The chattr (character attribute) command allows you to set certain attributes by which you can secure files against accidental modification or deletion, even if you're root!
Yes, it can help you avoid encountering the "Oh! NO" moment.
So in this guide, I will share some practical examples of how you can use the chattr command on Linux.
chattr command in Linux
To use the chattr command, all you have to do is follow the simple command syntax:
chattr [operator] [flags] [filename]
Basically, you are given certain options in [operator] and [flags] by which you can tweak the behavior of the chattr command.
So let's have a look at the different options you get in each one, starting with the operators.
In the chattr command, you are given the following operators:

| Operator | Description |
|---|---|
| + | Adds an attribute to the file. |
| - | Removes an attribute from the file. |
| = | Will keep the selected attributes as the only attributes that the file has. |
Here are the flags that can be used to tweak the behavior of the chattr command:

| Flag | Description |
|---|---|
| A | When used, the access time remains unchanged. |
| a | Enables the append-only mode, where you can modify the file only by appending additional data, but the existing file content can't be overwritten. |
| S | When used, the changes will be made to the disk synchronously. |
| i | Activates immutable mode, in which no changes can be made to the file; only a user with superuser privileges can set or remove this attribute. |
| j | When used, the changes are first made to the ext3 file journal before the file itself. |
| t | It disables tail-merging. |
| d | When used, it makes the dump utility ignore the specified file. |
| u | When a file with the u attribute is deleted, a copy of the file is generated and can be used to recover the data which was removed unintentionally. |
| e | The extent format attribute means the file system is using extents to map the file's location on the disk. This attribute cannot be changed. |
Now, let's look at some practical examples of the chattr command.
Add read-only restriction to file using the chattr command
To set the read-only restriction, all you have to do is utilize the i flag and the file becomes immutable and cannot be removed (even by root!).
For the example, I will be using a simple text file named File.txt which has the following r/w/x permissions:
Now, let's execute the chattr command with the i flag and the + (add) operator:
sudo chattr +i File.txt
Once you do that, you can use the lsattr command to verify whether the attribute is set as intended:
As you can see in the screenshot above, the i attribute has been set. Attribute e is always set (as explained in the table earlier).
And now, if you try to remove the file (even as root), it won't permit you to do that:
That's nice. But what if you actually want to delete the file? Well, for that, you will have to unset the attribute. Let me show you how.
Unset attributes using the chattr command
To unset the attribute, you will have to execute the chattr command in the following manner:
chattr -[attribute] Filename
Here, you will have to put the - operator in front of the attribute you want to unset.
For example, earlier, I used the i attribute to make it read-only, so if I have to unset that attribute, I will be using the following:
sudo chattr -i File.txt
Once done, I can remove the file easily:
Set append-only restriction
So if you want to allow everyone to modify the file by appending the data only and restrict them from changing the existing data, here you go.
To set the append-only restriction, you will have to use the a flag with the + operator:
sudo chattr +a File.txt
Once you do that, you won't be able to overwrite the existing data of the file (File.txt in my case).
For example, here, I echoed a string into the file without any additional flags, which means it should overwrite the existing data with that new string:
Set attributes to directories
You can set any attribute on a directory by using one additional flag: -R.
With the -R flag, the attribute is applied recursively, so everything in the directory is affected by a single command execution:
sudo chattr -R [attribute] Directory
For example, here, I have set the i attribute on the Test directory:
sudo chattr -R +i Test/
Now, if I try to remove the directory, it will throw an error:
And as always, you can unset the attribute as I mentioned earlier in the guide.
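After a recursive chattr -R, running lsattr -R is the way to check which files actually carry the i or a attribute. The script below is an added example, not part of the original guide: it filters lsattr output for those two flags, and the sample output and file names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files whose lsattr flags include i (immutable) or a (append-only).

# Constructed sample of `lsattr -R Test/` output; all paths are made up.
sample_lsattr_output() {
cat <<'EOF'
----i---------e------- ./Test/File.txt
-----a--------e------- ./Test/app.log
-------A------e------- ./Test/notes with spaces.txt

./Test/sub:
----ia--------e------- ./Test/sub/both.conf
lsattr: Operation not supported While reading flags on ./Test/link
EOF
}

# Read lsattr output on stdin; print "<restriction><TAB><path>" per restricted file.
report_restricted() {
    while read -r flags path; do
        # Blank lines and "dir:" headers from -R leave $path empty.
        [ -n "$path" ] || continue
        case "$flags" in
            lsattr:*) continue ;;        # error line from lsattr itself
            *[!A-Za-z-]*) continue ;;    # first field is not a flag string
        esac
        # Patterns are case-sensitive: 'A' (no atime updates) is not 'a'.
        case "$flags" in
            *i*a*|*a*i*) printf 'immutable+append-only\t%s\n' "$path" ;;
            *i*)         printf 'immutable\t%s\n' "$path" ;;
            *a*)         printf 'append-only\t%s\n' "$path" ;;
        esac
    done
}

# Run against the constructed sample; on a real system use:
#   lsattr -R Test/ 2>&1 | report_restricted
sample_lsattr_output | report_restricted
```

Each reported path is a file that will refuse deletion or overwriting until the matching attribute is removed with chattr.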
Master the file permissions
I assume that if your workflow requires the use of the chattr command, you must be handling various users.
And to manage users, there is no better way than using the chage command by which you can tinker with user account expiry itself.
I hope you will find this guide helpful.
And if you have any doubts or suggestions, let me know in the comments.