Working with files in Linux - File Attributes

By: Luke Rawlins Feb 21, 2017 | 4 minutes read
Share this:

Tags: file permissions, filesystem, Linux, permissions

In the previous two posts, we’ve looked at file permissions and access control lists.

Today let’s take look at file attributes. Whereas, permissions and ACL’s deal with user and group access to a file, attributes are properties of a file that regulate how the operating system interacts with a given file.

There are 15 file attributes: append only (a), no atime updates (A), compressed (c), no copy on write (C), no dump (d), synchronous directory updates (D), extent format (e), immutable (i), data journalling (j), project hierarchy (P), secure deletion (s), synchronous updates (S), no tail-merging (t), top of directory hierarchy (T), and undeletable (u).

Even though there are 15 attributes it’s been my experience that (i) immutable, and (a) append only attributes seem to be the only ones that work consistently across filesystems. If you are using an ext2, ext3, or ext4 filesystem then c,s, and u will not be honored by your filesystems. The secure delete (s), and undeletable (u) attributes would definitely be a nice-to-have feature in the future. If you are using btrfs (likely on a SUSE or OpenSUSE based system) then (c) compression will be respected along with a few others (feel free to experiment).

The only attribute flag that I want to look at today is (i) immutable. The reason I have singled this attribute out is to demonstrate the power you have with this flag, and because it’s the only one I use on any regular basis.

List attributes with lsattr

Let’s make a file and add some content to it:

[email protected]:~/Documents> touch file1
[email protected]:~/Documents> echo "Some awesome file content" >> file1
[email protected]:~/Documents> cat file1
Some awesome file content
[email protected]:~/Documents>

What attributes does this file have upon creation?

[email protected]:~/Documents> lsattr file1
------------------- file1
[email protected]:~/Documents>

You will notice that newly created files have no attributes (at least if you are using OpenSUSE with btrfs like I am).

If you are using Ubuntu you will very likely see the “e” flag which means that your file system is using extents for mapping the file to disk.

What does it mean to make a file “immutable”?

Immutable means that the file cannot be changed in any way. You can’t delete it, you can’t add new data, or remove old data, or even change its name. When you add the (i) attribute you have chiseled the file into stone. Not even root can change a file that has been marked immutable (at least not without removing the flag first).

Attribute flags can be added and removed with sudo using the chattr command with +/- and the attribute.

sudo chattr +i file1

Now try to add another line to this file.

[email protected]:~/Documents> echo "Even more awesome content" >> file1
bash: file1: Operation not permitted
[email protected]:~/Documents>

What about as root? Still not permitted right?

Can you delete it?

[email protected]:~/Documents> rm file1
rm: cannot remove 'file1': Operation not permitted
[email protected]:~/Documents> sudo rm file1
rm: cannot remove 'file1': Operation not permitted
[email protected]:~/Documents>

Notice the message output “Operation not permitted” even when using sudo.

Our POSIX permissions have not changed if you check:

[email protected]:~/Documents> ls -l file1
-rw-r--r-- 1 luke users 26 Feb 21 10:49 file1

You can see that my user should have read and write access to this file. The file attribute tells the filesystem that the contents of this file are frozen and cannot change.

Remove the immutable flag by replacing +i with -i:

[email protected]:~/Documents> sudo chattr -i file1e

I see using these attributes as only a single layer to defend files that I want to protect against accidental deletion or to prevent them from being altered.

For example, I use a media server called Plex to stream photos and movies to other devices in my home. I use the immutable flag to prevent files from being accidentally deleted or maliciously deleted in the event that the wrong person was to gain access to my Plex server.

File attributes should be seen as a way to further layer your file access scheme, and not as a replacement for best practices.

Related Posts


Working with Linux Files - Access Control Lists

In the last post, we looked at basic file permissions. The ideas covered in that post are probably enough to get you through a large portion of the real world scenario’s that you will encounter. There are some special cases, however. One of them being access control lists (ACL) which I will discuss in this post. Access Control List - ACL As we saw in part 1 every file on a Linux system has an owner and a group associated with it, each of which has separate permissions. Read more

Working with files in Linux - Permissions

Over the next few posts I’ll be covering three basic elements of files in Linux: Permissions ACL’s (Access Control Lists) File Attributes The ls command Every file in Linux has three primary permissions settings (read, write, execute) that apply to three elements (owner, group, others). File permissions can be viewed on the command line using the “ls” command. [[email protected] stuff]$ ls -l total 0 -rwxrw-r-x 1 luke admins 0 Jun 21 19:44 file1 Looking at the output from ls -l, from left to right we can break the output into several groups as shown below. Read more

School District finds cost savings and flexibility with Linux

Being a big proponent of Linux on the desktop I was excited to have the opportunity to talk with Aaron Prisk of the West Branch Area School District, who has recently helped migrate 80% of the school district’s infrastructure to Linux. When I first heard about the district’s move to Linux I wanted to find out as much as I could about his experiences during and after the migration. This is a great story about how Linux can be used by people of all ages and technical skill while still providing a low cost and secure platform for everyday operations. Read more


Contact

If you’d like to get in touch, contact with me via email - or follow on Twitter.

[email protected]