6 Linux chattr Commands to Protect Files by Immutable Feature

Posted on: May 5, 2013, last updated on: April 18, 2017

chattr (change attribute) is a Linux command line utility that changes file attributes. It sets or clears attributes on files and directories so that important files cannot be accidentally deleted or modified, even by someone logged in as root: you make the file immutable. A file protected this way cannot be deleted even by a user who has full permissions on it, which is useful for system files such as /etc/passwd and /etc/shadow, which hold the user account information and password hashes. Note the limit of this protection: only root (more precisely, a process holding the CAP_LINUX_IMMUTABLE capability) can set or clear the i and a attributes, so they guard against mistakes and against unprivileged processes, not against an attacker who already has root and can simply clear the flag. These attributes are best known on the ext2, ext3 and ext4 file systems; other Linux file systems such as XFS and Btrfs honour a subset of them, notably i and a. Two commands, lsattr and chattr, are used to list and change attributes. The sections below describe the commonly used attributes and show them in action.

Understanding chattr command behaviour

The syntax is

       chattr [ -RVf ] [ -v version ] [ mode ] files...

chattr works by naming the attributes to set or clear on a file and the options that control how they are applied. An attribute is a specific condition a file or directory can be in; an option controls the manner in which the attributes are applied (for example, recursively).

Applying or removing an attribute does not change a file's contents: the flag is stored in the file's inode and enforced by the kernel on every access, so it is honoured whatever program is used. A file with the immutable attribute:

  • cannot be modified, deleted or renamed;
  • cannot have a hard link created to it, by anyone including root (a symbolic link pointing at it can still be created, because that does not touch the file's inode);
  • cannot have data written to it.

chattr adds (sets), lists and removes (clears) attributes. These attributes are manipulated with operators:

  • + causes the selected attributes to be added (set) to the existing attributes of the files;
  • - causes the selected attributes to be removed (unset);
  • = causes the selected attributes to be the only attributes that the files have.

Possible options for chattr command are:

  • -R recursively changes the attributes of directories and their contents
  • -V makes chattr verbose about what it changes and prints the program version
  • -f suppresses most error messages
  • -v version sets the file's version/generation number

Possible attributes are:

  • a: the file can only be opened in append mode for writing. Only the superuser, or a process with the CAP_LINUX_IMMUTABLE capability, can set or clear this attribute.
  • A: the atime record of the file is not modified. This avoids a certain amount of disk I/O for laptop systems.
  • c: the file is automatically compressed on disk by the kernel. A read from this file returns uncompressed data; a write compresses the data before storing it on disk. Note that this attribute is not honoured by the ext2, ext3 and ext4 file systems in mainline Linux kernels.
  • C: the file is not subject to copy-on-write updates. This flag is only supported on file systems which perform copy-on-write, such as Btrfs. If the C flag is set on a directory it has no effect on the directory itself, but new files created in that directory get the flag.
  • d: the file is not a candidate for backup when the dump program is run.
  • D: when a directory is modified, the changes are written synchronously to disk; this is equivalent to the 'dirsync' mount option applied to a subset of the files.
  • i: the file cannot be modified, deleted or renamed, no hard link can be created to it and no data can be written to it. Only the superuser, or a process with the CAP_LINUX_IMMUTABLE capability, can set or clear this attribute.
  • j: the file has all of its data written to the ext3 or ext4 journal before being written to the file itself. If the file system is mounted with data=journal, all data is journalled already and this attribute has no effect.
  • s: if the file is deleted, its blocks are zeroed and written back to disk. Like c, this is not honoured by ext2, ext3 and ext4 in mainline kernels.
  • S: if the file is modified, the changes are written synchronously to disk; this is equivalent to the 'sync' mount option applied to a subset of the files.
  • t: the file will not have a partial block fragment at the end of the file merged with other files.
  • T: the directory is deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator.
  • u: if the file is deleted, its contents are saved so that the user can ask for it to be undeleted. Like c and s, this is not honoured by ext2, ext3 and ext4 in mainline kernels.

1) How to check file attributes

Before setting attributes, check the attributes already present on the files. This is done with the lsattr command:

# lsattr 
-------------e-- ./coreutils-8.22-18.el7.x86_64.rpm
-------------e-- ./pac
-------------e-- ./utils
-------------e-- ./linox

To directly check attributes of a file, do:

# lsattr coreutils-8.22-18.el7.x86_64.rpm 
-------------e-- coreutils-8.22-18.el7.x86_64.rpm

To directly check attributes of a folder, do:

$ lsattr -d test
-------------e-- test/

The output shows that no attribute has been set with chattr: the only letter present, e, is set by the file system itself and is explained below.

Note that some attributes cannot be applied with chattr and can only be listed with lsattr. You should be able to recognise them when they appear. The attributes below are display-only:

  • e: it indicates that the file is using extents for mapping the blocks on disk.
  • E: it is used by the experimental compression patches to indicate that a compressed file has a compression error.
  • h: the file is storing its blocks in units of the file system block size instead of in units of sectors, meaning the file is (or at one time was) larger than 2TB.
  • I: it is used by the htree code to indicate that a directory is being indexed using hashed trees.
  • N: file has data stored inline, within the inode itself.

During our tests we will create files and directories to exercise each command shown below.
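Checking one path at a time is fine interactively, but an administrator usually wants to know every file under a tree that has i or a set, whether it was set on purpose or not. The script below is an added example and not part of the original article: it parses the attribute field (the first word of each lsattr line) and prints only the entries carrying i or a, then wraps that in a scan over a directory tree using find and lsattr -d. The lsattr lines it is exercised with are constructed for illustration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: report every file or directory under a tree whose i
# (immutable) or a (append-only) attribute is set, using lsattr as the
# data source.  Sample lsattr lines used when trying it out are constructed.

# lsattr_flags LINE
#   Print the flag letters set in one lsattr output line, with the dashes
#   removed and the order preserved:
#   "----i--------e-- ./file1"  ->  "ie"
lsattr_flags() {
    printf '%s\n' "${1%% *}" | sed 's/-//g'
}

# has_flag LETTER LINE
#   Exit 0 when LETTER is among the flags set in LINE, else 1.
has_flag() {
    case "$(lsattr_flags "$2")" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# filter_flagged
#   Read lsattr output on stdin and print "FLAGS PATH" for each entry with
#   i or a set.  Lines without a space (directory headers printed by
#   lsattr -R, blank lines) and lines whose first word is not an attribute
#   field are skipped, so the path part may safely contain spaces.
filter_flagged() {
    while IFS= read -r line; do
        case "$line" in
            *" "*) ;;
            *) continue ;;
        esac
        attrs=${line%% *}
        path=${line#* }
        case "$attrs" in
            *[!A-Za-z-]*) continue ;;
        esac
        case "$attrs" in
            *i*|*a*) printf '%s %s\n' "$(lsattr_flags "$line")" "$path" ;;
        esac
    done
}

# audit_flags DIR
#   Walk DIR without crossing file system boundaries and report the
#   immutable or append-only entries.  lsattr -d makes directories report
#   their own flags instead of listing their contents; errors from file
#   systems that do not support attributes are discarded.
audit_flags() {
    find "$1" -xdev \( -type f -o -type d \) -exec lsattr -d -- {} + 2>/dev/null |
        filter_flagged
}

# Usage: sh audit_flags.sh /etc
#   prints, for example, "ie /etc/shadow" when /etc/shadow is immutable
if [ $# -gt 0 ]; then
    audit_flags "$1"
fi
```

Run it against / on a host you are investigating and compare the list with what you expect to be pinned: anything immutable or append-only that you did not set yourself deserves a second look.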

2) How to set and unset an attribute

We have seen that chattr uses operators to apply attributes to files. To set a flag, use one of the attributes listed above with the + operator:

chattr +i file1

A file with a flag set is said to have that attribute. To remove an attribute, use the - operator:

chattr -i file1

3) How to protect file with 'i' attribute

With the i attribute, the file can only be read. Every other action, including appending, editing, renaming and deleting, is denied. Only root can set and remove the immutable flag on a file.

In this scenario we create a file as a normal user, check its permissions and make it immutable. Then we try to delete it.

$ touch file1
$ ls -l
total 99120
-rw-r--r-- 1 root   root   101490688 Apr 12 18:33 chefdk_1.3.40-1_amd64.deb
-rw-rw-r-- 1 ubuntu ubuntu         0 Apr 13 00:50 file1
drwxr-xr-x 8 root   root        4096 Apr 12 18:06 nagios-cookbook-tutorial

Now let's see the default attributes

$ lsattr 
-------------e-- ./nagios-cookbook-tutorial
-------------e-- ./chefdk_1.3.40-1_amd64.deb
-------------e-- ./file1

In the commands below, we put some content in the file and apply the chattr command

$ echo "Test of i attribute" > file1 
$ cat file1 
Test of i attribute
$ chattr +i file1 
chattr: Operation not permitted while setting flags on file1
$ sudo chattr +i file1 

$ lsattr 
-------------e-- ./nagios-cookbook-tutorial
-------------e-- ./chefdk_1.3.40-1_amd64.deb
----i--------e-- ./file1

You can see that we cannot set the i attribute unless we are root.
In the commands below we try some operations on the file and look at the results

$ echo "Try to edit after set i attribute" >> file1 
-bash: file1: Permission denied
$ sudo echo "Try to edit after set i attribute" >> file1 
-bash: file1: Permission denied
$ rm -f file1 
rm: cannot remove 'file1': Operation not permitted
$ sudo rm -f file1 
rm: cannot remove 'file1': Operation not permitted
$ lsattr file1
----i--------e-- ./file1
$ chattr -i file1 
chattr: Operation not permitted while setting flags on file1
$ sudo chattr -i file1 

No write or delete operation on the file succeeds, not even through sudo. (Note that a command of the form sudo echo text >> file1 is not a write by root at all: the shell opens the redirection before sudo starts, so it fails exactly like the plain echo. Running the redirection as root, with sudo sh -c 'echo text >> file1', fails as well, because the flag binds root too.) You can also see that only root can remove the attribute

$ lsattr file1
-------------e-- ./file1
$ sudo echo "Try to edit after set i attribute" >> file1 

$ cat file1 
Test of i attribute
Try to edit after set i attribute
$ rm -f file1 

$ ls -l
total 99120
-rw-r--r-- 1 root   root   101490688 Apr 12 18:33 chefdk_1.3.40-1_amd64.deb
drwxr-xr-x 8 root   root        4096 Apr 12 18:06 nagios-cookbook-tutorial

As you can see, once the i flag is set, file1 can be neither appended to nor deleted, even by its owner or by root. Only root was able to add and remove the flag, and as soon as it was removed we could edit and delete the file again.

4) How to secure folders with 'i' attribute

As with files, we can protect a directory against modification. Let us create a directory for the example

$ mkdir linoxide
$ lsattr -d linoxide
-------------e-- ./linoxide

Let's put some content in the new directory: we create files and a sub-directory

$ cd linoxide/
$ ls -l
total 0

~/linoxide$ mkdir folder1
~/linoxide$ touch sun mecha
~/linoxide$ ls 
folder1  mecha  sun

~/linoxide$ mv sun folder1/
~/linoxide$ lsattr 
-------------e-- ./folder1
-------------e-- ./mecha
~/linoxide$ ls folder1
sun
~/linoxide$ cd ..
~$ lsattr -d linoxide
-------------e-- ./linoxide

Now that we have created the sub-directory and files, we apply the attribute to the directory and look at the result

$ sudo chattr +i linoxide/
$ lsattr -d linoxide/
----i--------e-- linoxide/

You can see that it took effect. Now let's see whether it also affects the files and sub-directories

cd linoxide/
ubuntu@ubuntu-xenial:~/linoxide$ lsattr 
-------------e-- ./folder1
-------------e-- ./mecha

NB: the i attribute does not appear when we list the attributes of the contents of the linoxide directory; it is set on the directory inode only. Let's try some operations on the direct contents of the directory

~/linoxide$ rm mecha
rm: cannot remove 'mecha': Permission denied
~/linoxide$ rm -r folder1/
rm: cannot remove 'folder1/': Permission denied
~/linoxide$ rm -rf folder1/
rm: cannot remove 'folder1/': Permission denied
~/linoxide$ rm -rf mecha
rm: cannot remove 'mecha': Permission denied
$ mkdir toto
mkdir: cannot create directory ‘toto’: Permission denied
touch papi
touch: cannot touch ‘papi’: Permission denied

We can neither delete any of the contents nor create a directory or a file, because each of these operations changes the directory itself. Now let's try to edit the file to add content

~/linoxide$ echo "just look" > mecha
~/linoxide$ cat mecha
just look
~/linoxide$ echo "add a line" >> mecha
~/linoxide$ cat mecha
just look
add a line
~/linoxide$ echo "replace the content" > mecha
~/linoxide$ cat mecha
replace the content

We are able to modify the content of the file even though we cannot delete it: the flag is on the directory, not on the file, and writing to the file does not change the directory.

~/linoxide$ mv mecha new-mecha
mv: cannot move 'mecha' to 'new-mecha': Permission denied

We cannot rename the file either, since renaming rewrites the directory entry. Now let's try some operations in the sub-directory, on the contents already present.

~/linoxide$ cd folder1/
~/linoxide/folder1$ lsattr
-------------e-- ./sun
~/linoxide/folder1$ mkdir test
~/linoxide/folder1$ ls
sun  test
~/linoxide/folder1$ touch possible
~/linoxide/folder1$ ls
possible  sun  test

See, we are able to create a file in the sub-directory folder1 of linoxide

~/linoxide/folder1$ echo "modify sun" > sun
~/linoxide/folder1$ cat sun
modify sun
~/linoxide/folder1$ echo "edit possible" > possible
~/linoxide/folder1$ cat possible
edit possible
~/linoxide/folder1$ mv sun test/
~/linoxide/folder1$ ls
possible  test
$ lsattr
-------------e-- ./possible
-------------e-- ./test

There is no attribute on the sub-directory, so let's try to delete something

~/linoxide/folder1$ rm -R test/
~/linoxide/folder1$ ls
possible
~/linoxide/folder1$ rm possible
~/linoxide/folder1$ ls -l
total 0

We were not able to delete the direct contents of the linoxide directory, but we deleted the contents of the folder1 sub-directory without difficulty: the i flag on a directory protects that directory's own entries only.

To protect the contents of sub-directories too, the attribute has to be set on them as well. So let's use the -R option to set it recursively and look at the changes

$ sudo chattr -R +i linoxide/
$ lsattr -d linoxide/
----i--------e-- linoxide/

We can see that the attribute is applied. Now enter the directory and check the sub-directory

$ cd linoxide/
~/linoxide$ lsattr
----i--------e-- ./folder1
----i--------e-- ./mecha

It affects the files and the sub-directory too

~/linoxide$ echo "Test of recursion" > mecha
-bash: mecha: Permission denied
~/linoxide$ echo "it doesn't work" >> mecha
-bash: mecha: Permission denied
~/linoxide$ sudo echo "waouh, different with -R" >> mecha
-bash: mecha: Permission denied

With -R, we can no longer modify the content of the file or delete anything, whereas without -R we could edit the file but not delete it. Now let's try some operations in our sub-directory

~/linoxide$ cd folder1/
~/linoxide/folder1$ ls -l
total 0
~/linoxide/folder1$ touch sun-test
touch: cannot touch 'sun-test': Permission denied
~/linoxide/folder1$ mkdir test2
mkdir: cannot create directory ‘test2’: Permission denied
~/linoxide/folder1$ ls -l
total 0

Now we cannot create a file in the sub-directory either. That is the difference the -R option makes: it applies the attribute to the directory, its sub-directories and all their contents.

NB: you can protect important files such as /etc/passwd and /etc/shadow from accidental removal or tampering this way, but doing so also disables account management. Creating a new system user fails with an error saying it cannot open /etc/passwd. If you try to change a password, you are prompted for the new password as usual, but at the next login the new password is not valid and you have to use the old one. Clear the flag before such administrative changes and set it again afterwards.
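The safe way to make that administrative change is to lift the flag only for the duration of the command and put it back whether or not the command succeeds. The script below is an added example and not part of the original article. It assumes it runs as root (or with CAP_LINUX_IMMUTABLE) on a file system that supports the flag, that the paths contain no whitespace (true of the files in /etc it is meant for), and the useradd invocation in the usage line is only illustrative.

```shell
#!/bin/sh
# Added example: run an administrative command against immutable files by
# lifting the i flag only for the duration of the command and restoring it
# afterwards, even if the command fails or the script is interrupted.
# Requires root (CAP_LINUX_IMMUTABLE) and a file system that supports chattr.
# Paths are assumed to contain no whitespace.  chattr does not take "--",
# so a path that starts with "-" or "+" must be given as ./name.

# is_immutable PATH
#   Exit 0 when the i flag is set on PATH, judged from the attribute field
#   (first word) of "lsattr -d" output.
is_immutable() {
    case "$(lsattr -d -- "$1" 2>/dev/null | cut -d' ' -f1)" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# restore_immutable PATH...
#   Put the i flag back on every PATH given.
restore_immutable() {
    for p in "$@"; do
        chattr +i "$p"
    done
}

# with_mutable PATH... -- COMMAND [ARGS...]
#   Clear i on each PATH that currently has it, run COMMAND, then restore
#   the flag on exactly those paths.  Paths that were not immutable are left
#   alone, so the wrapper can be used unconditionally.  Returns COMMAND's
#   exit status.
with_mutable() {
    released=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        if is_immutable "$1"; then
            chattr -i "$1" || { restore_immutable $released; return 1; }
            released="$released $1"
        fi
        shift
    done
    if [ "${1:-}" = "--" ]; then shift; fi
    if [ $# -eq 0 ]; then
        echo "usage: with_mutable PATH... -- COMMAND [ARGS...]" >&2
        restore_immutable $released
        return 2
    fi
    # Restore on any exit from here on, including Ctrl-C or a set -e abort.
    trap 'restore_immutable $released' EXIT
    trap 'exit 130' INT TERM
    "$@"
    status=$?
    restore_immutable $released
    released=""
    trap - EXIT INT TERM
    return $status
}

# Usage: with_mutable /etc/passwd /etc/shadow /etc/group /etc/gshadow -- useradd -m alice
if [ $# -gt 0 ]; then
    with_mutable "$@"
fi
```

useradd writes all four account files, which is why the usage line releases all of them; a wrapper that only released /etc/passwd would still fail on /etc/shadow.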

5) How to append data on file with 'a' attribute

With the a attribute, everyone is only allowed to append data to a file; data already present cannot be changed or removed. In other words, you can add content to the file but not modify or truncate what is already there.

We create a file for the example

$ touch file2

$ ls -l
total 99128
-rw-r--r-- 1 root   root   101490688 Apr 12 18:33 chefdk_1.3.40-1_amd64.deb
-rw-rw-rw- 1 ubuntu ubuntu        79 Apr 13 01:15 file1
-rw-rw-r-- 1 ubuntu ubuntu        22 Apr 13 01:23 file2
drwxr-xr-x 8 root   root        4096 Apr 12 18:06 nagios-cookbook-tutorial
$ lsattr file2
-------------e-- file2

Now we edit it

$ echo "Test of 'a' attribute" > file2

$ cat file2
Test of 'a' attribute

Now we set the flag

$ sudo chattr +a file2

$ lsattr file2
-----a-------e-- file2

We try some operations on the file

$ echo "Test of setting append on file2" > file2
-bash: file2: Operation not permitted

The > redirection truncates the file before writing, so it tries to remove the existing content and replace it with new content. The a attribute only authorises adding content, without removing any data already present.

$ echo "Test of setting append on file2" >> file2
$ cat file2
Test of 'a' attribute
Test of setting append on file2

With the >> redirection it works, because the shell opens the file in append mode and we only add content after the data already present. The kernel enforces this on the open flags, not on the shell syntax: any program that opens the file for writing without O_APPEND, or that tries to truncate, rename or delete it, gets Operation not permitted. A consequence worth knowing is that tools which rewrite a file in place (sed -i, most text editors) cannot modify an append-only file, which is exactly what you want for an audit log.

6) How to append data on folders with 'a' attribute

It is the same as with the i attribute. Let's create a directory with some content

$ mkdir barbatos
$ cd barbatos/
~/barbatos$ mkdir amazing wonder
~/barbatos$ touch file3 file4
~/barbatos$ ls
amazing  file3  file4  wonder

Add content to the files

~/barbatos$ echo "attr a is wonderful" > file3
~/barbatos$ echo "attr a is also amazing" > file4
~/barbatos$ cat file3
attr a is wonderful
~/barbatos$ cat file4
attr a is also amazing

Check the default attributes

~/barbatos$ lsattr
-------------e-- ./amazing
-------------e-- ./wonder
-------------e-- ./file4
-------------e-- ./file3
$ cd ..
$ sudo chattr -R +a barbatos/
$ lsattr -d barbatos
-----a-------e-- ./barbatos

The attribute is set. Now take a look at the contents

$ cd barbatos
~/barbatos$ lsattr
-----a-------e-- ./amazing
-----a-------e-- ./wonder
-----a-------e-- ./file4
-----a-------e-- ./file3

It took effect. Now let's try to modify the content, by adding and by removing data

$ echo "change the content?" > file3
-bash: file3: Operation not permitted
~/barbatos$ echo "add a content?" >> file3
~/barbatos$ cat file3
attr a is wonderful
add a content?
~/barbatos$ rm file4
rm: cannot remove 'file4': Operation not permitted
~/barbatos$ touch file6 file7
~/barbatos$ ls
amazing  file3  file4  file6  file7  wonder

We cannot delete a file but we can create new files: creating a file adds an entry to the directory, which is what the a flag permits.

~/barbatos$ mv file wonder/
mv: cannot stat 'file': No such file or directory
~/barbatos$ mv file6 wonder/
mv: cannot move 'file6' to 'wonder/file6': Operation not permitted

Moving a file into a sub-directory means removing its entry from the current, append-only directory, so it is not permitted.

~/barbatos$ touch wonder/file8
~/barbatos$ ls wonder/
file8

Creating a file inside a sub-directory, however, is permitted

~/barbatos$ touch amazing/file9
~/barbatos$ ls amazing/
file9
~/barbatos$ echo "add content" >> amazing/file9
~/barbatos$ cat amazing/file9
add content

We see that the a flag is applied to our directory and its sub-directories.

$ cd
$ rm -Rf barbatos/
rm: cannot remove 'barbatos/amazing/file9': Operation not permitted
rm: cannot remove 'barbatos/file7': Operation not permitted
rm: cannot remove 'barbatos/wonder/file8': Operation not permitted
rm: cannot remove 'barbatos/file6': Operation not permitted
rm: cannot remove 'barbatos/file4': Operation not permitted
rm: cannot remove 'barbatos/file3': Operation not permitted

We cannot delete the directory; the errors show that neither its files nor the files in its sub-directories can be removed.

So the difference between the a and i attributes is that a preserves existing data while allowing only modifications that add data (never remove or replace it), whereas i preserves the data and allows no modification at all.

NB: the -R option also replicates the attribute to sub-directories, so in this example content can only be added anywhere under barbatos. Without -R the attribute is set on the top directory only.
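The append-only flag is what makes a log file tamper-evident, but, as sections 5 and 6 show, it also refuses the truncation and the rename that log rotation relies on, so an append-only log cannot be rotated by the usual copy-and-truncate method. The script below is an added example and not part of the original article: it lifts the a flag, moves the log aside, makes the archive immutable and recreates an empty append-only log. It assumes it runs as root (or with CAP_LINUX_IMMUTABLE), that the log's directory does not itself carry a or i (a rename inside such a directory is refused, as section 6 shows), and that stat understands -c (GNU coreutils or busybox); the log path in the usage line is illustrative.

```shell
#!/bin/sh
# Added example: rotate an append-only (chattr +a) log.  The a flag refuses
# truncation and rename, so copy-and-truncate rotation fails with
# "Operation not permitted"; the flag has to be lifted for the rename and
# set again on the fresh file.  Requires root (CAP_LINUX_IMMUTABLE).
# Assumptions: the log's directory does not itself carry a or i, and stat
# understands -c (GNU coreutils or busybox).

# rotate_append_log LOG
#   Move LOG aside to LOG.YYYYmmddHHMMSS, make that archive immutable, and
#   recreate an empty append-only LOG with the original mode and owner.
#   Sets ROTATED_TO to the archive path; returns non-zero and leaves the
#   log untouched on failure.
rotate_append_log() {
    log=$1
    if [ ! -f "$log" ]; then
        echo "rotate_append_log: $log: not a regular file" >&2
        return 1
    fi
    archive="$log.$(date +%Y%m%d%H%M%S)"
    if [ -e "$archive" ]; then
        echo "rotate_append_log: $archive already exists" >&2
        return 1
    fi
    mode=$(stat -c %a "$log") || return 1
    owner=$(stat -c %u:%g "$log") || return 1

    chattr -a "$log" || return 1           # lift append-only so the rename is allowed
    if ! mv "$log" "$archive"; then
        chattr +a "$log"                   # rename failed: put the flag back
        return 1
    fi
    chattr +i "$archive"                   # the archive can no longer change at all

    : > "$log"                             # fresh, empty log
    chmod "$mode" "$log" && chown "$owner" "$log" || return 1
    chattr +a "$log" || return 1           # and it is append-only again
    ROTATED_TO=$archive
}

# Usage: rotate_append_log /var/log/app/audit.log
# Processes that still hold the old file open must be told to reopen it
# (what logrotate's postrotate hook is for); otherwise their writes go to
# the archive, or fail once it is immutable.
if [ $# -gt 0 ]; then
    rotate_append_log "$1" && echo "archived to $ROTATED_TO"
fi
```

Marking the archive immutable rather than merely append-only is deliberate: once rotated, a log has no legitimate writer left, so the stricter flag costs nothing and blocks the one remaining edit path.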

Conclusion

We now know how to protect files and directories: with a, only adding content is possible; with i, no change is possible at all. Only root, or a user with root privileges, can change these attributes, so remember that the protection is against accidents and unprivileged processes, not against anyone who already has root.

Filed Under : FILE SYSTEM, HOWTOS, LINUX COMMANDS
