How to search for files that have setuid bit set regardless of other permissions?



balenshah said:
Code: 
sudo find / -perm -4000 > suid.txt

Is this the correct syntax?
Click to expand...
The chmod 4000 amounts to zero permissions which would be read on the output of the command: ls -al, as:
---s --- ---
Since there's no effective read or write or execute permissions for the file, little could be done with such a file, so setuid could be thought of as relatively pointless for it. Such a file is unlikely to be on a filesystem so the find command wouldn't find anything. Since setuid files are usually executables with 755 permissions, that permission in the find command would pick up a few, especially in /usr/bin and /usr/sbin directories.

So one answer to your query is: it's not a useful command, though syntactically the find command wouldn't baulk at reading it.


Here is some more info on the permissions of 4000.

Create an executable file named helo with permissions 755 with the following contents:
Code: 
[flip@flop ~]$ cat helo
echo hello
echo "how are you?"
echo "good day"

[flip@flop ~]$ ls -al helo
-rwxr-xr-x 1 flip flip   55 Jun 23 18:19 helo

Run the executable file:
Code: 
[flip@flop ~]$ ./helo

hello
how are you?
good day

Now give the file permissions of 4000:
Code: 
[flip@flop ~]$ chmod 4000 helo

[flip@flop ~]$ ls -al helo
---S------ 1 flip flip   55 Jun 23 19:19 helo

Run the file:
Code: 
[flip@flop ~]$ ./helo
bash: ./helo: Permission denied

Try and see the file contents:
Code: 
[flip@flop ~]$ cat helo
cat: helo: Permission denied

The file is virtually useless. To see it and have it executable the user needs to change its permissions to enable those things:
Code: 
[flip@flop ~]$ chmod 755 helo


[flip@flop ~]$ ls -al helo
-rwxr-xr-x 1 flip flip   55 Jun 23 20:19 helo

Now it can be run and its contents seen as shown initially above.
 
Last edited:
So what's the command to find files with setuid bit set irrespective of any other permissions?
 
Here is an example that finds the setuid files just in the /usr/bin directory (to avoid reading the whole filesystem):

Code: 
[flip@flop ~]$ find /usr/bin -perm /4000
./passwd
./sudo
./newgrp
./gpasswd
./umount
./pkexec
./chsh
./fusermount3
./ntfs-3g
./mount
./su
./chfn
 
You must log in or register to reply here.

Members online

Total: 872 (members: 3, guests: 869)

Latest posts

Top