28

If a file has permissions 000, who or what can access the file? What can they do to it?

What, exactly, does 000 (---------) permissions on a file mean in practice?

Craig Ringer
jslearner

8 Answers

27

root can do everything, others (with userid != 0) can't do anything. But anyone who has write access to the containing folder is allowed to delete the file. The owner can of course always change the flags and regain access anytime.

    greybox:~ septi$ touch foo
    greybox:~ septi$ chmod 000 foo
    greybox:~ septi$ ls -l foo
    ----------  1 septi  staff  0 Apr  8 12:28 foo
    greybox:~ septi$ cat foo
    cat: foo: Permission denied
    greybox:~ septi$ sudo ls -l foo
    Password:
    ----------  1 septi  staff  0 Apr  8 12:28 foo
    greybox:~ septi$ 

tamasgal
  • 1
    Isn't file removal governed by the write permission of the directory the file is in? i.e. couldn't anybody with write permissions to the directory remove the file? – Ilkka Apr 08 '11 at 10:41
  • Yes you're right, basically it depends on the containing folder permissions. – tamasgal Apr 08 '11 at 10:44
  • "But anyone who has write access to the containing folder is allowed to delete the file." This is not true. – Brandon Sep 02 '16 at 19:06
  • 1
    You have to explain to me the difference between "write access to the containing folder" and "write permission of the directory the file is in". Sounds just the same to my ears. – Eric Jan 13 '17 at 16:11
  • 1
    *others (with userid != 0) can't do anything* – **not really true** as the owner of the file can still change its permissions and regain access. – Piotr Dobrogost Oct 24 '17 at 14:56
  • Yep of course, I added that since the "can't do anything" is indeed a bit misleading ;) Thanks. – tamasgal Oct 25 '17 at 21:03
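
The behaviour discussed in this answer and its comments, as an added example that is not part of the original post: the script creates a mode-000 file in a temporary directory, then shows that the owner can still `chmod` it back and that unlinking depends on the directory's write bit. The function names and the file name `foo` in a `mktemp` directory are assumptions of the example; the `read=` and `unlink_ro_dir=` lines differ when it is run as root.

```shell
#!/bin/sh
# Added example: what mode 000 blocks and what it does not.
# Works in a throwaway directory; all names here are constructed.

mode_string() {   # first 10 characters of ls -l, e.g. "----------"
    ls -ld "$1" | cut -c1-10
}

demo_000() {
    dir=$(mktemp -d) || return 1
    f="$dir/foo"
    echo "secret" > "$f"
    chmod 000 "$f"
    echo "mode=$(mode_string "$f")"

    # Reading is refused for an ordinary owner; root normally bypasses the check.
    if cat "$f" >/dev/null 2>&1; then
        echo "read=allowed uid=$(id -u)"
    else
        echo "read=denied uid=$(id -u)"
    fi

    # chmod is authorised by ownership, not by the mode bits,
    # so the owner can restore access.
    chmod 600 "$f"
    echo "restored=$(cat "$f")"

    # Unlinking is a write to the directory; the file's own mode is not consulted.
    chmod 000 "$f"
    rm -f "$f" || true
    if [ -e "$f" ]; then echo "unlink=failed"; else echo "unlink=ok"; fi

    # With the directory read-only, a non-root owner can no longer unlink.
    : > "$f"
    chmod 000 "$f"
    chmod 555 "$dir"
    rm -f "$f" 2>/dev/null || true
    if [ -e "$f" ]; then echo "unlink_ro_dir=failed"; else echo "unlink_ro_dir=ok"; fi

    chmod 755 "$dir"
    rm -rf "$dir"
}

demo_000
```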
19

File with 000 permission can be read / written by root.

Everybody else cannot read / write / execute the file.

pajton
6

Root can do anything but execute the file (outside removing the file if the file-system is mounted read-only or the file has some immutable flag set).

Non root users might change the file permission if they own it. They can still access the file if ACLs are set to allow it.

jlliagre
  • 3
    The only answer so far which mentions that the owner of the file can still change its permissions again, restoring access. One useful application is to prevent a webserver from delivering a file in the "trash" while retaining the ability to restore that access later. – Tom Boutell Mar 03 '15 at 13:15
6

Everyone is accurate above unless it is the following command.

    sudo chmod -R 000 /*

At this point, your computer is dead in the water because no commands can be executed since you have removed all RWX from every file. There is no safeguard when running this command. If you are curious run it inside a Vagrant box.

Adam B
5

If file/dir has permissions 000, then only root can do any changes to that file. Neither the owner nor others can make any changes. Owner can't even access the file/dir or delete the same.

Nirav Zaveri
pravsim
  • 1
    This answer is incorrect - the owner of a file can change its permissions even if the mode is set to 000. – Eddie Feb 20 '19 at 21:14
2

Permissions can be XYZ, in which the first X is for Owner, the second Y is for Group (a group of other users that you set up), and the third Z is for World (anyone else browsing around on the file system). They can have any of the following permission levels:

0 = no permissions whatsoever; this person cannot read, write, or execute the file
1 = execute only
2 = write only
3 = write and execute (1+2)
4 = read only
5 = read and execute (4+1)
6 = read and write (4+2)
7 = read and write and execute (4+2+1)

So in your example: a file with 000 permissions can be accessed [read/write] by root. Other than that, no one can access [read/write] it.

Harry Joy
1
  1. As root, change the permissions of a file to 000. This file and its contents can only be accessed by root.
  2. As a user, change the permissions of your own file. The file and its contents cannot be accessed by the user. But the root has full privileges on the file.
Kevin
Alex
1

I love you all but ...

    root@bob:~# ls -lah /etc/cron.hourly/
    total 24K
    drwxr-xr-x   2 root root 4.0K Jun 16 05:23 .
    drwxr-xr-x 110 root root  12K Aug 25 21:26 ..
    ----------   1 root root  228 Aug 25 21:47 gcc.sh
    -rw-r--r--   1 root root  102 Jun 11  2015 .placeholder
    root@bob:~# rm -Rf /etc/cron.hourly/gcc.sh
    rm: cannot remove ‘/etc/cron.hourly/gcc.sh’: Operation not permitted

so to remove this file (which is a trojan) I did:

    root@bob:~# lsattr /etc/cron.hourly/gcc.sh
    -----a---------- /etc/cron.hourly/gcc.sh
    root@bob:~# chattr -a /etc/cron.hourly/gcc.sh
    root@bob:~# lsattr /etc/cron.hourly/gcc.sh
    ---------------- /etc/cron.hourly/gcc.sh

then

    rm -Rf /etc/cron.hourly/gcc.sh

was working

JOduMonT
  • That's true. The "append" bit prevents (among other things) the file from being erased, regardless of the directory permissions. – apraetor Oct 10 '19 at 17:10
  • 1
    Oh man! Was stuck on this issue for hours! Of all the blog posts, forum threads, only your steps worked to remove the file. I would give a 100 upvotes if I could! Thank you! – Shyam Feb 15 '21 at 19:19
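
A check for the situation in the answer above, as an added example that is not part of the original post: it reads `lsattr`-style lines and prints, without running it, the `chattr` command that would clear an append-only (`a`) or immutable (`i`) attribute, the two flags that make `rm` fail with "Operation not permitted" even for root. The function names and every sample line except the `gcc.sh` one are constructed for the example.

```shell
#!/bin/sh
# Added example: find inode attributes that stop even root from removing a file.
# Input is lsattr-style text: "<flags> <path>" per line.

# Constructed sample; only the gcc.sh line mirrors output shown in the answer.
SAMPLE='-----a---------- /etc/cron.hourly/gcc.sh
---------------- /etc/cron.hourly/.placeholder
----i---------e- /tmp/constructed-example'

blocking_attrs() {
    # For each line on stdin with 'a' (append-only) or 'i' (immutable) set,
    # print the chattr command that would clear it. Nothing is executed.
    while read -r flags path; do
        [ -n "$path" ] || continue
        clear=""
        case $flags in *i*) clear="${clear}i" ;; esac
        case $flags in *a*) clear="${clear}a" ;; esac
        if [ -n "$clear" ]; then
            printf 'chattr -%s %s\n' "$clear" "$path"
        fi
    done
    return 0
}

sample_report() {
    printf '%s\n' "$SAMPLE" | blocking_attrs
}

scan_dir() {   # live check of one directory, dot-files included
    lsattr -a "$1" 2>/dev/null | blocking_attrs
}

sample_report
```

An unexpected `a` or `i` flag on a file under a cron directory is worth investigating before it is cleared, since the flag's change time and the file's contents are evidence of how it got there.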