Softpanorama
May the source be with you, but remember the KISS principle ;-)
Often system administrators need to detect "abnormal" files (e.g., world writable files, files with no valid owner and/or group, SetUID files, files with unusual permissions, sizes, names, or dates). We already discussed a very important case, SUID/SGID files. Now let's concentrate on other possibilities. Here are several simplified (usually you need to avoid traversing special filesystems and NFS mounts) but potentially useful examples:
find / -perm -0002 -type d -print
find / -perm -0002 -type f -print
find / -perm -2 ! -type l -ls
find / \( -nouser -o -nogroup \) -print
$ find / -type l -print | perl -nle '-e || print';
Note: This command starts at the topmost directory (/) and lists all links (-type l -print) that the perl interpreter determines are broken links (-nle '-e || print'). You can further pipe the output through xargs rm -f if you want to delete such symbolic links.
$ find . -empty -exec ls {} \;
After finding empty files, you might choose to delete them by replacing the ls command with the rm command. But it's better to verify the list before jumping the gun...
find . \( -name a.out -o -name '*.o' -o -name 'core' \) -exec rm {} \;
Those examples are pretty simplistic, as in "real life" you need to be able to block traversing of NFS and other non-native filesystems and avoid descending into special memory-mapped filesystems like proc. Earlier versions of GNU find were allergic to the proc filesystem. Here is one useful approach described in Wayne Pollock's Unix-Linux find Command Tutorial:
As a system administrator you can use find to locate suspicious files (e.g., world writable files, files with no valid owner and/or group, SetUID files, files with unusual permissions, sizes, names, or dates). Here's a final more complex example (which I save as a shell script):
find / -noleaf -wholename '/proc' -prune \
  -o -wholename '/sys' -prune \
  -o -wholename '/dev' -prune \
  -o -wholename '/windows-C-Drive' -prune \
  -o -perm -2 ! -type l ! -type s \
  ! \( -type d -perm -1000 \) -print
This says to search the whole system, skipping the directories /proc, /sys, /dev, and /windows-C-Drive (presumably a Windows partition on a dual-booted computer). The GNU -noleaf option tells find not to assume all remaining mounted filesystems are Unix file systems (you might have a mounted CD for instance). The -o is the Boolean OR operator, and ! is the Boolean NOT operator (applies to the following criteria).
Another, potentially simpler and faster, approach is to use the -fstype type predicate, which is true if the filesystem to which the file belongs is of type type. For example, on Solaris mounted local filesystems have type ufs (Solaris 10 added zfs). On AIX the local filesystem type is jfs or jfs2 (journaled file system).
But sometimes the same server uses several types of local filesystems (for example ext3 and reiserfs). In this case you can combine -fstype predicates with the OR operator (-o) into an expression that covers each filesystem in use, or use the generic predicate -local and, in certain circumstances, the predicate -mount.
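Below is an added example, not code from the original page or from Pollock's tutorial, that combines the checks above into one POSIX shell script. The function names, the pruned directory list and the use of -xdev (rather than -fstype) to stay on the local filesystem are our own choices.

```sh
#!/bin/sh
# Added example, not from the original page: an audit script that combines
# the find expressions discussed above. The function names, the pruned
# directory list and the use of -xdev are our own choices.

# world_writable ROOT
# World-writable files and directories under ROOT, skipping symlinks,
# sockets and sticky directories such as /tmp. -xdev keeps find on ROOT's
# own filesystem, so NFS and other mounts are never traversed; the -path
# prunes matter only when ROOT is / and keep find out of pseudo-filesystems.
world_writable() {
    find "$1" -xdev \
        \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -perm -0002 ! -type l ! -type s ! \( -type d -perm -1000 \) -print
}

# unowned ROOT
# Files whose UID or GID has no passwd/group entry. The parentheses matter:
# without them -print applies only to the -nogroup branch.
unowned() {
    find "$1" -xdev \
        \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        \( -nouser -o -nogroup \) -print
}

# broken_links ROOT
# Symlinks whose target no longer exists. test -e follows the link, so it
# fails exactly for dangling links; a portable stand-in for the perl filter.
broken_links() {
    find "$1" -xdev -type l ! -exec test -e {} \; -print
}

# count_hits CHECK ROOT: number of paths a check reports, for scripting
count_hits() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Run every check when a root directory is given on the command line.
if [ -n "$1" ]; then
    for check in world_writable unowned broken_links; do
        echo "== $check =="
        "$check" "$1"
    done
fi
```

Run it as `sh audit.sh /` (assumed file name) and review the three lists before deleting or re-permissioning anything.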
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: May 16, 1997; Last modified: November 21, 2008