Command documentation sourced from the linux-command project This comprehensive command reference is part of the linux-command documentation project.
chattr - Change File Attributes on Linux Extended Filesystems
The chattr command is a powerful Linux utility used to change file attributes on extended filesystems (ext2, ext3, ext4, and others). It provides low-level file attributes that go beyond traditional Unix permissions, offering enhanced file protection and control. These attributes are stored directly in the filesystem metadata and cannot be bypassed by regular file operations, making them essential for system security, data integrity, and administrative control. The most commonly used attribute is the immutable flag (+i), which prevents any modification to protected files, even by the root user.
Basic Syntax
chattr [OPERATORS][ATTRIBUTES] FILE...
chattr [OPTIONS] [OPERATORS][ATTRIBUTES] FILE...
Operators
+- Add attributes-- Remove attributes=- Set attributes exactly (remove all others)
File Attributes
Security and Protection Attributes
a- Append only (file can only be appended to)A- No atime updates (don't update access time)c- Compressed (file is stored compressed on disk)C- No copy-on-write (disable copy-on-write)d- No dump (exclude from backups withdumpcommand)e- Extents format (use extents for mapping file blocks)i- Immutable (cannot be modified, deleted, or renamed)j- Data journaling (write file data to journal)s- Secure deletion (zero blocks when file is deleted)S- Synchronous updates (write changes to disk immediately)t- No tail-merging (no tail-merging of partial blocks)T- Top of directory hierarchy (hierarchical directory top)u- Undeletable (allow file contents to be undeleted)
Extended Attributes
D- Synchronous directory updatesE- Compression error (indicates compression error)I- Indexed directory (use hashed B-trees)P- Project hierarchy (project quota inheritance)X- Compression raw access (direct compressed access)
Common Options
-R, --recursive- Recursively change attributes of directories and contents-V, --verbose- Verbose output showing changed attributes-v VERSION- Set/set the file's version/generation number-p PROJECT- Set the project ID for project quota control-f, --force- Suppress most error messages--help- Display help information--version- Show version information
Usage Examples
Basic File Protection
Making Files Immutable
# Make a file immutable (cannot be modified, deleted, or renamed)
sudo chattr +i /etc/hosts
sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow
# Protect important configuration files
sudo chattr +i /etc/resolv.conf
sudo chattr +i /etc/sudoers
sudo chattr +i /etc/ssh/sshd_config
# Remove immutable attribute
sudo chattr -i /etc/hosts
Append-Only Files
# Make log files append-only (can only add to, not modify existing content)
sudo chattr +a /var/log/auth.log
sudo chattr +a /var/log/secure
sudo chattr +a /var/log/audit/audit.log
# Remove append-only attribute
sudo chattr -a /var/log/auth.log
# Create append-only file for security logging
sudo touch /var/log/security.log
sudo chattr +a /var/log/security.log
sudo chmod 600 /var/log/security.log
System Administration
Backup and Archive Protection
# Prevent important backups from being modified
sudo chattr +i /backup/database_backup.sql
sudo chattr +i /backup/system_config.tar.gz
# Mark files to exclude from backups
sudo chattr +d /tmp/*
sudo chattr +d /var/tmp/*
# Secure deletion for sensitive files
sudo chattr +s /home/user/sensitive_document.pdf
sudo rm /home/user/sensitive_document.pdf
Directory Protection
# Recursively protect entire directories
sudo chattr -R +i /etc/cron.d/
sudo chattr -R +i /etc/cron.daily/
sudo chattr -R +i /etc/cron.weekly/
# Make critical system directories append-only
sudo chattr -R +a /var/log/
sudo chattr +a /var/log/journal/
Performance Optimization
Disable Access Time Updates
# Improve performance by disabling atime updates
sudo chattr -R +A /var/lib/mysql/
sudo chattr -R +A /var/www/cache/
sudo chattr -R +A /home/user/projects/
# No access time updates for web content
sudo chattr -R +A /var/www/html/
sudo chattr -R +A /srv/http/
Synchronous Updates
# Ensure immediate disk writes for critical data
sudo chattr +S /var/lib/postgresql/data/
sudo chattr +S /etc/passwd
sudo chattr +S /etc/shadow
# Database files with synchronous updates
sudo chattr +S /var/lib/mysql/ibdata1
sudo chattr +S /var/lib/mysql/ib_logfile0
Practical Examples
System Security
Protecting System Files
#!/bin/bash
# Secure critical system files
CRITICAL_FILES=(
"/etc/passwd"
"/etc/shadow"
"/etc/group"
"/etc/gshadow"
"/etc/sudoers"
"/etc/hosts"
"/etc/fstab"
"/etc/resolv.conf"
"/boot/grub/grub.cfg"
)
for file in "${CRITICAL_FILES[@]}"; do
if [ -f "$file" ]; then
echo "Securing $file..."
sudo chattr +i "$file"
fi
done
echo "Critical system files secured with immutable flag"
Log File Protection
#!/bin/bash
# Setup secure logging
LOG_FILES=(
"/var/log/auth.log"
"/var/log/secure"
"/var/log/audit/audit.log"
"/var/log/kern.log"
"/var/log/syslog"
)
for log in "${LOG_FILES[@]}"; do
if [ -f "$log" ]; then
echo "Setting append-only for $log..."
sudo chattr +a "$log"
sudo chmod 600 "$log"
fi
done
echo "Log files configured for append-only access"
Database and Application Security
Database File Protection
# Protect database files from accidental deletion
sudo chattr +i /var/lib/mysql/ibdata1
sudo chattr +i /var/lib/mysql/ib_logfile0
# Make database directory append-only
sudo chattr +a /var/lib/mysql/binlog.index
sudo chattr +a /var/lib/mysql/mysql.err
# Enable synchronous updates for data integrity
sudo chattr +S /var/lib/mysql/ibdata*
sudo chattr +S /var/lib/postgresql/data/pg_xlog/*
Application Configuration Protection
# Protect application configurations
sudo chattr +i /etc/nginx/nginx.conf
sudo chattr +i /etc/apache2/apache2.conf
sudo chattr +i /etc/php/php.ini
sudo chattr +i /etc/my.cnf
# Protect SSL certificates
sudo chattr -R +i /etc/ssl/certs/
sudo chattr -R +i /etc/ssl/private/
# Make configuration directories append-only
sudo chattr -R +a /etc/logrotate.d/
sudo chattr -R +a /etc/cron.d/
Data Management
Archive Protection
# Create and protect archives
tar -czf backup_$(date +%Y%m%d).tar.gz /important/data/
sudo chattr +i backup_$(date +%Y%m%d).tar.gz
# Mark old files for secure deletion
find /data/old_files/ -mtime +365 -exec sudo chattr +s {} \;
# Exclude temporary files from backups
sudo chattr -R +d /tmp/
sudo chattr -R +d /var/tmp/
sudo chattr -R +d /var/cache/
User Data Protection
# Protect user home directory structure
sudo chattr +i /home/user/.bashrc
sudo chattr +i /home/user/.profile
sudo chattr +i /home/user/.ssh/authorized_keys
# Make user documents immutable after completion
sudo chattr +i /home/user/documents/final_report.pdf
sudo chattr +i /home/user/documents/contract_signed.docx
Advanced Usage
Combined Attributes
Multi-Attribute Configuration
# Combine multiple attributes for maximum protection
sudo chattr +iAS /etc/passwd # immutable, no atime, synchronous
sudo chattr +aD /var/log/auth.log # append-only, sync directory updates
sudo chattr +id /tmp/tempfile # immutable, no dump
sudo chattr +cj /var/lib/mysql/data # compressed, data journaling
# Set multiple attributes at once
sudo chattr +iAcS /critical/system/files/*
sudo chattr +adij /backup/archives/
Version Control
# Set file version numbers
sudo chattr -v 1 /etc/hosts
sudo chattr -v 2 /etc/passwd.backup
# Check file versions
lsattr -v /etc/hosts
lsattr -v /etc/passwd.backup
Recursive Operations
Directory Tree Protection
# Recursively make entire directory structure immutable
sudo chattr -R +i /etc/critical_configs/
sudo chattr -R +a /var/log/secure_logs/
# Apply attributes to specific file types
find /data/documents/ -name "*.conf" -exec sudo chattr +i {} \;
find /var/log/ -name "*.log" -exec sudo chattr +a {} \;
find /backup/ -name "*.tar.gz" -exec sudo chattr +i {} \;
Selective Attribute Management
# Apply attributes based on file permissions
find /etc/ -perm 644 -exec sudo chattr +i {} \;
find /var/log/ -perm 600 -exec sudo chattr +a {} \;
# Protect files owned by specific users
find /home/ -user root -exec sudo chattr +i {} \;
find /home/ -user backup -exec sudo chattr +d {} \;
Integration and Automation
Shell Scripts
System Hardening Script
#!/bin/bash
# Comprehensive system hardening with chattr
set -e
# Configuration
LOG_FILE="/var/log/system_hardening.log"
BACKUP_DIR="/root/security_backup"
# Create backup directory
mkdir -p "$BACKUP_DIR"
# Function to log actions
log_action() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}
# Function to backup and secure file
secure_file() {
local file="$1"
if [ -f "$file" ]; then
cp "$file" "$BACKUP_DIR/" 2>/dev/null || true
sudo chattr +i "$file"
log_action "Secured: $file"
fi
}
# Critical system files
CRITICAL_FILES=(
"/etc/passwd"
"/etc/shadow"
"/etc/group"
"/etc/gshadow"
"/etc/sudoers"
"/etc/hosts"
"/etc/fstab"
"/etc/resolv.conf"
"/boot/grub/grub.cfg"
)
log_action "Starting system hardening"
# Secure critical files
for file in "${CRITICAL_FILES[@]}"; do
secure_file "$file"
done
# Protect log files with append-only
LOG_DIRS=(
"/var/log"
"/var/log/audit"
)
for dir in "${LOG_DIRS[@]}"; do
if [ -d "$dir" ]; then
find "$dir" -type f -name "*.log" -exec sudo chattr +a {} \;
log_action "Protected log files in: $dir"
fi
done
# Exclude temporary directories from dumps
TEMP_DIRS=(
"/tmp"
"/var/tmp"
"/var/cache"
)
for dir in "${TEMP_DIRS[@]}"; do
if [ -d "$dir" ]; then
sudo chattr -R +d "$dir"
log_action "Excluded from dumps: $dir"
fi
done
log_action "System hardening completed"
echo "Backup location: $BACKUP_DIR"
File Integrity Monitoring
#!/bin/bash
# Monitor file attributes for security
MONITOR_FILES=(
"/etc/passwd"
"/etc/shadow"
"/etc/sudoers"
"/etc/hosts"
)
ALERT_EMAIL="admin@example.com"
LOG_FILE="/var/log/chattr_monitor.log"
check_attributes() {
local changes=false
for file in "${MONITOR_FILES[@]}"; do
if [ -f "$file" ]; then
current_attrs=$(lsattr "$file" | cut -d' ' -f1)
expected_attrs=$(cat "/var/tmp/attrs_$(basename $file)" 2>/dev/null || echo "")
if [ "$current_attrs" != "$expected_attrs" ]; then
echo "$(date): Attribute change detected in $file: $current_attrs" | tee -a "$LOG_FILE"
changes=true
# Send alert (requires mail setup)
echo "File $file attributes changed to $current_attrs" | mail -s "Security Alert: chattr change" "$ALERT_EMAIL"
fi
# Update stored attributes
echo "$current_attrs" > "/var/tmp/attrs_$(basename $file)"
fi
done
if [ "$changes" = true ]; then
echo "$(date): Security alert sent" >> "$LOG_FILE"
fi
}
# Run the check
check_attributes
Troubleshooting
Common Issues
Permission Denied Errors
# Need root privileges for most operations
sudo chattr +i /etc/critical_file
# Check if filesystem supports extended attributes
sudo tune2fs -l /dev/sda1 | grep "Filesystem features"
# Some filesystems don't support all attributes
# ext2, ext3, ext4 support most attributes
# XFS, Btrfs have limited support
Files Cannot Be Modified
# Check file attributes if you can't modify a file
lsattr /etc/hosts
# Remove immutable attribute to allow modifications
sudo chattr -i /etc/hosts
# Check if append-only is preventing modifications
sudo chattr -a /var/log/file.log
# Remove multiple attributes
sudo chattr -ai /file/with/multiple/attrs
Recursion Issues
# Be careful with recursive operations
# First test with lsattr to see current state
sudo lsattr -R /directory/
# Use verbose mode to see what's being changed
sudo chattr -Rv +i /directory/
# Exclude certain files from recursive operations
find /directory/ -type f ! -name "*.tmp" -exec sudo chattr +i {} \;
Filesystem Compatibility
# Check filesystem type
df -T
# Check supported features
sudo tune2fs -l /dev/sda1
# Enable extended attributes if needed
sudo tune2fs -o user_xattr /dev/sda1
Related Commands
lsattr- List file attributes on extended filesystemschmod- Change file permissionschown- Change file owner and groupchgrp- Change group ownershipgetfattr- Get extended attributessetfattr- Set extended attributesattr- Extended attribute utilitiestune2fs- Tune ext2/ext3/ext4 filesystem parametersfsck- Filesystem consistency check
Best Practices
- Test before applying - Always test chattr operations on non-production files first
- Document changes - Keep a record of files with special attributes
- Use with caution - Immutable files cannot be modified even by root
- Backup first - Always backup files before applying restrictive attributes
- Regular monitoring - Monitor file attributes for security purposes
- Combine with permissions - Use chattr as additional security layer, not replacement
- Consider recovery - Plan how to remove attributes in emergencies
- Use verbose mode - Use
-Vflag to track changes during operations - Limit recursion - Be careful with recursive operations on large directory trees
- Check compatibility - Verify filesystem supports needed attributes
Performance Tips
- Disable atime for static content with
+Ato reduce disk I/O - Use append-only for log files rather than synchronous updates
- Avoid extensive use of immutable attributes on frequently modified files
- Batch operations to minimize filesystem metadata updates
- Consider file size when using compression attributes
- Test performance impact before widespread deployment
- Use selective protection rather than directory-wide when possible
- Monitor filesystem performance after applying extensive attributes
- Combine with journaling options for data integrity vs. performance balance
- Use project quotas with
+Pfor better resource management
The chattr command provides essential filesystem-level protection that complements traditional Unix permissions. When used properly, it significantly enhances system security and data integrity, making it a crucial tool for Linux system administrators managing critical infrastructure and sensitive data.
Security Note: The immutable attribute (+i) provides strong protection but requires careful planning, as it cannot be bypassed even by the root user without explicitly removing the attribute. Always ensure you have recovery procedures in place before applying restrictive attributes to critical system files.