Secure and Prevent Files from Accidental Deletion with Chattr Command


There are plenty of tools and methods out there to secure your files and folders against accidental deletion, and chattr is one of them. It is a command-line utility that changes file attributes on ext2/ext3/ext4 filesystems, and it can be used to prevent the accidental deletion of your important files. Even if you have full permissions over a file, you can’t delete it while it is secured by chattr.

Syntax

# chattr [operator] [switch] [filename]

Operator

+     causes the selected attributes to be added to the existing attributes of the files;
-     causes them to be removed;
=     causes them to be the only attributes that the files have.

Switch

R     - Recursively change attributes of directories and their contents.
a     - A file with the `a' attribute set can only be opened in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
i     - A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

The difference between the ‘a’ and ‘i’ switches is that a file with the ‘a’ attribute can still have contents appended to it, while a file with the ‘i’ attribute cannot. You can view the attributes of files with the lsattr command.

Usage

Let us create two sample files in the /home/sk directory called unixmen1 and unixmen2:

sk@sk:~$ touch unixmen1 unixmen2

Example 1: chattr with ‘i’ switch

sk@sk:~$ sudo chattr +i unixmen1

View the attributes of file unixmen1:

sk@sk:~$ sudo lsattr unixmen1
----i--------e-- unixmen1

Well, now the attribute has been set on the unixmen1 file. Next, try to remove the file with root user privileges.

sk@sk:~$ sudo rm -f unixmen1
rm: cannot remove ‘unixmen1’: Operation not permitted

See, you can’t remove the file even if you have root privileges. Keep in mind that root can still clear the attribute with chattr -i first, so this guards against accidents rather than against a hostile superuser.

Try to append some contents to unixmen1 file:

sk@sk:~$ cat >> unixmen1
bash: unixmen1: Permission denied

sk@sk:~$ sudo cat >> unixmen1
bash: unixmen1: Permission denied

You can’t append any contents, whether you are the super-user or a normal user, while the file is secured with the ‘i’ attribute.

Remove the file attributes:

sk@sk:~$ sudo chattr -i unixmen1

Now add some contents to unixmen1 file:

sk@sk:~$ cat >> unixmen1
Welcome to Unixmen Network

Press CTRL+D to save and exit the file.

You will be able to append contents without any restrictions now. Display the contents of the file using the following command:

sk@sk:~$ cat unixmen1
Welcome to Unixmen Network

Now you will be able to remove the file too. It doesn’t matter whether you are a super user or a normal user:

sk@sk:~$ rm -f unixmen1

or:

sk@sk:~$ rm unixmen1

Note that I didn’t use sudo in the above example.

Example 2: chattr with ‘a’ switch

As I mentioned before, the main difference between the ‘a’ and ‘i’ switches is that you can append contents to a file with the ‘a’ attribute, but you can’t append anything to a file set up with the ‘i’ attribute:

sk@sk:~$ sudo chattr +a unixmen2

Append some contents to unixmen2 file:

sk@sk:~$ cat >> unixmen2
Hello welcome to unixmen network

Press CTRL+D to save and exit the file. You will be able to append contents now, but you can’t remove the file:

sk@sk:~$ rm -f unixmen2 
rm: cannot remove ‘unixmen2’: Operation not permitted

sk@sk:~$ sudo rm -f unixmen2 
rm: cannot remove ‘unixmen2’: Operation not permitted

Remove the attributes using the following command:

sk@sk:~$ sudo chattr -a unixmen2

Now try to delete the file:

sk@sk:~$ rm unixmen2

The file will be deleted without any restrictions.

Example 3: chattr with ‘R’ switch

Say for example I have a directory called unixmen. This folder contains some files called file1, file2 and file3:

sk@sk:~$ mkdir unixmen
sk@sk:~$ cd unixmen/
sk@sk:~/unixmen$ touch file1 file2 file3
sk@sk:~/unixmen$ cd ..
sk@sk:~$ ls unixmen/
file1  file2  file3

Set the attributes with ‘i’ switch to the unixmen folder and its contents:

sk@sk:~$ sudo chattr -R +i unixmen/

Here the ‘R’ switch is used to change the attributes of the directory unixmen and its contents recursively.

Try to delete the folder unixmen or its contents:

sk@sk:~$ rm -fr unixmen/
rm: cannot remove ‘unixmen/file1’: Permission denied
rm: cannot remove ‘unixmen/file2’: Permission denied
rm: cannot remove ‘unixmen/file3’: Permission denied
sk@sk:~$ sudo rm -fr unixmen/
rm: cannot remove ‘unixmen/file1’: Permission denied
rm: cannot remove ‘unixmen/file2’: Permission denied
rm: cannot remove ‘unixmen/file3’: Permission denied

See, you can’t remove the folder or its contents whether you are root or a normal user. And you can’t append any contents to the files inside the unixmen folder if you use the ‘i’ switch:

sk@sk:~$ cat >> unixmen/file1
bash: unixmen/file1: Permission denied

To remove the attributes of unixmen folder and its contents, just execute the following command:

sk@sk:~$ sudo chattr -R -i unixmen/

Now you can change, delete and modify the folder and its contents again.

As we saw in Example 2, you can append contents to the files only when you set up the folder attributes with the ‘a’ switch:

sk@sk:~$ sudo chattr -R +a unixmen/

Append contents to files:

sk@sk:~$ cat >> unixmen/file1
Hello Welcome

Press CTRL+D to save and exit the file.

Display the contents of file1:

sk@sk:~$ cat unixmen/file1
Hello Welcome

However, you can’t delete the folder or the files:

sk@sk:~$ rm -fr unixmen/
rm: cannot remove ‘unixmen/file1’: Operation not permitted
rm: cannot remove ‘unixmen/file2’: Operation not permitted
rm: cannot remove ‘unixmen/file3’: Operation not permitted

sk@sk:~$ sudo rm -fr unixmen/
rm: cannot remove ‘unixmen/file1’: Operation not permitted
rm: cannot remove ‘unixmen/file2’: Operation not permitted
rm: cannot remove ‘unixmen/file3’: Operation not permitted

Example 4: Prevent users from changing password

This example will help you to prevent users from changing their passwords as well. As we all know, the /etc/shadow file stores the actual password in encrypted format for each user account, along with additional properties related to the user’s password, i.e. it stores secure user account information. So let us write-protect this file in order to prevent password changes:

sk@sk:~$ sudo chattr +i /etc/shadow

Now try to change the current user’s password (eg. sk):

sk@sk:~$ sudo passwd sk
Enter new UNIX password: 
Retype new UNIX password: 
passwd: Authentication token manipulation error
passwd: password unchanged

Now log out and log in again as user ‘sk’. You won’t be able to log in with the new password; you still need your old password to log in.

View the attributes of /etc/shadow file using the following command:

sk@sk:~$ sudo lsattr /etc/shadow
----i--------e-- /etc/shadow

To restore the old attributes, just enter the following command:

sk@sk:~$ sudo chattr -i /etc/shadow
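The lsattr output shown above can also be checked by a script, so that an audit of critical files tells you which ones carry the ‘i’ or ‘a’ attribute and which a stray rm -f would still delete. The following is an added example, not code from the original article; the file paths in the sample are constructed and the audit_files helper is an assumed wrapper around lsattr -d:

```shell
#!/bin/sh
# Added example, not from the original article: audit lsattr output so a
# script can tell which critical files carry the immutable (i) or
# append-only (a) attribute shown in the tutorial. lsattr prints one line
# per file in the form "<flags> <path>", e.g. "----i--------e-- /etc/shadow".

# Classify one lsattr flag field: immutable, append-only or unprotected.
# Lower-case i and a are the attributes from the article; other letters
# (e.g. e for extents) are ignored. Patterns are case-sensitive in sh.
lsattr_protection() {
    case "$1" in
        *i*) echo immutable ;;
        *a*) echo append-only ;;
        *)   echo unprotected ;;
    esac
}

# Read lsattr-formatted lines on stdin and print each path that has
# neither attribute, i.e. a file a stray "rm -f" would still delete.
unprotected_files() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        [ "$(lsattr_protection "$flags")" = unprotected ] && echo "$path"
    done
    return 0
}

# Live check for real files (assumed helper): lsattr -d prints the
# directory's own line instead of listing its contents.
audit_files() {
    for f in "$@"; do
        lsattr -d "$f" 2>/dev/null
    done | unprotected_files
}

# Constructed sample in lsattr's format (not captured from a real system).
sample_lsattr='----i--------e-- /etc/shadow
-----a-------e-- /var/log/auth.log
-------------e-- /etc/passwd'

printf '%s\n' "$sample_lsattr" | unprotected_files
# prints: /etc/passwd
```

On a live ext4 system, audit_files /etc/shadow /etc/passwd runs the same check against the real attributes.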

I hope you will enjoy and use this command to secure and prevent files from accidental deletion. For more information about the chattr command, refer to the man pages:

sk@sk:~$ man chattr