Linux: Permission Denied Even as Root
You're root — or using sudo — and Linux still says 'Permission denied'. Root normally ignores file permissions, so this means something else is blocking you: a read-only mount, an immutable flag, or a security module. Here's how to find it.
You run a command as root (or with sudo) and Linux still refuses:
-bash: /path/to/file: Permission denied
This is confusing because root is supposed to be all-powerful — it bypasses normal file permission bits entirely. So when root itself is denied, the cause is almost never ordinary permissions. Something else is enforcing a rule that even root has to obey.
Cause 1: The filesystem is read-only
The most common reason. The partition is mounted read-only — either on purpose, or because the kernel remounted it read-only after disk errors.
mount | grep ' / ' # look for "ro," in the options
touch /some/file # "Read-only file system" confirms it
Remount it read-write (after checking the disk is healthy):
mount -o remount,rw /
If it keeps going read-only, the disk is likely failing — check dmesg for I/O errors.
Cause 2: The file is immutable (chattr +i)
A file can carry an immutable attribute that blocks all writes, deletes, and renames — even by root — until it's cleared.
lsattr /path/to/file # an 'i' in the flags = immutable
chattr -i /path/to/file # remove it, then retry
Cause 3: The mount forbids execution (noexec)
If you're trying to run a script or binary and only that fails, the filesystem may be mounted noexec (common on /tmp, /dev/shm, and hardened mounts).
mount | grep noexec # is the file's filesystem noexec?
Move the binary to a normal filesystem, or remount without noexec.
Cause 4: SELinux or AppArmor is denying it
Mandatory Access Control (MAC) sits above root. On RHEL/Fedora (SELinux) or Ubuntu (AppArmor), a policy can deny an action no matter who you are.
getenforce # SELinux: "Enforcing"?
ausearch -m avc -ts recent # SELinux denials (or check /var/log/audit/audit.log)
dmesg | grep -i apparmor # AppArmor denials
The fix is to adjust the policy (add the right context/label or an AppArmor rule) — not to blanket-disable security.
The checklist
- Root being denied ≠ a normal permission problem — root ignores those.
- Read-only filesystem?
mount | grep ' / ', thenmount -o remount,rw. - Immutable file?
lsattr, thenchattr -i. - Only execution fails? Check for a
noexecmount. - RHEL/Ubuntu with a denial in the audit log? It's SELinux/AppArmor — fix the policy.
Frequently Asked Questions
Why is root getting "Permission denied"?
Because root bypasses ordinary file permissions, so the block is coming from something higher: a read-only filesystem, an immutable (chattr +i) file, a noexec mount, or a security module like SELinux or AppArmor.
How do I fix "permission denied" caused by an immutable file?
Run lsattr on the file — an i in the flags means it's immutable. Clear it with sudo chattr -i /path/to/file, then retry. Set it back later with chattr +i if it was intentional.
What's the difference between "Permission denied" and "Operation not permitted" as root?
"Permission denied" (EACCES) typically points to a filesystem or MAC restriction. "Operation not permitted" (EPERM) as root usually means an immutable attribute or a missing Linux capability (common inside containers) — check lsattr and, in containers, the granted capabilities.
Stop reading, start building
This pairs with a hands-on BytExplorer course — do it on your own machine and actually keep the skill.