
One of the key reasons Linux is gaining traction in the corporate world is its robust security features. Consider a scenario where you have a sensitive file on your system that must not be tampered with—whether by deletion, renaming, or content modification. As a System Administrator, it is your responsibility to ensure that this file remains secure from unauthorized changes by other users.
Even if a user has full permissions (read, write, execute) on the file, Linux allows you to set specific attributes that render the file immutable. Once this attribute is applied, not even the root user can modify the file until the attribute is removed, which itself requires root privileges. This protects the file's integrity against accidental or unauthorized changes.
chattr is the command used to set attributes on files and directories. It takes flags (A, a, S, i, u, d, t, j) and operators (=, +, -).
Command syntax
chattr [operator][flag] filename
To list the attributes of a file, we use lsattr.
Below are descriptions of some attributes and their associated flags.
Attribute | Flag | Description |
No atime updates | A | The file's atime record is not modified. This avoids a certain amount of disk I/O. |
Append only | a | You can only append text to the file. This attribute is very useful as a means of keeping records: text can be added to the file but not deleted. |
No copy-on-write (CoW) | C | The file is not subject to copy-on-write updates. Updates to these files may not be subject to atomic snapshots, and may lack some reliability information on some filesystems and kernels. |
No dump | d | The file is not backed up when the dump program is run. |
Immutable | i | A file with the “i” attribute cannot be modified. It cannot be deleted, renamed, appended to, moved to a different location or linked to. This is the most used attribute for protecting sensitive files. |
Synchronous update | S | Changes to this file are written synchronously to disk; this is equivalent to the sync mount option applied to a subset of files. |
Undeletable | u | When a file with the u attribute is deleted, its contents are saved, which allows the user to ask for its undeletion. |
Note: Not all flags are supported by all file systems. This tutorial focuses on the “a” and “i” flags, which are supported on all file system types.
Operators
- + to add or set an attribute
- - to remove an attribute
- = to remove all attributes on the file, or to keep only the attributes listed after it
Man page of chattr
# man chattr

How to use the chattr and lsattr command
Setting attributes
We will learn how to use the a and i flags effectively.
“a” flag
This flag sets the append-only attribute on the file. This means that no user can delete or rearrange the content of the file. The only option the user has is to append new text to the file. This is very useful when you want to keep track of certain data: the previous data can never be deleted, but you can add new lines of data to the file.
This command sets the attribute:
# chattr +a file

Use this command to list the attributes on the file:
# lsattr file

The append-only attribute can also be set on a directory. With the -R option, all files in that directory receive the attribute as well. No file in that directory can be deleted, but new files can be created.
# chattr -R +a dir/

“i” flag
This is the most used attribute, as it really helps keep files safe and secure. When the immutable attribute is set, the file cannot be deleted, renamed, moved, linked to or appended to.
One practical use of this attribute is setting it on the /etc/passwd and /etc/shadow files to protect user information from unwanted modification. While the attribute is set, tools such as passwd and useradd cannot update these files either, so it has to be removed before making legitimate account changes.
This command sets the attribute:
# chattr +i file

This attribute can also be set on directories to protect the contents of the directory:
# chattr +i dir/

Removing attributes
To remove an attribute from a file, we use the “-” operator. This removes only the specified attribute. To remove all attributes from a file and return it to its original state, we use the “=” operator.
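An added example, not part of the original tutorial: a small POSIX shell audit that parses lsattr output and reports files that lack an expected attribute, such as the immutable flag on /etc/passwd and /etc/shadow. The function names and the sample lsattr lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit lsattr output for files missing an expected attribute.

# Constructed sample of `lsattr` output (flags field, then path).
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
-----a--------e------- /var/log/audit trail.log
----ia--------e------- /etc/sudoers'

# missing_attr FLAG: read lsattr-style lines on stdin and print every
# path whose flags field does not contain FLAG (for example i or a).
missing_attr() {
    flag=$1
    while read -r flags path; do
        # Skip blank lines and anything that is not a flags field.
        [ -n "$path" ] || continue
        case $flags in *[!A-Za-z-]*) continue ;; esac
        case $flags in
            *"$flag"*) ;;                    # attribute present
            *) printf '%s\n' "$path" ;;      # attribute missing
        esac
    done
}

# audit_files FLAG FILE...: run lsattr on real files (-d lists a
# directory itself rather than its contents). A file counts as
# unprotected if FLAG is absent or lsattr cannot read its attributes.
audit_files() {
    flag=$1; shift; rc=0
    for f in "$@"; do
        line=$(lsattr -d "$f" 2>/dev/null) || line=
        if [ -z "$line" ] ||
           [ -n "$(printf '%s\n' "$line" | missing_attr "$flag")" ]; then
            printf 'not protected with +%s: %s\n' "$flag" "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample; on a real system use e.g.
#   audit_files i /etc/passwd /etc/shadow
printf '%s\n' "$SAMPLE_LSATTR" | missing_attr i
```

Run from cron or a monitoring job, a non-zero return from audit_files signals that a file expected to be immutable or append-only has lost its attribute.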

Conclusion
I hope this tutorial has helped you understand how important the chattr command is. Setting attributes on files is a must-know practice for every Linux administrator. Assign these attributes to your files to protect them.