Linux Password Trick With Immutable Bit Using chattr Command

April 26, 2004 · 12 comments · last updated January 26, 2015


You can make a file immutable on Linux with the help of a utility called chattr, which changes file attributes on Linux file systems. These attributes originate with the second extended file system (ext2) and are supported by ext3 and ext4; the immutable flag is also honored by other Linux file systems such as XFS and Btrfs. The operator + causes the selected attributes to be added to the existing attributes of the files; - causes them to be removed; and = causes them to be the only attributes that the files have.

What is an immutable attribute on Linux?

A file with the immutable attribute cannot be:

  • Modified (it cannot be opened for writing or truncated)
  • Deleted
  • Renamed
  • Hard-linked (a symbolic link pointing at it can still be created, because the symlink is a new inode and does not touch the file itself)
  • Changed in most of its metadata, such as mode, owner or timestamps

None of this is allowed to anyone, including the root user, while the flag is set.

Only root (the superuser), or more precisely a process possessing the CAP_LINUX_IMMUTABLE capability, can set or clear this attribute. Use the lsattr command to list the file attributes that you set with the chattr command.

How to make a file immutable on Linux

First, log in as root (or run the commands with sudo): only a process with CAP_LINUX_IMMUTABLE, which in practice means root, can set or remove the immutable flag on a file. The syntax is:

chattr +i file
chattr +i /path/to/filename

Type the following command to write-protect the /etc/shadow file on Linux:
# chattr +i /etc/shadow

Now, login as the normal user (say vivek) and type the passwd command to change password:

$ passwd
Changing password for user vivek.
Changing password for vivek
(current) UNIX password: OLDPASSWED
New password: NEWPASSWD
Retype new password: NEWPASSWD
passwd: all authentication tokens updated successfully.

Log out and try to log in with the new password: the system rejects it and you still need the old one, because passwd could not replace the immutable /etc/shadow. Depending on the PAM stack and passwd version, passwd may instead fail outright with "passwd: Authentication token manipulation error" rather than reporting success as above; either way the password is unchanged.

To list the attributes of the file, use the lsattr command (run as the root user):

# lsattr /etc/shadow
----i-------- /etc/shadow

Please note that while the flag is set, even root cannot change a user's password, and useradd and usermod fail in the same way because they also rewrite /etc/shadow. Remove the attribute with the following commands (again run as the root user):

chattr -i /etc/shadow
lsattr /etc/shadow

Sample outputs:

------------- /etc/shadow

Securing mount points on Linux

Want to write-protect an entire mount point so that no one, not even root, can add or delete files while the flag is set? Try:

## secure partition mounted at /securebackup ##
chattr +i -R /securebackup
lsattr -d /securebackup
lsattr -l /securebackup
cd /securebackup
## Try to add or delete something ##
echo "test" > foo.txt
mkdir foo
ls -l
rm SeaToolsDOS223ALL.ISO
 
## Remove it again ##
cd /
chattr -i -R /securebackup
lsattr -d /securebackup
 

Sample outputs:

Fig.01: How to make a file and mount point immutable on Linux to increase security



The -R option recursively changes the attributes of directories and their contents. This is useful for protecting a web server DocumentRoot or another directory exposed over sftp/ftp against tampering by the service account. Keep its limits in mind: Linux has no securelevel, so anyone who gains root can clear the flag with chattr -i, and the flag only governs the file system view, so unmounting the file system or writing to the underlying block device is not blocked. In other words, +i guards against mistakes and compromises of unprivileged accounts, not against a root compromise, and your own deployment process must clear and re-set it around legitimate updates.

Protecting important files

You can protect important files such as the following, keeping in mind that tools which rewrite them (passwd, useradd, usermod, chage, and package upgrades that touch php.ini) will fail until the flag is cleared:

  • /etc/php.ini
  • /etc/passwd
  • /etc/shadow
  • /etc/group and more
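As an added example (not code from the original article), the following POSIX shell script wraps the procedure shown in the /etc/shadow and /securebackup sections above: it sets the flag on a list of paths, verifies afterwards with lsattr that each path actually carries 'i' so that a failure (unsupported file system, missing capability) is not overlooked, and can be re-run later, for instance from cron, to detect a protected path whose flag has been cleared. The lsattr output format it parses ("<attrs> <path>", one space between the fields) is the current e2fsprogs format, and the script name immutable_audit.sh is an assumption; the chattr and lsattr calls need root.

```shell
#!/bin/sh
# immutable_audit.sh: set the immutable flag on a list of paths and later
# verify that it is still there. Added example for this article, not code
# from the original page. Needs chattr/lsattr (e2fsprogs) and, for the
# chattr calls, root (CAP_LINUX_IMMUTABLE).

# Attribute field of one line of lsattr output.
# lsattr prints "<attrs> <path>", e.g. "----i---------e------- /etc/shadow".
lsattr_attrs() {
    printf '%s\n' "${1%% *}"
}

# Path field of one line of lsattr output (everything after the first space).
lsattr_path() {
    printf '%s\n' "${1#* }"
}

# Exit 0 if an lsattr line shows the immutable flag 'i'.
# The field is case-sensitive: 'I' means indexed directory, not immutable.
line_is_immutable() {
    case "$(lsattr_attrs "$1")" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read lsattr output on stdin and print the paths that lack the flag.
# Lines starting with "lsattr:" are error messages (for example a file
# system that does not support attributes); they are passed on to stderr.
report_unprotected() {
    while IFS= read -r line; do
        case "$line" in
            lsattr:*) printf '%s\n' "$line" >&2; continue ;;
        esac
        line_is_immutable "$line" || lsattr_path "$line"
    done
}

# Check the given paths; prints every path that is not immutable.
# -d lists a directory itself rather than its contents.
check_immutable() {
    lsattr -d "$@" 2>&1 | report_unprotected
}

# Set the flag (recursively for directories) and verify the result, so the
# caller learns about paths that did not end up protected.
protect() {
    chattr -R +i "$@"
    unprotected=$(check_immutable "$@")
    if [ -n "$unprotected" ]; then
        printf 'still writable:\n%s\n' "$unprotected" >&2
        return 1
    fi
}

# Clear the flag again (required before passwd, useradd, package upgrades...).
unprotect() {
    chattr -R -i "$@"
}

# Command-line entry point, e.g.:
#   ./immutable_audit.sh protect /etc/passwd /etc/shadow /etc/group
#   ./immutable_audit.sh check   /etc/passwd /etc/shadow /etc/group
if [ "$#" -gt 0 ]; then
    cmd=$1; shift
    case "$cmd" in
        check)     check_immutable "$@" ;;
        protect)   protect "$@" ;;
        unprotect) unprotect "$@" ;;
        *) printf 'usage: %s check|protect|unprotect PATH...\n' "$0" >&2; exit 2 ;;
    esac
fi
```

The check mode is the part worth scheduling: a line in cron such as `immutable_audit.sh check /etc/passwd /etc/shadow /etc/group` prints only the paths that have lost the flag, which is exactly the signal you want if an intruder with root has run chattr -i before editing a file.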

A note for FreeBSD and Apple OS X (Unix-like) users

Try the chflags command. It modifies the file flags of the listed files as specified by its arguments, including the user immutable flag (uchg, cleared with nouchg) and the system immutable flag (schg, cleared with noschg). On FreeBSD the system immutable flag cannot be cleared, even by root, while the kernel securelevel is greater than 0, which is the protection against a root compromise that the Linux flag lacks.

To see all the file attributes that chattr and lsattr understand, read the man pages by typing the following commands:

man chattr
man lsattr

12 comments

1 Mr Surbade April 4, 2009 at 4:48 pm

Works like a charm.


2 Philippe Petrinko June 3, 2010 at 11:24 am

Nice topic.

2 Typos Here:
“For rest of Linux second extended file system attributes read man chatter, man lsatter.”
=> … read man chattr, man lsattr


3 Bijohn Vincent February 20, 2012 at 4:15 am

What does the attribute ‘e’ stand for? I am using CentOS 6.
[root@cfserver masterfiles]# lsattr /etc/passwd
-------------e- /etc/passwd


4 Ben March 17, 2012 at 3:07 pm

extent.
exactly what that means yet. I determined this by trying chattr -e ./somefile
and it returned

root@dell:~$ chattr -e somefile
chattr: Clearing extent flag not supported on somefile


5 Curtis February 23, 2015 at 4:27 pm

It uses extents in the _file system_ for allocation. One thing this article is missing explicitly is that lsattr and chattr are from e2fsprogs, aka your FILE SYSTEM, and only ext3/4.

This is why if you run “man chattr” and read it, you’ll see that many of the flags are related to mount-options, block-options, and other FS-specific tools, which is very UNLIKE ls, chmod, chown, chgrp, etc.


6 Ben March 17, 2012 at 3:09 pm

extent.
Not sure exactly what that means yet. I determined this by trying chattr -e ./somefile
and it returned

root@dell:~$ chattr -e somefile
chattr: Clearing extent flag not supported on somefile


7 phila_guy December 22, 2012 at 2:52 pm

Also useful for clearing the lost+found directory for files that can’t be deleted by root directly using rm or rm -rf. I had to recover a 1TB USB 3 disk with e2fsck using an alternate block after I accidentally tried to dd an 8 Mb .iso to the USB disk and not the USB thumbdrive I had meant for it to go. I was able to recover the disk but this left me with a file and a directory in lost+found that I could not delete that cron.daily kept warning me about. I used lsattr to list the attributes that the file and directory had and just used chattr -R to recursively wipe all the attributes for everything in lost+found. A simple rm -rf worked after that.


8 Old BSD guy February 6, 2013 at 9:28 pm

What good is the immutable flag without securelevels?


9 Bob September 2, 2013 at 5:30 pm

I have had a horrible problem with a hacker changing my .htaccess file to redirect my website to a site selling drugs. I have tried changing the permissions to 444, but that doesn’t seem to prevent the hack. I am now trying making the file immutable. I hope this does the trick.


10 Moneybags November 5, 2013 at 11:13 pm

I’m sorry, what is the point of doing this on /etc/shadow?


11 CMac February 26, 2014 at 7:24 pm

I can’t see any benefit to doing this; you should not play with things you don’t fully understand, lest you bork your system...


12 Curtis February 23, 2015 at 4:23 pm

Say you want to place a file in a user’s home directory that you do not want the user to change. By default, a user owns his/her home directory and can seize ownership, change and delete files, etc. The traditional solution is to make the directory root-owned and then grant weird permissions to the user (sticky bit, etc) so they can still write, rename, etc.

A much simpler solution is to just place the file, and as root, chattr +i /home/user/the_file and you are done. All of your hierarchy / inherited permissions still make perfect sense.

