5 ‘chattr’ Commands to Make Important Files IMMUTABLE (Unchangeable) in Linux

chattr (Change Attribute) is a command line Linux utility that is used to set/unset certain attributes to a file in Linux system to secure accidental deletion or modification of important files and folders, even though you are logged in as a root user.

In Linux native filesystems i.e. ext2, ext3, ext4, btrfs, etc. supports all the flags, though all the flags won’t support to all non-native FS. One cannot delete or modify file/folder once attributes are sets with chattr command, even though one have full permissions on it.

chattr command examples

5 chattr command examples

This is very useful to set attributes in system files like passwd and shadow files wherein user’s info are contains.

Syntax of chattr
# chattr [operator] [flags] [filename]
Attributes and Flags

Following are the list of common attributes and associated flags can be set/unset using the chattr command.

  1. If a file is accessed with ‘A‘ attribute set, its atime record is not updated.
  2. If a file is modified with ‘S‘ attribute set, the changes are updates synchronously on the disk.
  3. A file is set with ‘a‘ attribute, can only be open in append mode for writing.
  4. A file is set with ‘i‘ attribute, cannot be modified (immutable). Means no renaming, no symbolic link creation, no execution, no writable, only superuser can unset the attribute.
  5. A file with the ‘j‘ attribute is set, all of its information updated to the ext3 journal before being updated to the file itself.
  6. A file is set with ‘t‘ attribute, no tail-merging.
  7. A file with the attribute ‘d‘, will no more candidate for backup when the dump process is run.
  8. When a file has ‘u‘ attribute is deleted, its data are saved. This enables the user to ask for its undeletion.
Operator
  1. + : Adds the attribute to the existing attribute of the files.
  2. : Removes the attribute to the existing attribute of the files.
  3. = : Keep the existing attributes that the files have.

Here, we are going to demonstrate some of the chattr command examples to set/unset attributes to a file and folders.

1. How to add attributes on files to secure from deletion

For demonstration purpose, we’ve used folder demo and file important_file.conf respectively. Before setting up attributes, make sure to verify that the existing files have any attributes set using ‘ls -l‘ command. Did you see the results, currently no attribute are set.

[[email protected] tecmint]# ls -l
total 0
drwxr-xr-x. 2 root root 6 Aug 31 18:02 demo
-rwxrwxrwx. 1 root root 0 Aug 31 17:42 important_file.conf

To set attribute, we use the + sign and to unset use the sign with the chattr command. So, let’s set immutable bit on the files with +i flags to prevent anyone from deleting a file, even a root user don’t have permission to delete it.

[[email protected] tecmint]# chattr +i demo/
[[email protected] tecmint]# chattr +i important_file.conf

Note: The immutable bit +i can only be set by superuser (i.e root) user or a user with sudo privileges can able to set.

After setting immutable bit, let’s verify the attribute with command ‘lsattr‘.

[[email protected] tecmint]# lsattr
----i----------- ./demo
----i----------- ./important_file.conf

Now, tried to delete forcefully, rename or change the permissions, but it won’t allowed says “Operation not permitted“.

[[email protected] tecmint]# rm -rf demo/
rm: cannot remove âdemo/â: Operation not permitted
[[email protected] tecmint]# mv demo/ demo_alter
mv: cannot move âdemo/â to âdemo_alterâ: Operation not permitted
[[email protected] tecmint]# chmod 755 important_file.conf
chmod: changing permissions of âimportant_file.confâ: Operation not permitted

2. How to unset attribute on Files

In the above example, we’ve seen how to set attribute to secure and prevent files from a accidental deletion, here in this example, we will see how to reset (unset attribute) permissions and allows to make a files changeable or alterable using -i flag.

[[email protected] tecmint]# chattr -i demo/ important_file.conf

After resetting permissions, verify the immutable status of files using ‘lsattr‘ command.

[[email protected] tecmint]# lsattr
---------------- ./demo
---------------- ./important_file.conf

You see in the above results that the ‘-i‘ flag removed, that means you can safely remove all the file and folder reside in tecmint folder.

[[email protected] tecmint]# rm -rf *

[[email protected] tecmint]# ls -l
total 0

3. How to Secure /etc/passwd and /etc/shadow files

Setting immutable attribute on files /etc/passwd or /etc/shadow, makes them secure from an accidental removal or tamper and also it will disable user account creation.

[[email protected] tecmint]# chattr +i /etc/passwd
[[email protected] tecmint]# chattr +i /etc/shadow

Now try to create a new system user, you will get error message saying ‘cannot open /etc/passwd‘.

[[email protected] tecmint]# useradd tecmint
useradd: cannot open /etc/passwd

This way you can set immutable permissions on your important files or system configuration files to prevent from deletion.

4. Append data without Modifying existing data on a File

Suppose, you only want to allow everyone to just append data on a file without changing or modifying already entered data, you can use the ‘a‘ attribute as follows.

[[email protected] tecmint]# chattr +a example.txt

[[email protected] tecmint]# lsattr example.txt
-----a---------- example.txt

After setting append mode, the file can be opened for writing data in append mode only. You can unset the append attribute as follows.

[[email protected] tecmint]# chattr -a example.txt

Now try to replace already existing content on a file example.txt, you will get error saying ‘Operation not permitted‘.

[[email protected] tecmint]# echo "replace contain on file." > example.txt
-bash: example.txt: Operation not permitted

Now try to append new content on a existing file example.txt and verify it.

[[email protected] tecmint]# echo "replace contain on file." >> example.txt
[[email protected] tecmint]# cat example.txt
Here is the example to test 'a' attribute mean append only.
replace contain on file.

5. How to Secure Directories

To secure entire directory and its files, we use ‘-R‘ (recursively) switch with ‘+i‘ flag along with full path of the folder.

[[email protected] tecmint]# chattr -R +i myfolder

After setting recursively attribute, try to delete the folder and its files.

[[email protected] tecmint]# rm -rf myfolder/
rm: cannot remove 'myfolder/': Operation not permitted

To unset permission, we use same ‘-R’ (recursively) switch with ‘-i’ flag along with full path of the folder.

[[email protected] tecmint]# chattr -R -i myfolder

That’s it! To know more about chattr command attributes, flags and options use the man pages.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Narad Shrestha

He has over 10 years of rich IT experience which includes various Linux Distros, FOSS and Networking. Narad always believes sharing IT knowledge with others and adopts new technology with ease.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

12 Responses

  1. Rahul says:

    I have one file in my server with below permissions:

    # lsattr -a syshub
    
    ----i--------e-- syshub
    

    How can I delete this?

  2. Robin says:

    Thank you for the excellent summary and examples!

    There is one point I have a further question about:

    Your elaboration on the “i” attribute says “no execution”

    I could not find this mentioned in the man pages at https://linux.die.net/man/1/chattr

    Also, I tried to run an immutable (albeit executable) script on my Linux workstation, and it works just fine.

    Is it different on your system?

    I believe executable files would still be executable, even if set immutable, do you agree?

    • Bred Floggs says:

      Also wrong about creating symlinks. I’ve not checked every bit of info, but he frankly doesn’t knwo what he’s talking about

      • Bred Floggs says:

        Also: Don’t add attributes to passwd or shadow – this is a bad idea. It adds nothing to security – in fact, by preventing users from changing their passwords, it actively reduces security. Interesting that one small article can get so much wrong.

  3. ganesh says:

    Can anyone please explain me about -e options in chattr.
    I am seeing like this
    ——————–e– for the file.

    • Shashank says:

      It indicates that the file is using extents for mapping the blocks on disk. Extents is file system dependent. You’re most likely using ext4. It may not be removed using chattr. To know more about extent, see the wikipedia page for extent(filesystem)

  4. Noob says:

    I love Tecmint. Always great information. Thanks guys.

  5. Naagabaabu says:

    Thanks for you information on chattr command. There is one small modification in 4th point. You need to change the placements of the command..

    chattr +a filename and example to add data

    chattr -a filename and example to add data

  6. Nishant says:

    Thank you for pointing this out. I needed chattr -ai to fix a directory that was mute. Appreciate it.

  7. Kyle H says:

    If you chattr +i /etc/shadow, users can’t change their passwords either.

  8. Vinodh says:

    Thanks for the posting Narad :)

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.