A tutorial on creating write-protected files under Linux

Source: Internet
Author: User

You may want to write-protect some important files in Linux so that they cannot be deleted, tampered with, or overwritten by earlier versions. In other cases, you may want to stop software from automatically modifying certain configuration files. Using the chown and chmod commands to change a file's ownership or permission bits is a workaround for this situation, but it is not perfect because it does not prevent operations performed with root permissions. This is where chattr comes in handy.

chattr is a Linux command that can set or remove a flag bit of a file; these flags are separate from the standard file permissions (read, write, execute). A related command is lsattr, which shows which flags are set on a file. Initially only the ext file systems (ext2/3/4) supported chattr and lsattr, but many other native Linux file systems now support them, such as XFS, Btrfs, ReiserFS, and so on.

In this tutorial, I'll demonstrate how to use chattr to make files in Linux immutable.

The chattr and lsattr commands are part of the e2fsprogs package, which is pre-installed in all modern Linux distributions.

The following is the basic syntax for chattr.

$ chattr [-RVf] [operator] [flag bit] file ...

Where the operator can be "+" (add the selected flag bits to the file's flag list), "-" (remove the selected flag bits from the flag list), or "=" (make the selected flag bits the only ones set on the file).

The following are some of the available flag bits. The letters are case-sensitive.

a: can only be opened in append mode.

A: atime (file access time) is not updated.

c: compressed automatically when written to disk.

C: turn off "copy on write".

i: immutable (cannot be changed).

s: securely deleted by automatic zeroing. (LCTT note: normally, when a file is deleted its contents are left unmodified; with this flag set, the original contents are overwritten with zeros when the file is deleted.)

"Immutable" flag bit

To make a file immutable, add the "immutable" flag to it as follows. For example, to write-protect the /etc/passwd file:

$ sudo chattr +i /etc/passwd

Note that setting or clearing the "immutable" flag bit on a file requires root user privileges. Now check that the "immutable" flag bit has been added to the file.

$ lsattr /etc/passwd

Once the file is set to be immutable, no user will be able to modify it. Even the root user is not allowed to modify, delete, overwrite, move, or rename the file. If you want to modify this file again, you need to clear the "immutable" flag first.

Clear the "immutable" flag bit with the following command:

$ sudo chattr -i /etc/passwd

If you want a directory (such as /etc) to be immutable along with everything underneath it, use the "-R" option:

$ sudo chattr -R +i /etc

"Append only" flag bit

Another useful flag bit is "append only", which allows the contents of a file to be modified only by appending to it. You cannot overwrite or delete a file that has the "append only" flag bit set. This flag is useful when you want to keep log files from being accidentally wiped.

As with the "immutable" flag bit, you can use the following command to put a file into "append only" mode:

$ sudo chattr +a /var/log/syslog

Note that when you copy an "immutable" or "append only" file to another location, the new file will not retain these flags!
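Because the flags are silently lost on copy and can be cleared by root, it helps to check lsattr output against the flags you expect. The following is an added example, not part of the original tutorial; the policy list and the sample lsattr output are constructed, and the function name audit_flags is hypothetical.

```shell
#!/bin/sh
# Added example: compare lsattr output with a policy of expected flags.

# Constructed policy, one "<flag> <path>" per line
# (i = immutable, a = append only).
POLICY='i /etc/passwd
i /etc/shadow
a /var/log/syslog'

# Constructed sample in the layout printed by `lsattr <files>`:
# an attribute field, a space, then the path.
SAMPLE='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
-----a--------e------- /var/log/syslog'

# audit_flags POLICY LSATTR_OUTPUT
# Prints one line per policy entry:
#   OK      the expected flag is set
#   MISSING the file is listed but the flag is not set
#   ABSENT  the file does not appear in the lsattr output
audit_flags() {
    printf '%s\n' "$1" | while read -r want path; do
        [ -n "$path" ] || continue
        # Look up the attribute field for this exact path.
        attrs=$(printf '%s\n' "$2" | awk -v p="$path" '
            { f = $1; sub(/^[^ ]+ +/, ""); if ($0 == p) { print f; exit } }')
        if [ -z "$attrs" ]; then
            echo "ABSENT $want $path"
        else
            case $attrs in
                *"$want"*) echo "OK $want $path" ;;
                *)         echo "MISSING $want $path" ;;
            esac
        fi
    done
}

# Live use (assumes a file system that supports lsattr):
#   audit_flags "$POLICY" "$(lsattr /etc/passwd /etc/shadow /var/log/syslog 2>/dev/null)"
audit_flags "$POLICY" "$SAMPLE"
```
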

Conclusion

In this tutorial, I showed you how to use the chattr and lsattr commands to manage additional file flag bits to avoid tampering with files (accidental or otherwise). Note that you cannot use chattr as a security measure, because the "immutable" flag can easily be cleared. One possible way to solve this problem is to limit the availability of the chattr command itself, or to remove the CAP_LINUX_IMMUTABLE kernel capability. For more details on chattr and the available flag bits, refer to its man page.
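To verify that CAP_LINUX_IMMUTABLE has really been removed, you can decode the CapBnd (capability bounding set) mask from /proc/<pid>/status. The following is an added example, not part of the original tutorial; the two status excerpts are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is CAP_LINUX_IMMUTABLE still in a process's bounding set?

# CAP_LINUX_IMMUTABLE is capability number 9 (see capabilities(7)).
CAP_LINUX_IMMUTABLE=9

# cap_in_mask HEXMASK CAPNUM -> prints "yes" if bit CAPNUM is set, else "no".
cap_in_mask() {
    if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# bounding_mask STATUS_TEXT -> prints the hex mask from the "CapBnd:" line.
bounding_mask() {
    printf '%s\n' "$1" | awk '$1 == "CapBnd:" { print $2; exit }'
}

# can_change_immutable STATUS_TEXT -> yes | no | unknown
# "no" means the process and its children cannot gain the capability
# needed to set or clear the immutable and append-only flags.
can_change_immutable() {
    mask=$(bounding_mask "$1")
    [ -n "$mask" ] || { echo unknown; return 0; }
    cap_in_mask "$mask" "$CAP_LINUX_IMMUTABLE"
}

# Constructed excerpts in the layout of /proc/<pid>/status.
STATUS_DEFAULT='Name: bash
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'

STATUS_DROPPED='Name: hardened-svc
CapPrm: 000001fffffffdff
CapEff: 000001fffffffdff
CapBnd: 000001fffffffdff'

# Live use: can_change_immutable "$(cat /proc/self/status)"
echo "default bounding set: $(can_change_immutable "$STATUS_DEFAULT")"
echo "capability dropped:   $(can_change_immutable "$STATUS_DROPPED")"
```

For a systemd service, `CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE` in the unit file removes the capability from that service's bounding set.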
