Here’s a friendly system administration tip, for Linux/FreeBSD/Unix-type systems: root-owned files and directories in a directory owned by a user can still be modified by the user.
The scenario usually presented is that the sys admin doesn’t want a user modifying a certain configuration file in the user’s home directory. Modifying is usually understood as editing. Hence the sys admin will do the following:
# chmod 0600 /home/user/.settings # chown root:root /home/user/.settings
However, consider the following examples:
# ls -la total 12 drwxr-xr-x 3 user users 4096 Nov 10 21:58 . drwxr-xr-x 40 user users 4096 Nov 10 21:57 .. drwx------ 2 root root 4096 Nov 10 21:57 control -rw------- 1 root root 0 Nov 10 21:58 settings
user@example:~/work> rm settings rm: remove write-protected regular empty file `settings'? y user@example:~/work> ls -la total 12 drwxr-xr-x 3 user users 4096 2009-11-10 22:01 . drwxr-xr-x 40 user users 4096 2009-11-10 21:57 .. drwx------ 2 root root 4096 2009-11-10 21:57 control
user@example:~/work> mv control my_control user@example:~/work> ls -la total 12 drwxr-xr-x 3 user users 4096 2009-11-10 22:02 . drwxr-xr-x 40 user users 4096 2009-11-10 21:57 .. drwx------ 2 root root 4096 2009-11-10 21:57 my_control
As demonstrated in the examples a user still has control over root-owned files and directories in directories the user owns. For files a user may:
- Delete the file
- Rename the file
For directories the user may:
- Rename the directory
- Delete the directory, if the directory is empty
A user may take one of the above actions, then create his own file or directory containing the content he desires.
If the system administrator truly wants to prevent the user from manipulating such files and directories then the admin needs take one of the following actions:
- Do not put the files and directories in the user’s home directory
- Make the file or directory immutable ( not compatible with all systems )
In my opinion option #1 is the better way to go, when possible.
Note: other ways I’ve seen admins attempt to block this is to prevent a user from accessing his home directory. For example disabling SSH, FTP and similar methods of interfacing with the home directory.