How to Use “find” With File Metadata
- author:: Nathan Acks
- date:: 2022-08-05
Some useful find flags related to file metadata.
-user and -group
Matches files owned by a particular user or group (both numeric and symbolic-readable names are allowed).
-size
Matches files of size n.
Prefix n with + or - to match files strictly greater than or less than n in size. To specify useful sizes, use a suffix.
- c - Bytes
- k - Kilobytes
- M - Megabytes
- G - Gigabytes
For example, use -size +4G
to find files over 4 GB (i.e., those that can’t be written to a FAT32 file system).
-perm
Matches files with a given permission. Both numeric and symbolic permissions are allowed.
Use the / or - prefix to match files with any of the specified permissions or at least the specified permissions. For example, -perm -644
will match any file where the current user has at least read + write access and any other user has at least read access (so, “-“ requires the specified permissions, but is agnostic as to the presence/absence of additional permissions). Likewise, -perm /666
will match files where the current user has read + write access and/or the current group has read + write access and/or everyone has read + write access (so, “/” requires that at least one of the specified permissions groups matches exactly, but is agnostic to the state of any other group outside of that match).
Find SUID Files
find / -type f -perm -04000 -ls 2>/dev/null
Or:
find / -type f -perm -u=s -ls 2>/dev/null
Find SUID and SGID Executables
find / -type f \
-a \( -perm -u+s -o -perm -g+s \) \
-exec ls -l {} \; 2> /dev/null
Find World Writable/Executable Folders
find / -type d -a \( -perm -o+w -perm -o+x \) 2>/dev/null
-Xmin and -Xtime
Matches files accessed (a), had their contents modified (m), or had their inode changed (c) n minutes (-Xmin) or days (-Xtime) ago.
All mtime changes are ctime changes, but the reverse is not necessarily true.
Prefix n with + or - to match files strictly before or after the specified time in the past.
For example:
# Matches files accessed *more* than 30 minutes ago
#
find . -type f -amin +30
# Matches files modified *less* than 7 days ago
#
find . -type f -mtime -7
# Matches files modified *today*
#
find . -type f -mtime 0