Let's face it: The Linux filesystem can be complex. Add in mounted remote filesystems, removable media, and any server-specific directories you have created, and you or your users may find it difficult to remember exactly where a given file is stored. That's where the find command comes in. It allows you to search for files or directories based on various criteria. I'll do a basic review of find below, but this article's focus is a bit different: Find resources by permissions.
Why do I need to find by permissions?
- Security audit
- Troubleshoot user access complaints
- Troubleshoot application access issues
Quick example of find by name
There are other articles on Enable Sysadmin that cover the find command effectively. I will quickly summarize the command here, however.
Syntax:
find (where to search) (what to search for)
Example:
# find /etc -name rsyslog
# find /home/user01 -type d
However, this article focuses on using the -perm option, which searches based on permissions settings.
Absolute mode versus symbolic mode
Recall that permissions are set by using the chmod command. The chmod command recognizes both absolute mode and symbolic mode. See my recent article How to manage Linux permissions for users, groups, and others for a review of managing resource access, including the two modes. The find command also recognizes either mode, so you're able to use whichever comes most naturally to you. For me, that's absolute mode. You need to recall a few things about absolute mode and symbolic mode to effectively use the find -perm command.
Absolute mode
Absolute mode uses octal values to represent permissions. The values are listed in order as the permission to be assigned to the user, group, and all others.
For example:
# chmod 764 file1
Sets the user with 7 (rwx), group with 6 (rw), and others with 4 (r) for file1.
Symbolic mode
Symbolic mode uses symbols to represent access levels, and it uses mathematical operators to give (+) or remove (-) permissions.
For example:
# chmod o+rw file1
Gives the others identity read and write to file1.
Find resource permissions by using absolute mode
The most fundamental permissions search uses no additional parameters. The statement reads as "find a resource with these permissions."
For example:
# find /etc -perm 777
The command is: Search the /etc directory for resources with the 777 access level (rwx for all identities).
The above example only finds resources with exactly the specified permission—no more and no less. What if you need a little more flexibility? There are two additional parameters that can be very useful. The first is the - character (dash), and the second is the / character (slash). Let's look at both.
Find by -
The use of the - option means "at least this permission level is set, and any higher permissions."
Example:
# find . -perm -644
This example displays all resources in the current directory with at least 644 permissions.
Find by /
The use of the / option means "any of the permissions listed are set."
Example:
# find . -perm /644
This example displays resources with at least one of the permission bits in 644 set: read or write for the user, read for the group, or read for others.
Find resource permissions by using symbolic mode
Symbolic mode uses the ugo symbols (user, group, others), rwx symbols (read, write, execute), and mathematical operators (such as + or -) to define permissions.
Find by -
The - option operates the same in symbolic mode as it did above in absolute mode. It displays resources with "at least this access level."
Example:
# find -perm -u+w,g+w
Find by /
The / also functions the same in symbolic mode. It displays resources with "any permissions listed."
Example:
# find -perm /u+w,g+w
Linux standard permissions are very common, and now you know how to search for resources with a given level of access configured. However, Linux also takes advantage of special permissions. The find command can display these permissions, as well.
Find resources with special permissions configured
Linux special permissions set additional access controls on resources. There are three special permissions: Set User ID (SUID), Set Group ID (SGID), and the Sticky Bit. The details of each are outside the scope of this article, but let me quickly summarize:
Special permission | Description |
SUID | A file is executed by a user with the identity of the owner, even if that user is not the owner |
SGID | The contents of a directory automatically inherit the group association of the parent folder (great for directories shared by project teams) |
Sticky Bit | The file loads into memory automatically and cannot be deleted or altered by anyone other than the owner |
Take a look at this article for more information on the special permissions.
Special permissions are configured using a fourth bit (leftmost):
- SUID = 4
- SGID = 2
- Sticky Bit = 1
Tip: The output of the ls -l command will display an s in the executable field for the user if SUID is configured, an s in the executable field for the group if SGID is configured, and a T or t if the Sticky Bit is set (depending on whether execute is also set).
The following content covers searching for files with specific special permissions configured.
Find files with SUID configured
To find files where the SUID access level is defined, use the -perm option but include the fourth digit. SUID has an octal value of 4.
For example, to search for resources with the SUID configured:
# find /usr/bin -perm 4755
Find files with SGID configured
You can use the same syntax to display resources with the SGID permission defined by using the SGID octal value of 2.
For example, to search for resources with the SGID configured:
# find /usr/bin -perm 2755
Find files with the Sticky Bit configured
Finally, you can use the octal value of 1 to display resources with the Sticky Bit configured.
Here is a Sticky Bit example:
# find /etc -perm -1000
Note: The - and / parameters work the same with special permissions as they do with standard permissions.
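The exact, - and / forms side by side, for standard and special permissions, as an added example that is not part of the original article. It builds a throwaway directory of constructed files named after their modes and prints what each -perm test selects; make_tree and match are hypothetical helper names.

```shell
#!/bin/sh
# Added example: constructed files, each named after the mode it is given.
make_tree() {
    dir=$(mktemp -d) || return 1
    for mode in 0400 0600 0644 0664 0755 0777 2755 4755; do
        : > "$dir/f$mode" && chmod "$mode" "$dir/f$mode"
    done
    mkdir "$dir/d1777" && chmod 1777 "$dir/d1777"
    printf '%s\n' "$dir"
}

# match DIR PERM: names under DIR selected by "find -perm PERM", on one line.
# -mindepth 1 keeps the temporary directory itself out of the results.
match() {
    find "$1" -mindepth 1 -perm "$2" | sed 's|.*/||' | LC_ALL=C sort | paste -sd ' ' -
}

# 644    exact match only
# -644   every bit of 644 set, extra bits allowed
# /644   any single bit of 644 set
# -4000  SUID set          /6000  SUID or SGID set
# -1000  Sticky Bit set    -0002  writable by others
tree=$(make_tree)
for p in 644 -644 /644 -4000 /6000 -1000 -0002; do
    printf '%-6s %s\n' "$p" "$(match "$tree" "$p")"
done
rm -rf "$tree"
```

In this tree /644 selects every entry, because even the 0400 file has one of the listed bits set; for audit questions such as "is SUID set" or "is this world-writable", the - form is the one that requires the bit.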
Bonus examples
Here are a few additional commands that might be useful for displaying permissions. As I wrote the article, I kept thinking, Wait, what about this? and then adding bonus examples. So here are several additional commands for permissions auditing.
Bonus 1: Use -not to negate results
You can use the -not option with find to specify anything that does not match the given criteria.
The first example shows a normal find attempt, and the second displays find with -not.
# find /etc/network -perm 777
The above example displays the resources inside of /etc/network that do have 777 permissions configured.
# find /etc/network -not -perm 777
This example displays the resources inside of /etc/network that have any permissions other than 777 configured.
Bonus 2: Set permissions by using find and chmod
One of the benefits of find is that it includes an execute function. You can combine this with follow-up commands, such as xargs, rm, or chmod.
# find -perm -111 -exec chmod -R 777 {} \;
In this example, the {} characters represent the results of the find command, and the \; characters represent a termination of the chmod command.
Warning: Be careful to understand exactly what the effect of your combined "find + other commands" execution will be. A typo could easily find all files in /etc and then attempt to delete them or configure permissions that lock legitimate users out of their home directories.
Bonus 3: Display permissions by using ls and grep
Sometimes you don't need the advanced functionality of the find command. Instead, you just need a quick and easy display of specific permissions. In that case, rely on the ls and grep commands.
Example:
# ls -l | grep rwxrw-r--
This command displays all directory contents with the specified permissions.
Bonus 4: Display ACL permissions
The find command does not easily display files with the Access Control List (ACL) permissions applied. In that case, use the getfacl command instead.
Example:
# getfacl file1
See An introduction to Linux Access Control Lists (ACLs) for more info on Access Control Lists.
Wrap up
The find command is a handy utility to display directories or files that you need to locate. However, find can also be a great security tool because it shows directories and files with specified permissions. As a sysadmin, you can use that information to ensure that the server's resources are set according to your company's security policies. Don't forget that you can use the >> redirector to document these permissions. Such a document can be used as a permissions baseline for future audits.
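One way to record such a baseline and compare a later run against it, as an added example rather than code from the article. The function names, the constructed demo tree, and the choice of SUID/SGID and world-writable entries as the audited set are assumptions; stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example; function names and the demo tree are hypothetical.

# snapshot DIR: "octal-mode owner:group path" for every entry under DIR that is
# SUID or SGID (-perm /6000) or world-writable (-perm -0002). Symlinks are
# skipped because their own mode bits are not used for access checks.
snapshot() {
    find "$1" -xdev ! -type l \( -perm /6000 -o -perm -0002 \) \
        -exec stat -c '%a %U:%G %n' {} + | LC_ALL=C sort
}

# drift BASELINE DIR: lines in the current snapshot that the baseline lacks,
# i.e. entries that gained a risky bit, changed mode or owner, or are new.
drift() {
    snapshot "$2" | LC_ALL=C comm -13 "$1" -
}

# Constructed demo tree standing in for a real audit target.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/tool";   chmod 4755 "$d/tool"     # SUID already present at baseline
    : > "$d/helper"; chmod 0755 "$d/helper"
    : > "$d/notes";  chmod 0644 "$d/notes"
    snapshot "$d" > "$d.baseline"
    chmod 4755 "$d/helper"                    # changes made after the baseline
    chmod 0666 "$d/notes"
    # Reduce each drift line to "mode name" so the output is host-independent.
    drift "$d.baseline" "$d" | sed "s|$d/||" | cut -d' ' -f1,3
    rm -rf "$d" "$d.baseline"
}

demo
```

Only helper and notes are reported; tool is SUID in both snapshots, so it is part of the accepted baseline rather than drift.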
About the author
Damon Garn owns Cogspinner Coaction, LLC, a technical writing, editing, and IT project company based in Colorado Springs, CO. Damon authored many CompTIA Official Instructor and Student Guides (Linux+, Cloud+, Cloud Essentials+, Server+) and developed a broad library of interactive, scored labs. He regularly contributes to Enable Sysadmin, SearchNetworking, and CompTIA article repositories. Damon has 20 years of experience as a technical trainer covering Linux, Windows Server, and security content. He is a former sysadmin for US Figure Skating. He lives in Colorado Springs with his family and is a writer, musician, and amateur genealogist.