ls -F OR ls -al - What does the red highlighting mean?

Question

So I ran a ls -F or ls -al on my /usr/bin directory and some of my files showed up with a red background and white text. What does this mean?

Answer 1

With the GNU implementation of ls, the meaning of the colours depends on the setting of the LS_COLORS environment variable, typically set up with the dircolors command.

A (combination of) numeric code(s) determines which colours get used to indicate a particular file type:

# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white 

A white text on a red background is defined with a combination of 37;41

Use echo "$LS_COLORS" to investigate and find that:
su=37;41
thus SETUID files are white text on a red background (which happens to be the default)

dircolors --print-database gives a more verbose and readable output for the default settings in absence of any customisation:

SETUID 37;41 # file that is setuid (u+s)
STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable

The only other default usage for a red highlight is blue text on a red background for directories with the sticky bit set.

Answer 2

When you run an ls -al or ls -F, files listed with a red background and white text indicate that the setuid bit has been flipped. Meaning that the file/script/program will run as the user that owns it, not the user that ran it. As you can see from the picture, the ping and ping6 have their 4th bit set as s, whereas the others, where the setuid bit has not been flipped, show an x.

Further information can be found at:

https://en.wikipedia.org/wiki/Setuid