The chattr command in Linux is a file system command used to change the attributes of a file. Its primary use is to protect files from being altered by users other than the superuser. Because Linux is a multi-user operating system, there is a chance that one user deletes a file that matters to another user, say the administrator. To avoid such scenarios, Linux provides ‘chattr’. In short, ‘chattr’ can make a file immutable, undeletable, append-only and more.
In this tutorial, we will discuss this tool using some easy-to-understand examples.
1. Syntax of chattr command
Basically, the chattr command is used to change file attributes on a Linux file system. Following is its syntax:
# chattr [operator] [flags] [filename]
Attributes and Flags
The following is a list of common attributes and associated flags that can be set/unset using the chattr command.
- If a file with the ‘A’ attribute set is accessed, its atime record is not updated.
- If a file with the ‘S’ attribute set is modified, the changes are written synchronously to the disk.
- A file with the ‘a’ attribute set can only be opened in append mode for writing.
- A file with the ‘i’ attribute set cannot be modified (immutable). This means no renaming, no symbolic link creation, no execution and no writing; only the superuser can unset the attribute.
- A file with the ‘j’ attribute set has all of its data written to the ext3 journal before being written to the file itself.
- A file with the ‘t’ attribute set is not tail-merged.
- A file with the ‘d’ attribute set is no longer a candidate for backup when the dump process is run.
- When a file with the ‘u’ attribute set is deleted, its data is saved. This enables the user to ask for its undeletion.
- + : Adds the attribute to the existing attributes of the files.
- - : Removes the attribute from the existing attributes of the files.
- = : Keep the existing attributes that the files have.
Here, we are going to demonstrate some chattr command examples that set/unset attributes on files and folders.
1. How to set file attribute (Set immutable bit)
To set a file attribute we will use the chattr command with the + operator followed by the attribute name.
Let’s check with examples how to set the immutable attribute on a file. Only root or a user with sudo privileges can set and remove the immutable flag on a file.
A file with an immutable attribute:
- Cannot be modified, deleted, renamed
- No soft or hard link can be created by anyone including the root user.
- No data can be written to the file
Let’s create an empty file using touch command as follows:
Now let’s see how to list attributes of the file using lsattr command:
$ lsattr
-------------e-- ./testfile.txt
To set an attribute we use the + sign, and to unset it we use the - sign, with the chattr command. So, let’s set the immutable bit on the file with the +i flag to prevent anyone from deleting it; even the root user doesn’t have permission to delete it.
$ sudo chattr +i testfile.txt
Note: The immutable bit +i can only be set by the superuser (i.e. root) or a user with sudo privileges.
After setting immutable bit, let’s verify the attribute with command ‘lsattr‘.
$ lsattr
----i--------e-- ./testfile.txt
Now try to forcefully delete the file, rename it or change its permissions. None of these is allowed, and the command fails with “Operation not permitted”.
$ rm -f testfile.txt
rm: cannot remove 'testfile.txt': Operation not permitted
2. How to remove attribute (unset) on files
To remove any attribute from a file we have to use the - operator followed by the attribute name.
In the following example, let us unset the immutable attribute from the file (testfile.txt).
$ sudo chattr -i testfile.txt
Let’s verify the attribute:
$ lsattr
-------------e-- ./testfile.txt
You should now be able to do all normal operations on the file.
3. How to secure directories with ‘i’ attribute
In order to secure a directory, we have to set the attribute recursively.
The following command will set the immutable bit on the directory (‘testdir’) recursively:
$ sudo chattr -R +i testdir/
$ lsattr -d testdir/
----i--------e-- testdir/
To unset, you have to use the - operator followed by
$ sudo chattr -R -i testdir/
4. Append data on file without changing existing data
With the a attribute, it is possible to allow everyone to append data to a file without changing or modifying the data already entered.
It means that you can only add content to the file; the data already present cannot be modified.
The following example sets the append attribute on the file (testfile2.txt).
$ sudo chattr +a testfile2.txt
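As an added example (not part of the original tutorial), the shell function below reads lsattr output and lists the files that carry the immutable (i) or append-only (a) attribute, which is useful when auditing which files are locked. The names audit_attrs and sample_listing and the sample listing itself are constructed for this illustration.

```shell
#!/bin/sh
# Added example: report files whose lsattr flags include i or a.
# Reads `lsattr` / `lsattr -R` output on stdin and prints
# "<attribute-name><TAB><path>" for every match.
audit_attrs() {
    awk '
    # A listing line is "<flags> <path>". The flags field holds only
    # letters and dashes and contains at least one dash. Blank lines and
    # the "dir:" headers printed by lsattr -R do not match and are skipped
    # (assumption: header paths start with "./" or "/").
    $1 ~ /^[A-Za-z-]+$/ && $1 ~ /-/ && NF >= 2 {
        flags = $1
        path = $0
        sub(/^[^ ]+ +/, "", path)   # rest of the line, spaces in names kept
        # index() is case-sensitive: "A" (no atime) is not "a" (append).
        if (index(flags, "i")) print "immutable\t" path
        if (index(flags, "a")) print "append-only\t" path
    }'
}

# Constructed sample of `lsattr -R` output, not captured from a real system.
sample_listing() {
    cat <<'EOF'
----i--------e-- ./testfile.txt
-----a-------e-- ./testfile2.txt
-------A-----e-- ./notes.txt
----i--------e-- ./my report.txt
-------------e-- ./plain.txt

./testdir:
----i--------e-- ./testdir/conf.ini
EOF
}

# Demo on the constructed sample; on a real system use for example:
#   sudo lsattr -R /etc 2>/dev/null | audit_attrs
sample_listing | audit_attrs
```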
Now we know how we can protect our files and folders using the chattr command in Linux. I hope you enjoyed reading this tutorial; please leave your suggestions in the comment section below. For more information, please refer to man chattr.