linux-setuid-files
Retrieves a list of files owned by root with the SETUID bit set on a Linux system. Because files with SETUID set run with the file owner's privileges, this command is used during security audits to check for unauthorized SETUID files.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
md5=BOOL - Whether to calculate the MD5 hash of each file and assign it to the md5 field. (Default: f)
Output fields
| Field | Type | Description |
|---|---|---|
| file_path | string | Absolute path of the file |
| file_name | string | File name |
| file_type | string | File type: file or directory |
| permissions | string | File permission string (e.g., rws------). The SETUID bit is displayed as s. |
| file_size | long | File size (bytes) |
| file_ctime | timestamp | File creation time |
| file_mtime | timestamp | Last modification time |
| file_atime | timestamp | Last access time |
| md5 | string | MD5 hash of the file. Only output when the md5=t option is specified. |
| owner_read | boolean | Whether the owner has read permission |
| owner_write | boolean | Whether the owner has write permission |
| owner_execute | boolean | Whether the owner has execute permission |
| group_read | boolean | Whether the group has read permission |
| group_write | boolean | Whether the group has write permission |
| group_execute | boolean | Whether the group has execute permission |
| others_read | boolean | Whether others have read permission |
| others_write | boolean | Whether others have write permission |
| others_execute | boolean | Whether others have execute permission |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Occurs when run without administrator privilege |
Runtime errors
N/A
Description
The linux-setuid-files command runs find / -user root -perm -4000 -print to search for files owned by root with the SETUID bit set. It collects metadata for each found file and assigns the file path, size, timestamps, and permission information to output fields.
The permissions field displays s in the owner execute position to indicate that the SETUID bit is set. For example, a SETUID file with rwxr-xr-x permissions is displayed as rwsr-xr-x.
When the md5=t option is specified, the MD5 hash of each file is calculated. Execution time may be longer when there are many files or the files are large.
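The same audit can be cross-checked outside the query engine. The following Python code is an added example, not part of the product or its documentation: it approximates the find invocation above for regular files, renders the permissions string, and compares path and MD5 against a baseline taken from an earlier trusted scan. The function names, the owner_uid parameter and the baseline dictionary format are assumptions made for illustration.

```python
import hashlib
import os
import stat


def md5_of(path, chunk=1 << 20):
    """Stream the file so large binaries are not loaded into memory at once."""
    digest = hashlib.md5()  # MD5 only to line up with the command's md5 field
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_setuid(root="/", owner_uid=0, with_md5=False):
    """Approximate `find / -user root -perm -4000` for regular files under root."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is never reported as its target
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_uid != owner_uid or not st.st_mode & stat.S_ISUID:
                    continue
                row = {"file_path": path,
                       # filemode gives "-rwsr-xr-x"; "S" means SETUID without owner execute
                       "permissions": stat.filemode(st.st_mode)[1:],
                       "file_size": st.st_size}
                if with_md5:
                    row["md5"] = md5_of(path)
            except OSError:
                continue  # vanished or unreadable file: skip rather than abort the audit
            rows.append(row)
    return sorted(rows, key=lambda r: r["file_path"])


def diff_baseline(rows, baseline):
    """Compare a scan against a trusted {file_path: md5} baseline (assumed format)."""
    current = {r["file_path"]: r.get("md5") for r in rows}
    findings = [("new", p) for p in current if p not in baseline]
    findings += [("changed", p) for p in current
                 if p in baseline and current[p] != baseline[p]]
    findings += [("missing", p) for p in baseline if p not in current]
    return sorted(findings)


if __name__ == "__main__":
    for row in scan_setuid("/usr/bin"):
        print(row["permissions"], row["file_path"])
```

A "new" or "changed" finding is the case the audit is looking for: a root-owned SETUID file that was not in the trusted scan, or one whose content no longer matches it.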
Examples
- Retrieve a list of SETUID files

  linux-setuid-files

  Retrieves a list of all SETUID files on the system.

- Retrieve SETUID files including MD5 hash

  linux-setuid-files md5=t

  Retrieves the MD5 hash of each SETUID file along with its metadata. This can be used for file integrity verification.

- Filter SETUID files in a specific directory

  linux-setuid-files | search file_path == "/usr/bin/*"

  Filters only SETUID files in the /usr/bin directory.