Tuesday, October 14, 2014

lsattr and chattr file attributes

Some Extended Attributes:-

lsattr and chattr

chattr - changes the file attributes on a Linux file system.
The format of a symbolic mode is +-=[acdeijstuACDST].


Linux file systems support three permission attributes: read, write and execute, for three different levels: owner, owning group, and everyone else. Extended attributes, abbreviated xattr, add further permissions or restrictions on top of the original three. chattr can be used to keep important system files secure. (Strictly speaking, the letters chattr sets are per-inode flags; the named key/value extended attributes handled by setfattr and getfattr, shown further below, are a separate mechanism, although both are commonly grouped together as extended attributes.)

The operator '+' causes the selected attributes to be added to the existing attributes of the files; '-' causes them to be removed; and '=' causes them to be the only attributes that the files have.

The letters 'acdeijstuACDST' select the new attributes for the files:


a :- append only
c :- compressed
d :- no dump
e :- extent format
i :- immutable
j :- data journalling
s :- secure deletion
t :- no tail-merging
u :- undeletable
A :- no atime updates
C :- no copy on write
D :- synchronous directory updates
S :- synchronous updates
T :- top of directory hierarchy



The following attributes are read-only, and may be listed by lsattr but not modified by chattr:

h :- huge file
E :- compression error
I :- indexed directory
X :- compression raw access
Z :- compressed dirty file

Options

-R :- Recursively change attributes of directories and their contents.
-V :- Be verbose with chattr's output and print the program version.
-f :- Suppress most error messages.
-v version :- Set the file's version/generation number.


Detail:

When the 'A' attribute is set, the file's atime record is not modified.
When the 'a' attribute is set, the file can only be opened in append mode for writing.
When the 'c' attribute is set, the file is automatically compressed on the disk by the kernel.
Note:
A read from this file returns uncompressed data.
A write to this file compresses data before storing them on the disk.

When the 'D' attribute is set on a directory, its changes are written synchronously to the disk; this is equivalent to the 'dirsync' mount option applied to a subset of the files.

When the 'd' attribute is set, the file is not backed up when the dump program is run.
The 'e' attribute indicates that the file is using extents for mapping the blocks on disk. It may not be removed using chattr.
The 'I' attribute is used by the htree code to indicate that a directory is being indexed using hashed trees.
The 'h' attribute indicates that the file is storing its blocks in units of the filesystem blocksize instead of in units of sectors.
A file with the 'i' attribute set cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file.
A file with the 'j' attribute set has all of its data written to the ext3 journal before being written to the file itself, if the filesystem is mounted with the "data=ordered" or "data=writeback" options. When the filesystem is mounted with the "data=journal" option all file data is already journalled and this attribute has no effect.
When a file with the 's' attribute set is deleted, its blocks are zeroed and written back to the disk.

When a file with the 'u' attribute set is deleted, its contents are saved. This allows the user to ask for its undeletion.

Changing attributes can be done with:

+ – set attribute
- – remove attribute
= – force these attributes
Thus to add the append attribute to test.txt:

# chattr +a test.txt

Using = to set attributes will force only those attributes to be applied. If attributes are already applied to the file, those will be removed if they are not specified in the chattr command.
Trying to set or remove the h attribute will fail as this can only be set by the file system not with chattr.

A file's or directory's attributes can be viewed with the lsattr command.



There are four extended attribute classes (namespaces): security, system, trusted and user.
Note: extended attributes are not preserved by cp, rsync, and probably others unless explicitly requested (cp --preserve=xattr, rsync -X).

$ setfattr -n user.checksum -v "3baf9ebce4c664ca8d9e5f6314fb47fb3" file1

$ getfattr -d file1
# file: file1
user.checksum="3baf9ebce4c664ca8d9e5f6314fb47fb3"

$ lsattr file1
-------------e- file1

Note that lsattr shows only the chattr flags; the user.checksum attribute set above does not appear in its output.




Who              Permission            Numbers
------           -----------           ---------
u - owning user  r - read              4 - read
g - group        w - write             2 - write
o - others       x - execute/search    1 - execute
a - all

Note:
The 'j', 'a' and 'i' options are only available to the superuser.
Please make sure to read the bugs and limitations section at the end of the chattr manual page (man chattr).
Even root can't delete a file that is immutable or append-only without first explicitly removing that attribute.
Using this flag on /etc/passwd or /etc/shadow files keeps them safe from an accidental rm -f and also ensures no new accounts can be added in the event of an exploit. Bear in mind that it also blocks legitimate changes (passwd, useradd) until the flag is removed, and that anyone who already has root can run chattr -i, so it protects against mistakes and unprivileged compromise rather than against a full root compromise.
Keeping other files append-only means once they are written, that data can't be changed. Logs are a good candidate for this to keep them from being tampered with.
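As an added example (not from the original post), the following Python script parses lsattr output and audits it against the policy described above: it reports protected files that have lost their expected 'i' or 'a' flag, and files carrying those flags that nobody authorised. The sample lsattr output, the policy dictionary and the path names are constructed for illustration.

```python
import re
# Settable flag letters from chattr(1). lsattr's column order differs between
# e2fsprogs versions, so flags are matched by letter, never by column position.
FLAG_NAMES = {"a": "append only", "c": "compressed", "d": "no dump", "e": "extent format",
              "i": "immutable", "j": "data journalling", "s": "secure deletion",
              "t": "no tail-merging", "u": "undeletable", "A": "no atime updates",
              "C": "no copy on write", "D": "synchronous directory updates",
              "S": "synchronous updates", "T": "top of directory hierarchy"}

def parse_lsattr(output):
    """Map each path in lsattr output to the set of flag letters it carries."""
    attrs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):     # blank lines and "dir:" headers
            continue
        field, _, path = line.partition(" ")
        if not path or not re.fullmatch(r"[A-Za-z-]+", field):  # e.g. error lines
            continue
        attrs[path] = {ch for ch in field if ch != "-"}
    return attrs

def audit(attrs, expected, allowed=frozenset()):
    """Report files missing a required flag, and i/a flags nobody authorised."""
    findings = []
    for path, want in expected.items():
        have = attrs.get(path)
        if have is None:
            findings.append(f"{path}: not in lsattr output")
        elif want not in have:
            findings.append(f"{path}: expected '{want}' ({FLAG_NAMES[want]}) "
                            f"but flags are {sorted(have) or 'none'}")
    for path, have in attrs.items():
        locked = have & {"i", "a"}            # the two flags that resist rm/mv
        if locked and path not in expected and path not in allowed:
            names = ", ".join(FLAG_NAMES[f] for f in sorted(locked))
            findings.append(f"{path}: unexpected {names}")
    return findings

# Constructed sample in the layout of `lsattr -R`, not captured from a real host.
SAMPLE = """\
/var/tmp/test:
-----a-------e- /var/tmp/test/test2
----i--------e- /var/tmp/test/file1
/etc:
----i--------e- /etc/passwd
-------------e- /etc/shadow
"""
# Hypothetical policy: passwd/shadow must be immutable, the auth log append-only.
EXPECTED = {"/etc/passwd": "i", "/etc/shadow": "i", "/var/log/secure": "a"}
```

Feed it the output of `lsattr -R` over the directories you care about, for example from a cron job, and alert on any finding; a file that silently lost its +a flag is as interesting as one that unexpectedly gained +i.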


$ cd /var/tmp; mkdir test
$ cd test
$ touch file1 file2
$ lsattr
-------------e- ./file2
-------------e- ./file1
$ ls
file1  file2
$ setfattr -n user.checksum -v "3baf9ebce4c664ca8d9e5f6314fb47fb3" file1
$ lsattr
-------------e- ./file2
-------------e- ./file1
$ getfattr -d file1
# file: file1
user.checksum="3baf9ebce4c664ca8d9e5f6314fb47fb3"

$ getfattr -d file2
$ man chattr
$ lsattr file1
-------------e- file1
$ ls
file1  file2
$ cat >file2
This is a test file
cool !!!
$ ls -l file2
-rw-rw-r--. 1 dev dev 29 Oct 14 21:19 file2
$ lsattr file2
-------------e- file2
$ chmod 777 file2
$ lsattr file2
-------------e- file2
$ ls -l file2
-rwxrwxrwx. 1 dev dev 29 Oct 14 21:19 file2
$ chattr +i file2
chattr: Operation not permitted while setting flags on file2
$ su -
Password:
# cd /var/tmp/test
# ls
file1  file2
# chattr +i file2
# lsattr
----i--------e- ./file2
-------------e- ./file1
# cat file2
This is a test file
cool !!!
# cat >test2
This is cool too
# cat test2
This is cool too
# cat >>test2
I am just testing it
# rm test2
rm: remove regular file `test2'? y
# ls -l
total 8
-rw-rw-r--. 1 dev dev  0 Oct 14 19:14 file1
-rwxrwxrwx. 1 dev dev 29 Oct 14 21:19 file2
# mv file2 file3
mv: cannot move `file2' to `file3': Operation not permitted
# chattr -i file2
# lsattr file2
-------------e- file2
# rm file2
rm: remove regular file `file2'? y
# ls -l
total 4
-rw-rw-r--. 1 dev dev 0 Oct 14 19:14 file1
# cp file1 file2
# cat >>test2
I am just testing file again
# cat test2
I am just testing file again
# chattr +a test2
# rm test2
rm: remove regular file `test2'? y
rm: cannot remove `test2': Operation not permitted
# ls -l
total 8
-rw-rw-r--. 1 dev dev  0 Oct 14 19:14 file1
-rw-r--r--. 1 root  root   0 Oct 14 21:23 file2
-rw-r--r--. 1 root  root  29 Oct 14 21:23 test2
# cat >test2
-bash: test2: Operation not permitted
# cat >>test2
THis is added content
# cat test2
I am just testing file again
THis is added content
#
# chattr -i test
# lsattr test
-----a-------e- test/test2
-------------e- test/file2
-------------e- test/file1
# chattr -R -i test
# lsattr test
-----a-------e- test/test2
-------------e- test/file2
-------------e- test/file1
# rm -rf test
rm: cannot remove `test/test2': Operation not permitted
