Can root/superuser read my read-protected files?
Yes, root can:
$ echo Hello you\! > file
$ chmod 600 file
$ ls -l file
-rw------- 1 terdon terdon 11 Feb 27 02:14 file
$ sudo -i
# cat file
Hello you!
In any case, even if root couldn't read your files as root, they can always log in as you without a password:
$ whoami
terdon
$ sudo -i
[sudo] password for terdon:
# whoami
root
# su - terdon
$ whoami
terdon
So, root can change to any other username using su (or sudo -iu username) and will then be able to do anything at all as though they were you.
Always assume that root (and any other user/process with CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH) can do everything unless an LSM (SELinux, AppArmor or similar) prevents him from doing that.
That means also that you should assume that all your keystrokes can be read. Passwords aren't really safe. If you want a serious level of security then you must use a system which is completely controlled by you (and not even used by anyone else).
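An added example, not part of the original answers: a POSIX shell script that reads the CapEff mask from /proc/PID/status and lists the processes holding CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, the two capabilities named above. The function names and the sample masks are constructed for illustration; the bit numbers (1 and 2) are those defined in linux/capability.h.

```shell
#!/bin/sh
# Added example: find processes that can bypass file permission bits.
# Bit numbers from <linux/capability.h>:
#   CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2

# dac_caps HEXMASK -> prints which of the two DAC capabilities are set.
# Both bits sit in the lowest hex digit, so only that digit is decoded;
# this sidesteps 64-bit overflow differences between shells.
dac_caps() {
    mask=$1
    low=${mask#"${mask%?}"}        # last hex digit of the mask
    out=""
    if [ $(( 0x$low & 2 )) -ne 0 ]; then out="CAP_DAC_OVERRIDE"; fi
    if [ $(( 0x$low & 4 )) -ne 0 ]; then out="${out:+$out,}CAP_DAC_READ_SEARCH"; fi
    echo "${out:-none}"
}

# scan_proc [ROOT] -> one line "PID NAME CAPS" for every process under ROOT
# (default /proc) whose effective set contains either capability.
scan_proc() {
    root=${1:-/proc}
    for st in "$root"/[0-9]*/status; do
        [ -r "$st" ] || continue   # process exited or status not readable
        eff=$(sed -n 's/^CapEff:[[:space:]]*//p' "$st" 2>/dev/null)
        [ -n "$eff" ] || continue
        caps=$(dac_caps "$eff")
        if [ "$caps" = none ]; then continue; fi
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$st" 2>/dev/null)
        pid=${st%/status}
        pid=${pid##*/}
        printf '%s %s %s\n' "$pid" "$name" "$caps"
    done
}

# Constructed sample masks (not taken from the page): a full set and an empty set.
for m in 000001ffffffffff 0000000000000000; do
    printf '%s -> %s\n' "$m" "$(dac_caps "$m")"
done

# Live scan of the current host.
scan_proc
```

Any process listed that does not run as UID 0 holds these capabilities through file capabilities or an ambient/inherited set and deserves the same trust assumptions as root for file access.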
Yes, root has all the privileges to do anything.
Here you can see I have created a directory named test, touched a file lonston.txt and listed the files:
root@system99:/tmp# mkdir test && touch lonston.txt && ls -l
total 4
-rw-r--r-- 1 root root 0 Feb 27 16:35 lonston.txt
drwxr-xr-x 2 root root 4096 Feb 27 16:35 test
Then I changed the permissions of the file and directory to null permissions using 000 and listed them to see the permissions:
root@system99:/tmp# chmod 000 lonston.txt && chmod 000 test && ls -l
total 4
---------- 1 root root 0 Feb 27 16:35 lonston.txt
d--------- 2 root root 4096 Feb 27 16:35 test
Then I can even write to the file and read the file using cat:
root@system99:/tmp# echo "Yes root have all Privileges than other user's, let we see the permission of user's too" > lonston.txt
root@system99:/tmp# cat lonston.txt
Yes root have all Privilages than other user's, let we see the permission of user's too
I can even get into the directory which has d--------- (null) 000 permissions, even though root has no read or write permission.
root@system99:/tmp# cd test/
root@system99:/tmp/test# pwd
/tmp/test
I can even create files and folders after the change of permissions, from anywhere:
root@system99:/tmp/test# touch /tmp/test/lonston/testdir/babin.txt
root@system99:/tmp/test# ls -l /tmp/test/lonston/testdir/
total 0
-rw-r--r-- 1 root root 0 Feb 27 16:39 babin.txt
Now here we can see permissions with 400:
root@system99:/tmp/test# chmod 400 babin.txt
List to see the file permissions:
root@system99:/tmp/test# ls -l
total 8
-r-------- 1 root root 34 Feb 27 16:42 babin.txt
drwxr-xr-x 3 root root 4096 Feb 27 16:38 lonston
Using vim I have added 1 line to the file babin.txt:
root@system99:/tmp/test# vim babin.txt
But while in vim it will notify us with W10: Warning: Changing a readonly file. But it is still writable.
Now we can cat the file for output:
root@system99:/tmp/test# cat babin.txt
hi this is the write persmission
this is added while the file have 400 permission
Then I logged out from the root user to a normal user and listed the files having null permissions, as in root too:
root@system99:/tmp# exit
exit
Navigate to the /tmp directory:
sysadmin@system99:~$ cd /tmp/
sysadmin@system99:/tmp$ ls -l
total 8
---------- 1 root root 88 Feb 27 16:36 lonston.txt
d--------- 2 root root 4096 Feb 27 16:35 test
But we can't read the file as a normal user:
sysadmin@system99:/tmp$ cat lonston.txt
cat: lonston.txt: Permission denied
sysadmin@system99:/tmp$ cd test/
cat: test/: Permission denied
That's it. Hope you got the power of the root user.
If you are a normal user and you need root privileges, you need to use sudo; it will ask for the sudo password.
Example:
sysadmin@system99:/tmp$ sudo cat lonston.txt
[sudo] password for sysadmin:
Yes root have all Privilages than other user's, let we see the permission of user's too
The sudo user has collaboration with the root user's group, so sudo has root privileges.
To know more about sudo:
# man sudoers
Here we can see how they have defined that a normal user can have sudo rights. I have mentioned only a few lines here.
sysadmin@system99:/tmp$ sudo cat /etc/sudoers
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
In total, we can read, edit or delete the files even when root doesn't have the read permission.