How can I find only the executable files under a certain directory in Linux?

170

HaiYuan Zhang

Posted 2009-09-10T11:56:56.407

Reputation: 3 239

What about using the standard file command?

– Breakthrough – 2014-12-08T14:22:17.610

5For anyone wanting to do this on a Mac (tested on OS X 10.9.5):

`ls -l | egrep '^[^d]..x..x..x.*$'`

The above will list all executables (for all/user and group) in the current directory.

Note: The -executable option does not work on a Mac hence the above workaround. – techfoobar – 2014-12-08T14:28:02.357

Also relevant: Unix find: search for executable files

– Slothworks – 2015-08-14T06:10:22.900

1@techfoobar: The question is ambiguous: Does it mean files that contain executable code, or does it mean files that have executable permission? But even if we assume that executable permission is what is wanted (as the majority of the responses seem to), the question doesn't say world-executable. Your solution will find files (and also fifos, sockets, symlinks, etc.) that have world execute permission, but not 750 (-rwxr-x---), which is still executable to some users. – G-Man Says 'Reinstate Monica' – 2016-02-20T03:06:25.387

Here is a kind of BASH script, it is not-bad is what I can say :)
http://stackoverflow.com/a/20209457/2067125

– AjayKumarBasuthkar – 2014-03-26T07:49:08.087

Answers

170

Checking for executable files can be done with -perm (not recommended) or -executable (recommended, as it takes ACL into account). To use the -executable option:

find <dir> -executable

if you want to find only executable files and not searchable directories, combine with -type f:

find <dir> -executable -type f

knittl

Posted 2009-09-10T11:56:56.407

Reputation: 3 452

7If you have an old version of find (probably before 4.3.8) which lacks -executable use find . -perm /u=x,g=x,o=x. – Ludwig Weinzierl – 2010-05-14T19:06:21.537

How about not executable? Seems like a good thing to add here... – Dan Bolser – 2019-05-02T14:54:03.033

1@DanBolser that's as simple as find -not -executable (optionally with -type f, depending on whether you want to only include files in the result) – knittl – 2019-05-02T15:08:57.387

Thanks @knittl, worth editing the answer? – Dan Bolser – 2019-05-03T16:13:45.703

@DanBolser the discussion probably takes longer than actually updating the answer, but I think the answer is complete as it stands now. The OP was specfically about finding files which are executable, not about excluding them. I expect people to read the find man page to some extent and they will find the basic -not operator there.

– knittl – 2019-05-03T16:25:28.340

I can't edit it. I've been using find for years, but -executeable and -not are both new to me (just saying ;-) – Dan Bolser – 2019-05-04T19:08:28.427

This will return files with the execute turned on only. A more thorough analysis would check for a shebang line or whether the file is binary – None – 2009-09-10T12:04:25.407

24a shebang doesn’t mean they’re executable. it tells us only which interpreter to use. and by linux definition “executable files” are files with the executable (x) bit set – knittl – 2009-09-10T12:09:18.953

2What version of find supports that type for -type? man find lists b, c, d, p, f, l, s and D on my system. – innaM – 2009-09-10T15:51:23.067

2Same here, my find doesn't have a -type x either. – davr – 2009-09-10T17:17:39.507

For some reason I always think that "-type x" will work too. I can only imagine it was available on some flavour of Unix I used once. – Dave Webb – 2009-09-21T10:39:28.183

@dave: glad to hear i’m not the only one :) – knittl – 2009-09-23T09:23:30.880

4-executable isn't at all portable and should be avoided – Good Person – 2012-10-26T15:54:09.330

9find: invalid predicate -executable' on RHEL – SSH This – 2013-05-17T20:57:26.310

Use the find's -perm option. This will find files in the current directory that are either executable by their owner, by group members or by others:

find . -perm /u=x,g=x,o=x

Edit:

I just found another option that is present at least in GNU find 4.4.0:

find . -executable

This should work even better because ACLs are also considered.

innaM

Posted 2009-09-10T11:56:56.407

Reputation: 9 208

Seems like -perm /111 may be the most portable version. – Scott – 2016-04-24T04:01:31.467

2This only works on a newer version of find. The one that comes by default with CentOS gives the error find: invalid mode/u=x,g=x,o=x'` – davr – 2009-09-10T17:18:56.090

12Then you should try the "-perm +" version which is now deprecated in GNU find: find . -perm +111" – innaM – 2009-09-10T19:32:39.703

I know the question specifically mentions Linux, but since it's the first result on Google, I just wanted to add the answer I was looking for (for example if you are - like me at the moment - forced by your employer to use a non GNU/Linux system).

Tested on macOS 10.12.5

find . -perm +111 -type f

friederbluemle

Posted 2009-09-10T11:56:56.407

Reputation: 492

1Works in RHEL 5 too. – José Tomás Tocino – 2018-05-23T06:30:43.577

This is the only variant I could get working on OS X 10.14, thx – Justin – 2019-01-16T19:17:01.387

Needed this while using a busybox build of find. -executable did not work. -perm +111 is perfect. – jmcarter9t – 2019-12-17T17:31:33.193

I have another approach, in case what you really want is just to do something with executable files--and not necessarily to actually force find to filter itself:

for i in `find -type f`; do [ -x $i ] && echo "$i is executable"; done

I prefer this because it doesn't rely on -executable which is platform specific; and it doesn't rely on -perm which is a bit arcane, a bit platform specific, and as written above requires the file to be executable for everyone (not just you).

The -type f is important because in *nix directories have to be executable to be traversable, and the more of the query is in the find command, the more memory efficient your command will be.

Anyhow, just offering another approach, since *nix is the land of a billion approaches.

Mark McKenna

Posted 2009-09-10T11:56:56.407

Reputation: 156

(0) Which do you prefer, arcane and correct or intuitive and flawed? I prefer correct. (1) innaM’s answer, featuring find -perm, finds files that have any execute permission bit set. (2) By contrast, this answer finds only files for which the current user has execute permission. Granted, that might be what the OP wants, but it’s unclear. … (Cont’d)

– Scott – 2016-04-24T04:36:04.757

(Cont’d) … (3) For clarity, you might want to change \…`` to $(…) — see this, this, and this. (4) But don’t do for i in $(find …); do …; it fails on filenames that contain space(s). Instead, do find … -exec …. (5) And, when you do work with shell variables, always quote them (in double quotes) unless you have a good reason not to, and you’re sure you know what you’re doing.

– Scott – 2016-04-24T04:36:24.523

@scott OK, I stand corrected :) I read the -perm argument as requiring all three, not one of them. Also, thank you for the input on protecting shell arguments, that's all stuff I wasn't aware of. – Mark McKenna – 2016-04-25T13:50:54.257

@MarkMcKenna you have a typo in there: for i infind . -type f; do [ -x $i ] && echo "$i is executable"; done; you are missing the <dir> part, which I use a dot(.) – Devy – 2016-08-31T20:07:13.390

A file marked executable need not be a executable or loadable file or object.

Here is what I use:

find ./ -type f -name "*" -not -name "*.o" -exec sh -c '
    case "$(head -n 1 "$1")" in
      ?ELF*) exit 0;;
      MZ*) exit 0;;
      #!*/ocamlrun*)exit0;;
    esac
exit 1
' sh {} \; -print

AjayKumarBasuthkar

Posted 2009-09-10T11:56:56.407

Reputation: 151

2What does this do? – DerMike – 2015-01-14T08:04:11.643

@DerMike, It is one of the ways to find executable in current directory, including .so files, even if a file is not marked executable it can discover. – AjayKumarBasuthkar – 2015-01-14T21:59:23.500

Well, I mean, how does it do that? – DerMike – 2015-01-15T10:05:21.443

It reads from the header of the file to discover, every binary file or script file has header. – AjayKumarBasuthkar – 2015-01-15T13:44:36.123

As far as I know, -name "*" has no effect on find — it normally finds all files that are not eliminated by tests. – G-Man Says 'Reinstate Monica' – 2016-02-20T03:11:53.447

@AjayKumarBasuthkar you are aware this is NOT an answer to the question? the question was how to find executable files (=those that can be executed, = those w/ +x). not how to find all ELF, EXE and whatever-ocamlrun-is files. – nonchip – 2016-08-19T12:40:19.583

As a fan of the one liner...

find /usr/bin -executable -type f -print0 | xargs file | grep ASCII

Using 'xargs' to take the output from the find command (using print0 to ensure filenames with spaces are handled correctly). We now have a list of files that are executable and we provide them, one by one, as the parameter for the 'file' command. Then grep for the term ASCII to ignore binaries. Please substitute -executable in find command with what style you prefer (see earlier answers) or what works on your 'NIX OS

I required the above to find files with eval in scripts owned by root, so created the following to help find priv escalation weaknesses where root user runs scripts with unsafe parameters...

echo -n "+ Identifying script files owned by root that execute and have an eval in them..."
find /  -not \( -path /proc -prune \)  -type f -executable -user root -exec grep -l eval {} \; -exec file {} \; | grep ASCII| cut -d ':' -f1 > $outputDir"/root_owned_scripts_with_eval.out" 2>/dev/null &

Richard Braganza

Posted 2009-09-10T11:56:56.407

Reputation: 11

That won't work if the script contains non-ASCII characters. file reports the encoding, so a python script can be reported as a /usr/bin/python script, UTF-8 Unicode text executable. find ... | xargs file -b | grep -v '^ELF' could work better to spot the non-binaries. – xenoid – 2017-07-12T19:34:49.353

I created a function in ~/.bashrc tonight to find executable files not in the system path and not directories:

# Quickly locate executables not in the path
xlocate () {
    locate -0r "$1" | xargs -0 -I{} bash -c '[[ -x "$1" ]] && [[ ! -d "$1" ]] \
        &&  echo "executable: $1"'  _  {}
} # xlocate ()

The advantage is it will search three Linux distros and a Windows installation in under a second where the find command takes 15 minutes.

For example:

$ time xlocate llocate
executable: /bin/ntfsfallocate
executable: /home/rick/restore/mnt/e/bin/llocate
executable: /mnt/clone/bin/ntfsfallocate
executable: /mnt/clone/home/rick/restore/mnt/e/bin/llocate
executable: /mnt/clone/usr/bin/fallocate
executable: /mnt/e/bin/llocate
executable: /mnt/old/bin/ntfsfallocate
executable: /mnt/old/usr/bin/fallocate
executable: /usr/bin/fallocate

real    0m0.504s
user    0m0.487s
sys     0m0.018s

Or for a whole directory and all it's subs:

$ time xlocate /mnt/e/usr/local/bin/ | wc -l
65

real    0m0.741s
user    0m0.705s
sys     0m0.032s

WinEunuuchs2Unix

Posted 2009-09-10T11:56:56.407

Reputation: 147