包阅导读总结
1. 关键词:Linux、chattr、文件权限、操作系统、属性控制
2. 总结:本文介绍了 Linux 系统中的 chattr 命令,用于控制文件属性,如设置文件为不可变或仅追加模式等,还列举了其他可用选项,以及如何检查文件属性。
3. 主要内容:
– Linux 内核以安全著称,文件权限控制精细,有 chmod、chown 和 chattr 等命令。
– chattr 可改变文件属性,如设置不可变和仅追加模式,比 chmod 和 chown 更具特色。
– 使文件不可变:`sudo chattr +i newstack.txt`,恢复:`sudo chattr -i newstack.txt`
– 设置为仅追加模式:`sudo chattr +a newstack.txt`,恢复:`sudo chattr -a newstack.txt`
– chattr 还有其他选项,如压缩、禁止更新访问时间等。
– 可使用 -R 选项对文件夹应用权限,用 lsattr 命令检查文件属性。
思维导图:
文章地址:https://thenewstack.io/linux-prevent-overwriting-files-with-chattr/
文章来源:thenewstack.io
作者:Jack Wallen
发布时间:2024/7/30 19:16
语言:英文
总字数:999字
预计阅读时间:4分钟
评分:85分
标签:Linux,文件权限,安全性,chattr,不可变文件
以下为原文内容
本内容来源于用户推荐转载,旨在分享知识与观点,如有侵权请联系删除 联系邮箱 media@ilingban.com
The Linux kernel is well-known for being the basis of one of the most secure operating systems on the market (or “distributions” in the language of Linux). One of the reasons this is so is because of the granular file permissions that are inherent to the OS. With a few commands, you can control who has access to what and how much access they have. There’s chmod to change basic permissions and there’s chown to change ownership. There’s also the chattr command.
Say what?
This command (that you’ve probably never heard of before) allows you to change file attributes on Linux systems. With chattr you can add certain restrictions to files that you don’t have with the usual tools (chmod and chown). With the addition of chattr, you have complete control over the permissions of your files and folders. You can quickly make a file immutable or even set the file such that it is in append-only mode (a feature you won’t find with chmod).
To make this even more appealing, chattr is just as easy to use as either chmod or chown. The one thing you cannot do with chattr is control group access. For that, you’ll still need to depend on chown. As well, chattr doesn’t give you control over execute access for files, which means you’ll need to keep using chmod. But with this trio of commands, you are in total control of file and folder access on Linux.
Let’s find out how to use chattr.
What You’ll Need
The chattr command is found on all Linux distributions, so you won’t have to install anything. You will, however, need a user with sudo privileges. There’s also another command we’ll add into the mix in a moment (one that is included as well).
With that said, let’s see how chattr works.
How to Make a File Immutable
The first thing we’ll do is make a file immutable (which means it’s in read-only mode). Before we do that, you can do this with chmod command. For example, you have the file newstack.txt with the current permissions of:
The above means the owner can read/write, the group can read/write, and others can only read. If you wanted to make that immutable across the board, you could do it with a command like:
At this point, the file is read-only for all groups. It’s immutable.
Change it back with:
How do we do this with chattr? It’s actually easier. If you want to make the newstack.txt file immutable, the command would be:
|
sudo chattr +i newstack.txt |
Everyone can open the file now, but they can write to it. If you want change it back, the command is:
|
sudo chattr –i newstack.txt |
How to Change File Permissions to append-only
This is probably the coolest feature of chattr. Let’s say that newstack.txt file is actually an important file that keeps track of, say, user information. You certainly wouldn’t want that information to be overwritten, right? To that end, you could set the file to append-only, which means new information can only be written after the current information.
How does this work?
Let’s say you already have the newstack.txt file created and it contains hundreds of lines of user information. Using chattr, you can set it to append mode with:
|
sudo chattr +a newstack.txt |
With the file in append mode, try to write a new line over the first line in the file with:
You see, the single > character means to write the new line to the top of the file. Since we’ve set the file to append mode, this command will fail. However, if we use >> (which means to append the new line), it will succeed. That command would be:
The new line has been successfully added.
Of course, you can remove the append mode with:
|
sudo chattr –a newstack.txt |
Another handy side-effect of placing a file in append mode is that the file in question can no longer be deleted. Even if you use sudo, you cannot delete a file in append mode. Place a file in append mode and it’s there. You can’t delete it, move it, or rename it (until you remove the append bit).
Other Options
The chattr command has more than just immutable and append options. you’ll find the following available:
- c – compressed – file is compressed on the drive and uncompressed when read.
- A – no atime updates (the time when a file was last updated).
- C – no copy-on-write.
- d – no dump (so the file isn’t written to backup media)
- D – synchronous directory updates (all changes are written to a directory at the same time).
- e – Extent format (uses extends to map the file location).
- s – secure deletion.
- S – synchronous updates (changes are written to the file at the same time).
- u – when a file is deleted a copy is made (for recovery purposes).
Like chmod and chown, you can also apply these permissions to folders, using the -R option, like so:
|
sudo chattr –R +a NEWSTACK |
The above command would apply the append bit to all files contained within the NEWSTACK directory.
Checking File Attributes
If you’re not sure what attributes a file has, you can check them with the lsattr command. This is as simple as running:
You’ll see a listing that looks something like this:
|
—–a——–e——- ./newstack.txt |
As you can see, the append bit has been added to the file.
The chattr command is one you should definitely learn if you want to really take control of file/folder permissions.
YOUTUBE.COM/THENEWSTACK
Tech moves fast, don’t miss an episode. Subscribe to our YouTubechannel to stream all our podcasts, interviews, demos, and more.
