
Why can’t this user delete this file?

If I do:

ls -al /usr/local/bin/kill-all-sales-apps

I see:

-r-xr-xr--  1 jenkins root   68 Aug  4 12:10 kill-all-sales-apps

If I sudo to root and then su to jenkins, I should be able to delete this, yes?

Other relevant information about the directory and its parent:

drwxr-xr-x  2 root    root 4096 Aug  4 12:11 .
drwxr-xr-x 10 root    root 4096 May  7 17:20 ..

If I do:

groups jenkins

then I see that the user “jenkins” has been added to the “root” group:

jenkins : jenkins root run-server-software

But if I:

 rm /usr/local/bin/kill-all-sales-apps

I get:

rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied

Why is permission denied?

Answer

As to why the jenkins user can’t delete, the jenkins user needs write permissions on the parent folder of the file you’re looking to delete. This is because you’re actually removing directory entries from the parent folder.

Usually, on most filesystems, deleting a file requires write permission on the parent directory (and execute permission, in order to enter the directory in the first place). (Note that, confusingly for beginners, permissions on the file itself are irrelevant. However, GNU rm asks for confirmation if a write-protected file is to be deleted, unless the -f option is used.)

Source: Wikipedia – Rm_(Unix)

So try running…

ls -ld /usr/local/bin

And make sure the jenkins user has write permissions on /usr/local/bin

Another way to do it is to modify sudoers to give the jenkins user permission to rm only that file via sudo. Here’s an example giving the user joe explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to, while preventing him from deleting anything else in that directory.

For example:

[root@joeyoung.io ~]# mkdir -p /usr/local/src/noperms
[root@joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms
[root@joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# su - joe
[joe@joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt
hi
[joe@joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt
rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y
rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied
[joe@joeyoung.io ~]$ exit
[root@joeyoung.io ~]# visudo
[root@joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers
--- /tmp/sudoers.orig   2015-08-04 17:17:24.020781442 +0200
+++ /etc/sudoers        2015-08-04 17:24:21.258274163 +0200
@@ -101,6 +101,7 @@
 ##
 ## Allow root to run any commands anywhere
 root            ALL=(ALL)       ALL
+joe        ALL=(root)      NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt

 ## Allows members of the 'sys' group to run networking, software,
 ## service management apps and more.
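
Review bot: NOPASSWD on the added joe line is broader than the task needs; for a single-file delete, drop the tag so joe still authenticates, and keep the exact command and argument as written (/bin/rm with the one absolute path, no wildcards), since that is what limits the rule to hi.txt. The line also sits directly under the root entry in /etc/sudoers with no comment; add one naming its purpose, and remove the rule once the file is gone so it does not linger after the path it refers to no longer exists.
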
[root@joeyoung.io ~]# su - joe
[joe@joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt
[joe@joeyoung.io ~]$ exit
[root@joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt
ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory
[root@joeyoung.io ~]# ls -al /usr/local/src/noperms/
User contributions licensed under: CC BY-SA
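
The rule from the answer, as an added example that is not part of the original question or answer: a shell function that decides from the parent directory's mode bits whether a given uid and group list may delete a file. It goes slightly beyond the answer by also handling the sticky bit; it assumes GNU stat, does not model root, ACLs or immutable attributes, and the name may_unlink and the demo paths are hypothetical.

```shell
#!/bin/sh
# may_unlink PATH UID "GID ..." : can this user delete PATH, judged by mode bits?
# Not modelled: root/capabilities, POSIX ACLs, immutable flags, read-only mounts.
# Assumes GNU coreutils stat. Function name and demo paths are hypothetical.
may_unlink() {
    path=$1; uid=$2; gids=$3
    dir=$(dirname -- "$path")
    f_uid=$(stat -c '%u' -- "$path") || return 2
    set -- $(stat -L -c '%a %u %g' -- "$dir")
    [ $# -eq 3 ] || return 2
    mode=$((0$1)); d_uid=$2; d_gid=$3        # %a is octal, e.g. 755 or 1775

    # Pick exactly one permission class for the directory: owner, group, or other.
    if [ "$uid" -eq "$d_uid" ]; then
        class=owner; bits=$(( (mode >> 6) & 7 ))
    else
        class=other; bits=$(( mode & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$d_gid" ]; then class=group; bits=$(( (mode >> 3) & 7 )); fi
        done
    fi

    # Removing a directory entry needs write (2) and search (1) on the directory.
    if [ $(( bits & 3 )) -ne 3 ]; then
        echo "deny: $class class lacks w+x on $dir"; return 1
    fi
    # Sticky directory: only the owner of the file or of the directory may delete.
    if [ $(( mode & 01000 )) -ne 0 ] && [ "$uid" -ne "$f_uid" ] && [ "$uid" -ne "$d_uid" ]; then
        echo "deny: $dir is sticky and uid $uid owns neither it nor the file"; return 1
    fi
    echo "allow: $class class has w+x on $dir (the file's own mode is not consulted)"
}

# Constructed demo mirroring the question: directory 755, user only in its group.
demo=$(mktemp -d); : > "$demo/script"
other=$(( $(stat -c '%u' "$demo") + 1 )); grp=$(stat -c '%g' "$demo")
chmod 755 "$demo"; chmod 777 "$demo/script"
may_unlink "$demo/script" "$other" "$grp" || true   # deny, despite file mode 777
chmod 775 "$demo"; chmod 444 "$demo/script"
may_unlink "$demo/script" "$other" "$grp" || true   # allow, despite file mode 444
rm -rf "$demo"
```

For the layout in the question, the directory is drwxr-xr-x root root and jenkins matches only through the root group, so the group class (r-x) applies and the check denies.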