chattr Command Examples to Change File Attributes (Make files immutable)

Files can also have attributes that are expressed in a different way from the permissions we have seen so far. An example of this is making a file immutable (a fancy word that means it cannot be changed). An immutable file still has normal user and group ownership and RWX permissions, but it will not allow the user to change it, even if the write permission is set. An immutable file also cannot be renamed.

In this post, we discuss how to use the chattr command to change file attributes in Linux and make important files immutable. chattr stands for Change Attribute. Immutable means that once the attribute is set on a file with chattr, you cannot move the file, delete it, create a link to it or edit it, even if you have full access to that file. Even the root user cannot change the file while the attribute is applied. You can use chattr to set and unset the attributes of a file. Only the root user can set or unset attributes of files and directories using the chattr command. Because root can remove the attribute again with chattr -i, it protects against accidental or unprivileged changes rather than against someone who already has root.

So let’s have a look at some examples of using the chattr command to change file attributes:

Set “i” Attribute to a File

Suppose I have a file named geek.txt which is accessible to everyone, which means any user can delete, move or edit that file. Refer to the output below.

# ls -l geek.txt 
-rwxrwxrwx. 1 root root 0 Apr 24 03:59 geek.txt     # Everyone has full access to "geek.txt"
# rm geek.txt    # I am able to delete the file
rm: remove regular empty file `geek.txt'? y

Now let’s set an attribute on the geek.txt file using the chattr command. To set an attribute we use the “+” sign, and to unset an attribute we use the “-” sign.

# chattr +i geek.txt       # Setting Attribute to a file

Where,
i – Stands for Immutable.

You can also use the -V option to see verbose output while setting an attribute on a file.

# chattr -V +i geek.txt     # Setting attribute to a file with -V
chattr 1.41.12 (17-May-2010)
Flags of geek.txt set as ----i--------e-

So we have set the attribute on the file geek.txt. To confirm this, use the lsattr command. Refer to the sample output below. You will notice an i in the attribute field of the file.

# lsattr geek.txt    # confirm if attribute set or not
----i--------e- geek.txt

Now let’s try to remove, move, edit and change the permissions of the file. None of these operations will succeed.

1. Remove the File:

# rm geek.txt        # Removing the File
rm: remove regular empty file `geek.txt'? y
rm: cannot remove `geek.txt': Operation not permitted
# You can also try to remove the file forcefully.
# rm -rf geek.txt  # Removing the file forcefully
rm: cannot remove `geek.txt': Operation not permitted

2. Move the File:

# mv geek.txt test.txt        # Move the file
mv: cannot move `geek.txt' to `test.txt': Operation not permitted

3. Edit the File:

# cat >> geek.txt 
bash: geek.txt: Permission denied

4. Change Permission of the File:

# chmod 755 geek.txt 
chmod: changing permissions of `geek.txt': Operation not permitted

As you can see in all of the above examples, we are unable to make any changes to that file.

Removing the -i (immutable) attribute from the files

To remove the “i” attribute, use the command below.

# chattr -i geek.txt    # Unset "i" attribute

After removing the attribute, the attribute field in the lsattr output becomes blank.

# lsattr geek.txt     
--------------- geek.txt

Making a directory immutable using chattr

Now let’s try to secure a directory by changing its attribute recursively using the chattr command. Here I have a directory named data, and everyone has full access to that directory recursively. Refer to the sample output below.

# mkdir data
# chmod -R 777 data/
# ls -l
total 4
drwxrwxrwx. 2 root root 4096 Apr 24 04:25 data

Now set the attribute on that directory.

# chattr +i data/
# lsattr 
----i--------e- ./data

You can also set the attribute recursively using the -R option with chattr.

# chattr -R +i data/

After setting the attribute on the directory, try to delete or move it, or to create a file in it. None of these operations will be allowed. Refer to the sample output below.

# rmdir data/        # Deleting the Directory
rmdir: failed to remove `data/': Operation not permitted
# rm -rf data/        # Deleting the Directory Forcefully
rm: cannot remove `data': Operation not permitted
# mv data/ mydata       # Moving the Directory
mv: cannot move `data/' to `mydata': Operation not permitted
# cd data/
# cat > test.txt       # Creating a File in the directory
bash: test.txt: Permission denied

Where can we actually make use of the chattr command?

Let’s take an example: as a Linux administrator, you obviously don’t want anyone to change, remove or otherwise misuse your configuration files. It is your responsibility to secure them and keep them safe from people who are not authorised to touch them. We can secure our configuration files by using the chattr command.

In Linux, configuration files are stored in the /etc directory. If we set the attribute on the /etc directory, no one will be able to change your configuration there. So let’s do that.

# chattr +i /etc/     # Setting attribute to /etc directory

Now let’s try to do some tasks:

Example 1: Create a Group

# groupadd g5
groupadd: cannot lock /etc/group; try again later.

Example 2: Set a Password for a User

# passwd michelle
Changing password for user michelle.
New password: 
Retype new password: 
passwd: Authentication token manipulation error

Example 3: Create a New User

# useradd thegeekdiary
useradd: cannot lock /etc/passwd; try again later.

As you can see above, we are unable to perform tasks such as creating a new user, setting a password for a user, or creating a new group. Creating a user or setting a password updates the /etc/passwd and /etc/shadow files, which is not possible here because we set the attribute on the /etc directory: the tools cannot create their lock files in it, as the “cannot lock” messages show.

Note: Here I set the attribute on the complete /etc directory only as an example. You can set file attributes as per your need. For example, if you just want to control user and group management, you don’t need to set the attribute on the complete /etc directory; you can set it only on /etc/passwd and /etc/shadow, and for groups on /etc/group. If you want to control the filesystem table, set the attribute on /etc/fstab, and so on.

Now let’s take another example and unmount a filesystem. Refer to the sample output below.
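As an added example (not part of the original article), the shell script below checks lsattr output against a baseline of required flags, such as the files named in the note above, and also covers the append-only a flag described later in this post. The baseline, the sample listing and the path /var/log/app.log are constructed for illustration.

```shell
# Added example. Constructed sample in the format `lsattr -d FILE...` prints.
SAMPLE_LSATTR='----i--------e- /etc/passwd
----i--------e- /etc/shadow
-------------e- /etc/group
----------I--e- /etc
-----a-------e- /var/log/app.log'

# Hypothetical baseline: one "<required flag> <path>" pair per line.
BASELINE='i /etc/passwd
i /etc/shadow
i /etc/group
i /etc/fstab
i /etc
a /var/log/app.log'

# flags_for PATH LSATTR_TEXT: print PATH's flag field; return 1 if PATH is absent.
flags_for() {
    while read -r ff_flags ff_path; do
        if [ "$ff_path" = "$1" ]; then
            printf '%s\n' "$ff_flags"
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# audit_attrs BASELINE LSATTR_TEXT: print findings; return 0 only if all comply.
audit_attrs() {
    aa_rc=0
    while read -r aa_need aa_path; do
        [ -n "$aa_need" ] || continue
        if ! aa_flags=$(flags_for "$aa_path" "$2"); then
            echo "MISSING $aa_path"; aa_rc=1; continue
        fi
        case $aa_flags in
            *"$aa_need"*) ;;  # case-sensitive: "I" does not satisfy "i"
            *) echo "DRIFT $aa_path lacks $aa_need ($aa_flags)"; aa_rc=1 ;;
        esac
    done <<EOF
$1
EOF
    return $aa_rc
}

audit_attrs "$BASELINE" "$SAMPLE_LSATTR" || echo "attribute drift detected"
```

On a real system, pass the output of lsattr -d for the baseline paths as the second argument instead of the constructed sample.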

Example 4: Unmount a File System

# umount /media/       # Unmounting a File System
can't create lock file /etc/mtab~2762: Permission denied (use -n flag to override)

We are also unable to unmount a filesystem. To perform all of the above tasks, we have to unset the attribute that we applied to the /etc directory.

Unset attribute by using chattr command

We can unset the attribute by using the chattr command with the -i option.

# chattr -Vi /etc/         # Removing Attributes from directory
chattr 1.41.12 (17-May-2010)
Flags of /etc/ set as ----------I--e-

Allow to append a File using chattr command

You can make a file append-only by using the chattr command with the +a option. With this attribute set, you can only append data to the file; you cannot delete or move it.

Here I am allowing users to append data to the thegeekdiary.txt file.

# chattr +a thegeekdiary.txt         # Setting +a Attribute

To check the applied attribute, use the command below. You will notice an a in the attribute field.

# lsattr thegeekdiary.txt 
-----a-------e- thegeekdiary.txt

As you can see below, we are able to view the content of the file.

# cat thegeekdiary.txt 
Welcome to thegeekdiary.com

Now let’s try to append some data to the file.

# cat >> thegeekdiary.txt      # Writing some data
Here you will get Linux Tutorials

# Now confirm the same by using cat command

# cat thegeekdiary.txt 
Welcome to thegeekdiary.com
Here you will get Linux Tutorials

So we can successfully append data to thegeekdiary.txt. Now let’s try to delete the file.

# rm thegeekdiary.txt        # Deleting the File
rm: remove regular file `thegeekdiary.txt'? y
rm: cannot remove `thegeekdiary.txt': Operation not permitted
# rm -rf thegeekdiary.txt        # Deleting the File Forcefully
rm: cannot remove `thegeekdiary.txt': Operation not permitted

For more information about the chattr command, you can use the commands below on your Linux system.

# man chattr
# man lsattr

Have a look at some useful chattr command options:

  • +i – A file with the i attribute cannot be deleted, moved or renamed; in short, it cannot be modified.
  • -i – Removes the i attribute from the file.
  • -V – Shows verbose output.
  • +a – Only allows data to be appended to the file; the file cannot be deleted or moved.