Why can rm remove read-only files?

If I create a file and then change its permissions to 444 (read-only), how come rm can remove it?

If I do this:

echo test > test.txt
chmod 444 test.txt
rm test.txt

rm will ask if I want to remove the write-protected file test.txt. I would have expected that rm can not remove such a file and that I would have to do a chmod +w test.txt first. If I do rm -f test.txt then rm will remove the file without even asking, even though it’s read-only.

Can anyone clarify? I’m using Ubuntu 12.04/bash.

Asked By: Magnus

||

All rm needs is write+execute permission on the parent directory. The permissions of the file itself are irrelevant.

Here’s a reference which explains the permissions model more clearly than I ever could:

Any attempt to access a file’s data requires read permission. Any
attempt to modify a file’s data requires write permission. Any
attempt to execute a file (a program or a script) requires execute
permission…

Because directories are not used in the same way as regular files, the
permissions work slightly (but only slightly) differently. An attempt
to list the files in a directory requires read permission for the
directory, but not on the files within. An attempt to add a file to a
directory, delete a file from a directory, or to rename a file, all
require write permission for the directory, but (perhaps surprisingly)
not for the files within
. Execute permission doesn’t apply to
directories (a directory can’t also be a program). But that
permission bit is reused for directories for other purposes.

Execute permission is needed on a directory to be able to cd into it
(that is, to make some directory your current working directory).

Execute is needed on a directory to access the "inode" information of
the files within. You need this to search a directory to read the
inodes of the files within. For this reason the execute permission on
a directory is often called search permission instead.

Answered By: ire_and_curses

Ok, according to your comment to ire_and_curses, what you really want to do is make some files immutable. You can do that with the chattr command. For example:

e.g.

$ cd /tmp
$ touch immutable-file
$ sudo chattr +i immutable-file

$ rm -f immutable-file
rm: remove write-protected regular empty file `immutable-file'? y
rm: cannot remove `immutable-file': Operation not permitted

$ mv immutable-file someothername
mv: cannot move `immutable-file' to `someothername': Operation not permitted

$ echo foo > immutable-file 
-bash: immutable-file: Permission denied

You can’t do anything to an immutable file – you can’t delete it, edit it, overwrite it, rename it, chmod or chown it, or anything else. The only thing you can do with it is read it (if unix permissions allow) and (as root) chattr -i to remove the immutable bit.

Not all filesystems support all attributes. AFAIK, immutable is supported by all common linux filesystems (incl ext2/3/4 and xfs. zfsonlinux doesn’t support attributes at all at the moment)

Answered By: cas

One answer to this question claims that you can delete a file from directory only if it has just write permission is totally wrong! just try it! Give a directory just write permission and try to delete, you can’t!
To delete a file inside a directory you need both write and execute permission on directory

Now back to the question: to delete a file using rm you are just removing its inode information from the directory i.e. you are not shredding it from disk. If inode information of file is not in directory you cannot access (also because you cannot see it since it is not listed by its parent directory) i.e. it is deleted for you.
Thus to delete a file from a directory all you is permission on directory; permissions on that file are irrelevant

Answered By: Edward Torvalds
Categories: Answers Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.