To make files immutable, the “chattr” command can be used. The native Linux filesystems ext2, ext3, ext4 and btrfs support most of its flags; non-native filesystems support only a subset of them, or none at all. Once the immutable attribute is set with chattr, nobody can delete, rename or modify the file or directory, even with full permissions on it, until the attribute is cleared again. Note that setting or clearing this attribute requires the CAP_LINUX_IMMUTABLE capability (in practice, root), so it protects against mistakes and against unprivileged processes, not against an attacker who already has root.
Chattr – Syntax
chattr [operator] [flags] [filename]
-
How to set attributes on files to secure them from deletion
The first step is to check whether the existing files already have any attributes. Note that “ls -l” shows only the ordinary permission bits, not chattr attributes; those are shown by “lsattr” (used below). The permissions first:
[root@admin ~]# ls -l
total 0
drwxr-xr-x. 2 root root 6 Mar 25 18:02 demo
-rwxrwxrwx. 1 root root 0 Mar 25 17:42 important_file.conf
To set an attribute we use the “+” sign and to unset it the “-” sign with the “chattr” command. Now we set the immutable bit on the files with the “+i” flag so that nobody can delete them; while the bit is set, not even the root user can delete them.
[root@admin ~]# chattr +i demo/
[root@admin ~]# chattr +i important_file.conf
Only the root user (or a user with sudo privileges) can set or clear the immutable bit “+i”, because this needs the CAP_LINUX_IMMUTABLE capability. After setting the bit we verify it with the lsattr command.
[root@hashroot ~]# lsattr
----i----------- ./demo
----i----------- ./important_file.conf
Now, whether we try to change the permissions, delete forcefully or rename, we get the error “Operation not permitted”.
[root@admin ~]# rm -rf demo/
rm: cannot remove ‘demo/’: Operation not permitted
[root@admin ~]# mv demo/ demo_alter
mv: cannot move ‘demo/’ to ‘demo_alter’: Operation not permitted
[root@admin ~]# chmod 755 important_file.conf
chmod: changing permissions of ‘important_file.conf’: Operation not permitted
-
How to unset the attributes
To unset the assigned attribute, use the “-i” flag with the “chattr” command:
[root@admin ~]# chattr -i demo/ important_file.conf
To verify that the attribute is gone, run “lsattr” again:
[root@admin ~]# lsattr
---------------- ./demo
---------------- ./important_file.conf
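Checking a handful of files by eye is fine, but on a real host you want to know which files are protected without reading every flag string. As an added example that is not from the original article, the following POSIX shell script parses lsattr output (plain or the “lsattr -R” form, which adds blank lines and “dir:” headers) and reports every entry carrying the immutable or append-only attribute. The function names and the sample listing are constructed for this example; the only real tool involved is lsattr, whose output format is what the parser reads.

```shell
#!/bin/sh
# Added example, not part of the original article: audit which files carry
# the immutable (i) or append-only (a) attribute by parsing lsattr output.
# The listing is read on stdin, so it works on `lsattr` and `lsattr -R`
# output alike, and on a listing saved earlier, e.g.:
#   lsattr -R /etc 2>/dev/null | report_protected
# Use `lsattr -d DIR` to see a directory's own flags instead of its contents.

# Print "immutable <path>" or "append-only <path>" for every entry whose flag
# field contains the i or a attribute; all other entries are dropped.
report_protected() {
    while IFS= read -r line; do
        case "$line" in
            '' | *:) continue ;;        # blank line or "/path:" header from -R
        esac
        flags=${line%% *}               # first field: the flag string
        path=${line#* }                 # remainder: the path (may contain spaces)
        # lsattr flag letters are case-sensitive: lowercase i is immutable and
        # lowercase a is append-only (uppercase A and I mean other things).
        case "$flags" in
            *i*) printf 'immutable   %s\n' "$path" ;;   # i wins if both i and a are set
            *a*) printf 'append-only %s\n' "$path" ;;
        esac
    done
}

# Number of protected entries in a listing; handy for a quick drift check
# against the number you expect to see.
count_protected() {
    report_protected | wc -l | tr -d ' '
}

# Constructed sample in `lsattr -R` format (not captured from a real host).
SAMPLE_LISTING='----i-----------e- /etc/passwd
----i-----------e- /etc/shadow
----------------e- /etc/group

/var/log/audit:
-----a----------e- /var/log/audit/audit.log
----------------e- /var/log/audit/audit.log.1'

printf '%s\n' "$SAMPLE_LISTING" | report_protected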
-
How to Secure /etc/passwd and /etc/shadow files
We can set the immutable attribute on /etc/passwd and /etc/shadow to protect them from accidental deletion or modification. A side effect is that user account creation is blocked while the bit is set, and so are password changes, because useradd and passwd need to rewrite these files.
[root@admin ~]# chattr +i /etc/passwd
[root@admin ~]# chattr +i /etc/shadow
Now when we try to create a new user, we get an error message saying ‘cannot open /etc/passwd’.
[root@admin ~]# useradd hashroot
useradd: cannot open /etc/passwd
This is a useful way to protect important files and configuration files from deletion or tampering; remember to clear the bit (chattr -i) before legitimately editing them and to set it again afterwards.
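Because useradd, passwd and similar tools must rewrite these files, the common mistake is to clear the bit for maintenance and forget to set it again. As an added example that is not from the original article, the following shell wrapper lifts the immutable flag only for the duration of one command and restores it even when that command fails. The “with_unlocked” function and the “CHATTR” override variable are assumptions introduced for this example; it uses only the real chattr flags shown above and must run as root.

```shell
#!/bin/sh
# Added example, not part of the original article: run one administrative
# command with the immutable flag lifted from the given files, then re-apply
# the flag afterwards even if the command fails.
# Must run as root: clearing and setting +i needs CAP_LINUX_IMMUTABLE.
# CHATTR may be overridden (e.g. with a logging stand-in when testing the
# wrapper); the default is the real chattr binary.

CHATTR=${CHATTR:-chattr}

# Usage: with_unlocked FILE... -- COMMAND [ARG...]
# Returns the command's own exit status (2 on a usage error).
# Paths are kept in a space-separated string because POSIX sh has no arrays,
# so file names containing whitespace are not supported; for /etc/passwd and
# /etc/shadow that is no limitation.
with_unlocked() {
    unlock_files=''
    while [ $# -gt 0 ] && [ "$1" != '--' ]; do
        unlock_files="$unlock_files $1"
        shift
    done
    if [ "${1-}" != '--' ] || [ -z "$unlock_files" ] || [ $# -lt 2 ]; then
        echo 'usage: with_unlocked FILE... -- COMMAND [ARG...]' >&2
        return 2
    fi
    shift
    # shellcheck disable=SC2086  # word splitting of $unlock_files is intended
    $CHATTR -i $unlock_files || return $?
    # Run the command inside `if` so that a failure does not abort the shell
    # under `set -e` before the flag has been restored.
    if "$@"; then
        unlock_status=0
    else
        unlock_status=$?
    fi
    $CHATTR +i $unlock_files
    return $unlock_status
}

# Example use, commented out so the file can be sourced safely:
#   with_unlocked /etc/passwd /etc/shadow -- useradd hashroot
```

A command killed by a signal, or a power loss between the two chattr calls, still leaves the files unlocked, so pair this with a periodic lsattr check rather than relying on it alone.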
-
Append data without Modifying existing data on a File
If you only want to allow data to be appended to a file, without modifying or deleting the existing data, use the “a” attribute with the “chattr” command. It is set with the “+a” flag.
[root@admin ~]# chattr +a example.txt
[root@admin ~]# lsattr example.txt
—–a———- example.txt
With the append-only attribute set, the file can be opened for writing only in append mode: existing data cannot be overwritten or truncated, and the file cannot be deleted or renamed.
Now when we try to replace the existing data in the file, we get an error message saying “Operation not permitted”.
[root@admin ~]# echo "replace contain on file." > example.txt
-bash: example.txt: Operation not permitted
Appending data to the file, however, works:
[root@admin ~]# echo "replace contain on file." >> example.txt
[root@admin ~]# cat example.txt
Here is the example to test ‘a’ attribute mean append-only.
replace contain on file.
To remove the append-only mode again, use the “-a” flag with “chattr”.
[root@admin ~]# chattr -a example.txt
-
How to Secure Directories
To secure a directory together with all its files, use “-R” (recursive) with the “+i” flag and the path of the directory. Note that an immutable directory also rejects new entries: nothing can be created, deleted or renamed inside it until the bit is cleared.
[root@admin ~]# chattr -R +i myfolder
Now try to delete this recursively protected directory; it displays an error message.
[root@admin ~]# rm -rf myfolder/
rm: cannot remove ‘myfolder/’: Operation not permitted
To unset the attribute on the directory and all its files, use “-R” (recursive) with the “-i” flag and the same path.
[root@admin ~]# chattr -R -i myfolder