The last time Hackerfall tried to access this page, it returned a not found error. A cached version of the page is below, or click here to continue anyway

Casually removing root files

Youre walking at $HOME, minding your own business.

$ whoami
> user

$ pwd
> /home/user

But something is bothering your feet. Its like if a little rock has fallen into your shoe. You take it off, to see whats going on.

$ ls -lah ./left-shoe
---------- 1 root root 4 May 30 13:20 little-rock

Thats odd. Its there, but it doesnt seem to be yours. Its left there by root, the Rock Tamer, and only he can decide its fate.

# bash -c "echo 'You stay here' > /home/user/left-shoe/little-rock"
# chmod 0000 /home/user/left-shoe/little-rock

You reach into your pocket for your phone, to speed dial him with sudo. Suddenly, you feel powerful (from watching Gladiator last night), and decide to put back the phone, and try your luck.

$ rm -f ./left-shoe/little-rock
$ ls -lah ./left-shoe/little-rock
ls: cannot access little-rock: No such file or directory

You look down at your shaking hands, trying to figure out if this is the real world. It is. You did it. Without the Rock Tamer. But how?

The little rock in your shoe had absolutely no idea whats coming. As seen from its incarnation, nobody had any permissions on it (--- --- ---). No reads, no writes, no throwing by anyone (owner, group, others).

The catch

What happened is, is that the Rock Tamer forgot that you are even more powerful than him, when youre at $HOME. Lets see why.

To be able to do anything with a file, the first step is to look it up in its directory. Listing a directorys contents is controlled by the execute flag. If a user has execute permissions on a directory, he can see whats inside it. Also, the execute flag on the directory gives access to its files inodes, which is crucial in this context, as the removal process unlinks the file.

Next, the removing part. Renaming or removing a file doesnt involve the write() system call. Practically, we dont need any permissions to remove the file, nor do we care about its owner. The only requirement is to have write permissions on the parent directory (and the execute flag on the parent directory).

The $HOME directory naturally fulfills both of these requirements from the users perspective.

The contra-catch

If the Rock Tamer, really didnt want anyone to mess around with his rocks, he wouldve done:

# chattr +i /home/user/left-shoe/little-rock

This operation makes the file immutable, which among other things, prevents its removal. Excerpt from the man page:

A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

Moonwalks away.

Continue reading on ervinb.github.io