, I wanted to share my findings here too. It is also assumed that the user is root, as mentioned in the other answers.

List open files within a specific directory

lsof +D /var/log/

will show files opened by all users.

Specifying the user

lsof -u ${USER} +D /var/log/

will show all files from the user OR within the specific directory (... AND independent of the user).

This is because of, and as stated in, man lsof:

Since they represent exclusions, they are applied without ORing or ANDing and take effect before any other selection criteria are applied.

The -a option may be used to AND the selections. For example, specifying -a, -U, and -ufoo produces a listing of only UNIX socket files that belong to processes owned by user ``foo''.

To list open files from the user AND within a specific directory only

lsof -u ${USER} -a +D /var/log/ 

It is then possible to list open files which are NOT from the user AND within a specific directory.

lsof -u ^${USER} -a +D /var/log/ 

This approach also works well for network connections, e.g. if you are interested in all TCP OR UDP connections which are opened by processes NOT running as root

lsof -u ^root -P -i TCP -i UDP

To address the issue with the non-root user, sudo and sudoers, it will be necessary to identify the user calling sudo.

List all open files within a specific directory AND opened by the user

sudo lsof -u $(who | cut -d " " -f 1) -a +D /usr/lib/

otherwise it would show opened files OR within the directory AND independent of the user.

List all open files within a specific directory NOT opened by the mentioned user

sudo lsof -u ^$(who | cut -d " " -f 1) +D /usr/lib/
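
An added example (not part of the answer above, and not lsof's own tooling): a POSIX shell wrapper around the answer's `lsof -u ^user -a +D dir` command that uses lsof's `-F pLn` field output to report which other accounts hold files open under a directory. The function names, the use of `SUDO_USER` to find the invoking user, and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report which other users hold files open under a directory.

# parse_lsof_fields: turn `lsof -F pLn` output (one field per line, first
# character is the field id) into tab-separated "login pid path" rows.
parse_lsof_fields() {
    awk '
        /^p/ { pid = substr($0, 2); login = "?" }          # new process set
        /^L/ { login = substr($0, 2) }                     # owner login name
        /^n/ { print login "\t" pid "\t" substr($0, 2) }   # one row per open file
    '
}

# count_by_user: read those rows, print "count login", busiest account first.
count_by_user() {
    cut -f 1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample of `lsof -F pLn` output (not captured from a real host).
sample_lsof_output() {
    printf '%s\n' \
        'p812' 'Lsyslog' 'f7' 'n/var/log/syslog' 'f8' 'n/var/log/auth.log' \
        'p1430' 'Lwww-data' 'f2' 'n/var/log/nginx/error.log'
}

# audit_dir DIR [USER]: files under DIR opened by anyone except USER.
# -u ^USER excludes USER's processes; -a ANDs the selections, as in the
# answer's command. USER defaults to the account that invoked sudo
# (SUDO_USER, an assumption of this example), else to $USER.
audit_dir() (
    dir=$1
    me=${2:-${SUDO_USER:-$USER}}
    lsof -F pLn -u "^${me}" -a +D "$dir" 2>/dev/null | parse_lsof_fields
)

# Run as: sudo ./audit.sh /var/log   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_dir "$@" | count_by_user
fi
```

Because lsof only sees other users' processes when run with sufficient privilege, an unprivileged run of `audit_dir` returns an empty report rather than an error.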