
How to search for files whose suid bit is set?


Solved by requinix

I'm asking this question because I'm seeing multiple variants of this command.

1)

find / -perm /u=s file_name

or

find / -perm -u=s file_name

 

2)

find / -perm 4666

or

find / -perm 4000

or

find / -perm /4000

Source of my confusion:

https://unix.stackexchange.com/questions/180867/how-to-search-for-all-suid-sgid-files

 

Quote

       -perm mode
              File's permission bits are exactly mode (octal or symbolic). Since an exact match is required, if you want to use this form for symbolic modes, you may have to
              specify a rather complex mode string. For example `-perm g=w' will only match files which have mode 0020 (that is, ones for which group write permission is the
              only permission set). It is more likely that you will want to use the `/' or `-' forms, for example `-perm -g=w', which matches any file with group write
              permission. See the EXAMPLES section for some illustrative examples.

       -perm -mode
              All of the permission bits mode are set for the file. Symbolic modes are accepted in this form, and this is usually the way in which you would want to use them.
              You must specify `u', `g' or `o' if you use a symbolic mode. See the EXAMPLES section for some illustrative examples.

       -perm /mode
              Any of the permission bits mode are set for the file. Symbolic modes are accepted in this form. You must specify `u', `g' or `o' if you use a symbolic mode.
              See the EXAMPLES section for some illustrative examples. If no permission bits in mode are set, this test matches any file (the idea here is to be consistent
              with the behaviour of -perm -000).

       -perm +mode
              This is no longer supported (and has been deprecated since 2005). Use -perm /mode instead.

 

Quoting from the man pages.

You make it sound like your question is "how do I find files with the setuid bit set" but you posted the answer yourself in one of those examples, so I don't think this is the question you actually want to ask.
Maybe you mean to say "what's the difference between these commands?" in which case I would point you to the documentation to see what -mode and /mode mean.

I think you have a more specific question to ask. One that directly answers something you aren't understanding. And it's probably not the first question you started with.

/u=s checks if any of the permission bits are set.
-u=s checks if all of the permission bits are set.

A mode of 4666 means setuid + owner read/write + group read/write + other read/write.
A mode of 4000 means setuid only.
I'd link you a page that tells what the numbers mean but apparently nobody likes to document them directly - only constants. So it's easier to just believe me.

On 6/16/2023 at 5:05 AM, polaryeti said:

I want to know the exact difference between these commands with examples. I've read the man pages.

This begs the question of how well you understand binary/octal/hex and bitmasks.  These are all fairly valuable computer science fundamentals, as they are certainly useful to understand not just for unix file and directory permissions, but for things like networking and in particular subnet masks.  This also overlaps with boolean operators and bitwise operators, as well as floating point representation.  It's also good to understand the way data is represented internally through defined datatypes used by persistence engines and relational databases.

One command that is not commonly discussed is the stat command.  Try using it on files and directories to get a summary of information and meta information about a file or directory.

>stat ssl
  File: ‘ssl’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: ca01h/51713d	Inode: 920958      Links: 2
Access: (0775/drwxrwxr-x)  Uid: (  500/ec2-user)   Gid: (  500/ec2-user)
Access: 2023-05-20 20:23:29.770828847 +0000
Modify: 2023-05-20 20:50:30.995642112 +0000
Change: 2023-05-20 20:50:30.995642112 +0000
 Birth: -

If you are already confident in your knowledge of these fundamentals, the obvious answer, provided by requinix, is that these commands use octal values for historic reasons, but are typically not as user friendly as the alternative versions that employ constants.

For example, even though I fully understand the octal values, and the position of those values in these bitmasks, it's just easier to think about the matrix of user/group/other and Special, eXecute, Read, Write.

Thus it's much easier in my opinion, to just think about what you want to set or search for with something like s=u (special bit = user, aka suid) than what the positional octal values of a bitmask are, even though you should be able to derive them yourself, as requinix showed.

On 6/16/2023 at 3:30 PM, requinix said:

/u=s checks if any of the permission bits are set.
-u=s checks if all of the permission bits are set.

A mode of 4666 means setuid + owner read/write + group read/write + other read/write.
A mode of 4000 means setuid only.
I'd link you a page that tells what the numbers mean but apparently nobody likes to document them directly - only constants. So it's easier to just believe me.

"any" means that if one or more of the bits are set then it counts as a match.
"all" means that every bit you set has to be there for it to match.

Since you only care about one particular bit, both of those will have the same effect.

26 minutes ago, requinix said:

"any" means that if one or more of the bits are set then it counts as a match.
"all" means that every bit you set has to be there for it to match.

Since you only care about one particular bit, both of those will have the same effect.

Which two commands?

  • Solution

Try it and find out.

Seriously. That would have been the easiest option this whole time. All you had to do is manually find a setuid executable, such as sudo, and run different find commands to see what happens.
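The experiment suggested above, as an added example that is not part of the original thread: it builds a scratch directory of empty files with known modes and lists what each `-perm` form from the question matches, which is the distinction that matters when auditing a system for setuid files. The file names and the helper functions `make_fixture` and `perm_matches` are constructed for this illustration, and GNU find is assumed for the `/mode` form.

```shell
#!/bin/sh
# Added demonstration. File names and the scratch directory are constructed;
# -perm /mode needs GNU find.

# Create empty files with known modes; print the directory path.
make_fixture() {
    fx_dir=$(mktemp -d) || return 1
    for fx_spec in 4755:suid_exec 4666:suid_rw 4000:suid_only \
                   0755:plain_exec 0644:plain_rw; do
        : > "$fx_dir/${fx_spec#*:}"
        chmod "${fx_spec%%:*}" "$fx_dir/${fx_spec#*:}"
    done
    printf '%s\n' "$fx_dir"
}

# Names matched by one -perm argument, sorted, on a single line.
perm_matches() {
    find "$1" -type f -perm "$2" -exec basename {} \; |
        LC_ALL=C sort | paste -sd ' ' -
}

# Exact forms (4000, 4666) match one file each; -4000, /4000, -u=s and /u=s
# all test the single setuid bit; -4666 and /4666 differ (all bits vs. any bit).
demo_dir=$(make_fixture)
for demo_mode in 4000 4666 -4000 /4000 -u=s /u=s -4666 /4666; do
    printf '%-8s %s\n' "$demo_mode" "$(perm_matches "$demo_dir" "$demo_mode")"
done
rm -rf "$demo_dir"
```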
