TudorRaduta
Community Manager
  • 227 Views

Wednesday Linux Challenge: Root denied

Wednesday Challenge: The File Even Root Can't Touch

Happy Wednesday. Let’s break a Linux myth together.

Most people believe that when you are root, nothing can stop you. This challenge proves the system is smarter than that.

No permission tricks. No SELinux drama. This one lives deeper.

The Scenario

You are logged in as root. You need to remove an old file called:

/etc/old_config.conf

You run:

[root@server ~]# rm /etc/old_config.conf
rm: cannot remove '/etc/old_config.conf': Operation not permitted

So you verify the permissions:

-rw-r--r--. 1 root root 1024 Nov 26 09:00 /etc/old_config.conf

You are root. You own the file. You have write access. SELinux is permissive. And still, the kernel says no.

Your Challenge

There is a hidden protection layer here. Find it.

  1. Which command shows file attributes that ls will never display?
  2. You notice a flag like this: ----i-------. What does that i actually mean?
  3. What exact command removes that protection so the file can finally be deleted?
  • Bonus: Why would an admin intentionally apply this flag to a file like /etc/resolv.conf?

Let’s see who knows where Linux really hides its power. Your move.

7 Replies
TudorRaduta
Community Manager
  • 224 Views

Looping in a few familiar faces who usually spot these things fast. How would you handle this? @sa_sachin @Ad_astra @Blue_bird @Trevor 

Trevor
Commander
  • 207 Views

Thanks for the invite Tudor!!!

Trevor "Red Hat Evangelist" Chandler
Trevor
Commander
  • 207 Views

What a beautiful question!  It's questions like this that will either develop new knowledge, keep current knowledge updated, or both!

Okay, we know the questions, so let me get right to the answers:

1) lsattr - this is the command that will display attributes that the "ls" command never displays

2) The "i" flag (i.e. file attribute) means Immutable.  How do I know?  The primary means of this discovery is made with the following command:   lsattr  -l  /etc/old_config.conf

Another resource to educate me about this "i" flag, is on the man page of the chattr command.  Check it out!  There's some wonderful information there.

3) chattr -i  /etc/old_config.conf   -  this is the command that will remove that flag (i.e. file attribute), so that the file can now be removed.


Commentary:  The lsattr and chattr commands don't get a lot of publicity, but these are definitely 2 commands that you want to know about - especially admins!

 

Bonus:

An admin would apply this flag to the file /etc/resolv.conf because this is the home of some critical (well above important) information - DNS name server(s)!!!!!   You can't imagine what life on the Internet would be like without DNS.  Okay, I won't get on my soapbox about this

 

 

Trevor "Red Hat Evangelist" Chandler
Chetan_Tiwary_
Community Manager
  • 104 Views

@Trevor my friend - you are back with a bang! 

Look - it's a bird, it's a plane - it's Superman - Trevor!

0 Kudos
sa_sachin
Mission Specialist
  • 172 Views

History

When the interviewer asked me this question, I was honestly stunned—how could root not delete a file it owns? It didn’t make sense at first. Luckily, I cleared the interview, but the very first thing I did afterward was dig into it. That’s when I learned about the immutable attribute and how powerful it really is.

What’s really blocking root?

Even as root, you can be denied deletion if the file (or its parent directory) is marked immutable. Linux has special attributes that sit below normal permissions. These aren’t visible in ls -l and they override typical access rules—including root’s ability to modify or remove the file.

1. Which command shows file attributes that ls will never display?
# lsattr

2. You notice a flag like this: ----i-------. What does that i actually mean?
The i stands for immutable.

* When set, the file cannot be modified, renamed, deleted, linked, or truncated—not even by root.

* It’s enforced by the kernel via filesystem flags (supported on ext2/3/4, XFS, btrfs, etc.).

* Think of it as a “kernel-level read-only lock” that beats normal permissions and even SELinux permissive mode.

3. What exact command removes that protection so the file can finally be deleted?
Use chattr (change attributes) to remove the immutable flag:
# chattr -i /etc/old_config.conf

If the immutable flag was on the directory (e.g., /etc), you’d need to remove it:
# chattr -i /etc

Bonus: Why would an admin intentionally apply this flag to a file like /etc/resolv.conf?
/etc/resolv.conf controls DNS resolution. It’s commonly modified by:

* Network managers (NetworkManager, systemd-resolved),
* DHCP clients (dhclient, dhcpcd),
* Cloud-init or provisioning tools.

Admins sometimes set it immutable to:
* Prevent auto-overwrites by DHCP or network daemons,
* Lock in known-good DNS during troubleshooting or in hardened environments,
* Defend against misconfigurations or malware altering name resolution.
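
An added example, not part of any reply in this thread: a shell helper that reads lsattr output and reports which entries carry an attribute that makes deletion fail even for root, checking both the file and its parent directory. It goes slightly beyond the thread by also flagging a (append-only), which the kernel likewise refuses to unlink; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# blocking_flags FIELD: print the letters in an lsattr attribute field that
# block deletion. Matching is case-sensitive on purpose: lowercase i is
# immutable and lowercase a is append-only, while uppercase I (indexed
# directory) and A (no atime updates) do not block rm.
blocking_flags() {
    local out=""
    case $1 in *i*) out="${out}i" ;; esac
    case $1 in *a*) out="${out}a" ;; esac
    printf '%s' "$out"
}

# audit_lsattr: read lsattr output on stdin ("<flags> <path>" per line) and
# print "<blocking-flags> <path>" for every entry with i or a set.
audit_lsattr() {
    local field path hit
    while read -r field path; do
        [ -n "$path" ] || continue              # skip blank or malformed lines
        hit=$(blocking_flags "$field")
        if [ -n "$hit" ]; then printf '%s %s\n' "$hit" "$path"; fi
    done
}

# why_cant_rm PATH: inspect the file and its parent directory, since a flag
# on either one is enough to make rm fail. Needs lsattr (e2fsprogs).
why_cant_rm() {
    lsattr -d -- "$1" "$(dirname -- "$1")" 2>/dev/null | audit_lsattr
}

# Constructed sample of lsattr output, so the parser can be tried offline.
sample_lsattr() {
    printf '%s\n' \
        '----i---------e------- /etc/old_config.conf' \
        '--------------e------- /etc/hosts' \
        '-----a--------e------- /var/log/app audit.log' \
        '-------A------I------- /srv/data'
}

sample_lsattr | audit_lsattr
```

On a live system, `why_cant_rm /etc/old_config.conf` prints nothing when neither the file nor /etc carries a blocking attribute, which points the investigation elsewhere (read-only mount, for example).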

Blue_bird
Starfighter
  • 163 Views

1) lsattr /etc/old_config.conf

2) The i stands for immutable.

An immutable file: Cannot be modified, Cannot be deleted, Cannot be renamed, Cannot be hard-linked, Cannot be truncated, Even by root, as long as the immutable flag is set.

3) chattr -i /etc/old_config.conf
     rm /etc/old_config.conf

Bonus: By making /etc/resolv.conf immutable, the admin ensures DNS settings stay stable and predictable until they explicitly remove the flag and edit it.

To protect critical resolver configuration from: Misconfigurations, Buggy scripts, Malicious changes

To prevent network tools from overwriting DNS settings.

Thanks

  • 120 Views

  1. Which command shows file attributes that ls will never display?
    # lsattr
  2. You notice a flag like this: ----i-------. What does that i actually mean?
    i for immutable
  3. What exact command removes that protection so the file can finally be deleted?
    chattr -i <filename>
  • Bonus: Why would an admin intentionally apply this flag to a file like /etc/resolv.conf?
    To prevent unwanted overwrites by automated services, ensuring consistent and secure DNS resolution.