Confused over a complex find statement 1

[columb]

I'm writing a script to search for changes in suid programs. What I have so far is

#!/bin/ksh
 
SUID_FILE=/var/log/suid.progs
suid_search()
{
find /   \( -name proc -a -prune \) -o   \(  -name /var/spool/cron/atjobs -a -prune \) -o   -type f -perm -04000 -ls 2>/dev/null
}
 
[[ "$1" = "reset" ]] && { suid_search > $SUID_FILE; exit; }
[[ -f $SUID_FILE ]] || { suid_search > $SUID_FILE; exit; }
 
suid_search > $SUID_FILE.$(date +%y%m%d)
diff $SUID_FILE $SUID_FILE.$(date +%y%m%d) > /tmp/suid.progs.$(date +%y%m%d) ||
mail -s "changed suid programs" me@home.server < /tmp/suid.progs.$(date +%y%m%d)
rm -f $SUID_FILE.$(date +%y%m%d) /tmp/suid.progs.$(date +%y%m%d)

but I'm still getting entries for /var/spool/cron/atjobs found. Any help with the find syntax would be gratefully recieved.

Ceci n'est pas une signature
Columb Healy

 

[mrn]

Try using !

E.g

find / -type f \( ! \( -name \*.a -o -name \*.so -o -name \*.sh \) -a -name \*\.\* \)

Mike

Unix *is* user friendly. It's just selective about who its friends are.

 

[columb]

Thanks Mike but I really want to stop the find searching down a number of directory trees.

I can sort of get it to work with

suid_search()
{
find / \
  \( -name proc -a -prune \) -o \
  \(  -name atjobs -a -prune \) -o \
  -type f -perm -04000 -a -ls 2>/dev/null
}

but that means someone can hide their suid progs in /tmp/atjobs, for example. I may have to end up with a grep -v which will be functional but not pretty!

Ceci n'est pas une signature
Columb Healy

 

[mrn]

How about

find / \( -type d ! -name /proc -prune \) -o \( -type d ! -name /var/spool/cron/atjobs -prune \) -o \( -type f -perm 04000 \) -o \( -type f -perm 2000 \) -ok ls {} \;

Mike

Unix *is* user friendly. It's just selective about who its friends are.

 

[columb]

Thanks Mike


Ceci n'est pas une signature
Columb Healy