/etc/ncheck -s /dev/usr | cut -f2In this partial example below, complete pathnames for the files start with /usr. /usr is not part of the ncheck output.
In this sample output, the program /usr/people/jbond/bin/sh should be investigated. This program is the only one that is not found in a system directory. It is a command shell residing in a user's home directory. Users should, in general, not possess set-UID binaries.
/dev/usr: /bin/at /bin/uux /bin/crontab /lib/mv_dir /bin/shl /lib/expreserve /bin/sadp /lib/exrecover /bin/timex /lib/accept /bin/cancel /lib/lpadmin /bin/disable /lib/lpmove /bin/enable /lib/lpsched /lib/reject /lib/lpshut /lib/sa/sadc /bin/lp /lib/uucp/uucico /bin/lpstat /lib/uucp/uusched /bin/ct /bin/uucp /bin/cu /bin/uuname /lib/uucp/uuxqt /bin/uustat /usr/people/jbond/bin/sh