Cybersecurity Triage

Find SUID, SGID, and Sticky Bits in an App Tree

You need a compact inventory of files and directories with SUID, SGID, or sticky bits set.

Command

find fixtures/perm-audit -perm /7000 -printf '%M %m %u:%g %p\n' | sort

What changed

Nothing changes. The command inventories special permission bits.

Danger

safe

When to use it

Use during hardening reviews, after vendor installs, or before approving a deployment image.

When not to use it

Do not remove special bits until you know whether the program depends on them.

Undo or recovery

No undo needed because this command is read-only.

Expected output

A sorted list of paths with any SUID, SGID, or sticky bit set. Each line shows the symbolic mode, the octal mode, owner:group, and the path.

demo script

Disposable terminal steps

  1. find fixtures/perm-audit -perm /7000 -printf '%M %m %u:%g %p\n' | sort
  2. stat -c '%A %a %U:%G %n' fixtures/perm-audit/releases/2026-06-25/bin/*

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ find fixtures/perm-audit -perm /7000 -printf '%M %m %u:%g %p\n' | sort
-rwsr-xr-x 4755 root:root fixtures/perm-audit/releases/2026-06-25/bin/escalate-helper
-rwxr-sr-x 2755 root:root fixtures/perm-audit/releases/2026-06-25/bin/report-sync
::exit-code::0
$ stat -c '%A %a %U:%G %n' fixtures/perm-audit/releases/2026-06-25/bin/*
-rwsr-xr-x 4755 root:root fixtures/perm-audit/releases/2026-06-25/bin/escalate-helper
-rwxr-xr-x 755 root:root fixtures/perm-audit/releases/2026-06-25/bin/healthcheck
-rwxr-sr-x 2755 root:root fixtures/perm-audit/releases/2026-06-25/bin/report-sync
::exit-code::0
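
For a hardening review or image approval, the inventory is most useful when compared against a list of special-bit entries that are meant to be there. The script below is an added example, not part of the lesson: the allowlist format, the function names, and the `spool` directory in its constructed fixture are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the lesson. Requires GNU find (-perm /7000, -printf).
# Assumed allowlist format: one "<octal mode> <path relative to tree>" per line.

# Inventory as "<mode> <relative path>", sorted.
special_bit_inventory() {
    find "$1" -perm /7000 -printf '%m %P\n' | sort
}

# Name the special bits held in the leading digit of a four-digit octal mode.
describe_bits() {
    case ${1%???} in
        4) echo SUID ;; 2) echo SGID ;; 1) echo STICKY ;;
        6) echo SUID+SGID ;; 5) echo SUID+STICKY ;;
        3) echo SGID+STICKY ;; 7) echo SUID+SGID+STICKY ;;
    esac
}

# Print "<bits> <mode> <path>" for each entry that is not on the allowlist.
# A changed mode (approved as 2755, found as 4755) is reported as well.
# Returns 1 when something unexpected is found, 0 otherwise.
unexpected_special_bits() {
    usb_found=$(special_bit_inventory "$1" | grep -Fxv -f "$2") || true
    [ -z "$usb_found" ] && return 0
    echo "$usb_found" | while read -r usb_mode usb_path; do
        echo "$(describe_bits "$usb_mode") $usb_mode $usb_path"
    done
    return 1
}

# Constructed fixture that mirrors the lesson's tree and adds a sticky spool
# directory; only report-sync is on the (constructed) allowlist.
run_demo() {
    demo=$(mktemp -d) && bin=$demo/releases/2026-06-25/bin
    mkdir -p "$bin" "$demo/spool"
    touch "$bin/escalate-helper" "$bin/report-sync" "$bin/healthcheck"
    chmod 4755 "$bin/escalate-helper"; chmod 2755 "$bin/report-sync"
    chmod 755 "$bin/healthcheck"; chmod 1777 "$demo/spool"
    echo '2755 releases/2026-06-25/bin/report-sync' > "$demo/allowlist"
    unexpected_special_bits "$demo" "$demo/allowlist" && demo_rc=0 || demo_rc=$?
    rm -rf "$demo"
    return "$demo_rc"
}

run_demo || echo "unexpected special bits found: review before approving"
```

Because the allowlist matches on mode and path together, an approved file whose mode later changes is flagged again. Paths containing newlines are not handled.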

YouTube Short

Audit special bits.

SUID and SGID are not normal execute bits. List every special bit in the app tree before deciding what belongs there.

LinkedIn hook

Special bits are easy to miss in a long ls listing.

Question: How often do you inventory SUID and SGID files outside system paths?
