Sometimes, for security audit purposes it might be required to find files with specific permissions. find command comes handy to achieve this kind of requirements. The post describes few examples of find command used to find files with specific sets of permissions. Before we dive into the examples, here are few basics on the permission bits
4 - Read Permission (r) 2 - Write Permission (w) 1 - Executable Permission (x)
So if a file has “rwx” it will have 4+2+1=7 or if a file has “rx” it will be 4+1=5
perm parameter of find command
The -perm parameter of the find command can be used to find the files with specific permissions. The 2 ways to specify the permissions with the -perm parameter are :
-perm -mode --- All of the permission bits mode are set for the file. -perm /mode --- Any of the permission bits mode are set for the file.
In perm we are mentioning 4 bits
1st bit is for special permission e.g. SUID(4) SGID(2) or sticky bit(1) 2nd bit is for owner permission 3rd bit is for group permission 4th bit is for others permission
1. Command to find files with (group or other or both) writable permission and SET UID set .
# find / -perm /022 -and -perm -4000 -exec ls -ldb {} ;
^^^^ ^
|||| |-- So the SUID is 4
||||-- Other is writable (2)
|||--Group permission is writable (2)
||-- No owner permission mentioned (0)
|-- As the logic is OR - group or other or both
So the logic is : ( group writable OR other writable ) AND SUID set
2. Command to list files with other writable excluding sticky bit set.
# find / -perm -002 -not -perm -1000 -exec ls -ldb {} ;
^^^^ ^
|||| |-- So the sticky bit is set (1)
||||-- Other is writable (2)
|||--No owner permission mentioned (0)
||-- No owner permission mentioned (0)
|-- Well it does not matter if it is "-" or "/" as there is only one condition mentioned
Now the logic here is : Other writable NOT sticky bit set
Examples
1. Command to list files with other writable and sticky bit set.
# find / -perm -002 -and -perm -1000 -exec ls -ldb {} ;
2. Command to list files with other writable excluding sticky bit set.
# find / -perm -002 -not -perm -1000 -exec ls -ldb {} ;
3. Command to list files with (group + other) writable permission and SET UID set.
# find / -perm -4022 -exec ls -ldb {} ;
4. Command to list files with (group + other) writable and SET GID set.
# find / -perm -2022 -exec ls -ldb {} ;
5. Command to list files with other writable and sticky bit set.
# find / -perm -1002 -exec ls -ldb {} ;
6. Command to list files with other writable excluding sticky bit set.
# find / -perm -002 -not -perm -1000 -exec ls -ldb {} ;