Linux Password Trick With Immutable Bit Using chattr Command

You can make a file immutable on Linux with the chattr utility, which changes the file attributes on a Linux second extended file system. The operator + causes the selected attributes to be added to the existing attributes of the files; - causes them to be removed; and = causes them to be the only attributes that the files have.

What is an immutable attribute on a Linux?

A file with an immutable attribute can not be:

  • Modified
  • Deleted
  • Renamed
  • Linked to: no soft or hard link can be created by anyone, including the root user.

Only the root (superuser) or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Use the lsattr command to list file attributes on a Linux second extended file system that you set with the chattr command.

How to make a file immutable on Linux

First, you need to log in as the root user. Only the root user can set and remove the immutable flag on a file. The syntax is:

chattr +i file
chattr +i /path/to/filename

Type the following command to write-protect the /etc/shadow file on Linux:
# chattr +i /etc/shadow

Now, log in as a normal user (say vivek) and type the passwd command to change the password:

$ passwd
Changing password for user vivek.
Changing password for vivek
(current) UNIX password: OLDPASSWD
New password: NEWPASSWD
Retype new password: NEWPASSWD
passwd: all authentication tokens updated successfully.

Log out and try to log in with the new password. However, the system will not accept your new password. You still need to use the old password.

To list the file attributes on a Linux second extended file system, use the lsattr command (run as the root user):

# lsattr /etc/shadow
----i-------- /etc/shadow

Please note that even the root user is not allowed to change the password. You can remove the attribute using the following command (again, it must be run as the root user):

chattr -i /etc/shadow
lsattr /etc/shadow

Sample outputs:

------------- /etc/shadow

Securing mount points on a Linux

Want to write-protect an entire mount point so that no one, including the root user, can add or delete files? Try:

## secure partition mounted at /securebackup location ##
chattr +i -R /securebackup
lsattr -d /securebackup
lsattr -l /securebackup
cd /securebackup
## Try to add or delete something ##
echo "test" > foo.txt
mkdir foo
ls -l
rm SeaToolsDOS223ALL.ISO
## Remove it again ##
cd /
chattr -i -R /securebackup
lsattr -d /securebackup

Sample outputs:

Fig.01: How to make a file and mount point immutable on Linux to increase security

The -R option recursively changes the attributes of directories and their contents. This is useful to protect a web server DocumentRoot or any other publicly accessible directory over sftp/ftp.

Protecting important files

You can protect important files such as:

  • /etc/php.ini
  • /etc/passwd
  • /etc/shadow
  • /etc/group and more
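
Once several files are locked this way, it helps to be able to confirm which of them actually carry the flag. The script below is an added example, not part of the original article: it parses lsattr output and reports the watch-list files that are not confirmed immutable. The function names are hypothetical and the sample lsattr lines are constructed.

```shell
#!/bin/sh
# Added example: audit a watch list for the immutable (i) attribute from
# lsattr output. Function names are hypothetical, not from the article.

# Constructed sample in the 13-column lsattr format shown above;
# the last line imitates an lsattr error for a file that does not exist.
SAMPLE_LSATTR='----i-------- /etc/passwd
----i-------- /etc/shadow
------------- /etc/group
lsattr: No such file or directory while trying to stat /etc/php.ini'

# Read lsattr output on stdin; print "STATE path" for every line.
classify_lsattr() {
    while IFS= read -r line; do
        case $line in
            '') continue ;;
            # Error lines: flags unreadable; the path is the last word.
            lsattr:*) printf 'UNKNOWN %s\n' "${line##* }" ;;
            *)
                flags=${line%% *}   # first field: attribute string
                target=${line#* }   # remainder: path (may contain spaces)
                case $flags in
                    # Lowercase i only; uppercase I is a different attribute.
                    *i*) printf 'IMMUTABLE %s\n' "$target" ;;
                    *)   printf 'MUTABLE %s\n' "$target" ;;
                esac ;;
        esac
    done
}

# Print every path that is not confirmed immutable (MUTABLE or UNKNOWN).
not_immutable() {
    classify_lsattr | while read -r state target; do
        [ "$state" = IMMUTABLE ] || printf '%s\n' "$target"
    done
}

# Live use, as root: audit_live /etc/passwd /etc/shadow /etc/group /etc/php.ini
# 2>&1 folds lsattr error messages into the stream so they show up as UNKNOWN.
audit_live() {
    lsattr -d -- "$@" 2>&1 | not_immutable
}

# Demo on the constructed sample: prints /etc/group and /etc/php.ini.
printf '%s\n' "$SAMPLE_LSATTR" | not_immutable
```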

A note for FreeBSD or Apple OS X Unix-like users

Try the chflags command. This command modifies the file flags of the listed files as specified by the args including the user immutable flag.

To see all Linux second extended file system attributes, read the man pages by typing the following commands:

man chattr
man lsattr

13 comments… add one
  • Mr Surbade Apr 4, 2009 @ 16:48

    Works like a charm.

  • Philippe Petrinko Jun 3, 2010 @ 11:24

    Nice topic.

    2 Typos Here:
    “For rest of Linux second extended file system attributes read man chatter, man lsatter.”
    => … read man chattr, man lsattr

  • Bijohn Vincent Feb 20, 2012 @ 4:15

    What does the attribute ‘e’ stand for? I am using CentOS 6.
    [root@cfserver masterfiles]# lsattr /etc/passwd
    -------------e- /etc/passwd

    • Ben Mar 17, 2012 @ 15:07

      exactly what that means yet. I determined this by trying chattr -e ./somefile
      and it returned

      root@dell:~$ chattr -e somefile
      chattr: Clearing extent flag not supported on somefile

    • Curtis Feb 23, 2015 @ 16:27

      It uses extents in the _file system_ for allocation. One thing this article is missing explicitly is that lsattr and chattr are from e2fsprogs, aka your FILE SYSTEM, and only ext3/4.

      This is why if you run “man chattr” and read it, you’ll see that many of the flags are related to mount-options, block-options, and other FS-specific tools, which is very UNLIKE ls, chmod, chown, chgrp, etc.

  • Ben Mar 17, 2012 @ 15:09

    Not sure exactly what that means yet. I determined this by trying chattr -e ./somefile
    and it returned

    root@dell:~$ chattr -e somefile
    chattr: Clearing extent flag not supported on somefile

  • phila_guy Dec 22, 2012 @ 14:52

    Also useful for clearing the lost+found directory for files that can’t be deleted by root directly using rm or rm -rf. I had to recover a 1TB USB 3 disk with e2fsck using an alternate block after I accidentally tried to dd an 8 Mb .iso to the USB disk and not the USB thumbdrive I had meant for it to go. I was able to recover the disk but this left me with a file and a directory in lost+found that I could not delete that cron.daily kept warning me about. I used lsattr to list the attributes that the file and directory had and just used chattr -R to recursively wipe all the attributes for everything in lost+found. A simple rm -rf worked after that.

  • Old BSD guy Feb 6, 2013 @ 21:28

    What good is the immutable flag without securelevels?

  • Bob Sep 2, 2013 @ 17:30

    I have had a horrible problem with a hacker changing my .htaccess file to redirect my website to a site selling drugs. I have tried changing the permissions of 444, but that doesn’t seem to prevent the hack. I am now trying making the file immutable. I hope this does the trick.

  • Moneybags Nov 5, 2013 @ 23:13

    I’m sorry, what is the point of doing this on /etc/shadow?

  • CMac Feb 26, 2014 @ 19:24

    I can’t see any benefit to doing this, you should not play with things you don’t fully understand, lest you bork your system……

    • Curtis Feb 23, 2015 @ 16:23

      Say you want to place a file in a user’s home directory that you do not want the user to change. By default, a user owns his/her home directory and can seize ownership, change and delete files, etc. The traditional solution is to make the directory root-owned and then grant weird permissions to the user (sticky bit, etc) so they can still write, rename, etc.

      A much simpler solution is to just place the file, and as root, chattr +i /home/user/the_file and you are done. All of your hierarchy / inherited permissions still make perfect sense.

    • Jango Apr 19, 2016 @ 22:24

      Delete all shadow files and add on files to htaccess and reset system to default.
