What is an immutable attribute on a Linux?
A file with an immutable attribute can not be:
- Modified
- Deleted
- Renamed
- No soft or hard link created by anyone including root user.
Only the root (superuser) or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Use the lsattr command to list file attributes on a Linux second extended file system that you set with the chattr command.
How to make a file immutable on Linux
First, you need to login as root user. Only root user can set and remove immutable flag on a file. The syntax is:
chattr +i file chattr +i /path/to/filename |
Type the following command to write protect /etc/shadow file on a Linux:
# chattr +i /etc/shadow
Now, login as the normal user (say vivek) and type the passwd command to change password:
$ passwd
Changing password for user vivek. Changing password for vivek (current) UNIX password: OLDPASSWED New password: NEWPASSWD Retype new password:NEWPASSWD passwd: all authentication tokens updated successfully.
Logout and try to login with the new password. However, system will not accept your new password. You still need to use the old password.
To get the list of Linux second extended file system using the lsatter command (run as the root user ):
# lsattr /etc/shadow
----i-------- /etc/shadow
Please note that even root user is not allowed to change the password. You can remove the attribute using the following command (again must be run as the root user):
chattr -i /etc/shadow lsattr /etc/shadow |
Sample outputs:
------------- /etc/shadow
Securing mount points on a Linux
Want to write protect the entire mount point so that no one can add or delete files including root user? Try:
# secure partition mounted at /securebackup location ## chattr +i -R /securebackup lsattr -d /securebackup lsattr -l /securebackup cd /securebackup ## Try to add or delete something ## echo "test" > foo.txt mkdir foo ls -l rm SeaToolsDOS223ALL.ISO ## Remove it again ## cd / chattr -i -R /securebackup lsattr -d /securebackup |
Sample outputs:
The -R option recursively change attributes of directories and their contents. This is useful to protect web server DocumentRoot or other publicly accessible directory over sftp/ftp.
Protecting important files
You can protect important files such as:
- /etc/php.ini
- /etc/passwd
- /etc/shadow
- /etc/group and more
A note about FreeBSD or Apple OS X Unix-like users
Try the chflags command. This command modifies the file flags of the listed files as specified by the args including the user immutable flag.
To see all Linux second extended file system attributes read the man page by typing the following command:
chattr(1) lsattr(1)
13 comment
Works like a charm.
Nice topic.
2 Typos Here:
“For rest of Linux second extended file system attributes read man chatter, man lsatter.”
=> … read man chattr, man lsattr
What does the attribute ‘e’ stands for? I am using centOS 6.
[[email protected] masterfiles]# lsattr /etc/passwd
————-e- /etc/passwd
extent.
exactly what that means yet. i determined this by trying chattr -e ./somefile
and it returned
”
“
It uses extents in the _file system_ for allocation. One thing this article missing explicityly is that lsattr and chattr are from e2fsprogs, aka your FILE SYSTEM, and only ext3/4.
This is why if you run “man chattr” and read it, you’ll see that many of the flags are related to mount-options, block-options, and other FS-specific tools, which is very UNLIKE ls, chmod, chown, chgrp, etc.
extent.
Not sure exactly what that means yet. i determined this by trying chattr -e ./somefile
and it returned
Also useful for clearing the lost+found directory for files that can’t be deleted by root directly using rm or rm -rf. I had to recover a 1TB USB 3 disk with e2fsck using an alternate block after I accidentally tried to dd an 8 Mb .iso to the USB disk and not the USB thumbdrive I had meant for it to go. I was able to recover the disk but this left me with a file and a directory in lost+found that I could not delete that cron.daily kept warning me about. I used lsattr to list the attributes that the file and directory had and just used chattr -R to recursively wipe all the attributes for everything in lost+found. A simple rm -rf worked after that.
What good is the immutable flag without securelevels?
I have had a horrible problem with a hacker changing my .htaccess file to redirect my website to a site selling drugs. I have tried changing the permissions of 444, but that doesn’t seem to prevent the hack. I am now trying making the file immutable. I hope this does the trick.
I’m sorry, what is the point of doing this on /etc/shadow?
I cant see any benefit to doing this, you should not play with things you dont fully understand, lest you bork your system……
Say you want to place a file in a user’s home directory that you do not want the user to change. By default, a user owns his/her home directory and can seize ownership, change and deletes files, etc. The traditional solution is to make the directory root-owned and then grant weird permissions to the user (sticky bit, etc) so they can still write, rename, etc.
A much simpler solution is to just place the file, and as root, chattr +i /home/user/the_file and you are done. All of your hierarchy / inherited permissions still make perfect sense.
Delete all shadow files and add on files to htacess and reset system to default.