Find all files with root SUID or SGID executables

sudo find / -type f \( -perm /4000 -a -user root \) -ls -o \( -perm /2000 -a -group root \) -ls
Discovering all executables on your system that can be run as another user, especially root, is critical for system security. The above command will find those files with have SUID or SGID bits set and are owned by the root user or group.

By: atoponce
2009-03-02 18:48:17

What Others Think

It doesn't run on a Red Hat Linux release 7.3 (Valhalla) with the error: find: invalid mode `/4000'
yapt · 620 weeks and 1 day ago
RHL 7.3... released May of 2002... 7 years ago. I think it's time to update your system, don't you? However, if you read the man page on find, you'll see that /mode is the preferred way over +mode, but both are identical, even if +mode is deprecated.
atoponce · 620 weeks and 1 day ago
Some companies can't or don't want to upgrade the distro that their software is based on.
leper421 · 620 weeks and 1 day ago
Of course. That's why the cracker community flourishes as well as it does. They expect people to not keep updated on patching or upgrading their systems. The more systems that sit unpatched, the more reason for your suffering.
atoponce · 620 weeks and 1 day ago
I'm not defending the practice ;) I just happen to work for a company whose product is based on a 7-8 old linux distro release. Although, we've updated and repackaged so many of the packages and rewritten many config scripts that, at this point, it is pretty much our own distro.
leper421 · 618 weeks and 5 days ago
@atoponce: not every machine is connected to the evil internet, so often there is no need to upgrade the boxens every week...
lme · 616 weeks and 5 days ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this? is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.


Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: