Files and Attributes: chattr

By Juliet Kemp (Send Email)
Posted Mar 23, 2009


Juliet Kemp
chattr allows you to change some of the attributes of files in ext2 and ext3 Linux filesystems. Here's a couple of useful options. The syntax is
Tip of the Trade: Don't just talk about it. Change some of the attributes of files in ext2 and ext3 Linux filesystems with chattr.
chattr +option filename
and options can be reversed with -option.
  • +i: Makes a file immutable: even root can't alter it. This is useful to protect against accidentally altering particularly important files.
  • +a: Sets files such that they can only be appended to, not overwritten. If you set this for your logfiles, if an attacker gets access to the machine, they can't rewrite the logs to hide the breakin. Two things to bear in mind:
    1. An attacker with full root access could simply use the -a flag to remove this protection. Look into the lcap utility to remove the capability to make this change from the kernel (after which it will take a reboot to restore it).
    2. Setting this attribute will break log rotation. It's a tradeoff between that slight inconvenience and the advantages of much better audit.
  • -S (note capitalization): The file equivalent of setting mount -o sync for a directory. Instead of holding the data in a buffer and writing to disk asynchronously (which improves performance but slightly increases the risk of data corruption), the write happens immediately when the change is made. On a per-file basis the performance hit is minor, so this may be useful, again, for particularly important files.

The -R flag will set these attributes recursively (chattr -R +i /directory). You can also see the attributes set for a particular file by using lsattr filename.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.