Saturday, August 14, 2010

Immutable Files in Linux

Recently I came across a situation: I was trying to delete a configuration file on a Linux box and got the error “rm: cannot remove `path/filename’: Operation not permitted”. I was logged in as root, but even so I could neither change the contents of the file nor delete it. I checked the ownership and permissions on the file and found that it was owned by root with mode 644, which is the default permission for a newly created file, so neither explained the error.
[root@vcsnode1 ~]# ls -l /etc/configfile
-rw-r--r-- 1 root root 0 Jan 26 08:45 /etc/configfile
[root@vcsnode1 ~]#
After a little troubleshooting, I found that the immutable flag was set on the file.
What is the immutable flag:
The immutable flag is an additional file attribute, separate from the ownership and mode bits, which can be set on a file so that nobody, root included, can delete or tamper with it: an immutable file cannot be modified, deleted or renamed, no hard link can be created to it, and no data can be written to it. It is useful on production servers where configuration files change rarely and should be protected from accidental edits, careless package upgrades and tampering by anyone who has only ordinary write access. The chattr man page describes these attributes for the ext2/ext3 family of file systems; XFS and Btrfs honour the immutable and append-only flags as well.
Who can set the immutable flag on a file:
Only the root user, or more precisely a process holding the CAP_LINUX_IMMUTABLE capability, can set or clear this attribute. The caveat for security use follows directly: an unprivileged attacker cannot use it to lock you out of your own files, but an attacker who already has root can simply run chattr -i first, so the flag guards against mistakes and low-privilege tampering rather than against a fully privileged adversary. Its value against root is that clearing it is an extra, visible step.
How to check whether the immutable flag is set on a file
The lsattr command prints the attributes set on a file. A lowercase i in the attribute field means the immutable flag is set (the letters are case-sensitive: an uppercase I stands for an indexed directory, not immutability).
Syntax : lsattr filename
Example :
[root@vcsnode1 ~]# lsattr /etc/configfile
----i-------- /etc/configfile
[root@vcsnode1 ~]#
How to set/unset the immutable flag
The immutable flag can be set and unset using the chattr command.
To set the flag use the + sign with chattr, and to unset it use the - sign.
Syntax : chattr +i filename (set) or chattr -i filename (unset)
[root@vcsnode1 ~]# chattr +i /etc/configfile
[root@vcsnode1 ~]# lsattr /etc/configfile
----i-------- /etc/configfile
[root@vcsnode1 ~]# chattr -i /etc/configfile
[root@vcsnode1 ~]# lsattr /etc/configfile
------------- /etc/configfile
[root@vcsnode1 ~]#
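The script below is an added example (it is not part of the original post) that puts the above together: it reports whether the immutable flag is set on a path by parsing lsattr output, then, in a temporary directory, sets +i on a constructed file, shows that both a write and rm are refused even when run as root, clears the flag and deletes the file. Setting the flag needs CAP_LINUX_IMMUTABLE (normally root) and a file system that honours it, so the demo prints "skip" and returns 2 when it cannot set the flag; the file name and contents are made up for the demonstration.

```bash
#!/bin/sh
# Added example, not from the original post: check, set and clear the
# immutable flag and show that rm is refused while it is set, even for root.
# demo_immutable exit status: 0 = demonstrated, 2 = skipped (no
# CAP_LINUX_IMMUTABLE, or a file system that does not support the flag),
# 1 = unexpected behaviour. Paths and contents are constructed for the demo.

# Print the attribute field lsattr reports for one path, e.g. "----i--------".
# -d keeps lsattr from listing the contents when the path is a directory.
attr_field() {
    lsattr -d -- "$1" 2>/dev/null | awk '{ print $1 }'
}

# Succeed if the immutable flag is set. The match is case-sensitive on purpose:
# lowercase i is immutable, uppercase I is an indexed (htree) directory.
is_immutable() {
    case "$(attr_field "$1")" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

demo_immutable() {
    dir=$(mktemp -d) || return 1
    f="$dir/configfile"
    printf 'setting=1\n' > "$f"

    if ! chattr +i "$f" 2>/dev/null; then
        echo "skip: cannot set +i (needs CAP_LINUX_IMMUTABLE and a supporting file system)"
        rm -rf "$dir"
        return 2
    fi
    if ! is_immutable "$f"; then
        echo "chattr +i succeeded but lsattr does not show i"
        chattr -i "$f"; rm -rf "$dir"; return 1
    fi

    # While +i is set, neither writing nor unlinking is permitted, for anyone.
    if printf 'setting=2\n' >> "$f" 2>/dev/null; then
        echo "write succeeded on an immutable file"
        chattr -i "$f"; rm -rf "$dir"; return 1
    fi
    if rm -f "$f" 2>/dev/null; then
        echo "rm succeeded on an immutable file"
        rm -rf "$dir"; return 1
    fi

    # Root (CAP_LINUX_IMMUTABLE) can clear the flag at any time; after that rm works.
    chattr -i "$f" || { rm -rf "$dir"; return 1; }
    if is_immutable "$f"; then
        echo "i still set after chattr -i"; rm -rf "$dir"; return 1
    fi
    rm -f "$f" || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
    echo "demonstrated: rm refused while +i was set, allowed after chattr -i"
    return 0
}

demo_immutable || echo "demo_immutable exit status $?"
```

Run it as root on an ext4 (or XFS/Btrfs) file system to see the refusal and the recovery; on a container without CAP_LINUX_IMMUTABLE it reports the skip instead of failing, which is itself a useful reminder that the flag is only as strong as the capability check behind it.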
There are many other file attributes which can be set on a file with chattr. A few of them are described below:
  1. append only (a) : - A file with this attribute can only be opened for writing in append mode; existing data cannot be overwritten or truncated, and the file cannot be deleted or renamed. This is the natural choice for log files, where new entries should keep arriving but old ones must stay put. As with the immutable flag, only root or a process holding the CAP_LINUX_IMMUTABLE capability can set or unset it.
  2. compressed (c) : - The kernel keeps a file with this attribute in compressed form on the disk. A read to this file always
  3. no dump (d) :- A file with this attribute is skipped by the dump backup program.
  4. data journalling (j) :- If the file system is mounted with the data=ordered or data=writeback journaling option, a file with this attribute has its data written to the journal before it is written to the file itself. If the file system is mounted with the data=journal option, this flag has no effect, because that mode already journals the data of every file on the file system.
  5. secure deletion (s) :- When a file with this attribute is deleted, its data blocks are zeroed and written back to the disk. Note that neither s nor c is implemented by the mainline ext2/ext3/ext4 kernel drivers, so chattr +s must not be relied on to wipe sensitive data; use a deliberate overwrite or encryption instead.
All the above attributes can be set/unset using the chattr command.
Syntax : chattr +flag filename  or  chattr -flag filename
To set an attribute use the "+" sign with chattr followed by the flag letter shown in "()" above.
To unset an attribute use the "-" sign with chattr followed by the flag letter shown in "()" above.
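As an added example (not from the original post), the script below does two things the text above describes. attr_report reads lsattr -R style output and reports which of the attributes of interest are set on each file; it generalises the single-flag check to any set of flag letters and respects the case-sensitivity of the letters. demo_append_only shows the append-only semantics on a constructed log file in a temporary directory: appending succeeds while truncation and rm are refused. The sample lsattr lines and file names are constructed; setting +a needs CAP_LINUX_IMMUTABLE and a supporting file system, so the demo prints "skip" and returns 2 when it cannot set the flag.

```bash
#!/bin/sh
# Added example, not from the original post.

# Read lsattr -R style output on stdin and print "path<TAB>flags" for every
# file that has at least one of the wanted flag letters (default: i a d j s c).
# Matching is per character and case-sensitive: 'a' is append-only while 'A'
# is no-atime, 's' is secure deletion while 'S' is synchronous updates.
attr_report() {
    want="${1:-iadjsc}"
    awk -v want="$want" '
        /^$/ { next }                  # blank line between directories
        NF == 1 && /:$/ { next }       # "dir:" header printed by lsattr -R
        {
            flags = $1
            path = substr($0, length(flags) + 2)   # keep spaces in the path
            hits = ""
            for (k = 1; k <= length(want); k++) {
                c = substr(want, k, 1)
                if (index(flags, c) > 0)
                    hits = hits (hits == "" ? "" : ",") c
            }
            if (hits != "")
                print path "\t" hits
        }'
}

# Demonstrate append-only. Exit status: 0 = demonstrated, 2 = skipped
# (no CAP_LINUX_IMMUTABLE or unsupported file system), 1 = unexpected behaviour.
demo_append_only() {
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"
    printf 'line1\n' > "$log"
    if ! chattr +a "$log" 2>/dev/null; then
        echo "skip: cannot set +a (needs CAP_LINUX_IMMUTABLE and a supporting file system)"
        rm -rf "$dir"
        return 2
    fi
    rc=0
    # Appending (O_APPEND) is the only write mode allowed.
    printf 'line2\n' >> "$log" 2>/dev/null || rc=1
    # Opening with O_TRUNC and unlinking must both be refused (subshell so a
    # redirection failure on the ":" builtin cannot abort this script).
    ( : > "$log" ) 2>/dev/null && rc=1
    rm -f "$log" 2>/dev/null && rc=1
    # The original line must survive and the appended one must be present.
    [ "$(wc -l < "$log")" -eq 2 ] || rc=1
    chattr -a "$log" || rc=1
    rm -rf "$dir"
    [ "$rc" -eq 0 ] && echo "demonstrated: append allowed, truncate and rm refused while +a was set"
    return $rc
}

# Constructed sample in the shape of lsattr -R output (these files are made up).
sample_lsattr='/var/log:
------------- /var/log/messages
-----a------- /var/log/secure
----i-------- /var/log/lastlog
-------A----- /var/log/noatime-only

/var/log/audit:
---------j--- /var/log/audit/audit.log'

printf '%s\n' "$sample_lsattr" | attr_report iadjsc
demo_append_only || echo "demo_append_only exit status $?"
```

To audit a real system, pipe the live output into the same function, e.g. lsattr -R /etc 2>/dev/null | attr_report ia, and review every hit: an unexpected i or a on a file you did not lock down yourself deserves a closer look, since only a CAP_LINUX_IMMUTABLE process could have put it there.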
References : man pages for lsattr(1) and chattr(1)