RHCE Study Guide

This tutorial explains how to set and manage the immutable or sticky bit in Linux step by step with examples, including the chattr command and the lsattr command.

Since Linux is a multiuser networking operating system where several users access files or directories simultaneously, there is always a chance of critical files or directories being deleted accidentally or intentionally. The chattr command provides a better way to deal with this situation. The chattr command sets attributes on critical files or directories. Once attributes are set, access will be granted based on the attributes instead of the file's or directory's actual permissions.

As we have already learned from previous parts of this tutorial, every file or directory has three types of permission (read, write and execute) for three types of user (owner, group and other). If no attributes are set, access will be granted based on this permission set, but if attributes are set, this permission set will be overridden while processing the access request. In this tutorial we will learn the types of attribute and the way they are set on files or directories in detail with examples.

This tutorial is the last part of our article “Learn how to manage file permission in Linux step by step with examples”. You can read other parts of this article here.

Linux file permission explained in easy language

This tutorial is the first part of this article. It explains how to read the Linux file permission step by step with examples.

Chmod command in linux explained with example

This tutorial is the second part of this article. It explains how to set and manage file attributes and permission with chmod command in Linux from both symbolic and octal methods.

How to change default umask permission

This tutorial is the third part of this article. It explains how to change the default umask permission temporarily and permanently.

Chattr Command Attributes; append and immutable

The chattr command supports several attributes; most of them are less significant and rarely used in file system management. For the initial stage only two attributes are important: append and immutable.

Before we understand the append and immutable attributes in detail, let's have a quick look at the two commands that are used to manage and list the attributes.

chattr command

This command is used to set or unset the attributes. It uses the following syntax.

#chattr [operator] [attribute flag] [filename]

In above command,

chattr: - This is the main command.

Operator: - There are three operators; + (add), - (remove) and = (keep). The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files; ‘-’ causes them to be removed; and ‘=’ causes them to be the only attributes that the files have.

attribute flag: - This is the attribute which we want to update.

filename: - This is the name of the file whose attribute we want to change.

lsattr command

This command is used to list the attributes of a file or directory. It uses the following syntax.

#lsattr [File or directory]

In above command,

lsattr:- This is the main command.

[File or directory]:- The name of the file or directory whose attributes we want to list.

Now that we know both of the commands used for managing and listing attributes, let's go through some practical examples to understand attributes in detail.

How to set / unset / list a (append) attribute (Practical Example)

The append (a) attribute is used to control file operations. If this attribute is set, the file can only be appended to. Regardless of how many permissions a user has, they cannot perform any other file operation (such as move, edit or delete) except the append operation.

To understand it practically, let’s create a directory /demo and a test file test-file under this directory.

[Screenshot: make directory in linux]

The /demo directory will be used to explain and perform all examples used in this tutorial. If you are following this tutorial on your own system, you should consider deleting this directory once you are finished with all exercises. This way, you can understand this concept without changing anything in the existing file system.

Before we assign any attribute to this file, let’s check the default owner and attributes.

[Screenshot: lsattr command]

As we can see in the above output, root is the owner and no attribute is set so far. Let's add the a (append) attribute to this file and verify again that the attribute has been added successfully.

[Screenshot: chattr append attribute]

As the above output shows, the a (append) attribute has been set successfully. Now all classical file permissions will be overruled by the append attribute. Regardless of how many permissions a user has, they will be able to perform only the file operations allowed by the append attribute. To see it in action, let's perform all regular file operations one by one.

Delete operation

[Screenshot: chattr linux example]

Edit operation

[Screenshot: linux chattr example]

Move or Rename operation

[Screenshot: linux append attribute example]

Hard link operation

[Screenshot: chattr command example]

Append operation

[Screenshot: linux chattr command example]

Read operation

[Screenshot: chattr linux command example]

Copy operation

[Screenshot: chattr a flag example]

Soft link operation

[Screenshot: chattr soft link example]

The following table summarizes the test results from the above outputs.

Allowed File Operation    Denied File Operation
Read                      Edit
Append                    Rename or Move
Copy                      Delete
Soft link                 Hard link

In the copy and soft link operations, attributes are not inherited from the source file.

[Screenshot: lsattr command]

As we can see in the above output, the append attribute is not copied along with the content of the file. Since the destination files are not protected with the append attribute, they can be deleted as normal files.

[Screenshot: chattr flag]

How to remove a (append) attribute

To remove an attribute, the following command is used.

#chattr -[attribute] [file name]

The following figure illustrates the example of removing the append attribute.

[Screenshot: remove a flag chattr command]

Once the attribute is removed, the file can be deleted as a regular file.

[Screenshot: remove a flag chattr example]

How to set / unset / list i (immutable) attribute (Practical Example)

The immutable attribute can be managed in the same way as we managed the append attribute. Let's create another file named dummy-file in the directory /demo and set the immutable attribute on it.

[Screenshot: chattr set i flag]

Let's perform all regular file operations again to see which actions are permitted while the immutable bit is set on the file.

Delete operation

[Screenshot: chattr i flag testing]

Edit operation

[Screenshot: immutable flag example linux]

Append operation

[Screenshot: i flag append testing]

Move/rename operation

[Screenshot: immutable bit testing linux]

Hard link operation

[Screenshot: linux chattr i flag testing]

Read operation

[Screenshot: i attribute read testing]

Copy operation

[Screenshot: chattr i flag copy testing]

Soft link operation

[Screenshot: linux i flag chattr command testing]

The following table summarizes the test results from the above outputs.

Allowed File Operation    Denied File Operation
Read                      Edit
Copy                      Rename or Move
Soft link                 Delete
                          Hard link
                          Append

As we know, a copied or soft-linked file does not inherit any attribute from its source; it can be removed as a regular file.

[Screenshot: lsattr command]

How to delete a file secured with i (immutable) attribute

To delete a file secured with the immutable bit, we first have to remove the immutable flag (attribute). Once the attribute is removed, the file can be deleted as a regular file.

[Screenshot: remove i flag]
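The allowed/denied tests from the append section and the immutable section above, reproduced as one script so the two tables can be regenerated on a live system. This is an added example written for this page, not the tutorial's own commands or screenshots. It assumes it is run as root on a filesystem that supports chattr (ext4 or xfs), it uses the tutorial's /demo directory by default, and the function names lsattr_flags, try_op and probe_attribute are its own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): run the tutorial's file
# operations against a file that carries the a or i attribute and report
# each one as allowed or denied. Assumes root on ext4/xfs; the scratch
# directory defaults to the tutorial's /demo.

# Extract the set flag letters from one line of lsattr output, e.g.
# "----i---------e------- /demo/dummy-file" -> "ie".
lsattr_flags() {
    printf '%s\n' "${1%% *}" | tr -d '-'
}

# Run one operation and report it in the terms the tutorial's tables use.
# $1 = label, remaining args = command to try. Error output is silenced;
# the exit status alone decides the verdict.
try_op() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        printf '%-16s allowed\n' "$label"
    else
        printf '%-16s denied\n' "$label"
    fi
}

# Exercise every operation from the tutorial against file $1 after setting
# attribute $2 ("a" or "i") on it, then clear the attribute and clean up.
probe_attribute() {
    f=$1; attr=$2; dir=$(dirname "$f")
    printf 'test content\n' > "$f"
    chattr "+$attr" "$f"
    printf '== flags now set: %s\n' "$(lsattr_flags "$(lsattr "$f")")"
    try_op "read"      cat "$f"
    try_op "append"    sh -c 'printf "more\n" >> "$1"' _ "$f"
    try_op "edit"      sh -c 'printf "new\n" > "$1"' _ "$f"   # truncating open
    try_op "rename"    mv "$f" "$f.renamed"
    try_op "delete"    rm -f "$f"
    try_op "hard link" ln "$f" "$dir/hardlink"
    try_op "soft link" ln -s "$f" "$dir/softlink"
    try_op "copy"      cp "$f" "$dir/copy"
    # The copy and the symlink did not inherit the attribute, so they go
    # away like any regular file; the original needs the flag cleared first.
    rm -f "$dir/softlink" "$dir/copy"
    chattr "-$attr" "$f"
    rm -f "$f"
}

main() {
    d=${1:-/demo}          # scratch directory, as in the tutorial
    mkdir -p "$d"
    printf '### a (append) ###\n';    probe_attribute "$d/test-file" a
    printf '### i (immutable) ###\n'; probe_attribute "$d/dummy-file" i
}

# Only touch the filesystem when explicitly asked, so the file can also be
# sourced just for its functions.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    main "$@"
fi
```

Save it as, say, probe.sh and run `RUN_PROBE=1 sh probe.sh /demo` as root; each line prints the same allowed/denied verdict the tables above record, and the final `chattr -i` before `rm` is the step the "How to delete a file secured with i (immutable) attribute" section describes.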

Key points
  • Both the append and immutable bits are used to protect a file or directory from accidental deletion or update.
  • Both attributes provide the same security features, except that the i (immutable) bit does not allow the append operation while the a (append) bit does.
  • Both attributes allow the read, copy and soft link operations.
  • A file created by a copy or soft link operation does not inherit any attribute from the source file.
  • The chattr and lsattr commands are provided by the e2fsprogs package, which is pre-installed in all modern Linux distributions.
  • Only the root user (or a user who has root privileges) can set the immutable flag.
  • Directories can also be secured with attributes. The same command and attribute flags are used for directories.
  • To set or remove a flag on all files and directories within a directory, the -R option is used.
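An audit helper for the directory and -R points above: it reads the output of `lsattr -R`, lists every entry that carries the a or i attribute, and removes the paths an administrator has recorded as intentionally protected, so whatever remains is worth reviewing. This is an added example, not part of the original tutorial. The function names report_protected and unexpected_protected, the allow-list path, and the sample lsattr output embedded in the script are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): review which entries in a
# tree carry the a (append) or i (immutable) attribute. Assumes lsattr from
# e2fsprogs; the function names and allow-list path are this example's own.

# Constructed sample of `lsattr -R` output (directory header, entries, blank
# separator), so the functions can be exercised without root or lsattr.
SAMPLE_LSATTR='/etc:
--------------e------- /etc/hostname
----i---------e------- /etc/resolv.conf
-----a--------e------- /etc/secure.log
--------------e------- /etc/passwd
'

# Read lsattr output on stdin; print "<set flags> <path>" for each entry
# whose flag field contains a or i. Directory headers ("/etc:") and blank
# separator lines are skipped.
report_protected() {
    while read -r flags path; do
        case $flags in
            ''|*:) continue ;;
        esac
        case $flags in
            *a*|*i*) printf '%s %s\n' "$(printf '%s' "$flags" | tr -d '-')" "$path" ;;
        esac
    done
}

# Drop entries whose path appears in the allow-list file ($1, one path per
# line), leaving only the protected files nobody has accounted for.
unexpected_protected() {
    allow=$1
    report_protected | while read -r flags path; do
        grep -qxF -- "$path" "$allow" || printf '%s %s\n' "$flags" "$path"
    done
}

# Offline demonstration on the constructed sample.
demo() {
    printf '%s' "$SAMPLE_LSATTR" | report_protected
}

# On a live system (lsattr needs read access to every entry, so run as root):
#   lsattr -R /etc 2>/dev/null | unexpected_protected /root/expected-protected.txt
```

Run `demo` (or the sourced functions) to see the two protected sample entries; on a real host, keep the allow-list under change control so that a newly appearing immutable or append-only file shows up in the output the next time the check runs.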

Chattr Command Attributes

Attribute flag   Description
A                If this attribute is set, the atime record of the file is not modified.
a (append)       If this attribute is set, the file can only be appended to.
c                If this attribute is set, the file will be automatically compressed by the kernel.
C                A file with this attribute is not subject to copy-on-write updates.
d                If this attribute is set, the file will be excluded from backup when the dump program is run.
D                If this attribute is set on a directory, changes to it are written to disk synchronously.
e                This attribute indicates that the file is using extents for mapping its blocks on disk.
E                This attribute is used by the experimental compression patches to indicate that a compressed file has a compression error.
h                This attribute indicates that the file is storing its blocks in units of the file system block size instead of in units of sectors.
i (immutable)    A file with this attribute cannot be modified, deleted, renamed, linked or appended to. Only the superuser can set or clear this attribute.
I                This attribute indicates that a directory is being indexed using hashed trees.
j                With this attribute, data will be written to the journal before being written to the file itself.
N                This attribute indicates that the file's data is stored inline, within the inode itself.
s                When a file with this attribute is deleted, its blocks are zeroed and written back to the disk.
S                When a file with the S attribute set is modified, the changes are written to disk synchronously.
t                A file with this attribute will not have a partial block fragment at the end of the file merged with other files, on file systems that support tail-merging.
T                A directory with this attribute will be deemed to be the top of the directory hierarchies for the purposes of the Orlov block allocator.
u                When a file with this attribute is deleted, its contents are saved so the file can be undeleted.
X                This attribute is used by the experimental compression patches to indicate that the raw contents of a compressed file can be accessed directly.
Z                This attribute is used by the experimental compression patches to indicate that a compressed file is dirty.

That's all for this tutorial. In the next tutorial we will learn another Linux topic in detail.