Basics

find file metadata flags

Some useful find flags related to file metadata.

Ownership

Filter files based on ownership in find

The -user and -group flags match files and folders owned by a particular user or group (both numeric IDs and symbolic names are allowed).

File size

Filter files based on size in find

The -size flag matches files of size n.

Prefix n with + or - to match files strictly greater than or less than n in size, respectively. Use a suffix to specify the unit (without one, n is counted in 512-byte blocks):

  • c — Bytes
  • k — Kilobytes
  • M — Megabytes
  • G — Gigabytes

For example, use -size +4G to find files over 4 GB (i.e., those that can’t be written to a FAT32 file system).

Permissions

Filter files based on file permissions in find

The -perm flag matches files and folders with a given permission. Both numeric and symbolic permissions are allowed.

Use the / or - prefix to match files with any of the specified permissions or at least the specified permissions, respectively. For example, -perm -644 will match any file where the owner has at least read + write access and any other user has at least read access (so - requires the specified permissions, but is agnostic as to the presence or absence of additional permissions). Likewise, -perm /666 will match files where the owner has read + write access and/or the group has read + write access and/or everyone has read + write access (so / requires that at least one of the specified permission groups matches exactly, but is agnostic to the state of any other group outside of that match).

Timestamps

Filter files based on timestamp in find

The -Xmin and -Xtime flags, where X is a, m or c, match files that were accessed (a), had their contents modified (m), or had their inode changed (c) n minutes (-Xmin) or days (-Xtime) ago.

All mtime changes are ctime changes, but the reverse is not necessarily true.

Prefix n with + or - to match files strictly before or after the specified time in the past, respectively.

For example:

# Matches files accessed *more* than 30 minutes ago
find . -type f -amin +30

# Matches files modified *less* than 7 days ago
find . -type f -mtime -7

# Matches files modified within the last 24 hours (n = 0 days ago)
find . -type f -mtime 0

Reconnaissance

Find SUID and SGID executables

How to find SUID and SGID executables with find

find / -type f \
       -a \( -perm -u+s -o -perm -g+s \) \
       -exec ls -l {} \; 2> /dev/null

Find world writable/executable folders

How to find world-accessible and world-modifiable folders with find

find / -type d -a \( -perm -o+w -perm -o+x \) 2>/dev/null
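
An added example (not part of the original notes) that runs the -perm prefixes from the Permissions section and the two expressions above against a constructed sandbox, so the matching rules can be checked on known modes before auditing a real system. The function names make_sandbox, matches and demo are hypothetical, GNU find is assumed, and the final sticky-bit filter is an addition for review purposes.

```shell
#!/bin/sh
# Added example: constructed sandbox; each name encodes the mode it is given.
# Assumes GNU find ("-perm /mode" and -mindepth are not POSIX).
make_sandbox() {
    d=$(mktemp -d) || return 1
    for m in 0600 0640 0644 0664 0755 2755 4755; do
        : > "$d/f$m" && chmod "$m" "$d/f$m" || return 1
    done
    for m in 0755 0777 1777; do
        mkdir "$d/d$m" && chmod "$m" "$d/d$m" || return 1
    done
    printf '%s\n' "$d"
}

# matches DIR EXPR...: sorted base names under DIR selected by the find expression.
matches() {
    dir=$1; shift
    find "$dir" -mindepth 1 "$@" -exec basename {} \; | sort | paste -sd ' ' -
}

demo() {
    box=$(make_sandbox) || return 1
    echo "exact 644:        $(matches "$box" -type f -perm 644)"
    echo "at least 644:     $(matches "$box" -type f -perm -644)"
    # Any of the listed bits: group-writable or other-writable.
    echo "g+w or o+w:       $(matches "$box" -type f -perm /022)"
    # The page's SUID/SGID and world-writable directory expressions:
    echo "setuid or setgid: $(matches "$box" -type f \( -perm -u+s -o -perm -g+s \))"
    echo "o+w and o+x dirs: $(matches "$box" -type d -perm -o+w -perm -o+x)"
    # Review filter: sticky-bit directories (mode 1777, as /tmp uses) are
    # usually intended, so report only world-writable ones without it.
    echo "o+w, no sticky:   $(matches "$box" -type d -perm -o+w ! -perm -1000)"
    rm -rf "$box"
}
demo
```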

Shell escape

find shell escape

If find can be run with NOPASSWD via sudo, then try:

sudo find . -exec /bin/sh \; -quit