Intermediate Prohibited Files
Author(s): Matthias Lee (ml2322)
Last Updated: 07-07-2025
Recommended Prerequisites (click to expand)
More efficient strategies to find prohibited files
find
The find command is a powerful tool to search the system for files matching certain criteria. To find prohibited files with it,
we can use the -name argument to search for all files with a specific extension. To do this, we can use a wildcard like -name "*.mp3"
to find everything that ends in .mp3. However, we still need to tell find where to look. For example, to search for all MP3 files in
/home, the command would be find /home -name "*.mp3". NOTE: * is a special character in bash, so you need to put it in quotes.
user@system:/home/user$ sudo find /home -name "*.wav"
/home/jacob/Audio/heyy_john.wav
Additionally, prohibited files may not always be in the user home directories. Therefore, it's useful to search other directories or even
the whole system sometimes (replace /home with / for the whole system, or some other directory). However, the more broad the search, the
longer it will take, and the more false positives you will get.
Remediating protected prohibited files
Prohibited files may sometimes have restrictive permissions to prevent you from deleting them.
Taking ownership of the file
A good first step to delete a file is to take ownership of it with the chown command. For several files, you can use a wildcard to target them all
at once. You specify user:user, as you change the user ownership and group ownership to yourself.
user@system:/home/user$ sudo chown user:user *.mp3
Setting permissions
The next step to take control of a file is to enable write permissions on it, with chmod. We will change the permissions to 775 to ensure
we are able to delete it.
user@system:/home/user$ sudo chmod 775 *.mp3
Changing attributes
If the above two methods didn't enable you to delete the file, the final thing to try is to remove the immutable and append only attributes
with chattr.
user@system:/home/user$ sudo chattr -ia *.mp3