Cybersecurity Triage

Find World-Readable Secret-Looking Files

You need to find files with sensitive names that are readable by everyone.

Command

find fixtures/perm-audit -type f -perm -0004 \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) -printf '%M %u:%g %p\n' | sort

What changed

Nothing changes on disk. The command only lists world-readable files with suspicious names for review.

Danger

safe

When to use it

Use during production handoff, incident triage, or before publishing an artifact.

When not to use it

Do not treat filename matching as a complete secrets scan; it is a fast first pass and will miss secrets stored under innocuous names.

Undo or recovery

No undo needed because this command is read-only.

Expected output

One line per world-readable file whose name suggests a secret, key, token, or environment config, showing the mode bits, owner:group, and path.

demo script

Disposable terminal steps

  1. find fixtures/perm-audit -type f \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) -printf '%M %u:%g %p\n' | sort
  2. find fixtures/perm-audit -type f -perm -0004 \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) -printf '%M %u:%g %p\n' | sort

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ find fixtures/perm-audit -type f \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) -printf '%M %u:%g %p\n' | sort
-rw------- root:root fixtures/perm-audit/shared/secrets/prod.token
-rw-r----- root:root fixtures/perm-audit/releases/2026-06-25/config/app.env
-rw-r--r-- root:root fixtures/perm-audit/releases/2026-06-25/config/secret.key
::exit-code::0
$ find fixtures/perm-audit -type f -perm -0004 \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) -printf '%M %u:%g %p\n' | sort
-rw-r--r-- root:root fixtures/perm-audit/releases/2026-06-25/config/secret.key
::exit-code::0
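An added, self-contained rehearsal of the lesson's check (this is not the lesson's own fixture or script). It builds a throwaway copy of the fixtures/perm-audit layout under a temp directory, runs the same find predicates, and adds one check the lesson's command does not make: whether every directory between the start point and a hit grants others search (o+x) permission, since an o+r file inside an o-x directory is not actually reachable by other users. Assumptions: GNU find (for -printf), a writable /tmp; the function names are mine and the file contents are constructed placeholders. It prints %P (path relative to the start point) instead of the lesson's %p so the output does not depend on the temp directory name.

```shell
#!/bin/sh
# Added example: rehearse the lesson's world-readable secret-name check
# against a constructed fixture tree. Assumes GNU find and a writable /tmp.

# Build a throwaway tree mirroring the lesson's demo paths and modes.
# Subdirectories are chmod'ed explicitly so the result does not depend on umask.
# The temp root itself is left at mktemp's default 0700 on purpose (see below).
make_fixture() {
  root=$(mktemp -d "${TMPDIR:-/tmp}/perm-audit.XXXXXX")
  mkdir -p "$root/shared/secrets" "$root/releases/2026-06-25/config"
  chmod 0755 "$root/shared" "$root/shared/secrets" \
             "$root/releases" "$root/releases/2026-06-25" \
             "$root/releases/2026-06-25/config"
  printf 'constructed placeholder token\n' > "$root/shared/secrets/prod.token"
  printf 'DB_PASSWORD=constructed-placeholder\n' > "$root/releases/2026-06-25/config/app.env"
  printf 'constructed placeholder key\n' > "$root/releases/2026-06-25/config/secret.key"
  chmod 0600 "$root/shared/secrets/prod.token"                 # owner only
  chmod 0640 "$root/releases/2026-06-25/config/app.env"        # owner + group
  chmod 0644 "$root/releases/2026-06-25/config/secret.key"     # world-readable
  printf '%s\n' "$root"
}

# The lesson's check. -perm -0004 matches when the "other read" bit is set,
# whatever the remaining bits are; the -iname group narrows to secret-looking names.
world_readable_secrets() {
  find "$1" -type f -perm -0004 \
    \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) \
    -printf '%M %u:%g %P\n' | sort
}

# Number of hits, so a run can be checked programmatically.
count_world_readable_secrets() {
  world_readable_secrets "$1" | wc -l | tr -d ' '
}

# Caveat the lesson's command does not cover: mode bits on the file alone do not
# make it reachable. Walk from the file's directory up to the start point and
# succeed (return 0) only if every directory on the way grants others o+x.
path_traversable_by_others() {
  start=$1
  dir=$(dirname "$2")
  while :; do
    [ -n "$(find "$dir" -maxdepth 0 -type d -perm -0001)" ] || return 1
    [ "$dir" = "$start" ] && return 0
    dir=$(dirname "$dir")
    case $dir in /|.) return 1 ;; esac   # walked past the start point without meeting it
  done
}

# Stand-alone run: list hits, then report whether each is really reachable by others.
if [ "${PERM_AUDIT_DEMO:-}" = "1" ]; then
  fx=$(make_fixture)
  world_readable_secrets "$fx"
  for hit in $(find "$fx" -type f -perm -0004); do
    if path_traversable_by_others "$fx" "$hit"; then
      printf 'reachable by others: %s\n' "$hit"
    else
      printf 'o+r but blocked by a parent directory: %s\n' "$hit"
    fi
  done
  rm -rf "$fx"
fi
```

Run with PERM_AUDIT_DEMO=1 to see the listing. On the constructed fixture the lesson's command reports only secret.key, matching the simulated output above; because mktemp creates the root as 0700, path_traversable_by_others reports that hit as blocked until the root is opened with o+x, which is exactly the distinction a triage note should record before escalating a finding.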

YouTube Short

Find readable secrets.

Start secret exposure triage with files that look sensitive and are readable by everyone.

LinkedIn hook

The fastest secret audit starts with readable files that look like secrets.

Question: What filename patterns do you include in a fast secret-permission audit?

experiments

A/B tests to run

Metric: completion_rate

A: Readable secrets are the first pass.

B: Find secrets exposed by mode bits.