chattr and lsattr Commands in Linux

Learn how to use chattr and lsattr commands for file attribute management




Overview

Unlike file permissions, which control access based on users and groups, file attributes are enforced by the file system itself and apply even to root: root has to clear the attribute with chattr before the file can be changed again. Let’s explore how to use chattr and lsattr to manage these powerful file attributes.

What are chattr and lsattr?

chattr (Change Attribute)

A Linux command used to change file system attributes.

These attributes can protect files from modification or deletion, even by root users.

lsattr (List Attribute)

A command to display the special attributes of files in Linux file systems.



Basic Usage

1️⃣ Command Syntax

chattr [options] [operator][attributes] files
lsattr [options] files

2️⃣ Common Options

# chattr options
-R: Recursively change attributes
-V: Verbose output
-v: Set the file version number

# lsattr options
-R: Recursively list attributes
-a: List all files including hidden ones
-d: List directory attributes instead of contents



File Attributes


🔒 Key Attributes
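a → Append only mode
i → Immutable (no modifications allowed)
s → Secure deletion (blocks are zeroed when the file is deleted)
u → Undeletable (contents are kept on deletion so the file can be recovered)
A → No atime updates
c → Compressed
d → No dump
j → Journal data
S → Synchronous updates
t → No tail-merging

Note: ext2, ext3 and ext4 in mainline kernels do not honor the c, s and u attributes.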



Practical Examples

1️⃣ Protecting System Files

# Make a configuration file immutable
sudo chattr +i /etc/resolv.conf
lsattr /etc/resolv.conf
----i-------- /etc/resolv.conf

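# Try to modify as root (will fail)
# tee runs under sudo; with "sudo echo ... > file" the redirect would run in your own shell
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf > /dev/null
tee: /etc/resolv.conf: Operation not permitted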

2️⃣ Secure Log Files

# Allow only appending to log file
sudo chattr +a /var/log/secure
lsattr /var/log/secure
-----a------- /var/log/secure

# Append works, but overwriting fails
echo "test log" | sudo tee -a /var/log/secure > /dev/null  # Works
echo "test log" | sudo tee /var/log/secure > /dev/null     # Fails: Operation not permitted

3️⃣ Protecting Critical Directories

# Recursively protect a directory
sudo chattr -R +i /etc/ssl/certs/
lsattr -R /etc/ssl/certs/
----i-------- /etc/ssl/certs/ca-certificates.crt
----i-------- /etc/ssl/certs/ssl-cert-snakeoil.pem



Advanced Usage

1️⃣ Combining Attributes

# Make file append-only and undeletable
sudo chattr +au important.log
lsattr important.log
-u---a------- important.log

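2️⃣ Setting the File Version Number

# Set the file's version/generation number
sudo chattr -v 1 document.txt
# lsattr shows the number only with -v, printed before the flags
lsattr -v document.txt
1          ------------- document.txt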

3️⃣ Secure Deletion

# Enable secure deletion
sudo chattr +s sensitive_file
lsattr sensitive_file
s------------ sensitive_file



Security Best Practices

1. System File Protection
- Always protect critical system files with +i
- Use +a for log files
- Regularly audit file attributes

2. Backup Consideration
- Document all chattr changes
- Consider attribute implications for backup systems
- Use -R carefully with directories

3. Common Use Cases
- Protecting SSL certificates
- Securing configuration files
- Maintaining log file integrity
- Preventing accidental deletions
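
One way to combine "document all chattr changes" with "regularly audit file attributes", as an added example that is not part of the original article: a shell function that compares lsattr output with a documented baseline and reports drift in the i and a attributes. The baseline file format, the function names and the sample lines are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: audit lsattr output against a documented baseline.
# Baseline format (assumed here): "<flags> <path>" per line, "#" for comments.

# Usage: lsattr -R /etc 2>/dev/null | audit_attrs baseline.txt
# Prints one finding per line; returns 1 if the attributes drifted.
audit_attrs() {
    awk -v base="$1" '
        FILENAME == base {                  # first input: the baseline file
            if ($0 !~ /^[ \t]*(#|$)/) want[substr($0, length($1) + 2)] = $1
            next
        }
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {    # lsattr line: "<flag string> <path>"
            path = substr($0, length($1) + 2); seen[path] = 1
            expected = (path in want) ? want[path] : ""
            n = split("i a", watch, " ")    # only i and a are audited
            for (k = 1; k <= n; k++) {
                f = watch[k]
                has = index($1, f) > 0      # case-sensitive: "a" is not "A"
                wanted = index(expected, f) > 0
                if (wanted && !has) { print "MISSING +" f " " path; bad++ }
                if (has && !wanted) { print "UNDOCUMENTED +" f " " path; bad++ }
            }
        }
        END {
            for (p in want) if (!(p in seen)) { print "NOT_LISTED " p; bad++ }
            exit (bad > 0)
        }
    ' "$1" -
}

# Constructed sample data, not captured from a real host.
demo_audit() {
    local base rc=0
    base=$(mktemp)
    printf '%s\n' '# flags path' 'i /etc/resolv.conf' 'a /var/log/secure' \
        'i /etc/ssl/certs/ca-certificates.crt' > "$base"
    printf '%s\n' \
        '----i---------e------- /etc/resolv.conf' \
        '--------------e------- /var/log/secure' \
        '----i---------e------- /etc/cron.d/backup' |
        audit_attrs "$base" || rc=$?
    rm -f "$base"
    return "$rc"
}

demo_audit || echo "attribute drift detected"
```

MISSING means a documented protection is no longer set, UNDOCUMENTED means a file carries i or a without a baseline entry, and NOT_LISTED means a baseline path did not appear in the lsattr output at all.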


