Today I Learned: removing or renaming a file does not invoke the write() system call.
To be able to do anything with a file, the first step is to look it up in its directory. Listing a directory’s contents is controlled by the execute flag. If a user has execute permissions on a directory, he can see what’s inside it. Also, the execute flag on the directory gives access to its files’ inodes, which is crucial in this context, as the removal process unlinks the file.

Next, the removing part. Renaming or removing a file doesn’t involve the write() system call. Practically, we don’t need any permissions to remove the file, nor do we care about its owner. The only requirement is to have write permissions on the parent directory (and the execute flag on the parent directory).
Source: Casually removing root files
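
An added example (not from the original post or its source) that applies the rule above as an audit check: it decides from mode bits alone whether a non-root uid could unlink a file, reading write and execute on the parent directory and never the file's own mode. It goes one step beyond the text by handling the sticky bit, where file ownership does matter; the function names and the "stranger" uid are hypothetical.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """rwx triplet (0-7) the kernel applies to this uid/gids: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_unlink(path, uid, gids=()):
    """Mode-bit check for unlink(path) by a non-root uid.

    Ignores ACLs, capabilities, immutable flags, LSMs and ancestor traversal.
    """
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    target = os.lstat(path)
    if class_bits(parent, uid, gids) & 0o3 != 0o3:  # need w (2) and x (1) on the directory
        return False
    if parent.st_mode & stat.S_ISVTX:  # sticky bit, e.g. /tmp (not covered on the page)
        return uid in (target.st_uid, parent.st_uid)
    return True  # the file's own mode and owner were never consulted


def demo():
    """Constructed scenario: a mode-000 file inside a directory of varying modes."""
    me = os.geteuid()
    stranger = me + 1  # hypothetical second uid, used only for the calculation
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        open(victim, "w").close()
        os.chmod(victim, 0o000)  # nobody may read or write the file itself
        for mode in (0o700, 0o500, 0o777, 0o1777):
            os.chmod(d, mode)
            results[mode] = (can_unlink(victim, me), can_unlink(victim, stranger))
        os.chmod(d, 0o700)  # restore so the temporary directory can be cleaned up
    return results


if __name__ == "__main__":
    for mode, (owner, other) in demo().items():
        print(f"dir {mode:04o}: dir owner={owner} other uid={other}")
```

Running the same check over root-owned files that sit in user-writable directories shows which of them an unprivileged account could remove or replace.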