Chattr Command in Linux (Set Immutable Bit)

chattr (change attribute) is a Linux command line utility that changes the attributes of files and directories. It sets and unsets attributes that protect important files and directories from accidental deletion or modification, even by a user logged in as root.

The most used of these is the immutable attribute: a file carrying it cannot be deleted, renamed or written to until the attribute is removed, even by a user who has full permissions on it. Keep in mind that this is protection against accidents and careless scripts, not a security boundary against root, who can simply remove the attribute again.

This is useful for system files such as /etc/passwd and /etc/shadow, which hold account information and password hashes. The i and a attributes are honoured by most Linux filesystems (ext2/3/4, XFS, Btrfs, F2FS); several of the others apply only to the ext family, and tmpfs does not support chattr at all.

Syntax of chattr command and Usage

Below is the syntax for chattr command:

       chattr [ -RVf ] [ -v version ] [ mode ] files...

File attributes we can use with chattr command:

  • a - the file can only be opened in append mode for writing. Only the superuser, or a process with the CAP_LINUX_IMMUTABLE capability, can set or clear this attribute.
  • A - the atime record of the file is not modified. This avoids a certain amount of disk I/O on laptop systems.
  • c - the file is automatically compressed on disk by the kernel. A read from this file returns uncompressed data; a write compresses the data before storing it on disk. Not implemented by ext2/3/4 in mainline kernels (Btrfs honours it).
  • C - the file will not be subject to copy-on-write updates. This flag is only supported on filesystems which perform copy-on-write. If the 'C' flag is set on a directory, it has no effect on the directory itself, but new files created in it inherit it.
  • d - the file is not a candidate for backup when the dump program is run.
  • D - when a directory is modified, the changes are written synchronously to disk; this is equivalent to the 'dirsync' mount option applied to a subset of the files.
  • e - (shown by lsattr on ext4 in the examples below) the file uses extents to map its blocks; ext4 sets it itself and it cannot be removed with chattr.
  • i - the file cannot be modified, deleted or renamed, no hard link can be created to it and no data can be written to it. Only the superuser, or a process with the CAP_LINUX_IMMUTABLE capability, can set or clear this attribute.
  • j - the file has all of its data written to the ext3 or ext4 journal before being written to the file itself.
  • s - if the file is deleted, its blocks are zeroed and written back to disk. Not implemented by ext2/3/4 in mainline kernels, so do not rely on it for secure deletion.
  • S - if the file is modified, the changes are written synchronously to disk; this is equivalent to the 'sync' mount option applied to a subset of the files.
  • t - the file will not have a partial block fragment at the end of the file merged with other files.
  • T - the directory will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator.
  • u - if the file is deleted, its contents are saved so that the user can ask for its undeletion. Not implemented by ext2/3/4 in mainline kernels.

1) How to set file attribute (Set immutable bit)

To set an attribute, use chattr with the + operator followed by the attribute letter (- removes an attribute, and = sets exactly the listed attributes and clears the rest).

Let's check with an example how to set the immutable attribute on a file. Only root, or more precisely a process holding the CAP_LINUX_IMMUTABLE capability, can set or remove the immutable flag.

A file with the immutable attribute:

  • Cannot be modified, deleted or renamed, and its mode, owner and timestamps cannot be changed
  • Cannot be hard-linked by anyone, including root (a symbolic link pointing at it can still be created, because that only creates a new inode in the directory and never touches the file itself)
  • Cannot have any data written to it, not even appended

Let's create an empty file using touch command as follows:

$ touch file1

Now let's see how to list attributes of the file using lsattr command:

$ lsattr 
-------------e-- ./nagios-cookbook-tutorial
-------------e-- ./chefdk_1.3.40-1_amd64.deb
-------------e-- ./file1

Add some content to the file using echo command:

$ echo "Test of i attribute" > file1 
$ cat file1 
Test of i attribute

Now we can set immutable attribute using +i on the file (file1).

$ sudo chattr +i file1
$ lsattr 
-------------e-- ./nagios-cookbook-tutorial
-------------e-- ./chefdk_1.3.40-1_amd64.deb
----i--------e-- ./file1

In the following commands we try to append to and delete the file, first as the normal user and then as root. Note that 'sudo echo "..." >> file1' does not test root at all: the redirection is opened by the unprivileged shell before sudo runs, so use 'sudo tee -a' instead:

$ echo "Try to edit after set i attribute" >> file1 
-bash: file1: Operation not permitted
$ echo "Try to edit after set i attribute" | sudo tee -a file1
tee: file1: Operation not permitted
$ rm -f file1 
rm: cannot remove 'file1': Operation not permitted
$ sudo rm -f file1 
rm: cannot remove 'file1': Operation not permitted

All of the above operations are refused with EPERM ("Operation not permitted"), for root as much as for the normal user: the immutable flag is enforced by the kernel on the inode and is independent of the file's permission bits.

Note: you can protect /etc/passwd and /etc/shadow this way against accidental removal or tampering, but be aware that it also blocks legitimate changes. useradd will fail with an error such as 'cannot open /etc/passwd' because it cannot write the file, and passwd will prompt for a new password and then fail to update /etc/shadow, so the old password stays in effect. The same applies to any file a package manager or configuration management tool expects to replace: an immutable file makes that upgrade fail. Remember also that root can run chattr -i at any time, so the flag guards against mistakes, not against a privileged attacker, unless CAP_LINUX_IMMUTABLE is unavailable to that attacker's processes.

2) How to remove attribute (unset) on files

To remove an attribute from a file, use the - operator followed by the attribute letter.

In the following example, let us unset the immutable attribute from the file (file1).

$ sudo chattr -i file1 
$ lsattr file1
-------------e-- file1

You should be now able to do all normal operations on the file.

3) How to secure directories with 'i' attribute

Setting the i attribute on a directory alone prevents entries from being created, deleted or renamed in it, but the files inside can still be written to. To protect a directory and everything under it, set the attribute recursively with -R and the + operator.

The following command will set the immutable bit on the directory ('linoxide') recursively:

$ sudo chattr -R +i linoxide/ 
$ lsattr -d linoxide
----i--------e-- linoxide/

To unset it, use the - operator followed by the i attribute, again recursively:

$ sudo chattr -R -i linoxide/

4) Append data on file without changing existing data

The a attribute allows a file to be opened for writing only in append mode: anyone with write permission can add data at the end, but nobody (root included) can overwrite, truncate, delete or rename it while the flag is set.

This is the usual choice for log files that must not be silently edited. Note that rotating such a log by renaming it requires removing the flag first.

The following example sets the append-only attribute on the file (file2).

$ sudo chattr +a file2
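The following script is an added example and not part of the original article. It runs the procedures of sections 1 to 4 end to end and verifies each behaviour claimed above for the i and a attributes, including the two points that are easy to get wrong: redirections must be tested from a child shell rather than with 'sudo echo >> file', and a symlink pointing at an immutable file can still be created. It needs root (more precisely CAP_LINUX_IMMUTABLE) and a filesystem that supports chattr; on tmpfs or without the capability the checks report "skipped" instead of failing. The file names, the temporary directory and the helper names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: exercise the i and a
# attributes and verify each behaviour claimed in the text. Needs root
# (CAP_LINUX_IMMUTABLE) and a filesystem that supports chattr, e.g. ext4,
# XFS or Btrfs; on tmpfs, or without the capability, the checks return 2
# ("skipped") rather than failing. Run with: sudo bash chattr_checks.sh --run

# expect_fail CMD...: succeed when CMD is refused by the kernel.
expect_fail() {
    if "$@" >/dev/null 2>&1; then
        echo "FAIL: '$*' succeeded but should have been refused" >&2
        return 1
    fi
    echo "ok: '$*' refused"
}

# expect_ok CMD...: succeed when CMD succeeds.
expect_ok() {
    if ! "$@" >/dev/null 2>&1; then
        echo "FAIL: '$*' failed but should have been allowed" >&2
        return 1
    fi
    echo "ok: '$*' allowed"
}

# Redirections are opened by the calling shell, so do them in a child sh -c
# instead of "sudo echo ... >> file", which never tests the privileged user.
append_to() { sh -c 'echo "$2" >> "$1"' _ "$1" "$2"; }
overwrite() { sh -c 'echo "$2" > "$1"'  _ "$1" "$2"; }

# immutable_checks DIR: set +i on DIR/file1 (assumed name) and check every
# property. Returns 0 if all behave as expected, 1 on a mismatch, 2 if skipped.
immutable_checks() {
    local dir=$1 f=$1/file1 rc=0
    echo "original content" > "$f" || return 2
    if ! chattr +i "$f" 2>/dev/null; then
        echo "skipped: chattr +i not permitted or not supported in $dir" >&2
        rm -f "$f"
        return 2
    fi
    # Writing, truncating, deleting, renaming, chmod and hard-linking are refused.
    expect_fail append_to "$f" "appended"      || rc=1
    expect_fail overwrite "$f" "overwritten"   || rc=1
    expect_fail rm -f "$f"                     || rc=1
    expect_fail mv "$f" "$dir/renamed"         || rc=1
    expect_fail chmod 600 "$f"                 || rc=1
    expect_fail ln "$f" "$dir/hardlink"        || rc=1
    # Reading still works, and so does creating a symlink that points at the
    # file: the symlink is a new inode in the directory and never touches file1.
    expect_ok cat "$f"                         || rc=1
    expect_ok ln -s "$f" "$dir/symlink"        || rc=1
    [ "$(cat "$f")" = "original content" ]     || rc=1
    # Clearing the flag restores normal behaviour.
    chattr -i "$f"
    expect_ok append_to "$f" "appended"        || rc=1
    rm -f "$f" "$dir/symlink" "$dir/hardlink" "$dir/renamed"
    return "$rc"
}

# append_only_checks DIR: set +a on DIR/app.log (assumed name); appends are
# allowed, everything else is refused and earlier data stays intact.
append_only_checks() {
    local dir=$1 f=$1/app.log rc=0
    echo "line1" > "$f" || return 2
    if ! chattr +a "$f" 2>/dev/null; then
        echo "skipped: chattr +a not permitted or not supported in $dir" >&2
        rm -f "$f"
        return 2
    fi
    expect_ok   append_to "$f" "line2"         || rc=1   # O_APPEND write allowed
    expect_fail overwrite "$f" "wiped"         || rc=1   # O_TRUNC refused
    expect_fail truncate -s 0 "$f"             || rc=1
    expect_fail rm -f "$f"                     || rc=1
    expect_fail mv "$f" "$f.1"                 || rc=1   # rotation by rename refused too
    [ "$(wc -l < "$f")" -eq 2 ]                || rc=1   # earlier line intact
    chattr -a "$f"
    rm -f "$f"
    return "$rc"
}

# run_demo: both check sets in a fresh scratch directory on a disk filesystem.
run_demo() {
    local dir r1=0 r2=0
    dir=$(mktemp -d "${TMPDIR:-/var/tmp}/chattr-demo.XXXXXX" 2>/dev/null) \
        || dir=$(mktemp -d) || return 1
    immutable_checks "$dir"   || r1=$?
    append_only_checks "$dir" || r2=$?
    rmdir "$dir"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    run_demo
fi
```

Each check line prints "ok" or "FAIL", so a single "FAIL" in the output points at the exact operation whose behaviour differs from what the text claims on your kernel and filesystem.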

5) How to list file attributes

To list files or directories current attributes we have to use lsattr command. The following command will list file attributes for all files and folders in the current directory:

$ lsattr 
-------------e-- ./coreutils-8.22-18.el7.x86_64.rpm
-------------e-- ./pac
-------------e-- ./utils
-------------e-- ./linox

You can check the attributes of a single file using the following command:

$ lsattr coreutils-8.22-18.el7.x86_64.rpm 
-------------e-- coreutils-8.22-18.el7.x86_64.rpm

To check attributes of a directory use -d option

$ lsattr -d test
-------------e-- test/
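The following script is an added example and not part of the original article. It turns the lsattr listing shown above into an inventory of every entry that carries the i or a flag. Besides confirming your own chattr work, such an inventory is worth running on a host you are investigating: an immutable or append-only file that you did not set is a cheap way for someone to make a change survive cleanup, package upgrades and configuration management. The parsing relies only on the "flags, space, path" layout of lsattr output; the SAMPLE text is constructed for the self-check and is not real output from any host, and the helper names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: parse lsattr output and
# list every entry whose flags include i (immutable) or a (append-only).
# Assumes GNU lsattr from e2fsprogs. SAMPLE is constructed, not captured.

# attr_letters LINE: the flag letters of one lsattr line
# ("----i--------e-- ./file1" -> "ie"). lsattr prints a fixed-width flag
# field, then a space, then the path, so split on the first space.
attr_letters() {
    printf '%s\n' "${1%% *}" | sed 's/-//g'
}

# has_attr LETTER LINE: true if the line's flag field contains LETTER.
has_attr() {
    case "$(attr_letters "$2")" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# pinned_entries: read lsattr (or lsattr -R) output on stdin and print
# "FLAGS<TAB>PATH" for entries that are immutable or append-only. Blank
# lines and the "./dir:" headers that -R emits are skipped; a header such as
# "./linoxide:" contains the letters i and a but is not a flag field.
pinned_entries() {
    local line flags path
    while IFS= read -r line; do
        case "$line" in
            *' '*) ;;          # a real entry has "flags path"
            *) continue ;;     # blank line or "./dir:" header
        esac
        flags=${line%% *}
        path=${line#* }
        case "$flags" in
            *i*|*a*) printf '%s\t%s\n' "$flags" "$path" ;;
        esac
    done
}

# audit_pinned DIR: live inventory of immutable/append-only entries under DIR.
# Errors from filesystems without attribute support (tmpfs, /proc) are dropped.
audit_pinned() {
    lsattr -R "$1" 2>/dev/null | pinned_entries
}

# Constructed sample in the layout lsattr -R prints; not taken from a real host.
SAMPLE='-------------e-- ./file1
----i--------e-- ./etc/passwd
-----a-------e-- ./var/log/audit.log
-------------e-- ./linoxide

./linoxide:
----i--------e-- ./linoxide/notes with spaces.txt'

# sample_pinned: run the filter over SAMPLE (self-check of the parser).
sample_pinned() {
    printf '%s\n' "$SAMPLE" | pinned_entries
}

if [ "${1:-}" = "--run" ]; then
    sample_pinned
    echo "--- live inventory of ${2:-/etc} ---"
    audit_pinned "${2:-/etc}"
fi
```

Run it as 'bash lsattr_audit.sh --run /etc' (root is not required for lsattr itself, only for reading directories you cannot otherwise read); paths containing spaces are kept whole because only the first space is used as the separator.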

Conclusion

Now we know how to protect our files and folders using the chattr command in Linux. I hope you enjoyed reading this tutorial; please leave your suggestions in the comment section below. For more information, refer to man chattr and man lsattr.

Bobbin Zachariah 7:58 am
