I know that a root user can read a file even if the access permissions are all set to 0, but I don't understand about the write and execute permissions in specific. Can a superuser write and execute a file having permissions as 000?

2 Answers
It can write the same as it can read. Being root trumps these. But with execution it's a different story. If a file is not marked as executable, then it's not considered executable. However, once it's marked executable, it doesn't have to be readable for root to be executed (if it is a script). Unlike it is with the regular users.
Regular users don't need read permissions to execute a binary; the executable permissions are enough. – Dec 25 '19 at 21:56
@mosvy I didn't know this. Thanks. I'm disproportionately into scripts. I hope you agree what I wrote applies to scripts? – Dec 25 '19 at 22:00
@mosvy You could in fact post an answer on this difference. Please let me know if you do. – Dec 25 '19 at 22:01
It's basically like this: nobody (not even root) can execute a file without execute permissions, everybody can execute a binary with execute but no read permission, and the root can also run a she-banged script with execute but no read permissions. See also my answer to another Q&A. – Dec 25 '19 at 22:07
The superuser (or equivalent) can write to the file unless it is the program image of a currently executing process. (It could have been executed and its permissions then set to 000 whilst the process is executing.) This is taking it as a given that the filesystem is read-write mounted, and that you have taken no action with security policies and other mechanisms to restrict the normal behaviour of the superuser, of course.
The superuser (or equivalent) cannot execute the file, as 000 does not grant any execute permission to anyone, a required precondition for the superuser (or equivalent) to have execute access.
Further reading
- "File Access Permissions". Base Specifications. Issue 7. 2018. The Open Group.

Minor nitpick: Most modern UNIX-like systems have at least one way to prevent even the superuser from modifying a file without taking some other step first. Immutable files are the most common example (at least Linux and the BSDs have them), but there are others. – Austin Hemmelgarn Dec 27 '19 at 03:01
"execute permission" is a bit of a misnomer. "execute bit" or "execute flag" would really be more appropriate. "permission" is just because it's the name for most of those bits, and for hysterical raisins. OTOH, the "sticky bit" was always the sticky bit, and never the "sticky permission". – Jürgen A. Erhard Feb 18 '22 at 12:32
CAP_DAC_OVERRIDE capability) can write to any file she likes, but not execute it unless she has execute permissions to it. – Dec 25 '19 at 21:52
chattr to prevent writing by mistake also when you run as superuser. – sudodus Dec 25 '19 at 21:59
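
The rules stated in the answers and comments above, written out as a small Python model (an added example, not part of the original thread). It is a simplified model for regular files only; the function names and the `dac_override` flag are assumptions of this example, and immutable flags, ACLs, read-only mounts and busy program images are ignored.

```python
import stat

R, W, X = 4, 2, 1  # requested access, same bit values as one rwx triplet
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH  # 0o111


def dac_allows(mode, file_uid, file_gid, uid, gids, want, dac_override=False):
    """Model of the permission-bit check for a regular file.

    mode: permission bits such as 0o000; want: OR of R, W, X.
    dac_override (assumed flag): the process is the superuser or holds
    the CAP_DAC_OVERRIDE capability.
    """
    if dac_override:
        # Read and write are always granted. Execute is granted only when
        # at least one execute bit (user, group or other) is set.
        return not (want & X) or bool(mode & ANY_EXEC)
    if uid == file_uid:
        triplet = (mode >> 6) & 7   # owner bits
    elif file_gid in gids:
        triplet = (mode >> 3) & 7   # group bits
    else:
        triplet = mode & 7          # other bits
    return (triplet & want) == want


def can_run(kind, mode, file_uid, file_gid, uid, gids, dac_override=False):
    """kind is 'binary' or 'script' (a file that starts with #!)."""
    args = (mode, file_uid, file_gid, uid, gids)
    if not dac_allows(*args, X, dac_override):
        return False
    # A binary needs only execute access. For a script, the interpreter
    # named on the #! line must also open the file for reading.
    return kind == "binary" or dac_allows(*args, R, dac_override)


if __name__ == "__main__":
    # Constructed cases: file owned by uid/gid 1000, caller is root or owner.
    root = (1000, 1000, 0, {0})
    user = (1000, 1000, 1000, {1000})
    for label, who, override in (("root", root, True), ("user", user, False)):
        for mode in (0o000, 0o100):
            print(label, oct(mode),
                  "read:", dac_allows(mode, *who, R, override),
                  "write:", dac_allows(mode, *who, W, override),
                  "binary:", can_run("binary", mode, *who, override),
                  "script:", can_run("script", mode, *who, override))
```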