Linux commands: the chattr command

1. Introduction to chattr command

  The chattr command changes the attributes of a file or directory, including the immutable, synchronous-update, append-only, no-dump, compressed and undeletable attributes, among others. The chattr command can only be used by the superuser or the owner of the file.

2. Chattr command usage example

1. Set the version for the file

  Setting version information with the -v parameter is only supported on extX (ext2/ext3/ext4) file systems. When the file version is set on an xfs file system, chattr reports an "inappropriate ioctl for device" error.

[root@s153 ~]# chattr -v 2 -V hi.txt
chattr 1.41.12 (17-May-2010)
The flag of hi.txt is set to -------------e-
Version of hi.txt set as 2
[root@s152 test]# chattr -v 2 -V a.txt
chattr 1.42.9 (28-Dec-2013)
The flag of a.txt is set to ----------------
Version of a.txt set as 2
chattr: inappropriate ioctl operation for the device while setting version on a.txt

2. Recursively set file attributes in a directory

[root@s152 test]# chattr -R -a -V level1-1/
chattr 1.42.9 (28-Dec-2013)
The flag of level1-1/ is set to ----------------
The flag of level1-1//level2-1 is set to ----------------
The flag of level1-1//level2-2 is set to ----------------
The flag of level1-1//level2-2/ccc.txt is set to ----------------
The flag of level1-1//level2-3 is set to ----------------
The flag of level1-1//bb.txt is set to ----------------

3. Use the -V parameter to display the instruction execution process

[root@s152 test]# chattr -R -a -V level1-1
chattr 1.42.9 (28-Dec-2013)
The flag of level1-1 is set to ----------------
The flag of level1-1/level2-1 is set to ----------------
The flag of level1-1/level2-2 is set to ----------------
The flag of level1-1/level2-2/ccc.txt is set to ----------------
The flag of level1-1/level2-3 is set to ----------------
The flag of level1-1/bb.txt is set to ----------------

4. Add an attribute

[root@s152 test]# lsattr a.txt
---------------- a.txt
[root@s152 test]# chattr +i a.txt
[root@s152 test]# lsattr a.txt
----i----------- a.txt

5. Delete an attribute

[root@s152 test]# chattr -i -V a.txt
chattr 1.42.9 (28-Dec-2013)
The flag of a.txt is set to ----------------
[root@s152 test]# lsattr a.txt
---------------- a.txt

6. Specify file attributes

  Use = to set the attributes of a file to exactly the given ones. In practice some of the supported attributes conflict with each other, so = is rarely used; the usual way is to add or remove a single attribute with + or -.

[root@s152 test]# chattr =iaA -V a.txt
chattr 1.42.9 (28-Dec-2013)
The flag of a.txt is set to ----ia-A--------

3. chattr command syntax and parameter description

1. Command syntax

#chattr [parameter] file or directory
#chattr [+-=][attribute] file or directory
#chattr [parameter] [attribute] file or directory

2. Parameter description

Parameter            Description
-R                   Recursive processing: apply the change to the directory and all files and subdirectories under it
-v <version number>  Set the version of the file or directory; only supported on ext file systems (ext2/ext3/ext4)
-V                   Display the execution of the command (the resulting flags of each file are printed)
-f                   Suppress most error messages
+<attribute>         Turn on the given attribute of the file or directory
-<attribute>         Turn off the given attribute of the file or directory
=<attribute>         Set the attributes of the file or directory to the given ones

3. Attribute description

  The ext2, ext3 and ext4 file systems implemented in the mainstream Linux kernel do not support the "c", "s" and "u" attributes. In practice only a and i are commonly used. The append-only attribute (a) is typically applied to log files so that the log cannot be deleted or overwritten and only appending new records is allowed. The immutable attribute (i) is used to lock important configuration files against accidental deletion or modification.

Attribute  Description
a          Only appending data to the end of the file is allowed; the existing contents cannot be modified or deleted.
A          The file's atime is no longer updated.
c          The file or directory is compressed by default.
C          A file with the "C" attribute is not subject to copy-on-write updates. This flag is only supported on file systems that perform copy-on-write.
d          The file or directory is skipped when the file system is backed up (dump).
D          When a directory with the "D" attribute is modified, the changes are written to disk synchronously; this is equivalent to the "dirsync" mount option applied to a subset of files. Requires kernel 2.5.19 or later.
i          Any change to the file or directory is prohibited, including modification, deletion and renaming.
j          The file's data is written to the journal before being written to the file itself; only supported on ext3 and ext4.
s          When the file is deleted, its contents are zeroed out.
S          When a file with the "S" attribute is modified, the changes are written to disk synchronously; this is equivalent to the "sync" mount option applied to a subset of files.
t          Let the file system support tail-merging. Only ext2 and ext3 support tail-merging.
T          A directory with the "T" attribute is treated as the top of a directory hierarchy. This is a hint to the block allocator used by ext3 and ext4.
u          When a file with the "u" attribute is deleted, its contents are kept, so the user can request that the deletion be undone.
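The shell functions below are an added example and are not part of the original post. They decode lsattr output into the attribute names from the table above and pick out the files that carry the i or a flag, which is the check to run when auditing which system files are locked (an immutable or append-only flag on a file nobody remembers locking is worth investigating). The letter meanings follow the table, plus e (extents), which the CentOS 6 output earlier in the post shows lsattr reporting; the sample lines embedded in the script are constructed, not real host data.

```shell
#!/bin/sh
# Added example, not from the original post: decode lsattr output into the
# attribute names from the chattr table and pick out locked (i / a) files.
# Input is what lsattr prints, one "<flags> <path>" line per file, e.g.
# "----ia-A-------- a.txt" (e2fsprogs 1.42) or "-------------e- hi.txt"
# (e2fsprogs 1.41, whose flag string is 15 characters wide).

# Meaning of one attribute letter (descriptions follow the table above).
attr_name() {
    case $1 in
        a) echo "append only" ;;
        A) echo "no atime updates" ;;
        c) echo "compressed" ;;
        C) echo "no copy-on-write" ;;
        d) echo "no dump" ;;
        D) echo "synchronous directory updates" ;;
        e) echo "extents" ;;   # reported by lsattr on ext4; not set with chattr
        i) echo "immutable" ;;
        j) echo "data journaling" ;;
        s) echo "secure deletion" ;;
        S) echo "synchronous updates" ;;
        t) echo "tail-merging flag" ;;
        T) echo "top of directory hierarchy" ;;
        u) echo "undeletable" ;;
        *) echo "unknown flag $1" ;;
    esac
}

# True when $1 looks like an lsattr flag field: only '-' and letters, at least
# 15 characters. Rejects lsattr -R directory headers such as "level1-1:".
is_flag_field() {
    case $1 in ""|*[!-a-zA-Z]*) return 1 ;; esac
    [ ${#1} -ge 15 ]
}

# Letters set in one lsattr line, e.g. "iaA" for "----ia-A-------- a.txt".
flags_set() {
    s=${1%% *}                 # first field is the flag string
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character of s
        s=${s#?}
        [ "$c" != "-" ] && out="$out$c"
    done
    printf '%s' "$out"
}

# Read lsattr / lsattr -R output on stdin and print "path: names" for every
# file that has at least one attribute set.
decode_attrs() {
    while IFS= read -r line; do
        flags=${line%% *}
        [ "$flags" != "$line" ] || continue     # no path field on this line
        is_flag_field "$flags" || continue
        letters=$(flags_set "$line")
        [ -n "$letters" ] || continue
        names=
        rest=$letters
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}
            rest=${rest#?}
            names="${names:+$names, }$(attr_name "$c")"
        done
        printf '%s: %s\n' "${line#* }" "$names"
    done
}

# Print only the paths whose flags include i (immutable) or a (append only).
find_locked() {
    while IFS= read -r line; do
        flags=${line%% *}
        [ "$flags" != "$line" ] || continue
        is_flag_field "$flags" || continue
        case $flags in *[ia]*) printf '%s\n' "${line#* }" ;; esac
    done
}

# Constructed sample in lsattr -R format (not real host data), including a
# directory header line and a 15-character CentOS 6 style line.
SAMPLE='----ia-A-------- a.txt
-----a---------- /var/log/messages
---------------- b.txt
-------------e- hi.txt
level1-1:
---------------- level1-1/bb.txt
'

printf '%s' "$SAMPLE" | decode_attrs
printf '%s' "$SAMPLE" | find_locked
```

On a real host, `lsattr -R /etc 2>/dev/null | find_locked` lists every locked file under /etc; the directory header lines and error lines that `lsattr -R` emits are skipped because their first field is not a flag string.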

4. Practice using chattr command

1. Use the i attribute to lock the /etc/shadow file to ensure the security of system users.

  Once a file is locked with the i attribute, even the root user cannot delete, modify or update it directly; it has to be unlocked before it can be changed. When a file locked with i is opened in an editor, the editor reports a read-only file, and even :wq! cannot complete the save. Any update or modification must be performed after unlocking the file. After the operating system user configuration is complete, the /etc/shadow file can be locked to protect the system accounts.

[root@s152 test]# chattr +a a.txt
[root@s152 test]# rm -rf a.txt
rm: Unable to delete "a.txt": Operation not allowed
[root@s152 test]# echo "This is add message test" >> a.txt
-bash: a.txt: Insufficient permissions
[root@s152 test]# vim a.txt

2. Use the a attribute to lock /var/log/messages to prevent the log file from being tampered with.

  With the a attribute, the /var/log/messages file can only be appended to; deleting or overwriting it is not allowed, which protects the integrity of the system log.

[root@s152 test]# chattr +a /var/log/messages
[root@s152 test]# lsattr /var/log/messages
-----a---------- /var/log/messages
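Locking /etc/shadow with +i means every later legitimate change (a password change, a new account) fails until the flag is dropped, so the practical pattern is a small wrapper that unlocks the file, runs the change, and re-locks it even when the change fails. The script below is an added example, not code from the original post. It assumes it runs as root (setting the i and a flags requires the CAP_LINUX_IMMUTABLE capability, which is why the sessions above run as root) on an ext2/ext3/ext4 file system, and verifies the flag with `lsattr -d` after each change rather than trusting chattr's exit status; the user name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: lock a file with chattr +i,
# verify the flag with lsattr, and run an edit with the file temporarily
# unlocked. Assumes root and an ext2/3/4 file system.

# Return 0 if FILE currently carries the i (immutable) flag, 1 if it does not,
# 2 if the flags cannot be read (lsattr missing, unsupported file system,
# file absent). -d lists a directory itself instead of its contents.
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null) || return 2
    case ${flags%% *} in *i*) return 0 ;; *) return 1 ;; esac
}

# Set the immutable flag and confirm it actually took effect.
lock_file() {
    [ -f "$1" ] || { echo "lock_file: $1 is not a regular file" >&2; return 1; }
    chattr +i "$1" || return 1
    is_immutable "$1" || { echo "lock_file: $1 is still not immutable" >&2; return 1; }
}

# Clear the immutable flag and confirm it is gone.
unlock_file() {
    [ -f "$1" ] || { echo "unlock_file: $1 is not a regular file" >&2; return 1; }
    chattr -i "$1" || return 1
    if is_immutable "$1"; then
        echo "unlock_file: $1 is still immutable" >&2
        return 1
    fi
}

# Run COMMAND with FILE unlocked, then restore the lock even if COMMAND fails.
# A file that was not locked to begin with is left unlocked.
with_unlocked() {
    f=$1; shift
    was_locked=0
    if is_immutable "$f"; then
        was_locked=1
        chattr -i "$f" || return 1
    fi
    "$@"
    rc=$?
    if [ "$was_locked" -eq 1 ]; then
        chattr +i "$f" || { echo "with_unlocked: failed to re-lock $f" >&2; return 1; }
    fi
    return $rc
}

# Usage (as root; "alice" is a placeholder account name):
#   lock_file /etc/shadow
#   with_unlocked /etc/shadow passwd alice   # change runs, lock is restored
#   unlock_file /etc/shadow
```

The same wrapper works for an append-only log by swapping +i/-i for +a/-a and checking for the a flag, but for /var/log/messages there is rarely a reason to unlock: rotation tools append and reopen, which +a permits.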

Origin blog.csdn.net/carefree2005/article/details/132298420