Protecting files/directories even from the root user with “chattr” January 22, 2011

Posted by Tournas Dimitrios in Linux.

Here is a cool tip on how you can make files on your system immutable. By immutable, I mean that not even root can delete, rename or overwrite the file while the attribute is set: root first has to clear the attribute again. Linux ships with a tool called chattr (part of e2fsprogs) for this purpose. chattr is similar to the DOS ‘attrib’ tool but much more powerful and flexible. Keep in mind that this is a guard against accidents and careless scripts rather than a hard security boundary: anyone running as root (more precisely, any process holding the CAP_LINUX_IMMUTABLE capability) can run chattr -i and then change the file. Attackers use the same trick in reverse to pin their own modifications in place, so an unexpected “Operation not permitted” while working as root is worth a look with lsattr.
To make your file (test_file) immutable: chattr +i test_file
To make it writable again: chattr -i test_file

chattr can be used to set or clear many more file attributes. The table below lists the attributes chattr knows about:

The syntax of chattr is: chattr [+|-|=][ASacDdIijsTtu] file_or_dir_name (+ adds the listed attributes, - removes them, = sets exactly the listed attributes and clears the rest).

To list the attributes of a file, use the command “lsattr filename”.

Attributes that chattr can set (+) or clear (-):
A: When a file with the ‘A’ attribute set is accessed, its access time (atime) is not updated.
a: A file with the ‘a’ attribute set can only be opened in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
c: A file with the ‘c’ attribute set is automatically compressed on the disk by the kernel. A read from this file returns uncompressed data. A write to this file compresses the data before storing it on the disk.
D: When a directory with the ‘D’ attribute set is modified, the changes are written synchronously to the disk; this is equivalent to the ‘dirsync’ mount option applied to a subset of the files.
d: A file with the ‘d’ attribute set is not a candidate for backup when the dump(8) program is run.
E: The ‘E’ attribute is used by the experimental compression patches to indicate that a compressed file has a compression error. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
I: The ‘I’ attribute is used by the htree code to indicate that a directory is being indexed using hashed trees. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
i: A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
j: A file with the ‘j’ attribute has all of its data written to the ext3 journal before being written to the file itself, if the filesystem is mounted with the “data=ordered” or “data=writeback” options. When the filesystem is mounted with the “data=journal” option all file data is already journalled and this attribute has no effect. Only the superuser or a process possessing the CAP_SYS_RESOURCE capability can set or clear this attribute.
s: When a file with the ‘s’ attribute set is deleted, its blocks are zeroed and written back to the disk.
S: When a file with the ‘S’ attribute set is modified, the changes are written synchronously to the disk; this is equivalent to the ‘sync’ mount option applied to a subset of the files.
T: A directory with the ‘T’ attribute will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator (which is used on systems with Linux 2.5.46 or later).
t: A file with the ‘t’ attribute will not have a partial block fragment at the end of the file merged with other files (for those filesystems which support tail-merging). This is necessary for applications such as LILO which read the filesystem directly and do not understand tail-merged files.
u: When a file with the ‘u’ attribute set is deleted, its contents are saved. This allows the user to ask for its undeletion.
X: The ‘X’ attribute is used by the experimental compression patches to indicate that the raw contents of a compressed file can be accessed directly. It currently may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
Z: The ‘Z’ attribute is used by the experimental compression patches to indicate that a compressed file is dirty. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

Note: the ‘c’, ‘s’ and ‘u’ attributes are not honoured by the ext2, ext3 and ext4 filesystems in mainline Linux kernels. chattr will set them and lsattr will display them, but the kernel ignores them, so in particular do not rely on ‘s’ for secure deletion.
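The following script is an added example and not code from the original post. It ties together the two things described above: it shows what +i does to root on a scratch file, and it parses lsattr output to find every file in a tree that carries the ‘i’ or ‘a’ attribute, which is the check you want when a file you are trying to change as root answers “Operation not permitted”. The lsattr output embedded in the script is constructed for the example, not captured from a real system, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree for files
# carrying the 'i' (immutable) or 'a' (append-only) attribute, and show what
# +i actually does to root. Intruders use chattr +i to pin tampered files such
# as /etc/ld.so.preload or a crontab in place; the symptom an admin sees is
# "Operation not permitted" even as root, and lsattr is how you confirm it.

# lsattr prints "<flags> <path>" per file; lsattr -R also prints "<dir>:"
# header lines. Given such lines on stdin, print "immutable <path>" or
# "append-only <path>" for every entry whose flag string contains 'i' or 'a'.
# The flag string never contains spaces, so the path is everything after the
# first space (paths with spaces are therefore handled correctly).
locked_from_lsattr() {
    while IFS= read -r line; do
        case "$line" in
            *' '*) ;;          # "<flags> <path>" line: keep going
            *) continue ;;     # "<dir>:" header or blank line: skip
        esac
        flags=${line%% *}
        path=${line#* }
        case "$flags" in *i*) printf 'immutable %s\n' "$path" ;; esac
        case "$flags" in *a*) printf 'append-only %s\n' "$path" ;; esac
    done
}

# Constructed sample of lsattr -R output (not captured from a real system),
# so the parser can be exercised offline.
SAMPLE_LSATTR='/etc:
-------------e-- /etc/hostname
----i--------e-- /etc/ld.so.preload
-------------e-- /etc/passwd
/var/log/audit:
-----a-------e-- /var/log/audit/audit.log'

# Number of locked entries found in the sample (2: ld.so.preload, audit.log).
count_locked_in_sample() {
    printf '%s\n' "$SAMPLE_LSATTR" | locked_from_lsattr | wc -l | tr -d ' '
}

# Live audit of a real tree. Works unprivileged on readable directories;
# compare the output against what you expect to be locked on that host.
audit_tree() {
    lsattr -R "$1" 2>/dev/null | locked_from_lsattr
}

# Show the attribute in action on a scratch file. Needs CAP_LINUX_IMMUTABLE
# (normally root) and a filesystem that supports chattr; prints "skipped"
# otherwise, and "removed-after-clearing" when the demonstration ran.
demo_immutable() {
    f=$(mktemp) || return 1
    if ! chattr +i "$f" 2>/dev/null; then
        rm -f "$f"
        echo skipped
        return 0
    fi
    if rm -f "$f" 2>/dev/null; then        # must fail: the file is immutable
        echo "unexpected: immutable file was deleted"
        return 1
    fi
    chattr -i "$f"                         # root has to clear the flag first
    rm -f "$f"
    echo removed-after-clearing
}

# Usage: sh audit_chattr.sh /etc   (hypothetical file name)
if [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

Run it against /etc, /var/spool/cron and the home directories of privileged accounts and check every hit against what you deliberately locked; an immutable authorized_keys, ld.so.preload or crontab that you did not set yourself is a finding. Because root can always clear the flag, this is an audit of intent, not of proof: it tells you which files someone wanted to protect from casual change.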
