Can root/superuser read my read-protected files?

Yes, root can:

$ echo Hello you\! > file
$ chmod 600 file
$ ls -l file
-rw------- 1 terdon terdon 11 Feb 27 02:14 file
$ sudo -i
# cat file
Hello you!

In any case, even if root couldn't read your files as root, they can always log in as you without a password:

$ whoami
terdon
$ sudo -i
[sudo] password for terdon: 
# whoami 
root
# su - terdon
$ whoami
terdon

So, root can change to any other username using su (or sudo -iu username) and will then be able to do anything at all as though they were you.


Always assume that root (and any other user/process with CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH) can do everything unless an LSM (SELinux, AppArmor or similar) prevents him from doing that.

That means also that you should assume that all your keystrokes can be read. Passwords aren't really safe. If you want a serious level of security then you must use a system which is completely controlled by you (and not even used by anyone else).
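
As an added illustration (not part of any answer on this page), the sketch below lists processes whose effective capability set includes CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, read from the `CapEff:` line of `/proc/<pid>/status`. The function names and the optional alternate proc root argument are assumptions made for this example; the bit numbers come from `linux/capability.h`.

```shell
#!/bin/sh
# Capability bit numbers from linux/capability.h:
#   CAP_DAC_OVERRIDE    = 1  (bypass read/write/execute permission checks)
#   CAP_DAC_READ_SEARCH = 2  (bypass read checks and directory search checks)

# dac_caps HEXMASK: print which DAC-bypass capabilities are set in the mask.
dac_caps() {
    mask=$(( 0x$1 ))
    out=""
    if [ $(( mask & (1 << 1) )) -ne 0 ]; then
        out="CAP_DAC_OVERRIDE"
    fi
    if [ $(( mask & (1 << 2) )) -ne 0 ]; then
        out="${out:+$out,}CAP_DAC_READ_SEARCH"
    fi
    printf '%s\n' "${out:-none}"
}

# scan_proc [PROCROOT]: print "pid<TAB>name<TAB>caps" for every process whose
# effective set (CapEff) holds either capability. PROCROOT defaults to /proc;
# the argument exists only so the function can be run on a constructed tree.
scan_proc() {
    root=${1:-/proc}
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        # The process may exit while we read it; skip it in that case.
        capeff=$(awk '$1 == "CapEff:" { print $2 }' "$status" 2>/dev/null) || continue
        [ -n "$capeff" ] || continue
        held=$(dac_caps "$capeff")
        if [ "$held" = none ]; then
            continue
        fi
        name=$(awk '$1 == "Name:" { print $2 }' "$status" 2>/dev/null) || continue
        pid=${status%/status}
        pid=${pid##*/}
        printf '%s\t%s\t%s\n' "$pid" "$name" "$held"
    done
}

# Audit the running system.
scan_proc /proc
```

CapEff reflects only the capability check; an LSM policy such as SELinux or AppArmor can still deny the access, as the answer above notes.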


Yes, root has all the privileges to do anything.

Here you can see I have created a directory named test, touched a file lonston.txt, and listed the files:

root@system99:/tmp# mkdir test && touch lonston.txt && ls -l
total 4
-rw-r--r-- 1 root root    0 Feb 27 16:35 lonston.txt
drwxr-xr-x 2 root root 4096 Feb 27 16:35 test

Then I changed the permissions of the file and the directory to null permission using 000 and listed them to see the permissions:

root@system99:/tmp# chmod 000 lonston.txt && chmod 000 test && ls -l
total 4
---------- 1 root root    0 Feb 27 16:35 lonston.txt
d--------- 2 root root 4096 Feb 27 16:35 test

Then I can even write to the file and read the file using cat:

root@system99:/tmp# echo "Yes root have all Privileges than other user's, let we see the permission of user's too" > lonston.txt 

root@system99:/tmp# cat lonston.txt 
Yes root have all Privilages than other user's, let we see the permission of user's too

I can even get into the directory which has d--------- (null) 000 permission, even though root has no read or write permission.

root@system99:/tmp# cd test/
root@system99:/tmp/test# pwd
/tmp/test

I can even create files and folders from anywhere after the change of permission:

root@system99:/tmp/test# touch /tmp/test/lonston/testdir/babin.txt

root@system99:/tmp/test# ls -l /tmp/test/lonston/testdir/
total 0
-rw-r--r-- 1 root root 0 Feb 27 16:39 babin.txt

Now here we can see the permission with 400:

root@system99:/tmp/test# chmod 400 babin.txt

List to see the file permissions:

root@system99:/tmp/test# ls -l
total 8
-r-------- 1 root root   34 Feb 27 16:42 babin.txt
drwxr-xr-x 3 root root 4096 Feb 27 16:38 lonston

Using vim I have added 1 line to the file babin.txt:

root@system99:/tmp/test# vim babin.txt

But while in vim it will warn us with "W10: Warning: Changing a readonly file", but the file is still writable.

Now we can cat the file for output:

root@system99:/tmp/test# cat babin.txt 
hi this is the write persmission 
this is added while the file have 400 permission

Then I logged out from the root user to a normal user and listed the files having null permission, as in root too:

root@system99:/tmp# exit
exit

Navigate to the /tmp directory:

sysadmin@system99:~$ cd /tmp/
sysadmin@system99:/tmp$ ls -l
total 8
---------- 1 root root   88 Feb 27 16:36 lonston.txt
d--------- 2 root root 4096 Feb 27 16:35 test

But we can't read the file as a normal user:

sysadmin@system99:/tmp$ cat lonston.txt 
cat: lonston.txt: Permission denied

sysadmin@system99:/tmp$ cd test/
cat: test/: Permission denied

That's it. Hope you got the power of the root user.

If you are a normal user and need root privileges, you need to use sudo; it will ask for the sudo password.

Example:

sysadmin@system99:/tmp$ sudo cat lonston.txt 
[sudo] password for sysadmin: 
Yes root have all Privilages than other user's, let we see the permission of user's too

The sudo user has collaboration with the root user's group, which is why sudo has root privileges.

To know more about sudo:

# man sudoers

Here we can see they have defined that the normal user can have sudo rights. I have shown only a few lines here.

sysadmin@system99:/tmp$ sudo cat /etc/sudoers

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

In total, we can read, edit or delete the files even when root doesn't have the read permission.