File Attributes



The course is part of this learning path

Linux Security and Hardening

This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.

Learning Objectives

  • Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
  • Learn how to share data securely with groups and multiple users on a Linux system
  • Understand how special modes add extra security to file systems
  • Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
  • Learn how to secure files and directories using ACLs
  • Learn about rootkits and how to discover and remove them

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


In addition to the normal modes of read, write and execute, and even in addition to the special modes of Setuid, Setgid and Sticky Bit, some file systems support file attributes, sometimes called extended attributes. The most commonly used file systems on Linux systems support file attributes. The ext series of file systems is supported: for example, ext2, ext3 and ext4 all have support. XFS also has support. The B-tree file system, ReiserFS and JFS have support as well. For those of you who work in HPC or high performance computing environments, OCFS2, OrangeFS and Lustre all have extended attributes support. Even some file systems designed to be used on embedded systems, such as SquashFS and FSF2, have extended attributes support.

Let's talk about the two attributes that you'll use most often. The first one is the i or immutable attribute. When a file has this attribute, it is immutable, meaning that it can't be modified. A file with the i attribute cannot be deleted, renamed, appended to, truncated, or even hard linked to. Use this attribute on a file when you want to ensure that it cannot be deleted by accident. Even root cannot delete a file with the immutable attribute set. The attribute has to be removed before the file can be deleted.

A file with the a or append-only attribute can only be opened in append mode for writing. The existing contents of the file cannot be altered or removed. This also means a file with the a attribute cannot be deleted. I recommend using this setting on log files; this could potentially stop some attackers from covering their tracks. For example, if an attacker gains access to a system account like a web server account, they could remove the log entries from the web server logs, which might hide their tracks, unless this append-only attribute was set. Only root can set or remove these attributes, so as long as the attacker is not root or doesn't know about file attributes, they provide an extra layer of protection.
There are several other file attributes, but not all file attributes are supported on all file systems. To find out what attributes are supported for your file system, refer to the documentation or built-in man pages. When a file that has the s attribute is deleted, its blocks are supposed to be filled with zeros and written back to the disk. However, if you're using ext4 or XFS, for example, this will not happen when the file is deleted, because those file systems do not support that particular attribute.

Okay, so, how do we view and set these file attributes? Well, to view file attributes, use the lsattr command followed by the file or directory you want to examine. The lsattr command will list the attributes or flags set on a given file. Just like the ls command uses dashes to represent that a permission is not set, lsattr uses a dash to represent that an attribute is not set. In this first example, the /etc/motd file doesn't have any attributes set, so the output from lsattr is made up entirely of dashes. In this second example, the /var/log/messages file has the a attribute set, which we know is the append-only attribute. The lowercase a will always appear in that position if it's set. I wouldn't spend any time learning what each and every one of those fields represents like you do with ls output. You can always look up the attribute in the chattr man page.

So that brings us to setting or clearing attributes, and to do that, use the chattr command. To add or set an attribute, run chattr followed by the plus sign, followed by the attribute or attributes you wish to set. To remove or clear an attribute, run chattr followed by the minus sign, followed by the attribute or attributes you wish to remove. If you want to explicitly set the attributes to be only what you specify, run chattr followed by the equal sign, followed by the attribute or attributes.
If there are any existing attributes that weren't specified following the equal sign, they will be cleared. So to clear all attributes, run chattr, a space, an equal sign, and then the path to the file or directory. Since no attributes were specified, they will all be cleared.

This example shows that the /var/log/messages file doesn't initially have any file attributes set on it. We run the chattr +a /var/log/messages command to add the append-only attribute, and we check to see that it got applied by running lsattr. If we want to clear a flag, then we run chattr -a followed by the path to the file. This example shows that the a attribute was set. Then the chattr -a command was executed, and the final lsattr output shows that the attribute was indeed removed.

Let's use the chattr command in combination with the equal sign. Here we use the lsattr command to show that no attributes are set on the /etc/hosts file. Next we run chattr =is /etc/hosts. The next lsattr command shows that both the immutable and secure delete attributes were set. This is meant to be an example of how to use this command, but remember your file system probably doesn't support secure delete. To remove all attributes on a file, you can run chattr = without specifying any attributes and then a path to the file. This will clear all the attributes, as the example on your screen demonstrates.
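
An audit built on the lsattr output format described above, as an added example that is not part of the course material: it lists files that lack a given attribute, such as log files missing the append-only flag. The sample lsattr lines and every path other than /var/log/messages are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit lsattr output for files that lack an attribute.
# The sample lines below are constructed, not captured from a real system.

# has_attr FLAGS LETTER -> succeeds if LETTER appears in the lsattr flag field.
# The match is case-sensitive, so "a" (append-only) is never confused with "A".
has_attr() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# missing_attr LETTER: reads "FLAGS PATH" lines (lsattr format) on stdin and
# prints every PATH whose flag field does not contain LETTER.
missing_attr() {
    while read -r flags path; do
        [ -n "$path" ] || continue      # skip blank or malformed lines
        has_attr "$flags" "$1" || printf '%s\n' "$path"
    done
}

# Constructed sample in lsattr's output format (flag field, space, path).
sample_lsattr() {
    cat <<'EOF'
-----a--------e------- /var/log/messages
--------------e------- /var/log/secure
----ia--------e------- /var/log/audit/audit.log
--------------e------- /var/log/httpd/access log
EOF
}

# Live use (as root, on a file system that supports the attribute):
#   lsattr /var/log/messages | missing_attr a    # prints the path if a is unset
#   chattr +a /var/log/messages                  # then set it
if [ "${1:-}" = "--demo" ]; then
    sample_lsattr | missing_attr a
fi
```

Because an append-only file cannot be renamed, truncated or deleted, a log rotation job that does any of those will fail on it until the attribute is cleared with chattr -a.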

About the Author
Jason Cannon
Founder, Linux Training Academy

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.