chattr Command
Change file attributes on ext2/ext3/ext4 filesystems to set special properties like immutable, append-only, and other extended attributes.
Syntax
chattr [OPTIONS] [+-=ATTRIBUTES] FILES...
chattr +i file.txt
chattr -R +a directory/
The chattr command modifies file attributes on ext2/ext3/ext4 filesystems, providing additional security and control over file operations.
Common Attributes
| Attribute | Description |
|---|---|
| i | Immutable - file cannot be modified, deleted, or renamed |
| a | Append-only - file can only be opened for appending |
| c | Compressed - file is compressed on disk |
| d | No dump - file is not backed up by dump program |
| e | Extent format - file uses extents for mapping blocks |
| j | Data journaling - file data is journaled |
| s | Secure deletion - blocks are zeroed when deleted |
| u | Undeletable - file is saved for undelete |
| A | No atime updates - access time is not updated |
| S | Synchronous updates - changes are written synchronously |
Basic Usage
Set immutable attribute
# Make file immutable (cannot be modified or deleted)
sudo chattr +i important.txt
sudo chattr +i /etc/passwd
# Try to modify (will fail)
echo "test" >> important.txt # Operation not permitted
rm important.txt # Operation not permitted
# Remove immutable attribute
sudo chattr -i important.txt
# Check attributes
lsattr important.txt
Make files immutable for protection
Set append-only attribute
# Make file append-only (can only add data)
sudo chattr +a logfile.txt
# This works (appending)
echo "New log entry" >> logfile.txt
# This fails (overwriting)
echo "Overwrite" > logfile.txt # Operation not permitted
# Remove append-only attribute
sudo chattr -a logfile.txt
# View attributes
lsattr logfile.txt
Set files to append-only mode
Multiple attributes
# Set multiple attributes
sudo chattr +ia file.txt # Immutable and append-only
sudo chattr +Aj file.txt # No atime, data journaling
# Remove specific attributes
sudo chattr -i file.txt # Remove immutable
sudo chattr -a file.txt # Remove append-only
# Set exact attributes (replace all)
sudo chattr =i file.txt # Only immutable
sudo chattr =ia file.txt # Only immutable and append-only
# Remove all attributes
sudo chattr = file.txt
Work with multiple file attributes
Advanced Usage
Recursive operations
# Apply to directory and all contents recursively
sudo chattr -R +i /important/directory/
# Make all log files append-only
sudo chattr -R +a /var/log/myapp/
# Remove attributes recursively
sudo chattr -R -i /important/directory/
# Set no-atime for entire directory tree
sudo chattr -R +A /large/dataset/
Apply attributes recursively to directories
Performance attributes
# Disable access time updates (performance)
sudo chattr +A /var/cache/
sudo chattr +A /tmp/
# Enable synchronous writes (reliability)
sudo chattr +S /critical/data/
# Enable data journaling
sudo chattr +j /important/files/
# Combine performance attributes
sudo chattr +AS /fast/access/files/
Use attributes for performance optimization
Security attributes
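# Secure deletion (overwrite with zeros)
# chattr(1) notes that 's' and 'u' are not honored by the mainline ext2/ext3/ext4 kernel implementations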
sudo chattr +s /sensitive/data/
# Undeletable (save for recovery)
sudo chattr +u /important/backup/
# No dump (exclude from backups)
sudo chattr +d /temp/cache/
# Combine security attributes
sudo chattr +su /classified/documents/
Security-focused attribute settings
Practical Examples
System file protection
# Protect critical system files
sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow
sudo chattr +i /etc/group
sudo chattr +i /etc/fstab
sudo chattr +i /boot/grub/grub.cfg
# Protect configuration files
sudo chattr +i /etc/ssh/sshd_config
sudo chattr +i /etc/sudoers
# Make log files append-only
sudo chattr +a /var/log/auth.log
sudo chattr +a /var/log/syslog
# Check protection status
lsattr /etc/passwd /etc/shadow /var/log/auth.log
Protect critical system files from modification
Application security
# Protect web application files
sudo chattr +i /var/www/html/index.html
sudo chattr +i /var/www/html/config.php
# Make application logs append-only
sudo chattr +a /var/log/apache2/access.log
sudo chattr +a /var/log/apache2/error.log
# Protect database configuration
sudo chattr +i /etc/mysql/my.cnf
sudo chattr +i /etc/postgresql/postgresql.conf
# Script to protect application
#!/bin/bash
APP_DIR="/var/www/myapp"
LOG_DIR="/var/log/myapp"
# Protect application files
find "$APP_DIR" -name "*.php" -exec sudo chattr +i {} \;
find "$APP_DIR" -name "*.html" -exec sudo chattr +i {} \;
# Make logs append-only
find "$LOG_DIR" -name "*.log" -exec sudo chattr +a {} \;
Secure web applications and services
Backup and archival
# Exclude temporary files from backups
sudo chattr +d /tmp/
sudo chattr +d /var/cache/
sudo chattr +d /var/tmp/
# Mark files as undeletable for recovery
sudo chattr +u /important/documents/
sudo chattr +u /critical/databases/
# Secure deletion for sensitive data
sudo chattr +s /confidential/
# Archive management script
#!/bin/bash
ARCHIVE_DIR="/archive/$(date +%Y/%m)"
# Create archive directory
mkdir -p "$ARCHIVE_DIR"
# Move files to archive
mv /data/old/* "$ARCHIVE_DIR/"
# Make archive immutable
sudo chattr -R +i "$ARCHIVE_DIR"
# Set no-dump for large archives
sudo chattr -R +d "$ARCHIVE_DIR"
echo "Archive created and protected: $ARCHIVE_DIR"
Manage backups and archives with attributes
Performance optimization
# Optimize frequently accessed directories
sudo chattr +A /var/cache/nginx/
sudo chattr +A /var/cache/apache2/
sudo chattr +A /tmp/
# Synchronous writes for critical data
sudo chattr +S /database/transactions/
sudo chattr +S /financial/records/
# Performance monitoring script
#!/bin/bash
optimize_directory() {
    local dir=$1
    local attrs=$2
    if [ -d "$dir" ]; then
        echo "Optimizing $dir with attributes: $attrs"
        sudo chattr -R +"$attrs" "$dir"
        echo "Applied attributes to $(find "$dir" -type f | wc -l) files"
    else
        echo "Directory not found: $dir"
    fi
}
# Apply optimizations
optimize_directory "/var/cache" "A"
optimize_directory "/tmp" "A"
optimize_directory "/critical/data" "S"
Optimize system performance with attributes
Best Practices
chattr Usage Best Practices
- Use immutable attribute for critical system files
- Set append-only for log files to prevent tampering
- Document which files have special attributes
- Test attribute effects before applying to production
- Use lsattr to verify current attribute settings
- Consider filesystem support before using attributes
- Plan for maintenance when files are immutable
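One way to act on the "document" and "verify with lsattr" points above, as an added example that is not part of the original page: the script compares lsattr output with a written baseline and reports files that lost a required attribute or carry an undocumented i or a. The baseline entries, the sample listing and the function name audit_attrs are assumptions made for the example.

```shell
#!/bin/sh
# Added example; POLICY and SAMPLE_LSATTR are constructed for illustration.
# Baseline, one "<required attribute> <path>" entry per line.
POLICY='i /etc/passwd
i /etc/shadow
i /etc/ssh/sshd_config
a /var/log/auth.log'

# Constructed lsattr-style listing: /etc/shadow has lost +i and
# /etc/fstab carries +i without a baseline entry.
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
----i---------e------- /etc/ssh/sshd_config
-----a--------e------- /var/log/auth.log
----i---------e------- /etc/fstab'

# audit_attrs POLICY: reads lsattr output on stdin, prints one finding
# per line, and returns non-zero if anything deviates from the baseline.
audit_attrs() (
    policy=$1 listing=$(cat) status=0
    # Pass 1: each baseline path must be listed with its attribute.
    while read -r want path; do
        [ -n "$path" ] || continue
        flags=$(printf '%s\n' "$listing" | awk -v p="$path" \
            '{ f = $1; sub(/^[^ ]+ +/, ""); if ($0 == p) { print f; exit } }')
        case $flags in
            "")        echo "MISSING $path"; status=1 ;;
            *"$want"*) ;;
            *)         echo "DRIFT $path: expected +$want, got $flags"; status=1 ;;
        esac
    done <<EOF
$policy
EOF
    # Pass 2: any i or a attribute outside the baseline is undocumented.
    while read -r flags path; do
        for attr in i a; do
            case $flags in *"$attr"*) ;; *) continue ;; esac
            printf '%s\n' "$policy" | grep -qxF "$attr $path" ||
                { echo "UNDOCUMENTED +$attr $path"; status=1; }
        done
    done <<EOF
$listing
EOF
    [ "$status" -eq 0 ]
)

# Live use: lsattr /etc/passwd /etc/shadow ... | audit_attrs "$POLICY"
printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs "$POLICY" ||
    echo "baseline deviations found"
```

Run from cron or a configuration-management check, a non-zero exit flags the host for review before the next maintenance window.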
Important Considerations
- Filesystem support - Only works on ext2/ext3/ext4 filesystems
- Root privileges - Most operations require sudo/root access
- Backup implications - Some attributes affect backup behavior
- Maintenance access - Remember to remove attributes for updates
- Performance impact - Some attributes may affect performance