Changing the File Attributes

This page explains how to use chattr to keep important system files secure. The attributes it sets were introduced with ext2 and ext3; current kernels also honour them on ext4, XFS, btrfs and some other filesystems, but not everywhere (vfat and most network filesystems have no equivalent), so run lsattr on the target partition first to confirm the flags are supported there.


chattr [options] mode files

Modify file attributes. Originally specific to the Linux second and third extended filesystems (ext2 and ext3); the same attributes are now supported on ext4 and several other filesystems. Behaves similarly to symbolic chmod, using +, -, and =. mode is in the form opcode attribute (for example +i or -a). See also lsattr.


-R Modify directories and their contents recursively.

-V Be verbose: print the attributes of each file after changing them (and the chattr version).

-v version Set the file's version (generation) number.


+ Add attribute.

- Remove attribute.

= Assign attributes exactly (clearing any attribute not listed).


A --> Don't update the access time (atime) when the file is read.

a --> Append only: the file can be opened for writing only in append mode, and it cannot be deleted or renamed. Only a process with the CAP_LINUX_IMMUTABLE capability (normally root) can set or clear it.

c --> Compressed: the filesystem stores the file compressed. Not implemented by ext2, ext3 or ext4; honoured by btrfs.

d --> No dump: dump(8) skips the file when backing up.

i --> Immutable: the file cannot be modified, deleted, renamed or hard-linked, and cannot be opened for writing, even by root. Only a process with CAP_LINUX_IMMUTABLE can set or clear it.

j --> Journalled data: on ext3 (and ext4) mounted with data=ordered or data=writeback, the file's data, not just its metadata, is written to the journal before the file itself. With data=journal this already happens for every file, so the attribute has no effect there.

S --> Synchronous updates: writes to the file are committed to disk synchronously, as if the filesystem were mounted with the sync option.

s --> Secure deletion: the file's blocks are zeroed and written back when it is deleted. This flag is not implemented by ext2, ext3 or ext4 in mainline kernels, so on those filesystems it gives no guarantee that the contents are unrecoverable; overwrite the data explicitly or rely on disk encryption instead.

u --> Undeletable: the contents are kept after deletion so the file can be undeleted. Like s, this is not implemented by ext2, ext3 or ext4 in mainline kernels.

Examples of using chattr and lsattr

// Set the immutable bit on a file so it cannot be changed, renamed, linked or removed

# chattr +i myfile
# lsattr myfile
----i-------- myfile

// Test the immutable flag by attempting to delete the file (as root)

# rm myfile
rm: cannot remove `myfile': Operation not permitted

// Set myfile to append-only (on a fresh file, or after clearing +i with chattr -i);
// the file may now be opened for writing only in append mode

# chattr +a myfile
# lsattr myfile
-----a------- myfile
# echo testing > myfile
myfile: Operation not permitted
# echo testing >> myfile
// no error: > (open with truncation) is refused, >> (open for append) is allowed

In some cases this is a useful way to keep important files safe from deletion. Remember that even root cannot delete or modify a file that is immutable or append-only without first removing the attribute, and that only a process holding CAP_LINUX_IMMUTABLE can remove it. Setting +i on /etc/passwd and /etc/shadow protects them from an accidental rm -f and stops an exploited process that has write access to those files but lacks that capability from adding accounts. It does not stop an attacker who already has full root, who can simply run chattr -i first, so treat the flags as one layer and have your integrity monitoring check them (lsattr -d /etc/passwd /etc/shadow) rather than trusting them blindly. Be aware of the operational cost too: passwd, useradd, vipw and similar tools rewrite these files through a temporary file and rename, which the immutable flag refuses, so they fail until the flag is cleared. Keeping other files append-only, typically log files, means data already written cannot be altered or truncated, although log rotation must clear the flag before renaming the file, and an attacker can still append misleading entries.
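The audit-and-edit workflow described above (check which protected files actually carry the flag, and change an immutable file without leaving it unprotected) is easy to script. The following is an added example, not code from the original page. It assumes lsattr and chattr from e2fsprogs, a filesystem that honours the flags, and root (CAP_LINUX_IMMUTABLE) for the two chattr calls in edit_immutable; the parsing and reporting functions need neither, and the lsattr lines in SAMPLE are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original page: audit which files carry the
# immutable (i) or append-only (a) attribute, and change an immutable file
# without leaving it unprotected. Assumes lsattr/chattr from e2fsprogs, a
# filesystem that honours the flags (ext2/3/4, XFS, btrfs ...) and root
# (CAP_LINUX_IMMUTABLE) for the chattr calls; the parsing needs neither.

# Attribute letters of one lsattr output line, e.g.
#   "----i-------- /etc/passwd"  ->  "i"
# Older e2fsprogs print 13 attribute columns, newer ones more, and ext4 files
# usually also show 'e' (extents); stripping the '-' placeholders from the
# first field handles all of these.
attr_letters() {
    printf '%s\n' "$1" | awk '{ gsub(/-/, "", $1); print $1 }'
}

# Succeed if the lsattr line carries the given attribute letter.
has_attr() {
    case "$(attr_letters "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Read lsattr output on stdin and print every path that lacks the attribute
# given as $1 (default: i). Typical use, as root:
#   lsattr -d /etc/passwd /etc/shadow /etc/group | report_missing i
report_missing() {
    want=${1:-i}
    while IFS= read -r line; do
        has_attr "$line" "$want" || printf '%s\n' "${line#* }"
    done
}

# Drop +i, run the given command, and restore +i even if the command fails.
# passwd(1), useradd(8), vipw(8) and most editors replace the file via a
# temporary file and rename(2), which the immutable flag refuses, so the
# file must be unlocked for exactly the duration of the change.
#   edit_immutable /etc/passwd useradd -m alice
edit_immutable() {
    target=$1; shift
    chattr -i "$target" || return 1
    if "$@"; then rc=0; else rc=$?; fi
    chattr +i "$target" || return 1
    return $rc
}

# Constructed lsattr lines (not captured from a real host) so the audit can
# be tried without root or a supporting filesystem.
SAMPLE='----i-------- /etc/passwd
-----a------- /var/log/secure
------------- /etc/shadow'

# Stand-alone demo: which of the sample files are not immutable?
printf '%s\n' "$SAMPLE" | report_missing i
```

Run as root, `lsattr -d /etc/passwd /etc/shadow /etc/group | report_missing i` gives a list that can be fed straight into an integrity-monitoring check; an empty list means every file still has the flag. Because edit_immutable restores +i on the failure path as well, a failed useradd does not leave /etc/passwd writable.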


