[SOLVED] Unable to delete file as root

RattleSn@ke · 02-09-2010, 02:27 PM

Hi All,

I search these forums and the internet, but all results are about regular users wanting to delete files owned by root.
I have a slightly different problem.

I have files which are owned by root, but user root is unable to delete them?

Code:

[root@ .montepio]# ls -lash
total 24K
8.0K drwxr-xr-x 2 root        root        4.0K Feb  1 05:19 .
8.0K drwxr-xr-x 3 userA       groupA       4.0K Feb  1 22:04 ..
8.0K -rwxrwxrwx 1 root        groupA       90 Feb  2 12:58 Actualizacao-Montepio.php

[root@ .montepio]# lsattr Actualizacao-Montepio.php
------------- Actualizacao-Montepio.php

[root@ .montepio]# rm -rf Actualizacao-Montepio.php
rm: cannot remove `Actualizacao-Montepio.php': Permission denied

Ow by the way, I am able to 'empty' the file or write other things in it.
So how the **** do I delete these things??
I don't know how the files are created.

I also reinstalled coreutils just to make sure a 'clean' version of rm is installed.

Anyone an idea?

Thanks!
Onno.

anomie · 02-09-2010, 02:35 PM

Try lsattr on its parent directory.

unSpawn · 02-09-2010, 03:41 PM

Quote:

Originally Posted by RattleSn@ke

I don't know how the files are created.

Might be a Remote File Inclusion, might be lax FTPd settings, I don't know either w/o details, but since it's got root ownership I'd comb the server over thoroughly. Start with the logs and auth data as recon will show up. That it's bad goes without saying, accessing an URI with the PHP file leads to D/L of a mcrsft executable, as in hosting malware. Who has access to the fs as userA and as groupA?

PTrenholme · 02-09-2010, 03:47 PM

To expand on anomie's comment, in order to delete a file, you need permission to change the contents of the directory in which the file is listed. (After all, you're removing data from that file. [Note that a "directory" is just another file in *nix systems.])

And also note that the "directory" file coud be in a read only file system on some other physical device, so having w access on the "directory" does not necessarily mean that you can actually change the "directory's" contents. (This is an unlikely scenario, since lot's of other things would "go wrong" if the "directory" was on a r/o fs.")

RattleSn@ke · 02-12-2010, 04:44 AM

Hi All,

First of all, thanks for all the replies.
After the hint of 'anomie', I looked further on how to view the permissions of a directory. lsattr normally only shows attributes of files. So I rechecked the man page and found that I need to use the '-d' option. So I did:

Code:

[root@ .montepio]# lsattr -d
su--ia-A----- .

Tata .. there's the bastard. After removing the attributes I was able to remove the complete directory:

Code:

[root@ images]# chattr -d -suSiadAc .montepio
[root@ images]# cd .montepio/
[root@ .montepio]# lsattr -d
------------- .
[root@ images]# rm -rf .montepio
[root@ images]#

Thank you all again!

Kind regards,
Onno.

unSpawn · 02-12-2010, 10:43 AM

You haven't followed up on post #3. If that's intentional at least let me know, OK?