Advanced Filesystem Attributes in Linux


As a Linux administrator, you may be called upon to set up a control system for file access. You probably already know how to set read, write, and execute permissions on files, and you will need to make extensive use of that knowledge. But, sometimes, you'll need more than just these permissions settings to get the job done. That's where filesystem attributes will come in handy. You can set different attributes on files in order to gain more control over how they are accessed.

There are two slight catches, though. You can only set file attributes on machines with hard drives that are formatted with either the ext2 or ext3 filesystems. That's not a problem for machines that are running a Red Hat-type operating system, since ext3 is your only choice with them. But, if you're setting up a machine with, say, Ubuntu Server, you'll have other filesystems to choose from. Just be sure to choose ext3 if you want to set file attributes.

Also, if you're accessing files on another computer via NFS, the attributes will still be in effect, but you won't be able to view or change the attributes.

To view file attributes, you'd use the lsattr command. Entering just the command by itself lists the attributes of every file in the current directory.

[[email protected] ~]$ lsattr
------------- ./mytext.txt
------------- ./Duron_backup
------------- ./iptables-L.txt
------------- ./New_error.txt
------------- ./Desktop
------------- ./moodle-2007-8-25
------------- ./test_dir
------------- ./BOINC
------------- ./ts2_client_rc2_2032.tar.bz2
------------- ./OOo_2.3.0_LinuxIntel_install_wJRE_en-US.tar.gz
------------- ./ifconfig_output.txt
------------- ./dmesg
------------- ./BOINC.tar.bz2
------------- ./ts2_client_rc2_2032
------------- ./tls_handshake_error.txt
[[email protected] ~]$ lsattr mytext.txt
------------- mytext.txt
[[email protected] ~]$


You can see from the listing that no attributes have been set. Now, let's say that we don't want to allow the "mytext.txt" file to be backed up with the "dump" command. We'll use the chattr command to set the "d" attribute.

[[email protected] ~]$ chattr +d mytext.txt
[[email protected] ~]$ lsattr mytext.txt
------d------ mytext.txt
[[email protected] ~]$


Here, we've used the "+" sign to add the attribute. We'll use the "-" sign to remove it.

[[email protected] ~]$ chattr -d mytext.txt
[[email protected] ~]$ lsattr mytext.txt
------------- mytext.txt
[[email protected] ~]$


Setting the "s" attribute will cause the file to be securely wiped when someone deletes it. This makes it much harder for unauthorized persons to recover and view the file.

[[email protected] ~]$ chattr +s mytext.txt
[[email protected] ~]$ lsattr mytext.txt
s------------ mytext.txt
[[email protected] ~]$


Using an upper-case "S" instead of a lower-case "s" tells the filesystem to write changes to the file to disk immediately, instead of holding them in a buffer. (Note also that we left the "s" attribute in place this time, so we now have two attributes set on this file.)

[[email protected] ~]$ chattr +S mytext.txt
[[email protected] ~]$ lsattr mytext.txt
s-S---------- mytext.txt
[[email protected] ~]$


The upper-case "A" attribute tells the filesystem to not update the file's atime. This can cut down on disk access, which could help extend a laptop's battery life, and can cut down on bandwidth usage if you're accessing files via NFS.

[[email protected] ~]$ chattr +A mytext.txt
[[email protected] ~]$ lsattr mytext.txt
s-S----A----- mytext.txt
[[email protected] ~]$


Of course, you'll seldom want to use the "A" attribute. If you need to turn off atime updates, you're better off mounting the filesystem with the "noatime" parameter, instead.

So far, we've performed all attribute changes with only normal user privileges, and on the user's own files. There are still two other attributes that can only be set with root privileges. Even if the file belongs to you, you'll receive an error if you try to change them with only your normal user privileges.

[[email protected] ~]$ chattr +a mytext.txt
chattr: Operation not permitted while setting flags on mytext.txt
[[email protected] ~]$


The "a" attribute will allow a file to be opened only in append mode. This will allow you to add more text or data to a file, but will not allow you to overwrite it.

[[email protected] ~]$ sudo chattr +a mytext.txt
Password:
[[email protected] ~]$ lsattr mytext.txt
s-S--a-A----- mytext.txt
[[email protected] ~]$ echo "This is a test of the a attribute." > mytext.txt
bash: mytext.txt: Operation not permitted
[[email protected] ~]$ echo "This is a test of the a attribute." >> mytext.txt
[[email protected] ~]$


The final attribute we'll cover, which also requires root privileges, is the "i" attribute. This makes a file immutable. In other words, it can't be changed, renamed, or deleted, and no links can be created to it.

[[email protected] ~]$ sudo chattr +i mytext.txt
Password:
[[email protected] ~]$ lsattr mytext.txt
s-S-ia-A----- mytext.txt
[[email protected] ~]$ rm mytext.txt
rm: remove write-protected regular file `mytext.txt'? y
rm: cannot remove `mytext.txt': Operation not permitted
[[email protected] ~]$
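Because the "a" and "i" attributes can only be set by root and do not show up in an ordinary ls -l listing, an administrator auditing a system will want to find every file that carries them. The following is an added example, not part of the original article: a small POSIX shell script that reads lsattr-style output (a constructed sample is embedded so it runs without root or an ext filesystem) and reports each append-only or immutable file. The function names audit_attrs, lsattr_sample, count_findings and audit_path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit lsattr output for
# files with the "a" (append-only) or "i" (immutable) attribute set.

# audit_attrs reads lines of the form "<flags> <path>" on stdin, as printed
# by lsattr, and prints one "<finding> <path>" line per attribute found.
audit_attrs() {
    while read -r flags path; do
        # "lsattr -R" also prints directory headers ("./dir:") with no
        # second field; skip those and blank lines
        if [ -z "$path" ]; then
            continue
        fi
        # Test for the letter itself rather than its column, so the check
        # does not depend on the flag layout of a particular e2fsprogs
        # version. case patterns are case-sensitive, so "A" (no atime)
        # does not match the append-only pattern.
        case "$flags" in *i*) echo "immutable $path" ;; esac
        case "$flags" in *a*) echo "append-only $path" ;; esac
    done
}

# lsattr_sample is a constructed sample of lsattr output, laid out like the
# listings in the article; it was not captured from a real system.
lsattr_sample() {
    printf '%s\n' \
        '------------- ./mytext.txt' \
        '----i-------- ./notes.txt' \
        '-----a------- ./app.log' \
        's-S-ia-A----- ./backup.tar'
}

# count_findings returns the number of findings in the sample (expected: 4,
# since ./backup.tar is reported twice, once per attribute).
count_findings() {
    lsattr_sample | audit_attrs | wc -l | tr -d ' '
}

# audit_path runs the real lsattr recursively over a directory and feeds
# its output through the same check; it needs lsattr and an ext filesystem.
audit_path() {
    lsattr -R -- "$1" 2>/dev/null | audit_attrs
}

lsattr_sample | audit_attrs
```

On a live system, run audit_path against a directory such as a home directory to see which files have been locked down with chattr.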


Finally, if you need to add or delete more than one attribute, you can combine the operations into one single command.

[[email protected] ~]$ sudo chattr -AaisS mytext.txt
[[email protected] ~]$ lsattr mytext.txt
------------- mytext.txt
[[email protected] ~]$


There are a few other attributes that we haven't covered. But they either have operational bugs, or they're attributes that are set by the system, and not by the user.

For more information, enter "man chattr" at the command-line.

About the Author:
Donnie is certified LPI Level 2, and is a course developer and instructor for SpiderTools.com and BeginLinux.com.