stevepedwards.com/DebianAdmin linux mint IT admin tips info

Using and finding the attribute of “i” assigned to a file with chattr and lsattr

Ever had a situation where you could not recursively remove some directories due to one or more files having a permission that even root could not take control of? Did you ever find out why?

I have had this scenario on a backup drive, with Windows files having an attribute set from being copied from a compressed Win file system, which would not then allow root to remove it when the external drive was attached to a linux box.

Infuriating - as it meant I could not delete the whole directory with this file under it. I ended up re-attaching the drive to a Win PC, then taking ownership that way, before I could delete the file with the “special” attribute, and then returning the drive to a linux system for full control – short of just formatting the drive completely in linux and losing everything of course.

In a similar vein of "special" file attributes, Linux can mark a file so that no user, root included, can delete or modify it while the flag is set. This is done with the chattr command, and it works on ext2/3/4 and on other filesystems that implement the same inode flags (XFS and btrfs among them).

man chattr

A file with the `i' attribute cannot be modified: it cannot be deleted
or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

The letters `acdeijstuACDST' select the new attributes for the files:
append only (a), compressed (c), no dump (d), extent format (e),
immutable (i), data journalling (j), secure deletion (s), no tail-merging (t),
undeletable (u), no atime updates (A), no copy on write (C),
synchronous directory updates (D), synchronous updates (S), and top of
directory hierarchy (T).

The following attributes are read-only, and may be listed by lsattr(1)
but not modified by chattr: huge file (h), compression error (E),
indexed directory (I), compression raw access (X), and compressed dirty
file (Z).

This is a useful way to stop a file being altered or deleted by anyone, root included, while the flag is set. It is not a hard security boundary on its own: root, or any process holding CAP_LINUX_IMMUTABLE, can clear the flag with chattr -i and then carry on, so an attacker who already has root is only slowed down, not stopped. Its real value is as a guard against accidental edits, runaway scripts and anything running without that capability (a service whose capability bounding set has been trimmed, for instance), and as a tripwire: a cleared flag on a file that is supposed to stay immutable is worth alerting on.

Create a testfile:

MintServer stevee # touch testfile.txt

MintServer stevee # ls -als testfile.txt

0 -rw-r--r-- 1 root root 0 Sep 9 14:31 testfile.txt

Now add the “i” attribute:

MintServer stevee # chattr +i testfile.txt

MintServer stevee # ls -als testfile.txt

0 -rw-r--r-- 1 root root 0 Sep 9 14:31 testfile.txt

You can view this attribute with:

MintServer stevee # lsattr testfile.txt

----i--------e-- testfile.txt

Now, as root (the owner), try to delete the file:

MintServer stevee # rm -v testfile.txt

rm: cannot remove ‘testfile.txt’: Operation not permitted

Only root (or a process with CAP_LINUX_IMMUTABLE) can clear the attribute, after which the file can be deleted as normal:

MintServer stevee # chattr -i testfile.txt

MintServer stevee # ls -als testfile.txt

0 -rw-r--r-- 1 root root 0 Sep 9 14:31 testfile.txt

MintServer stevee # lsattr testfile.txt

-------------e-- testfile.txt

How do you search for other such files on the system?

ls -al does not show this attribute, so it cannot simply be combined with grep to search for it. Only lsattr prints the flag string, in which i appears as the 5th character on this version of e2fsprogs:

MintServer stevee # lsattr testfile.txt

----i--------e-- testfile.txt

Can that be used recursively with grep? Yes: lsattr has a -R switch. Expect noise, though. lsattr reads the flags with an ioctl (FS_IOC_GETFLAGS) that device nodes and pseudo-filesystems such as /dev, /proc and /sys do not implement, so each of those entries produces an "Operation not supported" error on stderr instead of a flag line. Sending stderr to /dev/null (2>/dev/null) hides them. Note also that ^----i only matches when the four flags before i are all clear: a file that has i together with s, u, S or D set would be missed, so matching the letter anywhere in the flag field is more robust than anchoring on a column.

MintServer stevee # lsattr -R / | grep ^----i

lsattr: Operation not supported While reading flags on /dev/vga_arbiter

----i--------e-- /home/stevee/testfile.txt

It did still find my test file after searching under the root dir.
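As an added example (not from the original post), here is a small POSIX shell script that does the search above without depending on which column i occupies: it matches the letter anywhere in lsattr's flag field, ignores error and directory-header lines, and walks the tree with find -xdev so it stays off /proc, /sys and /dev. The lsattr lines in the demo are constructed for illustration and the paths in them are made up; the function names (flagged_paths, find_flagged, check_immutable) are this example's own, not part of e2fsprogs.

```shell
#!/bin/sh
# Added example, not from the original post: locate entries carrying the
# immutable (i) or append-only (a) attribute, independent of the column
# layout of the lsattr flag string.

# flagged_paths LETTER... : read lsattr output on stdin and print
# "LETTER PATH" for every entry whose flag field contains LETTER.
# Only lines whose first field is a pure flag string (dashes and letters)
# are considered, so "/dir:" headers from lsattr -R, blank lines and
# "lsattr: Operation not supported ..." errors are skipped.
flagged_paths() {
    awk -v want="$*" '
        BEGIN { n = split(want, letters, " ") }
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
            path = $0
            sub(/^[^ ]+ /, "", path)        # drop the flag field, keep spaces in the path
            for (k = 1; k <= n; k++)
                if (index($1, letters[k]) > 0)
                    print letters[k] " " path
        }'
}

# find_flagged DIR LETTER... : walk one filesystem from DIR and report
# entries carrying any of the letters. -xdev keeps find from crossing into
# /proc, /sys or /dev, whose entries have no flags to read; lsattr -d lists
# directories themselves instead of descending, since find already recurses;
# any remaining lsattr errors are discarded.
find_flagged() {
    dir="$1"; shift
    find "$dir" -xdev \( -type f -o -type d \) -exec lsattr -d {} + 2>/dev/null \
        | flagged_paths "$@"
}

# check_immutable PATH... : report (on stderr) every PATH that does not
# currently carry the i flag and return 1 if any is missing. A tripwire for
# files that are supposed to stay immutable; a cleared flag means someone
# with CAP_LINUX_IMMUTABLE has been at it. Needs lsattr installed.
check_immutable() {
    missing=0
    for p in "$@"; do
        if ! lsattr -d "$p" 2>/dev/null | flagged_paths i | grep -q .; then
            echo "not immutable: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# Demo on constructed lsattr output (the paths are invented for this example).
demo() {
    printf '%s\n' \
        '----i--------e-- /home/stevee/testfile.txt' \
        '-------------e-- /home/stevee/plain.txt' \
        '----------I--e-- ./tftpboot/XP/I386' \
        '-----a-------e-- /var/log/app audit.log' \
        'lsattr: Operation not supported While reading flags on /dev/vga_arbiter' \
        | flagged_paths i a
}

demo
# A real scan of the root filesystem (needs read access to the tree):
#   find_flagged / i a
# A tripwire on files you have pinned with chattr +i:
#   check_immutable /etc/resolv.conf /etc/hosts
```

The demo prints only the two entries whose flag field contains a lowercase i or a: the uppercase I (indexed directory) entry and the error line are ignored, and the path containing a space comes through intact.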

If you run this over Windows install trees you will also see the I flag on some entries. I (indexed directory) is one of the read-only flags the man page above says lsattr can list "but not modified by chattr". It is an ext3/ext4 property, set by the filesystem itself when a directory grows large enough to get a hashed (htree) index, not an attribute carried over from Windows, and it only ever appears on directories, which is what every entry in the listing below is. The same goes for the extent format flag e, which ext4 sets on the files it creates when the extents feature is enabled.

I found some in the 11th column in my tftpboot directory for Win installs:

MintServer stevee # lsattr -R | grep ^----------I

----------I--e-- ./tftpboot/XP/I386

----------I--e-- ./tftpboot/XP/I386/COMPDATA

----------I--e-- ./tftpboot/Win7Home/sources/dlmanifests

----------I--e-- ./tftpboot/WinPE_amd64/setup/sources/dlmanifests

----------I--e-- ./tftpboot/WinPE_amd64/setup/sources/replacementmanifests

These inode flags are separate from the permission bits that ls shows (one file-type character plus rwx for owner, group and other). The chattr man page above lists 14 letters that can be set or cleared, acdeijstuACDST, plus five (h, E, I, X and Z) that lsattr displays but chattr cannot change, and the flag string is 16 characters wide in the output above. Newer e2fsprogs releases add more flags and widen the string, so the column a given letter lands in is not stable across versions; lsattr -l prints the attribute names in full if you would rather not count columns.

The format of a symbolic mode is +-=[acdeijstuACDST]
