Lesson 54: chattr Command
In this lesson, you'll learn how to use the chattr command to set and unset file attributes to protect important files from accidental deletion or modification in Linux.
chattr (Change Attribute) is a command-line Linux utility that is used to set/unset certain attributes to a file in a Linux system to secure accidental deletion or modification of important files and folders, even though you are logged in as a root user.
In Linux native filesystems such as ext2, ext3, ext4, btrfs, etc., all the flags are supported, though all the flags won't support all non-native filesystems.
One cannot delete or modify a file/folder once attributes are set with the chattr command, even though one has full permissions on it.
This is very useful to set attributes in system files, like passwd and shadow files wherein the user's info is contained.
chattr Command Syntax
The syntax of the chattr command is as follows:
# chattr [OPERATOR] [FLAGS] [FILENAME]
Attributes and Flags
The following is the list of common attributes and associated flags that can be set/unset using the chattr command:
| Flag | Description |
|---|---|
A |
If a file is accessed with the A attribute set, its atime record is not updated |
S |
If a file is modified with the S attribute set, the changes are updated synchronously on the disk |
a |
A file set with the a attribute can only be opened in append mode for writing |
i |
A file set with the i attribute cannot be modified (immutable) β no renaming, no symbolic link creation, no execution, no writable; only the superuser can unset the attribute |
j |
A file set with the j attribute has all its information updated in the ext3 journal before being updated in the file itself |
t |
A file set with a t attribute has no tail-merging |
d |
A file with the d attribute will no longer be a candidate for backup when the dump process is run |
u |
When a file with the u attribute is deleted, its data is saved β this enables the user to ask for its undeletion |
Operators
| Operator | Description |
|---|---|
+ |
Adds the attribute to the existing attributes of the file |
- |
Removes the attribute from the existing attributes of the file |
= |
Keeps only the specified attributes and clears all others |
Let's now demonstrate some of the chattr command examples to set/unset attributes to files and folders.
1. Add Attributes to Secure Files from Deletion
For demonstration purposes, we've used the folder demo and the file important_file.conf.
Before setting up attributes, make sure to verify that the existing files do not have any attributes set using the ls -l command.
[root@tecmint tecmint]# ls -l
total 0
drwxr-xr-x. 2 root root 6 Aug 31 18:02 demo
-rwxrwxrwx. 1 root root 0 Aug 31 17:42 important_file.conf
Currently, no attributes are set. To set attributes, we use the + sign, and to unset, we use the - sign with the chattr command.
So, let's set an immutable bit on the files with +i flags to prevent anyone from deleting a file even a root user doesn't have permission to delete it.
[root@tecmint tecmint]# chattr +i demo/
[root@tecmint tecmint]# chattr +i important_file.conf
Note: The immutable bit +i can only be set by a superuser (i.e., root) user or a user with sudo privileges.
After setting the immutable bit, let's verify the attribute with the lsattr command.
[root@tecmint tecmint]# lsattr
----i----------- ./demo
----i----------- ./important_file.conf
Now, try to delete, rename, or change the permissions, it won't be allowed and will say "Operation not permitted".