Saturday, October 9, 2010

root - The king of kings - Question (Part 1)

After these many years of linux, i have finally found something that root cannot do but a non-root user can do! Yes, its true and it was difficult for myself to believe this in the first place. Its like the phrase, “I saw binary numbers floating in my dreams, wait a second, i think i saw a two!”.

I have always not liked the fact that root is the king of linux and he never respects anyone else. Of course we need a system administrator who should be able to control the entire system, but at the same time, using a system administrator account should not be considered as dangerous, as many of the linux distros warn me.

Consider a simple case, root executes rm -rf * from a directory that is owned by xxxxxx and permissions set to 700. root will be able to successfully do this as he has no limits (which is the cause of the danger). I feel that root should still respect the permissions and not be able to do this in one step. If he really knows that he wants to do it, first he should change the permissions of the file (say to 720) and then perform the rm. By this, it requires two mistakes to screw up, rather than one. But the point is, root should respect permissions and he should modify the permissions when he clearly knows what he is doing and must not be entitled to do anything arbitrarily.

Now, to the actual topic. Here’s what a normal linux user would think is always true:

user@user$ marry me
fuck off!
user@user$ sudo marry me
with pleasure sir!


The point of the above statements is that, no matter what, root can always do anything and everything, unless i recently found one exception. I was able to run a command as non root but not as root.

user@user$ touch foo
user@user$ sudo touch foo
touch: Permission denied


Can anyone figure out how on earth could this happen ? (Yes it is really possible!). I’m posting this as two parts (Question and Answer). I will post the scenario i came up with along with the explanation how it is theoretically correct in the next part. If you know of such a scenario, please share it on comments :-)

-Vignesh