Best chattr command to change File Attributes – Making Important Files Immutable
In this article, we are going to discuss how to use chattr command to change file attributes in Linux and make the important files immutable. chattr stands for Change Attribute. chattr command is a very nice and useful tool in Linux that is used to change file attributes and has the ability to make the file immutable. Immutable means once I set the attribute for some file by using chattr command then you will not be able to move the file, Delete the file, create a link of the file and edit the file even if you have full access to that file. root user also cannot do any changes to that file till the attribute is applied. you can use chattr command to set and unset the attributes of the file. root user only has access to set or unset attributes of files and directories using chattr command.
Best chattr command to change File Attributes – Making Important Files Immutable
So let’s have a look at some examples of chattr command to change File Attributes
Set “i” Attribute to a File
Suppose I have a file named itsmarttricks.txt which is accessible to everyone, that means any user can come and delete, move or edit that file. Refer to the output below.
[[email protected] ~]# ls -l itsmarttricks.txt -rwxrwxrwx. 1 root root 0 Apr 24 03:59 itsmarttricks.txt # Everyone has full access to "itsmarttricks.txt" [[email protected] ~]# rm itsmarttricks.txt # I am able to delete the file rm: remove regular empty file `itsmarttricks.txt'? y
Now let’s set Attribute to itsmarttricks.txt file using chattr command. To set an attribute we have to use the “+” sign and to unset the attribute we have to use the “–” sign.
[[email protected] ~]# chattr +i itsmarttricks.txt # Setting Attribute to a file
Where :
i – Immutable
You can also use -V option to check the Verbose output while setting the attribute to a file.
[[email protected] ~]# chattr -V +i itsmarttricks.txt # Setting attribute to a file with -V chattr 1.41.12 (17-May-2010) Flags of itsmarttricks.txt set as ----i--------e-
So we set the attribute to the file itsmarttricks.txt. to confirm the same you can use lsattr command. Refer to the sample output below. You will notice i (Highlighted in Red color) on the permission section of the file.
[[email protected] ~]# lsattr itsmarttricks.txt # confirm if attribute set or not ----i--------e- itsmarttricks.txt
Now let’s try to remove, delete, Move and change the permission of the file and I am sure you can’t do anyone of that.
- Remove the File
[[email protected] ~]# rm itsmarttricks.txt # Removing the File rm: remove regular empty file `itsmarttricks.txt'? y rm: cannot remove `itsmarttricks.txt': Operation not permitted # You can also try to remove the file forcefully. [[email protected] ~]# rm -rf itsmarttricks.txt # Removing the file forcefully rm: cannot remove `itsmarttricks.txt': Operation not permitted
- Move the File
[[email protected] ~]# mv itsmarttricks.txt test.txt # Move the file mv: cannot move `itsmarttricks.txt' to `test.txt': Operation not permitted
- Edit the File
[[email protected] ~]# cat >> itsmarttricks.txt bash: itsmarttricks.txt: Permission denied
- Change Permission of the File
[[email protected] ~]# chmod 755 itsmarttricks.txt chmod: changing permissions of `itsmarttricks.txt': Operation not permitted
As you can see from all the above examples we are unable to do any changes to that file.
To Remove “i” attribute use the below command.
[[email protected] ~]# chattr -i itsmarttricks.txt # Unset "i" attribute
After removing the attribute you will see the permission section will become blank.
[[email protected] ~]# lsattr itsmarttricks.txt --------------- itsmarttricks.txt
Now let’s try to Secure a directory by changing its attribute recursively using chattr command.
Here I have a directory named data and everyone has full access to that directory recursively. Refer to the sample output below.
[[email protected] office]# mkdir data [[email protected] office]# chmod -R 777 data/ [[email protected] office]# ls -l total 4 drwxrwxrwx. 2 root root 4096 Apr 24 04:25 data
Now set the attribute to that directory.
[[email protected] office]# chattr +i data/ [[email protected] office]# lsattr ----i--------e- ./data # You can also set attribute Recursively using -R option with chattr. [[email protected] office]# chattr -R +i data/
After setting the attribute to the directory now try to delete, move or create a file, I am sure you will not be allowed to do any one of that. Refer to the sample output below.
[[email protected] office]# rmdir data/ # Deleting the Directory rmdir: failed to remove `data/': Operation not permitted [[email protected] office]# rm -rf data/ # Deletiing the Directory Forcefully rm: cannot remove `data': Operation not permitted [[email protected] ~]# mv data/ mydata # Moving the Directory mv: cannot move `data/' to `mydata': Operation not permitted [[email protected] office]# cd data/ [[email protected] data]# cat > test.txt # Creating a File in the directory bash: test.txt: Permission denied
Where we can actually make use of chattr command?
Let’s take an example: As a Linux administrator obviously you don’t want anyone to access your configuration files, make changes on any files or remove any configuration files, or do any misuse of it. It’s your responsibility to make it secure and keep safe from the wrong hand who don’t have the authorization to access it. We can secure all configuration stuff by using chattr command.
In Linux, all configuration files are stored in /etc directory. If we set attribute to /etc directory then no one can able to access any of your configurations. So let’s do that.
[[email protected] ~]# chattr +i /etc/ # Setting attribute to /etc directory
Now let’s try to do some tasks :
Examples: 1 Create a Group
[[email protected] ~]# groupadd g5 groupadd: cannot lock /etc/group; try again later.
Example: 2 Set password for any User
[[email protected] ~]# passwd michelle Changing password for user michelle. New password: Retype new password: passwd: Authentication token manipulation error
Example : 3 Create a New User
[[email protected] ~]# useradd itsmarttricks useradd: cannot lock /etc/passwd; try again later.
As you can see above we unable to do some tasks like create a new user, set password for any user, create a new group. we can’t do all these tasks because when we create a new user or set a password for any user it updates the /etc/passwd file and /etc/shadow file which is not possible here as we set the attribute for complete /etc directory.
Note: Here I set attributes to complete /etc directory to just explain you as an example. But you can set file attributes as per your need for example if you want to just control user and group management then you don’t need to set the attribute for the complete /etc directory you can set only for /etc/passwd and /etc/shadow and for groups set the attribute for /etc/group. If you want to control Filesystem Table then set the attribute for /etc/fstab and so on.
Now let’s take another example and unmount a filesystem. Refer to the sample output below.
Example: 4 Unmount a File System
[[email protected] ~]# umount /media/ # Unmounting a File System can't create lock file /etc/mtab~2762: Permission denied (use -n flag to override)
We are also unable to unmount a filesystem. To do all the above tasks we have to unset attributes that we have applied for /etc directory.
Unset attribute by using chattr command
We can unset attribute by using chattr command with option -i
[[email protected] ~]# chattr -Vi /etc/ # Removing Attributes from directory chattr 1.41.12 (17-May-2010) Flags of /etc/ set as ----------I--e-
Allow appending a File using chattr command
You can allow a file to append data using chattr command with option +a. By applying this attribute you are only allowed to write data on that file and not allowed to delete and move.
Here I am allowing users to append data on itsmarttricks.txt file.
[[email protected] ~]# chattr +a itsmarttricks.txt # Setting +a Attribute
To check the applied attribute use the below command. You will notice an at permission section.
[[email protected] ~]# lsattr itsmarttricks.txt -----a-------e- itsmarttricks.txt
As you can see below we able to see the content of the file.
[[email protected] ~]# cat itsmarttricks.txt Welcome to itsmarttricks.com
Now let’s try to append some data in the file.
[[email protected] ~]# cat >> itsmarttricks.txt # Writing some data Here you will get Linux Tutorials # Now confirm the same by using cat command [[email protected] ~]# cat itsmarttricks.txt Welcome to itsmarttricks.com Here you will get Linux Tutorials
So we can successfully append data in itsmarttricks.txt. Now let’s try to delete the file.
[[email protected] ~]# rm itsmarttricks.txt # Deleting the File rm: remove regular file `itsmarttricks.txt'? y rm: cannot remove `itsmarttricks.txt': Operation not permitted [[email protected] ~]# rm -rf itsmarttricks.txt # Deleting the File Forcefully rm: cannot remove `itsmarttricks.txt': Operation not permitted
For more information related chattr command, you can use the below commands on your Linux system.
[r[email protected] ~]# man chattr [[email protected] ~]# man lsattr
Have look at some useful chattr command Options :
- +i – A File with +i attribute cannot be deleted, move, rename. in short, cannot be modified.
- -i – This option allows removing the I attribute from the file.
- -V – To see the Verbose output
- -a – By using this attribute will only allow appending data on a file and cannot be deleted or move.
Also Read – Useful RPM Command With Examples In Linux
That’s all, In this article, we have explained the Best chattr command to change File Attributes – Making Important Files Immutable. I hope you enjoy this article. If you like this article, then just share it. If you have any questions about this article, please comment.
