How to Find Files With setuid Permissions
Created: 25.04.2013 21:44
Section: root - Linux
Record: Yurons/mytetra/master/base/1366915483zvyg9455em/text.html on raw.github.com
Use the following procedure to find files with setuid permissions.

1. Become superuser or assume an equivalent role.

2. Find files with setuid permissions by using the find command.

    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename

    find directory
        Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.
    -user root
        Displays files owned only by root.
    -perm -4000
        Displays only files that have the setuid bit (4000) set, whatever their other permission bits are.
    -exec ls -ldb
        Displays the output of the find command in ls -ldb format.
    >/tmp/filename
        Writes results to this file.

3. Display the results in /tmp/filename.

    # more /tmp/filename

If you need background information about setuid permissions, see setuid Permission.

Example: Finding Files With setuid Permissions

    # find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
    # cat /tmp/ckprm
    -r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
    -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
    ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
    -r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
    -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
    -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
    ---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
    -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
    -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
    -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
    -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su

This output shows that a user named rar has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. As a result, rar can execute /usr/rar/bin/sh and become the privileged user. If you want to save this output for future reference, move the file out of the /tmp directory.
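
Spotting an entry like /usr/rar/bin/sh by eye gets harder as the listing grows, so the saved output can be checked against a list of approved paths. The script below is an added example, not part of the original procedure; the baseline file, the function names and the baseline contents are assumptions made for illustration, and paths are assumed to contain no whitespace.

```shell
# Added example, not from the original page.
# unexpected_setuid LISTING BASELINE: print every setuid-root path in LISTING
# (saved find/ls -ldb output) that is absent from BASELINE (approved paths,
# one per line; a hypothetical file). Assumes paths contain no whitespace.
unexpected_setuid() {
    awk -v base="$2" '
        BEGIN { while ((getline p < base) > 0) if (p != "") approved[p] = 1 }
        # Character 4 of the mode string is the owner-execute slot:
        # "s" (or "S" when execute is off) means the setuid bit is set.
        substr($1, 4, 1) ~ /[sS]/ && $3 == "root" && !($NF in approved) { print $NF }
    ' "$1"
}

# run_sample: the listing shown on this page plus a constructed baseline.
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ckprm" <<'EOF'
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
EOF
    cat > "$dir/baseline" <<'EOF'
/usr/bin/at
/usr/bin/crontab
/usr/bin/ct
/usr/lib/mv_dir
/usr/lib/lpadmin
/usr/lib/lpsched
/usr/bin/df
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
EOF
    unexpected_setuid "$dir/ckprm" "$dir/baseline"
    rm -rf "$dir"
}

run_sample
```

Keep the baseline somewhere other than /tmp, for the same reason the page gives for moving the saved output.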