The chattr (change attribute) command in Linux is a powerful tool used to modify the attributes of files on an ext2, ext3, or ext4 filesystem. It allows users to set certain attributes that control how files can be accessed and modified. For example, the +i option can make a file immutable, meaning it cannot be altered, deleted, or renamed, even by the root user, until the immutable attribute is removed. Other attributes include +a, which allows a file to be opened only in append mode, and +c, which marks the file for compression. This command is especially useful for system administrators who need to enforce strict access controls and protect critical system files from accidental or malicious changes. The chattr command must be used with caution, as improper use can restrict access to files in unintended ways.
Prerequisites
- A server running the Linux operating system.
- A root password is configured on the server.
Basic Syntax
The basic syntax of the chattr command is shown below:
chattr [OPTIONS] [OPERATOR][ATTRIBUTES] FILE
A brief explanation of each option is shown below:
- +: Adds the specified attributes to the file.
- -: Removes the specified attributes from the file.
- =: Sets the specified attributes as the only attributes.
- a: The file can only be opened in append mode for writing.
- A: The atime record is not updated.
- c: The file is automatically compressed.
- i: Makes the file immutable, which protects it from modification, renaming and accidental deletion.
- S: File changes are written synchronously on the disk.
Secure File from Accidental Deletion
Protecting important files is a core task for any system administrator. You can use the chattr command to secure a file so that no user can delete, rename or modify it.
For better understanding, create a directory named dir1 and a file named file1 with the following commands:
mkdir dir1
touch file1
Next, list file1 and dir1 with their permissions using the following command:
ls -l
Output:
drwxr-xr-x 2 root root 4096 May 3 11:56 dir1
-rw-r--r-- 1 root root 0 May 3 11:56 file1
Next, set the +i attribute on both dir1 and file1 to prevent anyone from deleting them:
chattr +i dir1
chattr +i file1
Next, list the files again with the following command. ls -l does not display chattr attributes, so its output is unchanged; lsattr is the command that shows the i flag:
ls -l
Output:
drwxr-xr-x 2 root root 4096 May 3 11:56 dir1
-rw-r--r-- 1 root root 0 May 3 11:56 file1
Now, try to delete the file and the directory:
rm -rf file1 dir1
Output:
rm: cannot remove ‘file1’: Operation not permitted
rm: cannot remove ‘dir1’: Operation not permitted
Now, try to rename the file:
mv file1 file2
Output:
mv: cannot move ‘file1’ to ‘file2’: Operation not permitted
Now, try to change the permissions of the file:
chmod 777 file1
Output:
chmod: changing permissions of ‘file1’: Operation not permitted
How to Reset Attribute on Files
You can also use the chattr command to remove the attribute set in the previous step, so that the file can be changed and deleted again.
Use the -i flag to remove the immutable attribute from the file and directory:
chattr -i file1 dir1
You can now verify the attributes of the file and directory with the following command:
lsattr
Output:
-------------e-- ./dir1
-------------e-- ./file1
Allow Appending Data without Modifying Existing Data in a File
If you want to allow users to append data to a file without modifying or replacing its existing content, set the +a attribute on the file.
Let’s create a new file with some content:
echo "Hi How Are You" > newfile.txt
Next, set the +a attribute on the file:
chattr +a newfile.txt
Now, try to replace already existing content:
echo "I am replacing" > newfile.txt
You should get the following error:
bash: newfile.txt: Operation not permitted
Now, try to append new content to the existing file:
echo "This is new content" >> newfile.txt
Now, verify the content of the file:
cat newfile.txt
Output:
Hi How Are You
This is new content
Protect Directories Recursively
You can use the flag -R with +i to protect the directory and sub-directories recursively.
First, create a directory and sub-directories with the following commands:
mkdir -p test/dir1/dir2
mkdir -p test/dir3/dir4
mkdir -p test/dir5/dir6
Now, secure the test directory and all subdirectories with the following command:
chattr -R +i test
Now, try to delete the test directory with all sub-directories:
rm -rf test/
You should get the following error:
rm: cannot remove ‘test/dir1/dir2’: Permission denied
rm: cannot remove ‘test/dir5/dir6’: Permission denied
rm: cannot remove ‘test/dir3/dir4’: Permission denied
Now, remove the attribute from the test directory using the following command:
chattr -R -i test
You are now able to delete the test directory with all sub-directories.
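Because ls -l never shows these flags, a file that lost its +i after maintenance with chattr -i is easy to miss. The script below is an added example, not part of the original guide: it parses lsattr -R output to list immutable and append-only entries and to report files that should be immutable but are not. The function names list_protected and missing_immutable and the sample lsattr text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit chattr flags from `lsattr -R` output read on stdin.

# Print "<kind><TAB><path>" for every entry that is immutable (i) or
# append-only (a). Directory headers ("./dir1:") and blank lines emitted by
# -R are skipped because they do not start with a flag field plus a path.
list_protected() {
  awk 'NF >= 2 && $1 ~ /^[A-Za-z-]+$/ {
         path = $0
         sub(/^[^ ]+ +/, "", path)          # keep spaces inside the path
         if (index($1, "i")) print "immutable\t" path     # case-sensitive: I is not i
         if (index($1, "a")) print "append-only\t" path   # case-sensitive: A is not a
       }'
}

# Print each path given as an argument that is NOT immutable according to the
# lsattr output on stdin. Paths must be spelled as lsattr prints them.
missing_immutable() (
  tab=$(printf '\t')
  report=$(list_protected)
  for p in "$@"; do
    printf '%s\n' "$report" | grep -Fxq "immutable${tab}${p}" || printf '%s\n' "$p"
  done
)

# Constructed sample in the 16-column format shown in this guide (not captured
# from a real host). The last entry has A and I set, which must not match.
SAMPLE_LSATTR='----i--------e-- ./dir1
----i--------e-- ./file1
-----a-------e-- ./newfile.txt
-------------e-- ./notes with spaces.txt

./dir1:
-------A--I--e-- ./dir1/inner.conf'

echo "Protected entries:"
printf '%s\n' "$SAMPLE_LSATTR" | list_protected
echo "Expected immutable but not:"
printf '%s\n' "$SAMPLE_LSATTR" | missing_immutable ./file1 ./newfile.txt
```

On a real host, replace the sample with live data, for example lsattr -R /etc 2>/dev/null | list_protected.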
Conclusion
In the above guide, you learned how to protect files and directories with the chattr command. I hope this will help you to secure your important config files.