If I do:
ls -al /usr/local/bin/kill-all-sales-apps
I see:
-r-xr-xr-- 1 jenkins root 68 Aug 4 12:10 kill-all-sales-apps
If I sudo to root and then su to jenkins, I should be able to delete this, yes?
Other relevant information about the directory and its parent:
drwxr-xr-x 2 root root 4096 Aug 4 12:11 .
drwxr-xr-x 10 root root 4096 May 7 17:20 ..
If I do:
groups jenkins
then I see that the user “jenkins” has been added to the “root” group:
jenkins : jenkins root run-server-software
But if I:
rm /usr/local/bin/kill-all-sales-apps
I get:
rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied
Why is permission denied?
Answer
As to why the jenkins user can’t delete, the jenkins user needs write permissions on the parent folder of the file you’re looking to delete. This is because you’re actually removing directory entries from the parent folder.
Usually, on most filesystems, deleting a file requires write permission on the parent directory (and execute permission, in order to enter the directory in the first place). (Note that, confusingly for beginners, permissions on the file itself are irrelevant. However, GNU rm asks for confirmation if a write-protected file is to be deleted, unless the -f option is used.)
So try running…
ls -ld /usr/local/bin
And make sure the jenkins user has write permissions on /usr/local/bin
Another way to do it is to modify sudoers to give the jenkins user sudo permissions to rm only that file via sudo. Here’s an example giving the user joe the explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to, while keeping him from deleting anything else in that directory.
For example:
[root@joeyoung.io ~]# mkdir -p /usr/local/src/noperms [root@joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms [root@joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt [root@joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt [root@joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt [root@joeyoung.io ~]# su - joe [joe@joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt hi [joe@joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied [joe@joeyoung.io ~]$ exit [root@joeyoung.io ~]# visudo [root@joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers --- /tmp/sudoers.orig 2015-08-04 17:17:24.020781442 +0200 +++ /etc/sudoers 2015-08-04 17:24:21.258274163 +0200 @@ -101,6 +101,7 @@ ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL +joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. [root@joeyoung.io ~]# su - joe [joe@joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt [joe@joeyoung.io ~]$ exit [root@joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory [root@joeyoung.io ~]# ls -al /usr/local/src/noperms/
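Review bot: the added `joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt` line goes straight into the main /etc/sudoers under the root entry with no comment saying why joe needs it. Add a comment line above it naming the purpose, and if this sudoers file has an `#includedir /etc/sudoers.d` directive, a separate file there keeps the exception easier to audit and remove. NOPASSWD is only needed when the command runs unattended, so for an interactive user it can be dropped. Keep the full argument in the rule as it is: sudoers matches the arguments exactly as written, so `sudo /bin/rm -f /usr/local/src/noperms/hi.txt` or any other path would not match.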
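The rule the answer describes, written out as an added example (not code from the question or the answer): deletion is decided by the parent directory's mode bits, not the file's. It goes slightly beyond the answer by also covering the sticky bit. Users and groups are compared by name for readability, and ACLs, capabilities, immutable flags and read-only mounts are assumed absent.

```python
import stat
from dataclasses import dataclass

@dataclass
class Node:
    """Owner, group and mode of a file or directory, as shown by ls -l."""
    owner: str
    group: str
    mode: int

def class_bits(node, user, groups):
    """Return the one rwx triplet that applies: owner, else group, else other."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_unlink(user, groups, parent, target):
    """Decide whether `user` may remove `target` from directory `parent`."""
    if user == "root":
        return True, "root bypasses the mode-bit checks"
    bits = class_bits(parent, user, groups)
    if not (bits & 2 and bits & 1):  # need w (2) and x (1) on the directory
        return False, "no write+execute permission on the parent directory"
    if parent.mode & stat.S_ISVTX and user not in (target.owner, parent.owner):
        return False, "sticky directory: only file or directory owner may delete"
    return True, "parent directory is writable and searchable"

# Values taken from the listings in the question.
USR_LOCAL_BIN = Node("root", "root", 0o755)   # drwxr-xr-x root root .
KILL_SCRIPT = Node("jenkins", "root", 0o554)  # -r-xr-xr-- jenkins root
JENKINS_GROUPS = {"jenkins", "root", "run-server-software"}

if __name__ == "__main__":
    # jenkins owns the file and is in group root, but the directory's
    # group triplet is r-x, so the unlink is refused.
    print(can_unlink("jenkins", JENKINS_GROUPS, USR_LOCAL_BIN, KILL_SCRIPT))
    # Constructed variant: the same directory with group write (drwxrwxr-x).
    print(can_unlink("jenkins", JENKINS_GROUPS,
                     Node("root", "root", 0o775), KILL_SCRIPT))
```

The file's own mode (`0o554`) never enters the decision, which is why owning the file does not help jenkins here.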