How to search for all SUID/SGID files

find

All the howtos that I find on the web states:

Find all SUID files:
find / -perm -4000 -print
Find all SGID files:
find / -perm -2000 -print

But that is not true. See:

$ ls -lah test
-r-sr-xr-x  1 user  user     0B Jan 24 22:47 test
$ 
$ 
$ stat -x test | grep Mode
  Mode: (4555/-r-sr-xr-x)         Uid: ( 1000/    user)  Gid: ( 1000/    user)
$ 
$ 
$ find test -perm 4000
$ find test -perm 2000
$

Question: So what is the truth? How can I really list all the SUID/SGID files?

Best Answer

If you want to test for any of the bits, use /. I.e. for your use case:

find "$DIRECTORY" -perm /4000

and:

find "$DIRECTORY" -perm /2000

or combined:

find "$DIRECTORY" -perm /6000

You may use both folders and files as argument for GNU find.

Another, IMO better readable, approach is using the mnemonic shortcuts. I.e.:

find "$DIRECTORY" -perm /u=s,g=s

Caveat emptor

Keep in mind that the variants of find vary. They may also behave differently. Always read the friendly manual (RTFM).

Related Solutions

Find – How to Search for Files with Immutable Attribute Set

It can be partially accomplished by piping the lsattr command through the grep command.

lsattr -R | grep +i

However, I believe when you mention the entire ext3 file system the search might involve /proc , /dev and some other directories which might report some errors that you just want to ignore. You can probably run the command as,

lsattr -R 2>/dev/null | grep -- "-i-"

You might want to make the grep a bit more strict by using grep's PCRE facility to more explicitly match the "-i-".

lsattr -R 2>/dev/null | grep -P "(?<=-)i(?=-)"

This will then work for situations such as this:

$ lsattr -R 2>/dev/null afile | grep -P "(?<=-)i(?=-)"
----i--------e-- afile

But is imperfect. If there are additional attributes enabled around the immutable flag, then we'll not match them, and this will be fooled by files whose names happen to match the above pattern as well, such as this:

$ lsattr -R 2>/dev/null afile* | grep -P "(?<=-)i(?=-)"
----i--------e-- afile
-------------e-- afile-i-am

We can tighten up the pattern a bit more like this:

$ lsattr -a -R 2>/dev/null afile* | grep -P "(?<=-)i(?=-).* "
----i--------e-- afile

But it's still a bit too fragile and would require additional tweaking depending on the files within your filesystem. Not to mention as @StephaneChazeles has mentioned in comments that this can be gamed fairly easily by the inclusion of newlines with a files name to bypass the above pattern to grep.

References

https://groups.google.com/forum/#!topic/alt.os.linux/LkatROg2SlM

How to find files with permissions greater than xxx but ignore files with SUID and SGID

The solution that works with any POSIX compatible find is the following:

find DIR -type f -perm -0755 ! -perm 0755 ! -perm -04000 ! -perm -02000 -print

As previously noted, with GNU find you can collapse the setuid and setgid tests into ! -perm /06000.