Chattr stands for Change Attribute. It is a command-line utility used to set or unset certain attributes on a file in a UNIX/Linux system, protecting files and folders from accidental deletion or modification even by users with root privileges. You can’t delete files secured with a chattr attribute even if you have full permissions on them. System files such as shadow and passwd are very useful files which contain all users' information and passwords.
chattr command syntax:
# chattr [operator] [flags] [filename]
- + :- Adds the attribute to the existing attributes of the files.
- - :- Removes the attribute from the existing attributes of the files.
- = :- Keeps the existing attributes that the files have.
Chattr Command Example
Here I am going to demonstrate some chattr command examples to set or unset attributes on files and folders. First, I am going to create a test directory and an example.conf file to set or unset attributes on.
# mkdir test
# touch example.conf
# ls -l
total 0
-rw-r--r-- 1 root root 0 Apr 21 01:32 example.conf
drwxr-xr-x 2 root root 4096 Apr 21 01:32 test
1. Add attributes on files to secure from deletion
You can use the + sign to set an attribute and the - sign to unset it. Now set the immutable bit on the files with the +i flag to prevent anyone from deleting them.
# chattr +i test/
# chattr +i example.conf
Note: The immutable bit +i can only be set by the root user or a user with sudo privileges.
Now let's verify it using the ‘lsattr’ command.
# lsattr
----i----------- ./test
----i----------- ./example.conf
Now try to delete forcefully, rename or change the permissions.
# rm -rvf test/
rm: cannot remove directory `test/': Operation not permitted
# mv test/ test1
mv: cannot move `test/' to `test1': Operation not permitted
# chmod 777 test/
chmod: changing permissions of `test/': Operation not permitted
Do the same for the example.conf file and you will get the same message.
2. Unset attribute on files
In the example above you saw how to set an attribute to secure a file and prevent accidental deletion. Now we will see how to unset the attribute and make a file and folder changeable again using the -i flag.
# chattr -i test/ example.conf
After resetting the attribute, verify the immutable status of the files using the ‘lsattr’ command.
# lsattr
------------- ./test
------------- ./example.conf
You can see the i flag has been removed, which means you can now remove and modify the file and folder.
# rm -rvf test/
removed directory: `test/'
# rm -rvf example.conf
removed `example.conf'
3. Secure /etc/passwd and /etc/shadow files
You can secure your system's /etc/passwd and /etc/shadow files by setting the immutable attribute on them. Setting the immutable attribute on these files also disables user account creation.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
Now try to create a new user on the system; you will get the error message ‘cannot open /etc/passwd’.
# useradd santosh
useradd: cannot open /etc/passwd
4. Add data into file without modifying existing data of a file
If you want to allow everyone to add data to a file without changing or modifying the existing data, you can use the ‘a’ attribute with the chattr command as shown below.
# chattr +a test_file.txt
# lsattr test_file.txt
-----a---------- test_file.txt
In append mode, data can only be added to a file.
Now try to replace the existing content of the file test_file.txt; you will get the error ‘Operation not permitted’.
# echo "A site of Linux Power." > test_file.txt
-bash: test_file.txt: Operation not permitted
Now try to add new content to the existing file test_file.txt.
# echo "A site of Linux Power." >> test_file.txt
# cat test_file.txt
looklinux.com
A site of Linux Power.
Unset the append attribute
# chattr -a test_file.txt
5. Secure Directories
You can secure an entire directory and its files using -R with the +i flag.
# chattr -R +i mydirectory
Now try to delete the directory and its files.
# rm -rf mydirectory/
rm: cannot remove 'mydirectory/': Operation not permitted
Unset the attribute using -R with the -i flag.
# chattr -R -i mydirectory
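The lsattr checks shown in the sections above can be scripted to confirm that the files you locked are still locked. The following is an added example, not part of the original article: it parses lsattr output and lists the expected paths that lack a given attribute. The function names, the sample paths and the sample lsattr output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit lsattr output for the attributes set in this article.

# Constructed sample in the lsattr format shown above (not from a real host).
sample_lsattr() {
cat <<'EOF'
----i----------- /etc/passwd
---------------- /etc/shadow
-----a---------- /var/log/test_file.txt
----i----------- /srv/my directory/example.conf

/srv/mydirectory:
lsattr: Operation not supported While reading flags on /srv/mydirectory/sock
EOF
}

# flagged_paths FLAG: read lsattr output on stdin, print paths carrying FLAG.
flagged_paths() {
    flag=$1
    while read -r attrs path; do
        [ -n "$path" ] || continue            # blank lines, "dir:" headers
        case $attrs in
            *[!A-Za-z-]*) continue ;;         # not an attribute field (errors)
        esac
        case $attrs in
            *"$flag"*) printf '%s\n' "$path" ;;
        esac
    done
}

# missing_flag FLAG PATH...: read lsattr output on stdin, print every expected
# PATH that is absent or lacks FLAG. Returns 1 if any path is reported.
missing_flag() {
    flag=$1; shift
    found=$(flagged_paths "$flag")
    rc=0
    for want in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -- "$want" || {
            printf '%s\n' "$want"
            rc=1
        }
    done
    return "$rc"
}

# Demo on the constructed sample; on a live host, pipe real output instead:
#   lsattr /etc/passwd /etc/shadow | missing_flag i /etc/passwd /etc/shadow
sample_lsattr | missing_flag i /etc/passwd /etc/shadow ||
    echo "the paths listed above are not immutable" >&2
```

Run from cron or a configuration-management check, a non-zero exit from missing_flag signals that an expected attribute has been removed.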
I hope this article will help you to set and unset attributes on files and folders. To learn more about the chattr command, see its man page.