Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

Unix find tutorial

Prev | Contents | Next

Part 7: Finding World Writable, Abandoned and other Abnormal Files

Often system administrators need to detect "abnormal" files (e.g., world writable files, files with no valid owner and/or group, SetUID files, files with unusual permissions, sizes, names, or dates).  WE already discusses a very important case of SUID/SGUID files. Now let's concentrate of other possibilities. Here is several simplified (usually you need to avoid traversing special filesystem and NFS mounts) but potentially useful examples:

• To find all world writable directories:

  find / -perm -0002 -type d -print

• To find all world writable files:

  find / -perm -0002 -type f -print

• Find both files and directories (exclude symbolic links which produce false positives)

  find / -perm -2 ! -type l -ls

• Find files with messed UID or GID (possible as the result untarting files on a server with different structure of user accounts): 

  find / -nouser -o -nogroup -print

• Find broken symbolic links

  $ find / -type l -print | perl -nle '-e || print';

  Note: This command starts at the topmost directory (/) and lists all links (-type l -print) that the perl interpreter determines broken links (-nle '-e || print').  You can further pipe the output through xargs and use the rm -f {} if you want to delete such symbolic links.
   

• Clean out core dumps and temporary files

  find . \( -name a.out -o -name '*.o' -o -name 'core' \) -exec rm {} \;

Those examples are pretty simplistic as in "real life" you need to be able to block traversing of NFS and other non-native filesystems and avoid getting to special memory-mapped filesystems like proc.  Earlier versions of GNU find were allergic to proc filesystem. Here is one useful approach  described in from Wayne Pollock's  Unix-Linux find Command Tutorial

As a system administrator you can use find to locate suspicious files (e.g., world writable files, files with no valid owner and/or group, SetUID files, files with unusual permissions, sizes, names, or dates).  Here's a final more complex example (which I save as a shell script):

find / -noleaf -wholename '/proc' -prune \
     -o -wholename '/sys' -prune \
     -o -wholename '/dev' -prune \
     -o -wholename '/windows-C-Drive' -prune \
     -o -perm -2 ! -type l  ! -type s \
     ! \( -type d -perm -1000 \) -print

This says to search the whole system, skipping the directories /proc, /sys, /dev, and /windows-C-Drive (presumably a Windows partition on a dual-booted computer).  The Gnu -noleaf option tells find not to assume all remaining mounted filesystems are Unix file systems (you might have a mounted CD for instance).  The -o is the Boolean OR operator, and ! is the Boolean NOT operator (applies to the following criteria).

Another and potentially simpler and faster approach is to use -fstype type  predicate. It is true if the filesystem to which the file belongs is of type type. For example on Solaris mounted local filesystems have type ufs  (Solaris 10 added zfs). For AIX local filesystem is jfs or jfs2 (journalled file system). 

But sometimes the same server uses several types of local filesystems (for example ext3 and reisner). In this case you can use predicate OR and create expression that covers each used filesystem or use generic predicate local and in certain circumstances predicate  mount.

Prev | Contents | Next