Since Linux is a multi-user operating system, users can access the shared files. To make those files immutable, we use the chattr command on Linux. You can use the chattr command-line utility to change the attributes of a file residing on the Linux file system.
The attributes define the properties of a file. Other than file permissions and time/date of file creation, the Linux file system supports other attributes that you can adjust using the chattr command. The set of supported attributes may differ based on file system type and distribution.
In this tutorial, you will learn how to use the chattr command on Linux. You will also learn how to use it to modify the attributes of the shared files and folders.
Command Syntax
The chattr command takes several arguments as described below.
chattr [Options] [Operator][Attributes] <file>No white space should exist between operator and attributes. Please note that the options and attributes may differ across different file systems and distributions.
You can use one or several out of the following options:
-R: Recursively changes attributes and contents of directories.-V: Prints chattr utility’s version and shows a user-friendly output.-f: Suppresses most error messages.-v<version>: Sets the given version.-p<project>: Sets the given project number.
Operators can be one of the following:
+: Applies the attributes specified in the command to the file. These are in addition to attributes that are already assigned to the file.-: Removes the attributes specified in the command from the file.=: Assigns only the given attributes to the file regardless of the existing attributes.
Attributes can be one or more of the following. Please note that we have described a subset of attributes here. To see all supported attributes, use the man chattr command.
A: Disallows file access time to be updated when a file is accessed. Or, in other words, freezes the time stamp on the file.a: Allows the file to be opened in append mode only for writing.c: Stores the file in compressed form. The file is uncompressed on reading and compressed back after writing.e: The file uses extents for storage. The contiguous blocks on the hard disks are called extents. These are used to store the files together. They also prevent fragmentation.i: Disallows the file to be modified, deleted, or renamed.u: Disallows deleting file content from the filesystem.
How to Use the chattr command
You can use the chattr command to assign various attributes to a file. This can indicate to the operating system the type of file without opening it. Based on these attributes, the operating system or other applications treat a file a certain way.
For example, if the root user wants to disallow modifications to a file from other users, they can assign the ‘immutable’ attribute to a file. Other users can not delete it using the rm command. Furthermore, they can not change it using any applications. Such a feature is crucial for system files, which users can delete by mistake. Additionally, malicious users can also try to change the files intentionally.
Another example is the ‘undeletion’ attribute. If you set this attribute on the file, the operating system saves the file even after you delete it. This feature can be helpful for file recovery. Let’s look at the use of the chattr command in detail.
1. Check File Attributes
Before using the chattr command to modify the attributes, it is essential to check them first. For this, we will use the lsattr command. We use the lsattr command to list the attributes of a file. You can also use this command to confirm the change to the attributes after you have executed the chattr command. The syntax for this command is:
lsattr [FILENAME]For example:
lsattr ./confidential_file.logYou will get a similar output as shown below:
The e flag represents the extent as discussed above.
2. Use chattr Command for Read-Only Permission
To make any file immutable, we use the +i flag along with the chattr command.
For example:
chattr +i ./confidential_file.log
After that, you can confirm the attributes of the file using the lsattr command as shown in the image above.
To confirm the immutability feature, try renaming the file using the mv command.
sudo mv ./confidential_file.log ./non_confidential_file.log
As you can see from the image given above, we cannot rename the file. This is because you have set the immutable attribute on this file using the chattr command.
3. Use chattr Command to Remove the Attributes
You can also use the chattr command to remove the existing attributes from a file. To remove an attribute from a file, there are two ways: the dash (-) operator and the equal (=) operator. While the – is the direct way, you can also use the = operator.
Let’s use the - operator first to remove the i flag.
sudo chattr -i ./confidential_file.log
Alternatively, you can also use the = operator to remove all the flags except the one identified.
For example:
sudo chattr =e ./confidential_file.log
This command will remove all the attributes from the file and only keep the e attribute.
4. Use chattr Command to Freeze Access Time
Let’s go through another example. The following example demonstrates how to freeze file access time.
First, check the access time of the file before changing the “time” attribute using the stat command. For this, you will first access the file using the cat command so that the last access time is updated. Then, check the recent access time using the stat command.
stat –format=%x ./confidential_file.log
Next, add an attribute A to the file to freeze its access time using the chattr command. For example:
sudo chattr +A ./confidential_file.log
Now, access the file using the cat command. After that, check its stat. You will see that the access time has not been updated even though it was read using the cat command.
In conclusion, you can use the chattr command to manipulate different attributes of a file. You can also utilize its flags and attributes to modify and restrict the files. Such control on file attributes is necessary for super users or system administrators to limit or extend the scope of file access. For more information on the chattr command, check out its original documentation.
If you have any questions or feedback, feel free to leave a comment.
If this guide helped you, please share it.
