Permission
Read
Other/World
find / -a -perm -o+r
World-readable
find / -a -perm -4
World-readable
grep -r "r-." /
Alternative method
Extracts usernames from /etc/passwd and finds files owned by each user where "others" have read permission (Need to test):
grep "r-" /etc/passwd | cut -d: -f1 | xargs find . -userCurrent User
find / -a -readable
Current user readable.
find / -a -perm -u+r
Current user readable.
User specific
find / -a -user [username] -readable
Specific user readable.
find / -a -user [username] -perm -4
Specific user readable.
find / -a -user [username] -perm -u+r
Combines owner read permission to show files owned by user with read permissions.
Group
find / -a -perm -g+r
Group readable.
find / -a -group <group_name> -readable
Specific group readable.
Write
Other/World
find / -a -perm -o+w
Writable by "Other"
find / -a -perm -2
Writable by "Other"
grep -r "w-." /
Alternative method
Find world-writable config files:
find /etc -a -type f ( -name ".conf" -o -name ".cfg" -o -name "*.ini" ) -perm -o+w -exec ls -l {} ;Current User
find / -a -writable 2>/dev/null
Current user writable
find / -a -perm -u+r
Current user writable
Current-user writable filtering out running processes:
find / -a -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -uUser Specific
find / -a -user [username] -readable
Specific user writable
find / -a -user [username] -perm -2
Specific user writable
find / -a -user [username] -perm -u+r
Combines owner read permission to show files owned by user with read permissions.
Group
find / -a -perm -g+w
Group Writable.
find / -a -group <group_name> -readable
Specific group Writable.
Execute
Other/World
find / -a -perm -o+x
World-executable
find / -a -perm -1
World-executable
grep -r "x-." /
Alternative method
Finds files owned by each user where "others" have execute permission:
grep "x-" /etc/passwd | cut -d: -f1 | xargs find . -userCurrent User
find / -a -executable
Current user executable
find / -a -perm -u+x
Current user executable
User specific
find / -a -user [username] -executable
Specific user executable
find / -a -user [username] -perm -1
Specific user executable
find / -a -user [username] -perm -u+x
Combines owner read permission to show files owned by user with read permissions
Group
find / -a -perm -g+x
Group executable
find / -a -group <group_name> -executable
Specific group executable
Wide-Open
find / -a -perm 0777
Wide open files
Find files with insecure permissions:
find / -a -type f ( -perm 777 -o -perm 666 ) -exec ls -l {} ;SUID/SGID
Permission Filters
-2000 = Owner has write permissions, SGID is set. File inherits the GID of the process that executes it. -4000 = Only files with SUID bit.
/6000 = SUID, SGID, or Both.
SUID Only
find / -a -perm -4000
SUID set
find / -a -perm /u=s
SUID set
find / -a -perm -4000 -user root
SUID files owned by root
find / -a -perm -4000 -not -user root
SUID files NOT owned by root
grep -r "w-s-" /
SUID set (Alternate method)
Processes usernames from /etc/passwd, searches for world-executable SUID files owned by each user.
Use with Caution!
grep -r "w-s-" / | cut -d: -f1 | xargs find . -userSGID Only
find / -a -perm -2000
Owner has write permissions, SGID is set
find / -a -perm /u=g
SGID set
find / -a -perm -2000 -user root
SGID set and owned by root
find / -a -perm -2000 -not -user root
SGID set and NOT owned by root
grep -r "w-S-" /
SGID set (Alternate method)
SUID AND/OR SGID
find / -a -perm /6000
SUID, SGID, or both set
find / -a -perm /u=s,g=s
Both SUID and SGID set
find / -a -perm /6000 -user root
SUID, SGID, or both set and owned by root
find / -a -perm /6000 -not -user root
SUID, SGID, or both set and NOT owned by root
SUID or SGID then execute ls -l:
find / -a \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;find / -a -a ( -perm -u+s -o -perm -g+s ) -exec ls -l {} ; 2>/dev/nullCapabilties
getcap [filepath]
Check a specific file for capabilities.
getcap -r [filepath]
Recursively check capabilities of files in a directory hierarchy.
find / -a -perm -0002 | getcap -d -
Searches for capabilities (excluding sticky bits) and pipes getcap for details.
Recursively to search for capabilities within open file descriptors, potentially revealing files in use with capabilities. Requires root privileges:
grep -r /etc/security/capabilities /proc/self/fd/*.This searches for specific capabilities by name within open file descriptors of a specific process ID (PID). Requires root privileges:
grep -r "\<[CAP_>\w+]*\>" /proc/[pid]/fd/*Last updated
Was this helpful?