Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z - Internet FAQ Archives and frequently asked questions
Section - How do I find all setuid and setgid files?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Business Photos and Profiles ]

Top Document: and frequently asked questions
Previous Document: SATAN doesn't display right in my web browser; it asks me to save the file.
Next Document: Tcp wrappers (tcpd) thinks all hosts are in Solaris 8 or in some versions of AIX.
See reader questions & answers on this topic! - Help others by sharing your knowledge
find / -local -type f \( -perm -4000 -o -perm -2000 \) -print

or to do an "ls -l" of them:

find / -local -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;

You may want to add the "-u" option to ls to see last-accessed times rather
than last-modified times (esp to help gauge how harmful it would be to
unsetuid the file).

Some versions of "find" don't have the "-local" option.  Its purpose is to
avoid searching nfs volumes.  If you don't have any nfs mounts, you can omit
the "-local".  If you do, here are some other possibilities:
    * On some systems you can do something like
	    find / -fstype nfs -prune -o -type f \( -perm -4000 ...
    * Some systems have "-xdev" or "-mount", which prevent find from
      traversing mounts.  But then you have to run it for each local
      filesystem separately.
    * Do the check with nfs filesystems unmounted (e.g. single-user mode).
    * As an alternative to find, "ncheck -s" will tell you all setuid and
      setgid files, plus all device files (which is something of equal
      interest, although usually much less problematic in OS distributions).
      It too must be run separately for each filesystem.

Please note that this is insufficient if you suspect backdoors have been
installed on your system.  The backdoor installation activity could have
included modifying the "find" command.  The purpose of the above is to find
locally-installed or vendor-supplied security bugs waiting to happen, not to
find backdoors.

Also note that on some systems, "-local" doesn't do what you'd think, because
it still traverses the entire remote filesystem, and rejects all nodes in it
as non-local.  In this case you want "! -local -prune -o", i.e. if not local
prune the search, else ... .

User Contributions:

Comment about this article, ask questions, or add new information about this topic: