Howto: Linux Write protect a file


Q. How do I write protect a file under Linux? I’m using the CentOS 5 server Linux operating system. I need to prevent accidental changes to my files.

A. There are two ways to write protect a file under Linux.

Method #1: You can make a file read-only by removing users’ write permission on it. Under Linux and UNIX, a user cannot remove or modify a file if they don’t have write permission. You can use the normal chmod command for this purpose.

Method #2: You need to use the chattr command, which changes the file attributes on a Linux second extended (ext2 / ext3) file system. You need to set the i (immutable) attribute. A file with the i attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser (root) or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

Write protecting a file using chmod command

Let's say you want to write protect the file called data.txt so that no other users can change it; enter:
$ chmod go-w data.txt
To restore the write permission, use:
$ chmod go+w data.txt

Write protecting a file using chattr command

Let's say you want to write protect the file called data.txt so that no other users, including the root user, can change it; enter (you must log in as the root user to use the chattr command):
# chattr +i data.txt
To remove the i attribute, enter:
# chattr -i data.txt
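
The following shell check is an added example, not part of the original article: it reports which user classes still hold the write bit after chmod and whether the i attribute is set. It assumes GNU stat (stat -c) and an optional lsattr; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU stat (stat -c)
# and, optionally, lsattr from e2fsprogs. Function names are hypothetical.

# Succeeds when an octal permission digit includes the write bit (2).
has_w() { case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac; }

# Print the classes (u, g, o) that still hold the write bit, or "none".
writable_classes() {
    raw=$(stat -c '%a' "$1") || return 1
    mode=$(printf '%04d' "$raw")     # pad, e.g. 644 -> 0644, 0 -> 0000
    perms=${mode#?}                  # drop the setuid/setgid/sticky digit
    u=${perms%??}; rest=${perms#?}; g=${rest%?}; o=${rest#?}
    out=
    has_w "$u" && out="${out}u"
    has_w "$g" && out="${out}g"
    has_w "$o" && out="${out}o"
    echo "${out:-none}"
}

# Print yes/no for the i attribute, or "unknown" when lsattr is missing
# or the file system does not support attributes.
immutable_state() {
    command -v lsattr >/dev/null 2>&1 || { echo unknown; return 0; }
    line=$(lsattr -d "$1" 2>/dev/null) || { echo unknown; return 0; }
    case ${line%% *} in
        "")  echo unknown ;;
        *i*) echo yes ;;
        *)   echo no ;;
    esac
}

# One-line summary covering both methods.
protection_report() {
    printf '%s: write bit held by [%s], immutable=%s\n' \
        "$1" "$(writable_classes "$1")" "$(immutable_state "$1")"
}

# Demo on a constructed scratch copy of data.txt.
demo_dir=$(mktemp -d)
f=$demo_dir/data.txt
: > "$f"
chmod 666 "$f"
protection_report "$f"
chmod go-w "$f"                      # Method #1
protection_report "$f"
rm -rf "$demo_dir"
```

After chmod go-w the report still lists u, because the owner keeps the write bit; immutable changes to yes only once root has run chattr +i on a file system that supports it.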

How Linux file permissions work


Linux (and almost all other Unixish systems) has three user classes, as follows:

  • User (u): The owner of the file
  • Group (g): Other users who are in the group (to access files)
  • Other (o): Everyone else

You can set the following modes on each file. In Linux and UNIX, a set of permissions is called a mode:

  • Read (r)
  • Write (w)
  • Execute (x)

However, the above three modes, or permissions, have different meanings for files and directories:

Linux Read mode permissions

  • Read access on a file allows you to view the file
  • Read access on a directory allows you to view the directory contents with the ls command

Write mode permissions

  • Write access on a file allows you to write to the file
  • Write access on a directory allows you to remove or add new files

Execute mode permissions

  • Execute access on a file allows you to run the program or script
  • Execute access on a directory allows you to access files in the directory

Octal numbers and permissions

You can use octal numbers to represent a mode/permission:

  • r: 4
  • w: 2
  • x: 1

For example, for the file owner you can use octal modes as follows. Read, write and execute (full) permission on a file in octal is
0+r+w+x = 0+4+2+1 = 7

Read and write permission only on a file in octal is
0+r+w+x = 0+4+2+0 = 6

Read and execute permission only on a file in octal is
0+r+w+x = 0+4+0+1 = 5

Use the above method to calculate the permissions for group and others. Let us say you wish to give full permission to the owner, read and write permission to the group, and execute-only permission to others; then you calculate the permission as follows:
User = r+w+x = 0+4+2+1 = 7
Group = r+w+x = 0+4+2+0 = 6
Others = r+w+x = 0+0+0+1 = 1

Effective permission is 761.

chmod command

To set file permissions, use the chmod command:
chmod {mode} {file-name}

To set the file permission 761, use the chmod command as follows:
# chmod 0761 file
To make a file readable by anyone and writable by the owner only:
# chmod 644 file
To make a file readable/executable by everyone and writable by the owner only:
# chmod 755 file
You can change permissions for all files and directories within a directory by using the -R option of the chmod command. For example, to give others read and execute access to all files and directories (and files and directories within directories), type the following command (i.e. change the modes of the file hierarchies rooted in the files instead of just the files themselves):
# chmod -R 755 directory-name/

Further readings

  1. Access rights: Linux’s first line of defense
  2. Read the chmod command man page for more information.