# Can't delete file, operation not permitted (SOLVED)

## i92guboj

For around two weeks I haven't been able to update coreutils on my server; I didn't get the chance to look into this until today. It seems that /usr/bin/md5sum can't be updated for some reason. I can't erase it by hand either. I can't chmod it or do any other thing.

I've tried forcing an fsck on the drive then rebooting. It succeeded without a problem, no fs errors. The fs is ext3 and seems to be clean. The offending file is:

```
-rwxr-xr-x   1 122      114         31452 Apr  1 00:37 /usr/bin/md5sum
```

As you can see, ownership seems to be messed up, but that shouldn't matter to root... However, when I try to do something it won't let me do it.

```
# LC_ALL=C rm /usr/bin/md5sum 
rm: remove regular file `/usr/bin/md5sum'? s
# LC_ALL=C rm /usr/bin/md5sum 
rm: remove regular file `/usr/bin/md5sum'? y
rm: cannot remove `/usr/bin/md5sum': Operation not permitted
# LC_ALL=C unlink /usr/bin/md5sum 
unlink: cannot unlink `/usr/bin/md5sum': Operation not permitted
# LC_ALL=C chmod 777 /usr/bin/md5sum 
chmod: changing permissions of `/usr/bin/md5sum': Operation not permitted
# LC_ALL=C chown root:root /usr/bin/md5sum 
chown: changing ownership of `/usr/bin/md5sum': Operation not permitted
```

And now I am unable to update coreutils, which is bothering me a bit. Any ideas where to look?

Thanks for reading.

EDIT: I think I have managed to rm the file using debugfs. Let's see if that's the end of the problem or only the beginning.

----------

## causality

It really seems unusual that the ownership was set that way.  That makes me wonder how that would happen and whether it could cause other, related problems.  Just curious, did you try "chown root:root /usr/bin/md5sum"?  Wondering if that was successful for you.  I am also curious about what kind of output you would have received from "lsattr /usr/bin/md5sum".

----------

## i92guboj

 *causality wrote:*   

> It really seems unusual that the ownership was set that way.  That makes me wonder how that would happen and whether it could cause other, related problems.  Just curious, did you try "chown root:root /usr/bin/md5sum"?  Wondering if that was successful for you.  I am also curious about what kind of output you would have received from "lsattr /usr/bin/md5sum".

 

I can't really test anymore because I fixed this long ago. But no, I remember perfectly that I couldn't remove or chmod/chown any file affected by this (yes, later more appeared). This turned out to be a problem with a rootkit. I discovered that later, which is why I didn't report it here. I had two rootkits installed (besides having a tight security scheme and being usually careful when reviewing my very verbose logs). This caused a lot of trouble when emerging ebuilds, and that put me on track to finding what the problem was. I couldn't emerge some programs because some files under /var/tmp/portage had been set the same way (so emerge would complain when trying to overwrite them on the next compilation).

I suspect that everything was caused by the rootkit(s).

----------
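causality's `lsattr` question points at one common cause of root getting "Operation not permitted" on rm, chmod and chown: the ext2/ext3 immutable (`i`) or append-only (`a`) file attribute, though the thread never confirms that this was the cause here. The script below is an added example, not code from any poster: it picks those attributes out of `lsattr` output and lists files whose numeric owner has no account, like the 122:114 above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# the sample listing is constructed.

# flagged_attrs: read `lsattr` lines ("<flags> <path>") on stdin and print
# "<reason> <path>" for every entry with immutable (i) or append-only (a) set.
flagged_attrs() {
    while read -r flags path; do
        # Skip blank lines and the "dir:" headers that `lsattr -R` emits.
        [ -n "$path" ] || continue
        case "$flags" in *[!A-Za-z-]*) continue ;; esac
        case "$flags" in
            *i*) printf 'immutable %s\n' "$path" ;;
            *a*) printf 'append-only %s\n' "$path" ;;
        esac
    done
}

# scan_dir: run the check on a real directory tree, and also list files whose
# numeric uid/gid has no passwd/group entry.
scan_dir() {
    lsattr -R "$1" 2>/dev/null | flagged_attrs
    find "$1" -xdev \( -nouser -o -nogroup \) -exec printf 'unowned %s\n' {} \;
}

# Constructed sample of `lsattr -R` output, for trying the parser offline.
sample_lsattr() {
    cat <<'EOF'
-------------e-- /usr/bin/ls
----i--------e-- /usr/bin/md5sum

/usr/bin/sub dir:
-----a-------e-- /var/tmp/portage/build.log
--------------I- /usr/share/doc
EOF
}

# Usage: sh check_attrs.sh /usr/bin /var/tmp/portage
for d in "$@"; do scan_dir "$d"; done
```

On a host suspected of carrying a rootkit, run this from trusted rescue media against the mounted filesystem, since the installed `lsattr` and `find` may themselves have been replaced.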

