Linux Password Trick With Immutable Bit Using chattr Command

You can make a file immutable on Linux with the help of utility called chattr. One can changes the file attributes on a Linux second extended file system. The operator + causes the selected attributes to be added to the existing attributes of the files; - causes them to be removed; and = causes them to be the only attributes that the files have.

What is an immutable attribute on a Linux?

A file with an immutable attribute can not be:

Modified
Deleted
Renamed
No soft or hard link created by anyone including root user.

Only the root (superuser) or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Use the lsattr command to list file attributes on a Linux second extended file system that you set with the chattr command.

How to make a file immutable on Linux

First, you need to login as root user. Only root user can set and remove immutable flag on a file. The syntax is:

chattr +i file
chattr +i /path/to/filename

Type the following command to write protect /etc/shadow file on a Linux:
# chattr +i /etc/shadow

Now, login as the normal user (say vivek) and type the passwd command to change password:

$ passwd

Changing password for user vivek.
Changing password for vivek
(current) UNIX password: OLDPASSWED
New password: NEWPASSWD
Retype new password:NEWPASSWD
passwd: all authentication tokens updated successfully.

Logout and try to login with the new password. However, system will not accept your new password. You still need to use the old password.

To get the list of Linux second extended file system using the lsatter command (run as the root user ):

# lsattr /etc/shadow

----i-------- /etc/shadow

Please note that even root user is not allowed to change the password. You can remove the attribute using the following command (again must be run as the root user):

chattr -i /etc/shadow
lsattr /etc/shadow

Sample outputs:

------------- /etc/shadow

Securing mount points on a Linux

Want to write protect the entire mount point so that no one can add or delete files including root user? Try:

# secure partition mounted at /securebackup location ##
chattr +i -R /securebackup
lsattr -d /securebackup
lsattr -l /securebackup
cd /securebackup
## Try to add or delete something ##
echo "test" > foo.txt
mkdir foo
ls -l
rm SeaToolsDOS223ALL.ISO
 
## Remove it again ##
cd /
chattr -i -R /securebackup
lsattr -d /securebackup

Sample outputs:

Fig.01: How to make a file and mount point immutable on Linux to increase security

The -R option recursively change attributes of directories and their contents. This is useful to protect web server DocumentRoot or other publicly accessible directory over sftp/ftp.

Protecting important files

You can protect important files such as:

/etc/php.ini
/etc/passwd
/etc/shadow
/etc/group and more

A note about FreeBSD or Apple OS X Unix-like users

Try the chflags command. This command modifies the file flags of the listed files as specified by the args including the user immutable flag.

To see all Linux second extended file system attributes read the man page by typing the following command:

chattr(1)
lsattr(1)

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

13 comment

Works like a charm.

Nice topic.

2 Typos Here:
“For rest of Linux second extended file system attributes read man chatter, man lsatter.”
=> … read man chattr, man lsattr

What does the attribute ‘e’ stands for? I am using centOS 6.
[root@cfserver masterfiles]# lsattr /etc/passwd
————-e- /etc/passwd

Ben says:
March 17, 2012 at 3:07 pm
extent.
exactly what that means yet. i determined this by trying chattr -e ./somefile
and it returned
”
root@dell:~$ chattr -e somefile
chattr: Clearing extent flag not supported on somefile
“
Curtis says:
February 23, 2015 at 4:27 pm
It uses extents in the _file system_ for allocation. One thing this article missing explicityly is that lsattr and chattr are from e2fsprogs, aka your FILE SYSTEM, and only ext3/4.
This is why if you run “man chattr” and read it, you’ll see that many of the flags are related to mount-options, block-options, and other FS-specific tools, which is very UNLIKE ls, chmod, chown, chgrp, etc.

extent.
Not sure exactly what that means yet. i determined this by trying chattr -e ./somefile
and it returned

root@dell:~$ chattr -e somefile
chattr: Clearing extent flag not supported on somefile

Also useful for clearing the lost+found directory for files that can’t be deleted by root directly using rm or rm -rf. I had to recover a 1TB USB 3 disk with e2fsck using an alternate block after I accidentally tried to dd an 8 Mb .iso to the USB disk and not the USB thumbdrive I had meant for it to go. I was able to recover the disk but this left me with a file and a directory in lost+found that I could not delete that cron.daily kept warning me about. I used lsattr to list the attributes that the file and directory had and just used chattr -R to recursively wipe all the attributes for everything in lost+found. A simple rm -rf worked after that.

What good is the immutable flag without securelevels?

I have had a horrible problem with a hacker changing my .htaccess file to redirect my website to a site selling drugs. I have tried changing the permissions of 444, but that doesn’t seem to prevent the hack. I am now trying making the file immutable. I hope this does the trick.

I’m sorry, what is the point of doing this on /etc/shadow?

I cant see any benefit to doing this, you should not play with things you dont fully understand, lest you bork your system……

Curtis says:
February 23, 2015 at 4:23 pm
Say you want to place a file in a user’s home directory that you do not want the user to change. By default, a user owns his/her home directory and can seize ownership, change and deletes files, etc. The traditional solution is to make the directory root-owned and then grant weird permissions to the user (sticky bit, etc) so they can still write, rename, etc.
A much simpler solution is to just place the file, and as root, chattr +i /home/user/the_file and you are done. All of your hierarchy / inherited permissions still make perfect sense.
Jango says:
April 19, 2016 at 10:24 pm
Delete all shadow files and add on files to htacess and reset system to default.

Mr Surbade says:
April 4, 2009 at 4:48 pm
Works like a charm.
Philippe Petrinko says:
June 3, 2010 at 11:24 am
Nice topic.
2 Typos Here:
“For rest of Linux second extended file system attributes read man chatter, man lsatter.”
=> … read man chattr, man lsattr
Bijohn Vincent says:
February 20, 2012 at 4:15 am
What does the attribute ‘e’ stands for? I am using centOS 6.
[root@cfserver masterfiles]# lsattr /etc/passwd
————-e- /etc/passwd
1. Ben says:
  March 17, 2012 at 3:07 pm
  extent.
  exactly what that means yet. i determined this by trying chattr -e ./somefile
  and it returned
  ”
  root@dell:~$ chattr -e somefile
  chattr: Clearing extent flag not supported on somefile
  “
2. Curtis says:
  February 23, 2015 at 4:27 pm
  It uses extents in the _file system_ for allocation. One thing this article missing explicityly is that lsattr and chattr are from e2fsprogs, aka your FILE SYSTEM, and only ext3/4.
  This is why if you run “man chattr” and read it, you’ll see that many of the flags are related to mount-options, block-options, and other FS-specific tools, which is very UNLIKE ls, chmod, chown, chgrp, etc.
Ben says:
March 17, 2012 at 3:09 pm
extent.
Not sure exactly what that means yet. i determined this by trying chattr -e ./somefile
and it returned
root@dell:~$ chattr -e somefile
chattr: Clearing extent flag not supported on somefile
phila_guy says:
December 22, 2012 at 2:52 pm
Also useful for clearing the lost+found directory for files that can’t be deleted by root directly using rm or rm -rf. I had to recover a 1TB USB 3 disk with e2fsck using an alternate block after I accidentally tried to dd an 8 Mb .iso to the USB disk and not the USB thumbdrive I had meant for it to go. I was able to recover the disk but this left me with a file and a directory in lost+found that I could not delete that cron.daily kept warning me about. I used lsattr to list the attributes that the file and directory had and just used chattr -R to recursively wipe all the attributes for everything in lost+found. A simple rm -rf worked after that.
Old BSD guy says:
February 6, 2013 at 9:28 pm
What good is the immutable flag without securelevels?
Bob says:
September 2, 2013 at 5:30 pm
I have had a horrible problem with a hacker changing my .htaccess file to redirect my website to a site selling drugs. I have tried changing the permissions of 444, but that doesn’t seem to prevent the hack. I am now trying making the file immutable. I hope this does the trick.
Moneybags says:
November 5, 2013 at 11:13 pm
I’m sorry, what is the point of doing this on /etc/shadow?
CMac says:
February 26, 2014 at 7:24 pm
I cant see any benefit to doing this, you should not play with things you dont fully understand, lest you bork your system……
1. Curtis says:
  February 23, 2015 at 4:23 pm
  Say you want to place a file in a user’s home directory that you do not want the user to change. By default, a user owns his/her home directory and can seize ownership, change and deletes files, etc. The traditional solution is to make the directory root-owned and then grant weird permissions to the user (sticky bit, etc) so they can still write, rename, etc.
  A much simpler solution is to just place the file, and as root, chattr +i /home/user/the_file and you are done. All of your hierarchy / inherited permissions still make perfect sense.
2. Jango says:
  April 19, 2016 at 10:24 pm
  Delete all shadow files and add on files to htacess and reset system to default.

Have a question? Post it on our forum!

Adblock detected 😱