How to make a file immutable on Linux

Suppose you want to write-protect some important files on Linux, so that they cannot be deleted or tampered with by accident or otherwise. In other cases, you may want to prevent certain configuration files from being overwritten automatically by software. While changing the ownership or permission bits of the files with chown or chmod is one way to deal with this situation, it is not a perfect solution, as permissions cannot prevent any action done with root privilege. That is when chattr comes in handy.

chattr is a Linux command which allows one to set or unset attributes on a file, which are separate from the standard (read, write, execute) file permissions. A related command is lsattr, which shows which attributes are set on a file. While the file attributes managed by chattr and lsattr were originally supported only by the EXT file systems (EXT2/3/4), this feature is now available on many other native Linux file systems such as XFS, Btrfs, ReiserFS, etc.

In this tutorial, I am going to demonstrate how to use chattr to make files immutable on Linux.

The chattr and lsattr commands are part of the e2fsprogs package, which comes pre-installed on all modern Linux distributions.

The basic syntax of chattr is as follows.

$ chattr [-RVf] [operator][attribute(s)] files...

The operator can be '+' (which adds the selected attributes to the file's attribute list), '-' (which removes the selected attributes from the attribute list), or '=' (which sets exactly the selected attributes and clears all others).

Some of the available attributes are the following.

  • a: can be opened in append mode only.
  • A: do not update atime (file access time).
  • c: automatically compressed when written to disk.
  • C: turn off copy-on-write.
  • i: set immutable.
  • s: securely deleted with automatic zeroing.

Immutable Attribute

To make a file immutable, add the "immutable" attribute to the file as follows. For example, to write-protect the /etc/passwd file:

$ sudo chattr +i /etc/passwd

Note that you need root privilege to set or unset the "immutable" attribute on a file. Now verify that the "immutable" attribute has been added to the file successfully.

$ lsattr /etc/passwd

Once the file is set immutable, it is impervious to change by any user. Even root cannot modify, remove, overwrite, move or rename the file. You will need to unset the immutable attribute before you can modify the file again.

To unset the immutable attribute, use the following command:

$ sudo chattr -i /etc/passwd

If you want to make a whole directory (e.g., /etc) immutable at once, including all of its content, use the "-R" option to apply the attribute recursively:

$ sudo chattr -R +i /etc

Append Only Attribute

Another useful attribute is "append-only", which allows a file only to grow. You cannot overwrite or delete a file with the "append-only" attribute set. This attribute is useful when you want to prevent a log file from being cleared by accident.

Similarly to the immutable attribute, you can turn a file into "append-only" mode with:

$ sudo chattr +a /var/log/syslog

Note that when you copy an immutable or append-only file to another file, those attributes are not preserved on the newly created file.
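As an added example (not part of the original tutorial), the following POSIX shell script audits lsattr output for the immutable and append-only attributes covered in the two sections above, so an administrator can confirm which files are actually protected after running chattr +i or chattr +a, or spot a protection that was silently undone. The function names and the sample lsattr lines are constructed for this example; the only external commands it relies on are awk, sed, wc and tr, plus lsattr itself for the live-audit helper.

```shell
#!/bin/sh
# Added example: audit lsattr(1) output for the immutable (i) and append-only (a)
# attributes. Function names are made up for this example. lsattr prints one line
# per file in the form "<attribute field> <path>", which is what is parsed here.

# Attribute field of one lsattr line (the first whitespace-separated token).
lsattr_flags() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Path of one lsattr line (everything after the first space, so paths with
# spaces survive intact).
lsattr_path() {
    printf '%s\n' "$1" | sed 's/^[^ ]* //'
}

# has_attr LINE FLAG: succeed when the single-letter FLAG is set in LINE.
has_attr() {
    case "$(lsattr_flags "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Classify one lsattr line as immutable, append-only, both, or none.
classify_attr_line() {
    if has_attr "$1" i && has_attr "$1" a; then
        echo both
    elif has_attr "$1" i; then
        echo immutable
    elif has_attr "$1" a; then
        echo append-only
    else
        echo none
    fi
}

# Read lsattr output on stdin; print "<class> <path>" for protected files only.
audit_attrs() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        cls=$(classify_attr_line "$line")
        if [ "$cls" != none ]; then
            printf '%s %s\n' "$cls" "$(lsattr_path "$line")"
        fi
    done
}

# Audit real paths: lsattr -d reports a directory itself rather than its contents.
# Errors (unsupported file system, missing file) are suppressed so the audit
# simply shows nothing for those paths.
audit_live() {
    lsattr -d "$@" 2>/dev/null | audit_attrs
}

# Constructed sample in lsattr's output format (not captured from a real system).
SAMPLE_LSATTR='----i---------e------- /etc/passwd
-----a--------e------- /var/log/syslog
--------------e------- /etc/hostname
----ia--------e------- /etc/shadow'

# Number of protected files found in the constructed sample.
count_protected() {
    printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs | wc -l | tr -d ' '
}

# Print the audit of the constructed sample when the script is run.
printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs
```

To check a live system instead of the sample, call audit_live with the paths of interest (for example audit_live /etc/passwd /var/log/syslog); a file that should be protected but does not appear in the output has lost its attribute, which is exactly the case the conclusion warns about.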

Conclusion

In this tutorial, I showed how to use the chattr and lsattr commands to manage additional file attributes in order to prevent (accidental or otherwise) file tampering. Beware that you cannot rely on chattr alone as a security measure, since anyone with root privilege can easily undo immutability. One possible way to address this limitation is to restrict the availability of the chattr command itself, or to drop the CAP_LINUX_IMMUTABLE kernel capability. For more details on chattr and the available attributes, refer to its man page.


Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

4 thoughts on "How to make a file immutable on Linux"

  1. Very useful on mountpoints to prevent programs writing there when unmounted.
    Make sure it's not mounted when you run the "chattr +i" command.
    When your partition is actually mounted there, the immutable flag isn't taken into consideration, so you'll still be able to write when it's mounted.

  2. I always thought that the only way to really ensure a file or a filesystem was not going to be changed was to hard set the "read only" switch on the actual hard disks.
    Those days seem to be gone with modern SAS or FCAL disks.

  3. Root holds the power to set and unset the flag. But the flag protects files from accidental removal. If running the remove command as root ignored this, it would overall defeat the purpose of setting the flag to begin with.
    Root simply is "you do whatever you want, provided you know how" - Basically, unless you need to run as root, you never should first off. And even running as root, you often should not be poking the beast. Unix doesn't exactly hold your hand, and fixing broken files can be a time consuming endeavor.
    A few use cases for when setting the flag may be useful:
    - Backups of working configs
    - Finished copy of a Resume or final copy of a paper for school.
    - Config files you do not want changed for any reason (say an config file for a web server).

    By locking the ability to edit config files, you can prevent editing of details, you could also lock files related to passwords, email account information and so on. Although the use cases are few and far between, it's a tool - and although for most people it's not a tool that they will use, or find useful, for those that do - it is VERY useful.
    Of course - you could write a small script that calls for a check if the flag is set, removes the flag if it is and then removes the file in question if you so chose. But that would defeat the purpose of the flag in the first place.

  4. Yes, it is a very useful tool to use in any Linux system. For example I use the +/- a on any log files from logrotate, like this:

    /var/log/syslog
    {
        rotate 24
        daily
        missingok
        notifempty
        delaycompress
        compress
        prerotate
            /usr/bin/chattr -a /var/log/syslog
        endscript
        postrotate
            invoke-rc.d rsyslog reload > /dev/null
            /usr/bin/chattr +a /var/log/syslog
        endscript
    }
