Permissions and Ownership
For system administrators and security engineers, find is the primary tool for auditing filesystem access controls. You can locate files based on exactly who owns them and what actions are permitted.
1. User and Group Ownership
Finding by User (-user)
Find files owned by a specific username or UID.
# Find files owned by the 'nginx' user
find /var/www -user nginx
# Find files by UID (useful if the user account was deleted)
find /home -user 1005
Finding by Group (-group)
Find files owned by a specific group name or GID.
find /shared -group developers
Finding Unowned Files (-nouser / -nogroup)
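When an account is deleted, its files remain on disk, but their UID/GID no longer maps to a name in /etc/passwd or /etc/group. These "orphaned" files are a security risk, because a new account that is later assigned the same UID or GID inherits ownership of them. They also waste disk space.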
# Find files belonging to deleted accounts
find / -nouser -o -nogroup
2. Permission Filtering (-perm)
The -perm flag allows you to query the access mode bits (read/write/execute) of a file. The modes in the examples below are written in numeric (octal) form.
There are three ways to use -perm, and understanding the difference is critical.
A. Exact Match (-perm MODE)
Matches files that have the exact permissions specified. No more, no less.
# Find files that are exactly 0644 (rw-r--r--)
find /etc -type f -perm 0644
B. "All Of" Match (-perm -MODE)
Prefix the mode with a hyphen (-). This matches files where all of the specified permission bits are set. Other bits can also be set; find doesn't care.
# Find files where the owner has execute permission (0100)
find /usr/local/bin -type f -perm -0100
# Find files where everyone (owner, group, other) has read access (0444)
find /var/opt -type f -perm -0444
(If a file is 0755, it will match -0444 because the read bit is set for everyone, even though other bits are also set.)
C. "Any Of" Match (-perm /MODE)
Prefix the mode with a slash (/). This matches files where any of the specified permission bits are set.
# Find files where ANYONE (group or other) has write access (0022)
find /opt -type f -perm /0022
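The three -perm forms run against the same set of files, as an added example that is not part of the original page. It assumes GNU find for the /MODE form; the helper names make_sandbox and perm_match and the sandbox files are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare exact, "all of" and "any of" -perm matching.

# Create a temp directory holding five empty files named after their modes
# (constructed sample data). Prints the directory path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    for mode in 0600 0644 0664 0666 0755; do
        : > "$dir/f$mode"
        chmod "$mode" "$dir/f$mode"   # numeric chmod is not affected by umask
    done
    printf '%s\n' "$dir"
}

# perm_match DIR EXPR: names of regular files in DIR matching -perm EXPR,
# sorted and joined on one line.
perm_match() {
    find "$1" -type f -perm "$2" -exec basename {} \; | sort | paste -sd ' ' -
}

# Print each query beside the files it matches, then remove the sandbox.
demo() {
    sandbox=$(make_sandbox) || return 1
    for expr in 0644 -0022 /0022 -0444 -0100; do
        printf '%-12s -> %s\n' "-perm $expr" "$(perm_match "$sandbox" "$expr")"
    done
    rm -rf "$sandbox"
}

demo
```

Note that -0022 matches only the file writable by both group and other, while /0022 also catches the file writable by group alone, which is why the slash form is the one to use when hunting for overly permissive files.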
3. Advanced Example: The Security Audit
Combine these flags to perform a basic system security audit:
# Find root-owned shell scripts that are executable by anyone (other execute bit, 0001)
find /usr/local/scripts -type f -user root -perm -0001 -name "*.sh"