
    How to Make Important Files Immutable (Unchangeable) in Linux

    With the help of the Linux command-line tool chattr (change attribute), you can protect crucial files and folders from being accidentally deleted or altered, even when you are logged in as the root user.

    Syntax of chattr

    # chattr [operator] [flags] [filename]

    Flags

    The following common attributes and their associated flags can be set or unset using the chattr command.

    1. no atime updates (A): When a file with the 'A' attribute set is accessed, its atime record is not updated.
    2. append only (a): A file with the 'a' attribute set can only be opened in append mode for writing.
    3. immutable (i): A file with the 'i' attribute set cannot be modified (immutable). This means no renaming, no symbolic link creation, no execution and no writing; only the superuser can unset the attribute.
    4. data journalling (j): When a file has the 'j' attribute set, all of its data is written to the ext3 journal before being written to the file itself. The 'j' option is only useful if the filesystem is mounted as ext3 or ext4.
    5. no tail-merging (t): A file with the 't' attribute set is not tail-merged.
    6. no dump (d): A file with the 'd' attribute set is no longer a candidate for backup when the dump process is run.
    7. undeletable (u): When a file with the 'u' attribute set is deleted, its data is saved. This enables the user to ask for its undeletion.
    8. synchronous updates (S): When a file with the 'S' attribute set is modified, the changes are written synchronously to the disk.
    9. compressed (c): A file with the 'c' attribute set is automatically compressed on the disk by the kernel.
    10. no copy on write (C): A file with the 'C' attribute set will not be subject to copy-on-write updates. This flag is only supported on file systems which perform copy-on-write.

    Operator

    • The operator '+' causes the selected attributes to be added to the existing attributes of the files.
    • The operator '-' causes them to be removed.
    • The operator '=' causes them to be the only attributes that the files have.

    Here, we'll go through a few chattr command examples for setting and unsetting attributes on files and folders.

    1. How to secure files from deletion by adding attributes

    We use the folder demo and the file file.txt for demonstration purposes. Before setting any attributes, use the lsattr command to check whether the existing files already have attributes set.

    [root@devopszones devopszones]#lsattr
    ---------------- ./demo
    ---------------- ./file.txt
    [root@devopszones devopszones]#

    With the chattr command, we use the + sign to set an attribute and the - sign to unset it. To prevent anyone, even the root user, from deleting a file, let's set the immutable bit on the files using the +i flag.

    [root@devopszones devopszones]#chattr +i demo
    [root@devopszones devopszones]#chattr +i file.txt

    After setting the immutable bit, let's verify the attribute with the lsattr command.

    [root@devopszones devopszones]#lsattr
    ----i----------- ./demo
    ----i----------- ./file.txt
    [root@devopszones devopszones]#
    

    Now try to forcefully delete the folder, rename it or change its permissions. None of these is allowed; each attempt fails with "Operation not permitted".

    [root@devopszones devopszones]#rm -rf demo/
    rm: cannot remove ‘demo/’: Operation not permitted
    [root@devopszones devopszones]#
    
    [root@devopszones devopszones]#mv demo/ /tmp/
    mv: cannot move ‘demo/’ to ‘/tmp/demo’: Operation not permitted
    [root@devopszones devopszones]#
    
    [root@devopszones devopszones]#chmod 777 demo/
    chmod: changing permissions of ‘demo/’: Operation not permitted
    [root@devopszones devopszones]#

    2. How to unset attributes from files 

    In the example above, we saw how to set attributes to secure files and guard against inadvertent deletion. Now we will see how to unset the attribute with the -i flag and make a file changeable again.

    [root@devopszones devopszones]#chattr -i demo/ file.txt
    [root@devopszones devopszones]#
    

    After resetting the attribute, verify the immutable status of the files using the lsattr command.

    [root@devopszones devopszones]#lsattr
    ---------------- ./demo
    ---------------- ./file.txt
    [root@devopszones devopszones]#
    

    You can see in the above results that the 'i' flag has been removed, which means you can safely remove all the files and folders that reside in the tecmint folder.

    [root@devopszones devopszones]#ls -la
    total 16
    drwx------   2 root root     6 Nov 23 14:41 .
    drwxrwxrwt. 78 root root 12288 Nov 23 14:40 ..
    [root@devopszones devopszones]#

    3. How to Secure passwd and shadow file

    Setting the immutable attribute on /etc/passwd or /etc/shadow secures them against accidental removal or tampering, and it also disables user account creation.

    [root@devopszones devopszones]# chattr +i /etc/passwd
    [root@devopszones devopszones]# chattr +i /etc/shadow
