How to set Immutable Sticky bit with Chattr command
Along with traditional file permissions (read, write, and execute for the owner, group, and others), Linux offers a set of attributes we can use to specify what users can do with a file. Attributes work on top of the standard file permissions. When we configure and use them, they override the default file permissions. For example, if the default file permission allows a user to delete a file while an attribute denies it, the user cannot delete it. The chattr command sets attributes. Only the owner and root user can set attributes.
Linux offers many attributes. However, most of them are experimental, unimplemented, or read-only. In addition, the underlying filesystem must support the corresponding attribute. Because of this, we cannot use all attributes on all filesystem types. The following table describes the attributes that are functional and supported by modern file systems such as ext4 and xfs.
| Attribute | Option | Description |
| Append only | a | Allow users to append the file contents while preventing them from deleting and modifying existing contents. |
| No dump | d | Stop the dump command from taking the backup. |
| Immutable | i | Block users from deleting and making changes to the file. |
The d (no dump) attribute sets an advisory flag. If the file system does not honour it, it has no meaning. The immutable (i) and append-only (a) attributes are the most commonly used. Administrators use these to make the system more resistant to tampering by hackers or hostile code. We will discuss both options in this tutorial. The following table lists the remaining attributes.
| Attribute | Supported file system | Description |
| A | XFS, Btrfs, ext3 | Do not update the last access time |
| a | XFS, Btrfs, ext3 | Allow writing only in the append mode |
| C | Btrfs | Disable copy-on-write updates |
| c | Btrfs | Compress contents |
| D | Btrfs, ext3 | Write directory updates simultaneously |
| j | ext3 | Keep a journal for data changes |
| S | XFS, Btrfs, ext3 | No buffering, write changes synchronously |
| X | Btrfs | Avoid data compression |
Viewing attributes
The lsattr command displays the file's attributes. It takes the file's name as an argument. It uses the following syntax.
#lsattr [file-name]
The output of this command displays all enabled attributes. By default, all attributes are disabled. The output uses a dash (-) to denote a disabled attribute.
Create a file and check its attributes.
#touch testfile
#lsattr testfile

Configuring attributes
The chattr command manages file attributes. It uses the following syntax.
#chattr +/- attribute [file name]
- The plus (+) sign enables the attribute.
- The minus (-) sign disables the attribute.
The append-only (a) attribute
If we enable this option, we can append the file contents, but cannot change the existing contents or delete the file. This attribute is mainly used with log files to ensure that logs always remain available without being accidentally overwritten or deleted. The following table lists the allowed and denied actions of this attribute.
| Allowed actions | Denied actions |
| Read | Edit |
| Append | Rename/Move |
| Copy | Delete |
| Soft link | Hard link |
Example
- Change umask permissions to 000.
- It grants all permissions to all user types.
- Create a file and check its default file permissions.
- With this umask, the new file grants read and write access to the owner, group, and others.
- With the default permissions, all users can access, edit, and delete the file.
#umask
#umask 000
#umask
#touch testfile
#ls -l

Previous parts of this tutorial explained the above steps.
This tutorial is part of the series "Linux file permission Explained with Examples". Other parts of this series are as follows:
Chapter 1 Linux File Permission Explained in Easy Language
Chapter 2 How to use chmod command in Linux Explained with Examples
Chapter 3 How to change default umask permission in Linux
Chapter 4 SUID, SGID, and Sticky Bit Explained
Chapter 5 How to set immutable bit with chattr command
By default, Linux does not enable any attributes. To verify this, check the attributes of the test file.
#lsattr testfile
Enable and verify the append-only attribute.
#chattr +a testfile
#lsattr testfile

Perform edit, update, delete, move, and hard link operations on the file. The system denies all these actions, even if the user has permissions. This verifies that attributes override the default file permissions.
#rm -rf testfile
#cat > testfile
#mv testfile testfile2
#ln testfile testfile2

Perform the following actions to verify the allowed actions.
- Append the file and read the added contents to verify the append and read actions.
- Copy the file and check the attributes of the copied file.
- The copied file does not receive the source file's attributes. We can manage it as a regular file. Delete the copied file to verify it.
- Create a soft link to the file. Verify and delete it.
#cat >> testfile
This text verifies the append operation.
Ctrl+D
#cat testfile
#cp testfile testfile2
#ls test*
#lsattr testfile2
#rm -rf testfile2
#ln -s testfile testfile3
#lsattr testfile3
#ls -l testfile3
#rm -rf testfile3
#ls test*

Remove and verify the append-only attribute.
To remove the append-only attribute, use the minus option with the attribute.
#chattr -a testfile
#lsattr testfile
After removing the attribute, we can manage it as a regular file. To verify this, delete the file.
#rm -rf testfile
The immutable (i) attribute
If we enable this option, we cannot edit, append, modify and delete the file. We can only read, copy, and create a soft link. Developers use this attribute to secure read-only critical configuration files from unauthorized modifications.
The following table lists the allowed and denied actions of this attribute.
| Allowed actions | Denied actions |
| Read | Edit |
| Copy | Append |
| Soft link | Rename/Move |
| | Delete |
| | Hard link |
Example
- Create a test file.
- Enable and verify the immutable attribute.
#touch testfile
#chattr +i testfile
#lsattr testfile

Perform edit, append, update, delete, move, and hard link operations on the file. The system denies all these actions.
#rm -rf testfile
#cat > testfile
#cat >> testfile
#mv testfile testfile2
#ln testfile testfile2

Perform the following actions to verify the allowed actions.
- Read the file contents to verify the read action.
- Copy the file and check the attributes of the copied file.
- The copied file does not receive the source file's attributes. We can manage it as a regular file. Delete the copied file to verify it.
- Create a soft link to the file. Verify and delete it.
#cat testfile
#cp testfile testfile2
#ls test*
#lsattr testfile2
#rm -rf testfile2
#ln -s testfile testfile3
#lsattr testfile3
#ls -l testfile3
#rm -rf testfile3
#ls test*

Remove and verify the immutable attribute.
#chattr -i testfile
#lsattr testfile
After removing the attribute, delete the file.
#rm -rf testfile
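The manual lsattr checks above can be scripted so that a missing append-only or immutable attribute is noticed. The following script is an added example, not part of the original tutorial: it parses lsattr output and reports every file that lacks the attribute a policy requires. The paths, the policy format, and the function names are assumptions, and the sample lsattr output is constructed.

```sh
#!/bin/sh
# Added example (not from the original tutorial): check lsattr output
# against a policy of attributes that must be enabled.

# Constructed sample in the format lsattr prints: flag field, space, path.
# A dash marks a disabled attribute; a letter marks an enabled one.
SAMPLE_LSATTR='-----a--------e------- /var/log/app/audit.log
----i---------e------- /etc/app/app.conf
--------------e------- /etc/app/secrets.conf'

# Hypothetical policy format: "<required attribute letter> <path>" per line.
SAMPLE_POLICY='a /var/log/app/audit.log
i /etc/app/app.conf
i /etc/app/secrets.conf
i /etc/app/missing.conf'

# flags_for PATH LSATTR_TEXT -> prints the flag field for PATH, or nothing.
flags_for() {
    printf '%s\n' "$2" | while read -r flags path; do
        if [ "$path" = "$1" ]; then printf '%s\n' "$flags"; break; fi
    done
}

# audit_attrs POLICY_TEXT LSATTR_TEXT -> prints one line per policy violation.
audit_attrs() {
    printf '%s\n' "$1" | while read -r want path; do
        [ -n "$path" ] || continue          # skip blank policy lines
        flags=$(flags_for "$path" "$2")
        case "$flags" in
            '')        printf 'NOT-LISTED %s\n' "$path" ;;  # no lsattr line
            *"$want"*) ;;                   # required attribute is enabled
            *)         printf 'MISSING +%s %s\n' "$want" "$path" ;;
        esac
    done
}

# On a live system, feed real data instead of the samples, for example:
#   audit_attrs "$(cat policy.txt)" "$(lsattr /etc/app/* /var/log/app/* 2>/dev/null)"
audit_attrs "$SAMPLE_POLICY" "$SAMPLE_LSATTR"
```

A file reported as MISSING can be corrected with chattr and the plus sign, as shown in the examples above.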

Conclusion
Attributes enhance file permissions. They add extra layers of security. Linux offers many attributes. However, only two of them are commonly used. These are append-only and immutable. This tutorial explained both attributes through various examples.
By ComputerNetworkingNotes Updated on 2025-12-22