Linux file attributes and directories

In Linux you can assign attributes to files, which lets you raise the security level. For example, you can protect a file so that it cannot be removed.

To view the attributes of a file:

[root@tester1 prueba]# lsattr
-------------e- ./fich.txt
-------------e- ./fich2.txt

Attributes are modified with the chattr command:

chattr [ -RVf ] [ -v version ] [ mode ] files...

For complete documentation, the best resource is the man page. The attributes I find most interesting are:

  • a: append-only. The file cannot be deleted; data can only be appended to it.
  • i: immutable. The file cannot be deleted or modified, and hard links to it cannot be created.

To enable an attribute, prefix it with “+”; to disable it, prefix it with “-”.

For example, to prevent a file from being deleted while still allowing appends:

[root@tester1 prueba]# ls -l
total 24
-rw-r-xr--. 1 root root 9376 mar 6 16:50 fich2.txt
-rw-r-xr--. 1 root root 9376 mar 6 16:51 fich.txt
[root@tester1 prueba]# lsattr
-------------e- ./fich.txt
-------------e- ./fich2.txt
[root@tester1 prueba]# chattr +a fich.txt
[root@tester1 prueba]# lsattr
-----a-------e- ./fich.txt
-------------e- ./fich2.txt
[root@tester1 prueba]# rm fich.txt
rm: cannot remove «fich.txt»: Operation not permitted
[root@tester1 prueba]# cat fich2.txt >> fich.txt
[root@tester1 prueba]# ls -l
total 32
-rw-r-xr--. 1 root root 9376 mar 6 16:50 fich2.txt
-rw-r-xr--. 1 root root 18752 mar 6 16:52 fich.txt

To protect a file by making it immutable:

[root@tester1 prueba]# chattr -a fich.txt
[root@tester1 prueba]# lsattr
-------------e- ./fich.txt
-------------e- ./fich2.txt
[root@tester1 prueba]# chattr +i fich.txt
[root@tester1 prueba]# lsattr
----i--------e- ./fich.txt
-------------e- ./fich2.txt
[root@tester1 prueba]# rm fich.txt
rm: cannot remove «fich.txt»: Operation not permitted
[root@tester1 prueba]# cat fich2.txt >> fich.txt
-bash: fich.txt: Permission denied
[root@tester1 prueba]# ln fich.txt lfich.txt
ln: creating hard link «lfich.txt» => «fich.txt»: Operation not permitted
[root@tester1 prueba]# ln -s fich.txt lfich.txt

It is possible to protect entire directories recursively with:

chattr -R +i prueba

I think it is very useful to protect application configuration files.
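To check that every file under a protected directory really carries the expected attribute, the lsattr output can be audited. This is an added example, not part of the original post: the function names missing_attr and sample_lsattr are made up for illustration, and the sample lines are the lsattr output shown above.

```shell
#!/bin/sh
# Added example: report files that do NOT carry a required attribute,
# based on `lsattr` output read from stdin.

# sample_lsattr: the lsattr output from the immutable example above,
# embedded here so the script runs without root or a real ext filesystem.
sample_lsattr() {
    printf '%s\n' \
        '----i--------e- ./fich.txt' \
        '-------------e- ./fich2.txt'
}

# missing_attr FLAG
#   Prints the path of every file whose attribute field lacks FLAG.
#   Returns 1 if at least one file is missing it, 0 otherwise.
missing_attr() {
    flag=$1
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue           # blank separator lines (lsattr -R)
        attrs=${line%% *}                    # field before the first space
        path=${line#* }                      # the rest; may contain spaces
        case $attrs in
            *[!A-Za-z-]*) continue ;;        # "./dir:" headers from lsattr -R
        esac
        case $attrs in
            *"$flag"*) ;;                    # attribute present
            *) printf '%s\n' "$path"; status=1 ;;
        esac
    done
    return $status
}

# Demo on the embedded sample: prints ./fich2.txt, which is not immutable.
sample_lsattr | missing_attr i || echo "files listed above lack +i" >&2

# Real use (the directory name is a placeholder):
#   lsattr -R /path/to/app/conf 2>/dev/null | missing_attr i
```

Run from cron or a monitoring job, a non-zero exit status signals that a file has lost its protection or was added without it.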
