I would like to understand how Fedora handles file permissions. Let’s say in terminal I make myself superuser with sudo -i. I then create a file with touch abc.txt /home/user/Downloads/.
I can see the created file’s owner is root then. However, the primary user is able to delete this file with rm abc.txt. So I wonder how come the primary user is able to delete files that belong to root.
Is this behavior as intended? And if so, how can I create a file in the primary user’s home folder which the primary user is not able to delete but still read from?
There is a difference between what intuition tells you the permissions do and what they actually do.
I’ll try to explain in a way that works for me to imagine the data structures and operations:
In Unix-like systems, everything is a file.
Directory is a file too.
It contains pairs of file names and inodes (identifiers of where the file resides on disk).
So by read access to a directory, you can read a list of the pairs.
Which effectively means you can run commands like ‘ls’ on that directory and it will print out the list of the files.
By write access to a directory, you can change the pairs of file names and inodes.
So you can add or remove files, or modify which file a particular name points to.
Execute permission on directories is different altogether from regular files.
So as long as a party has write access to a directory, that party can add and remove files from it.
I’m not sure if there is an easy way to do that. Even if you modify the permissions of a file’s parent directory to prevent deletion by a primary user, they can still potentially delete the entire parent directory if they have the necessary permissions on it. This is especially relevant since the parent directory in your case is the user’s home directory, typically owned and fully controlled by them.
However, if you create a new directory in a location outside the primary user’s home directory, for instance:
sudo mkdir /home/test
# this gives you
drwxr-xr-x. 1 root root 0 Dec 2 14:48 test/
The permissions drwxr-xr-x mean that the owner (root) has read, write, and execute permissions, while others have only read and execute (access) permissions, preventing them from modifying or deleting contents within ‘test’.
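The rule both answers describe, as an added example that is not part of the original thread: deletion is decided by the parent directory's mode and owner, never by the file's own permissions. It also covers the sticky bit (as on /tmp), which the thread does not mention, and it assumes plain mode bits only (no ACLs, SELinux denials or immutable attributes); uid 1000, the `Meta` type and the sample modes are constructed for illustration.

```python
import stat
from collections import namedtuple

# Constructed stand-in for the os.stat_result fields used here.
Meta = namedtuple("Meta", "mode uid gid")

def has_perm(meta, uid, gids, want):
    """Classic owner/group/other check; `want` is a 3-bit mask, e.g. 0o3 = w+x."""
    if uid == 0:
        return True                      # root bypasses the mode bits
    if uid == meta.uid:
        bits = (meta.mode >> 6) & 0o7    # owner triplet
    elif meta.gid in gids:
        bits = (meta.mode >> 3) & 0o7    # group triplet
    else:
        bits = meta.mode & 0o7           # "other" triplet
    return bits & want == want

def can_delete(parent, target, uid, gids):
    """True if `uid` may unlink `target` from directory `parent`.

    The target's own mode is never consulted: unlinking only edits the
    name -> inode list stored in the parent directory.
    """
    if not has_perm(parent, uid, gids, 0o3):      # need write + search on the dir
        return False
    if parent.mode & stat.S_ISVTX and uid != 0:   # sticky directory
        return uid in (target.uid, parent.uid)    # only file or dir owner may unlink
    return True

# Constructed sample metadata (uid 1000 = the primary user, uid 0 = root).
HOME      = Meta(0o040700, 1000, 1000)   # drwx------ user user   (home directory)
TEST_DIR  = Meta(0o040755, 0, 0)         # drwxr-xr-x root root   (/home/test above)
STICKY    = Meta(0o041777, 0, 0)         # drwxrwxrwt root root   (like /tmp)
ROOT_FILE = Meta(0o100644, 0, 0)         # -rw-r--r-- root root   (abc.txt)
USER_FILE = Meta(0o100644, 1000, 1000)   # -rw-r--r-- user user

if __name__ == "__main__":
    cases = [("home dir", HOME, ROOT_FILE), ("/home/test", TEST_DIR, ROOT_FILE),
             ("sticky dir, root's file", STICKY, ROOT_FILE),
             ("sticky dir, own file", STICKY, USER_FILE)]
    for label, parent, target in cases:
        print(f"{label:26} user can delete: {can_delete(parent, target, 1000, {1000})}")
```

In the /home/test case the file stays readable to the user because both the directory (r-x for others) and the file (r-- for others) grant read access.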