File Attributes: even the root user cannot delete a file once this attribute is set.


One of the reasons Linux has taken hold in the corporate world is its level of security. There may be a sensitive file on your system that you want no one to tamper with, whether by deleting it, renaming it or modifying its content. As a system administrator you must make sure that file is not mishandled by other users. A user may have full permissions (rwx) on a file, but once an attribute is set on that file not even the root user can modify it.

chattr is the command for setting attributes on files and directories. It uses flags (A, a, S, i, u, d, t, j) and operators (=, +, -).

Command syntax

chattr [operator][flag] filename 

To list or show the attributes of a file, we use lsattr.

Below are descriptions of some attributes and their associated flags.

No atime updates (flag A)
  • The file's atime record is not modified
  • This avoids a certain amount of disk I/O

Append only (flag a)
  • You can only append text to the file
  • This attribute is very useful as a means of keeping records: text can be added to the file but cannot be deleted

No copy-on-write (CoW) (flag C)
  • The file is not subject to copy-on-write updates
  • Updates to these files may not be subject to atomic snapshots, and may lack some reliability information on some filesystems and kernels

No dump (flag d)
  • The file is not backed up when the dump program is run

Immutable (flag i)
  • A file with the "i" attribute cannot undergo any modification
  • The file cannot be deleted, renamed, appended to, moved to a different location, or linked to
  • This is the most used attribute for protecting sensitive files

Synchronous updates (flag S)
  • Changes to this file are written synchronously to disk; this is equivalent to the sync mount option applied to a subset of files

Undeletable (flag u)
  • When a file with the u attribute is deleted, its contents are saved
  • This allows the user to ask for its undeletion

Note: Not all flags are supported by all file systems. This tutorial focuses on the "a" and "i" flags, which are supported by all file system types.

For more information on the flags and their attributes, see the chattr man page.

Operators
  • + adds (sets) an attribute
  • - removes an attribute
  • = sets the file's attributes to exactly the listed flags; with no flags given, it removes all attributes from the file

Man page of chattr

# man chattr


How to use the chattr and lsattr commands

Setting attributes
We will learn how to use the a and i flags effectively.

"a" flag
This flag sets the append-only attribute on the file. No user can delete content from the file or rearrange it; the only thing a user can do is append new text. This is very useful when you want to keep track of certain data: previous data can never be deleted, but new lines of data can be added to the file.
This command sets the attribute:
# chattr +a file
Use this command to list the attributes on the file:
# lsattr file

Append-only can also be set on a directory. All files in that directory then inherit the directory's attribute: no file in the directory can be deleted, but new files can be created.
# chattr -R +a dir/


"i" flag
This is the most used attribute, as it really helps keep files safe and secure. When the immutable attribute is set, the file cannot be deleted, renamed, moved, linked to, or appended to.
One practical scenario for this attribute is setting it on the /etc/passwd and /etc/shadow files to protect user information from accidental modification.
This command sets the attribute:
# chattr +i file

This attribute can also be set on directories to protect the directory's content.
# chattr +i dir/

Removing attributes

To remove an attribute from a file we use the "-" operator; this removes only the specified attribute. To remove all attributes from a file and return it to its original state, we use the "=" operator.
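As an added example (not part of this tutorial), here is a small Python audit that parses lsattr output, checks that the files you protected with chattr still carry the expected "a" or "i" flag, and reports files that carry those flags without being in your baseline. The sample lsattr lines and the baseline dictionary are constructed for illustration; on a real host you would feed it the output of lsattr on the paths you care about.

```python
import re

# One lsattr line is "<attribute string> <path>": letters for attributes that
# are set, '-' for unset ones. Directory headers printed by lsattr -R ("/etc:"),
# blank lines and lsattr error messages do not match and are skipped.
LINE_RE = re.compile(r"^([A-Za-z-]+)\s+(\S.*)$")

# Constructed sample output in lsattr's format; not taken from a real host.
SAMPLE = """\
----i---------e------- /etc/passwd
--------------e------- /etc/shadow
-----a--------e------- /var/log/wtmp
----i---------e------- /usr/local/bin/helper
--------------e------- /etc/hostname
"""

# Constructed baseline: the flag each protected file is expected to carry.
EXPECTED = {"/etc/passwd": "i", "/etc/shadow": "i", "/var/log/wtmp": "a"}


def parse_lsattr(output):
    """Map each path in lsattr output to the set of attribute letters set on it."""
    attrs = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        flags, path = match.groups()
        attrs[path] = {c for c in flags if c != "-"}
    return attrs


def audit(attrs, expected):
    """Return (missing, unexpected).

    missing: baseline files that no longer carry their expected flag.
    unexpected: files carrying 'a' or 'i' that the baseline does not list.
    """
    missing = {p: f for p, f in expected.items() if f not in attrs.get(p, set())}
    unexpected = {p: sorted(s & {"a", "i"}) for p, s in attrs.items()
                  if p not in expected and s & {"a", "i"}}
    return missing, unexpected


def fix_commands(missing):
    """chattr commands, in the syntax above, that would restore the baseline."""
    return [f"chattr +{flag} {path}" for path, flag in sorted(missing.items())]
```

Run audit(parse_lsattr(SAMPLE), EXPECTED) to see /etc/shadow reported as missing its "i" flag and /usr/local/bin/helper reported as unexpectedly immutable; unexpected entries are worth a look before anyone runs chattr -i on them.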

Conclusion

I hope this tutorial has helped you understand how important the chattr command is. Setting attributes on files is a must-know practice for every Linux administrator. Assign these attributes to your files to protect them.
