Making Files Immutable
How Do I Do That?
# chattr +i foo
# date >>foo
bash: foo: Permission denied
# mv foo baz
mv: cannot move `foo' to `baz': Operation not permitted
# rm foo
rm: cannot remove `foo': Operation not permitted

# lsattr foo
----i-------- foo
The presence of the i in the output indicates that the file foo has been made immutable.
Removing the i attribute causes the file to act normally again:
# chattr -i foo
# date >>foo
# mv foo baz
# rm baz
# ls baz
ls: baz: No such file or directory
How Does It Work?
The immutable capability is provided by the ext2/ext3 filesystems (ext4, XFS, and Btrfs honour the same flag). Each file has an immutable flag stored among its inode attributes; when it is set, the filesystem code in the kernel refuses to change the ownership, group, name, or permissions of the file, refuses to open it for writing at all (so writing, appending, and truncation are impossible), and refuses to delete it or create new hard links to it. Setting or clearing the flag requires the CAP_LINUX_IMMUTABLE capability, which ordinarily only root holds, so an unprivileged process cannot simply remove the protection before making its change.
By making configuration files and programs immutable, you can provide a small measure of protection against change. This guards against accidental changes to configuration files, and it can also stop a program from being subverted into changing files it should not; although SELinux provides similar protection, you may add software to your system that is not covered by the SELinux targeted policy. Keep two caveats in mind. First, the protection is only as strong as the capability check: an attacker who already has root can run chattr -i and then edit the file, so immutability raises the bar for mistakes and for unprivileged compromises, not for a compromised root account. Second, legitimate updates are blocked too: a package update that needs to replace an immutable configuration file or binary will fail until you clear the flag.
...making an entire subtree immutable?
# chattr -R +i /etc

This sets the flag on every file and directory under /etc, including the directories themselves, so no entry anywhere in the tree can be created, renamed, or removed. Anything that legitimately writes to /etc (package updates, passwd and related tools, services that rewrite network configuration) will fail until you reverse the change with chattr -R -i /etc, so treat a whole-subtree lockdown as a deliberate maintenance-mode decision rather than a default.
...other file attributes that might be useful?
Although a number of file attributes have been defined for ext2/ext3 filesystems, very few of the interesting ones have been implemented! For example, attributes have been defined to enable per-file automatic data compression (c), automatic zeroing (secure erasure) of deleted files (s), and save-for-undeletion (u), and chattr will happily set them, but none of those features have actually been implemented in the ext2/ext3 code, so setting them changes nothing.
But there is one other attribute that is occasionally useful: the append-only attribute, a. When applied to a file by chattr, this attribute provides all of the protection of the immutable attribute, except that it remains possible to open the file in append mode and add data to the end of it; existing data cannot be overwritten, and the file cannot be truncated, renamed, or deleted. This is ideal for logfiles, because it prevents anyone without CAP_LINUX_IMMUTABLE from altering or erasing data that has already been placed in the log (root can still clear the flag, so it is not a substitute for shipping logs to a separate host). Note that the usual log-rotation approach of renaming or truncating the active file is blocked as well: rotation has to remove the attribute first with chattr -a, rotate, and then reapply it. Applied to a directory, a lets new files be created inside it but prevents existing entries from being removed or renamed.
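The following helper script is an added example, not part of the original text, covering both the subtree lockdown above and the append-only logfile case. It assumes the GNU e2fsprogs chattr and lsattr commands and must run as root (CAP_LINUX_IMMUTABLE) for the functions that change flags; the lsattr lines used in the comments are constructed samples. The has_flag parser works on a single line of lsattr output, so it can be checked without touching a real filesystem.

```shell
#!/bin/sh
# Added example (not from the original text). Assumes e2fsprogs chattr/lsattr;
# lock_file, protect_log and unlock_file need root (CAP_LINUX_IMMUTABLE).

# attr_field LINE: return the attribute field of one lsattr output line,
# e.g. "----i--------e---- /etc/passwd" (constructed sample) -> "----i--------e----".
# lsattr -R also prints directory headers such as "/etc:" and blank lines;
# those carry no flags, so return an empty string for them.
attr_field() {
    field="${1%% *}"
    case "$field" in
        ''|*/*) printf '\n' ;;
        *)      printf '%s\n' "$field" ;;
    esac
}

# has_flag LINE LETTER: succeed if the lsattr line carries the given flag letter
# (i = immutable, a = append-only).
has_flag() {
    case "$(attr_field "$1")" in
        '')     return 1 ;;
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# file_has_flag PATH LETTER: query the live filesystem (-d so a directory is
# reported itself rather than listing its contents).
file_has_flag() {
    has_flag "$(lsattr -d -- "$1" 2>/dev/null)" "$2"
}

# lock_file PATH...: make files immutable and confirm each flag really stuck
# (chattr exits 0 on some filesystems that silently ignore the flag).
lock_file() {
    for f in "$@"; do
        chattr +i -- "$f" || return 1
        file_has_flag "$f" i || { echo "immutable flag not set on $f" >&2; return 1; }
    done
}

# unlock_file PATH...: clear i and a so maintenance (package updates, log
# rotation) can proceed; the same command an attacker with root would use.
unlock_file() {
    chattr -i -a -- "$@"
}

# protect_log PATH: append-only for a logfile. An existing i flag would also
# block appends, so clear it at the same time.
protect_log() {
    chattr -i +a -- "$1" || return 1
    file_has_flag "$1" a
}

# audit_attrs DIR: print every lsattr line under DIR that has i or a set,
# which is what you want to review after a lockdown or during a forensic check.
audit_attrs() {
    lsattr -R -- "$1" 2>/dev/null | while IFS= read -r line; do
        if has_flag "$line" i || has_flag "$line" a; then
            printf '%s\n' "$line"
        fi
    done
}

# Usage when run directly, e.g.:
#   sh chattr-helpers.sh audit /etc
#   sh chattr-helpers.sh lock /etc/ssh/sshd_config /etc/resolv.conf
#   sh chattr-helpers.sh log /var/log/secure
case "${1-}" in
    audit) shift; audit_attrs "$@" ;;
    lock)  shift; lock_file "$@" ;;
    log)   shift; protect_log "$@" ;;
    unlock) shift; unlock_file "$@" ;;
esac
```

Before rotating a protected log, call unlock_file on it, rotate, then protect_log again; running audit_attrs afterwards confirms nothing was left unprotected.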
Where Can I Learn More?