Softpanorama


Ext2-Ext3-Ext4 Attributes


Although the hype these days is primarily about journaling file systems, there's something to be said about the old ext2 file system. It reimplemented the BSD set of file flags as extended attributes that are useful for the security conscious or for those concerned with file system safety.

There are two commands for manipulating file attributes: chattr, which sets or clears them, and lsattr, which lists them.

Extended attributes can only be set on directories and regular files. The following attributes are possible:

  1. A (no Access time): if a file or directory has this attribute set, whenever it is accessed, either for reading or for writing, its last access time will not be updated. This can be useful, for example, on files or directories which are very often accessed for reading, especially since this parameter is the only one which changes on an inode when it's opened read-only.
  2. a (append only): if a file has this attribute set and is opened for writing, the only operation possible will be to append data to its previous contents. For a directory, this means that you can only add files to it, but not rename or delete any existing file. Only root can set or clear this attribute.
  3. d (no dump): dump(8) is the standard UNIX utility for backups. It dumps any filesystem for which the dump counter is 1 in /etc/fstab (see chapter "Filesystems and Mount Points"). But if a file or directory has this attribute set, unlike others, it will not be taken into account when a dump is in progress. Note that for directories, this also includes all subdirectories and files under it.
  4. i (immutable): a file or directory with this attribute set simply cannot be modified at all: it cannot be renamed, no further link can be created to it [1] and it cannot be removed. Only root can set or clear this attribute (which is a bogus idea, should be runlevel based ;-). Note that this also prevents changes to access time, therefore you do not need to set the A attribute when i is set.
  5. s (secure deletion): when a file or directory with this attribute set is deleted, the blocks it was occupying on disk are overwritten with zeroes.
  6. S (Synchronous mode): when a file or directory has this attribute set, all modifications to it are synchronous and written back to disk immediately.

You may want, for example, to set the 'i' attribute on essential system files in order to avoid bad surprises. Also, consider the 'A' attribute on man pages for example: this prevents a lot of disk operations and, in particular, it saves some battery life on laptops.

There are a few extended attributes, such as "A", that tell the system not to update the file-access time. This is a useful feature for laptops. Another is the "S" attribute, which tells the system to always synchronize the file with the physical storage system. The benefit is a higher level of system integrity, but at the expense of system performance.

The "a" attribute makes a file append-only; in a directory, this means you can create or modify files, but you cannot remove them. Finally, the "i" attribute tells the system that the file cannot be modified; in a directory, files can be modified but not created or deleted.

These extended attributes are only a small set of attributes; however, they are very handy. To make use of them, you should use the chattr and lsattr utilities. The chattr utility sets or removes these extended attributes, while the lsattr utility (like the ls command) lists the attributes assigned to a particular file.

To make a file immutable (or unchangeable), even by the root user, set the "i" attribute in the following way:

chattr +i some_special_file

Performing a regular ls on this file won't reveal that it's immutable--only lsattr can tell you that. To remove any extended attributes, simply prefix the attribute with the minus symbol, like this:

chattr -S some_file
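
Because ls never shows these flags, a periodic lsattr walk is the practical way to see which files carry them, and to record the chattr commands needed to put them back after a restore from a backup that did not preserve them. The script below is an added example, not code from the original page: it parses the flag column that lsattr prints (including the directory header lines that lsattr -R emits), names the attributes using the letters described above, lists the files with the superuser-only 'i' and 'a' flags, and emits the matching chattr commands. The sample output is constructed for the demo, not captured from a real system.

```python
"""Audit lsattr(1) output for the ext2/3/4 attributes described above.

Added example (not code from the original page). The sample output below
is constructed for the demo, not captured from a real system.
"""

# Letter -> meaning, following the attribute list on this page.
FLAG_NAMES = {
    "A": "no-atime",
    "a": "append-only",
    "d": "no-dump",
    "i": "immutable",
    "s": "secure-deletion",
    "S": "synchronous",
    "u": "undeletable",
}

# Flags that change who may modify or remove a file.
PROTECTION_FLAGS = frozenset("ia")

# Constructed sample in the format of `lsattr -R`, including a directory
# header line ("/etc:") and a blank line that must be skipped.
SAMPLE_LSATTR = """\
/etc:
----i-------- /etc/passwd
----ia------- /etc/shadow
------------- /etc/motd

/var/log:
-----a------- /var/log/secure
-------A----- /var/log/lastlog
"""


def parse_lsattr_line(line):
    """Return (path, sorted flag letters) for an entry line, else None.

    Entry lines are "<flags> <path>"; the flag column contains only '-'
    and letters. Directory headers, blank lines and anything else are
    reported as None so callers can skip them.
    """
    flags, sep, path = line.strip().partition(" ")
    if not sep or not path or not flags:
        return None
    if not all(ch == "-" or ch.isalpha() for ch in flags):
        return None
    return path, sorted(ch for ch in flags if ch != "-")


def entries(lsattr_output):
    """Yield (path, letters) for every entry line in the output."""
    for line in lsattr_output.splitlines():
        parsed = parse_lsattr_line(line)
        if parsed is not None:
            yield parsed


def audit(lsattr_output):
    """Map each path with at least one flag to the names of its flags.

    Letters this script does not know (e.g. 'e' for extents on ext4) are
    passed through unchanged rather than dropped.
    """
    return {path: [FLAG_NAMES.get(ch, ch) for ch in letters]
            for path, letters in entries(lsattr_output) if letters}


def protected_files(lsattr_output):
    """Paths carrying the 'i' or 'a' attribute."""
    return sorted(path for path, letters in entries(lsattr_output)
                  if PROTECTION_FLAGS & set(letters))


def chattr_commands(lsattr_output):
    """chattr invocations that would restore the recorded flags."""
    return ["chattr +%s %s" % ("".join(letters), path)
            for path, letters in entries(lsattr_output) if letters]


if __name__ == "__main__":
    # Live use: lsattr -R /etc 2>/dev/null | python3 lsattr_audit.py
    import sys
    data = SAMPLE_LSATTR if sys.stdin.isatty() else sys.stdin.read()
    for path, names in audit(data).items():
        print("%-28s %s" % (path, ", ".join(names)))
    print("# protected:", " ".join(protected_files(data)))
    print("\n".join(chattr_commands(data)))
```

Run with no stdin to see the constructed sample, or pipe real lsattr -R output into it; diffing two runs taken days apart shows flags that appeared or disappeared, which is the check that matters when the 'i' and 'a' flags are part of your hardening baseline.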

The Second Extended Filesystem
==============================

ext2 was originally released in January 1993.  Written by Rémy Card,
Theodore Ts'o and Stephen Tweedie, it was a major rewrite of the
Extended Filesystem.  It is currently still (April 2001) the predominant
filesystem in use by Linux.  There are also implementations available
for NetBSD, FreeBSD, the GNU HURD, Windows 95/98/NT, OS/2 and RISC OS.

Options
=======

Most defaults are determined by the filesystem superblock, and can be
set using tune2fs(8). Kernel-determined defaults are indicated by (*).

bsddf			(*)	Makes `df' act like BSD.
minixdf				Makes `df' act like Minix.

check=none, nocheck	(*)	Don't do extra checking of bitmaps on mount
				(check=normal and check=strict options removed)

debug				Extra debugging information is sent to the
				kernel syslog.  Useful for developers.

errors=continue			Keep going on a filesystem error.
errors=remount-ro		Remount the filesystem read-only on an error.
errors=panic			Panic and halt the machine if an error occurs.

grpid, bsdgroups		Give objects the same group ID as their parent.
nogrpid, sysvgroups		New objects have the group ID of their creator.

nouid32				Use 16-bit UIDs and GIDs.

oldalloc			Enable the old block allocator. Orlov should
				have better performance, we'd like to get some
				feedback if it's the contrary for you.
orlov			(*)	Use the Orlov block allocator.
				(See http://lwn.net/Articles/14633/ and
				http://lwn.net/Articles/14446/.)

resuid=n			The user ID which may use the reserved blocks.
resgid=n			The group ID which may use the reserved blocks.

sb=n				Use alternate superblock at this location.

user_xattr			Enable "user." POSIX Extended Attributes
				(requires CONFIG_EXT2_FS_XATTR).
				See also http://acl.bestbits.at
nouser_xattr			Don't support "user." extended attributes.

acl				Enable POSIX Access Control Lists support
				(requires CONFIG_EXT2_FS_POSIX_ACL).
				See also http://acl.bestbits.at
noacl				Don't support POSIX ACLs.

nobh				Do not attach buffer_heads to file pagecache.

xip				Use execute in place (no caching) if possible

grpquota,noquota,quota,usrquota	Quota options are silently ignored by ext2.


Specification
=============

ext2 shares many properties with traditional Unix filesystems.  It has
the concepts of blocks, inodes and directories.  It has space in the
specification for Access Control Lists (ACLs), fragments, undeletion and
compression though these are not yet implemented (some are available as
separate patches).  There is also a versioning mechanism to allow new
features (such as journalling) to be added in a maximally compatible
manner.

Blocks
------

The space in the device or file is split up into blocks.  These are
a fixed size, of 1024, 2048 or 4096 bytes (8192 bytes on Alpha systems),
which is decided when the filesystem is created.  Smaller blocks mean
less wasted space per file, but require slightly more accounting overhead,
and also impose other limits on the size of files and the filesystem.

Block Groups
------------

Blocks are clustered into block groups in order to reduce fragmentation
and minimise the amount of head seeking when reading a large amount
of consecutive data.  Information about each block group is kept in a
descriptor table stored in the block(s) immediately after the superblock.
Two blocks near the start of each group are reserved for the block usage
bitmap and the inode usage bitmap which show which blocks and inodes
are in use.  Since each bitmap is limited to a single block, this means
that the maximum size of a block group is 8 times the size of a block.

The block(s) following the bitmaps in each block group are designated
as the inode table for that block group and the remainder are the data
blocks.  The block allocation algorithm attempts to allocate data blocks
in the same block group as the inode which contains them.

The Superblock
--------------

The superblock contains all the information about the configuration of
the filing system.  The primary copy of the superblock is stored at an
offset of 1024 bytes from the start of the device, and it is essential
to mounting the filesystem.  Since it is so important, backup copies of
the superblock are stored in block groups throughout the filesystem.
The first version of ext2 (revision 0) stores a copy at the start of
every block group, along with backups of the group descriptor block(s).
Because this can consume a considerable amount of space for large
filesystems, later revisions can optionally reduce the number of backup
copies by only putting backups in specific groups (this is the sparse
superblock feature).  The groups chosen are 0, 1 and powers of 3, 5 and 7.

The information in the superblock contains fields such as the total
number of inodes and blocks in the filesystem and how many are free,
how many inodes and blocks are in each block group, when the filesystem
was mounted (and if it was cleanly unmounted), when it was modified,
what version of the filesystem it is (see the Revisions section below)
and which OS created it.

If the filesystem is revision 1 or higher, then there are extra fields,
such as a volume name, a unique identification number, the inode size,
and space for optional filesystem features to store configuration info.

All fields in the superblock (as in all other ext2 structures) are stored
on the disc in little endian format, so a filesystem is portable between
machines without having to know what machine it was created on.

Inodes
------

The inode (index node) is a fundamental concept in the ext2 filesystem.
Each object in the filesystem is represented by an inode.  The inode
structure contains pointers to the filesystem blocks which contain the
data held in the object and all of the metadata about an object except
its name.  The metadata about an object includes the permissions, owner,
group, flags, size, number of blocks used, access time, change time,
modification time, deletion time, number of links, fragments, version
(for NFS) and extended attributes (EAs) and/or Access Control Lists (ACLs).

There are some reserved fields which are currently unused in the inode
structure and several which are overloaded.  One field is reserved for the
directory ACL if the inode is a directory and alternately for the top 32
bits of the file size if the inode is a regular file (allowing file sizes
larger than 2GB).  The translator field is unused under Linux, but is used
by the HURD to reference the inode of a program which will be used to
interpret this object.  Most of the remaining reserved fields have been
used up for both Linux and the HURD for larger owner and group fields.
The HURD also has a larger mode field, so it uses another of the remaining
fields to store the extra mode bits.

There are pointers to the first 12 blocks which contain the file's data
in the inode.  There is a pointer to an indirect block (which contains
pointers to the next set of blocks), a pointer to a doubly-indirect
block (which contains pointers to indirect blocks) and a pointer to a
trebly-indirect block (which contains pointers to doubly-indirect blocks).

The flags field contains some ext2-specific flags which aren't catered
for by the standard chmod flags.  These flags can be listed with lsattr
and changed with the chattr command, and allow specific filesystem
behaviour on a per-file basis.  There are flags for secure deletion,
undeletable, compression, synchronous updates, immutability, append-only,
dumpable, no-atime, indexed directories, and data-journaling.  Not all
of these are supported yet.

Directories
-----------

A directory is a filesystem object and has an inode just like a file.
It is a specially formatted file containing records which associate
each name with an inode number.  Later revisions of the filesystem also
encode the type of the object (file, directory, symlink, device, fifo,
socket) to avoid the need to check the inode itself for this information
(support for taking advantage of this feature does not yet exist in
Glibc 2.2).

The inode allocation code tries to assign inodes which are in the same
block group as the directory in which they are first created.

The current implementation of ext2 uses a singly-linked list to store
the filenames in the directory; a pending enhancement uses hashing of the
filenames to allow lookup without the need to scan the entire directory.

The current implementation never removes empty directory blocks once they
have been allocated to hold more files.
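
The record layout described above, and the reason the file-type encoding is flagged as an incompatible feature in the Feature Compatibility section further down, as an added example (not code from the kernel document). A directory block is a sequence of records: inode (u32), rec_len (u16), then either name_len (u16) in the revision-0 layout, or name_len (u8) plus file_type (u8) once the FILETYPE feature is set, followed by the name. The block is constructed with struct.pack for the demo; offsets follow the ext2 on-disk layout.

```python
"""Decode ext2 directory entries with and without the FILETYPE feature.

Added example (not code from the original page). The directory block built
here is constructed for the demo; offsets follow the ext2 on-disk layout.
"""
import struct

DIR_REC_HEADER = 8      # inode(4) + rec_len(2) + name_len/type(2)
EXT2_NAME_LEN = 255

# file_type values stored in the FILETYPE layout.
FILE_TYPES = {0: "unknown", 1: "regular", 2: "directory", 3: "chardev",
              4: "blockdev", 5: "fifo", 6: "socket", 7: "symlink"}


def build_dir_block(entries, block_size=1024, filetype=True):
    """Pack (inode, name, file_type) tuples into one directory block.

    rec_len is rounded up to a multiple of 4; the last record is stretched
    to the end of the block so the records cover it exactly.
    """
    out = bytearray()
    for i, (ino, name, ftype) in enumerate(entries):
        raw = name.encode("latin-1")
        rec_len = (DIR_REC_HEADER + len(raw) + 3) & ~3
        if i == len(entries) - 1:
            rec_len = block_size - len(out)
        if filetype:
            header = struct.pack("<IHBB", ino, rec_len, len(raw), ftype)
        else:
            header = struct.pack("<IHH", ino, rec_len, len(raw))
        out += header + raw + b"\0" * (rec_len - DIR_REC_HEADER - len(raw))
    return bytes(out)


def read_dir_block(block, filetype):
    """Walk the records the way a kernel with or without FILETYPE would.

    Every length is checked against the record and block bounds before it
    is used, so a bad rec_len or name_len raises instead of over-reading.
    """
    entries = []
    off = 0
    while off + DIR_REC_HEADER <= len(block):
        ino, rec_len = struct.unpack_from("<IH", block, off)
        if rec_len < DIR_REC_HEADER or off + rec_len > len(block):
            raise ValueError("corrupt rec_len %d at offset %d" % (rec_len, off))
        if filetype:
            name_len, ftype = struct.unpack_from("<BB", block, off + 6)
        else:
            (name_len,) = struct.unpack_from("<H", block, off + 6)
            ftype = None
        if name_len > EXT2_NAME_LEN or name_len > rec_len - DIR_REC_HEADER:
            raise ValueError("name_len %d exceeds record at offset %d" % (name_len, off))
        start = off + DIR_REC_HEADER
        name = block[start:start + name_len].decode("latin-1")
        entries.append((ino, name, FILE_TYPES.get(ftype, ftype)))
        off += rec_len
    return entries


def decode_or_error(block, filetype):
    """Entries, or the error an unaware kernel runs into."""
    try:
        return read_dir_block(block, filetype)
    except ValueError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    sample = [(2, ".", 2), (2, "..", 2), (12, "passwd", 1), (13, "bin", 2)]
    new_block = build_dir_block(sample, filetype=True)
    print("FILETYPE-aware kernel:", decode_or_error(new_block, filetype=True))
    print("revision-0 kernel:    ", decode_or_error(new_block, filetype=False))
```

Reading a FILETYPE block with the revision-0 layout merges the type byte into the high byte of name_len, so the very first entry ("." with type 2) appears to have a 513-byte name; this is the "longer than 256 characters" corruption the kernel document mentions, and it is why the feature must be INCOMPAT rather than COMPAT.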

Special files
-------------

Symbolic links are also filesystem objects with inodes.  They deserve
special mention because the data for them is stored within the inode
itself if the symlink is less than 60 bytes long.  It uses the fields
which would normally be used to store the pointers to data blocks.
This is a worthwhile optimisation as we avoid allocating a full
block for the symlink, and most symlinks are less than 60 characters long.

Character and block special devices never have data blocks assigned to
them.  Instead, their device number is stored in the inode, again reusing
the fields which would be used to point to the data blocks.

Reserved Space
--------------

In ext2, there is a mechanism for reserving a certain number of blocks
for a particular user (normally the super-user).  This is intended to
allow for the system to continue functioning even if non-privileged users
fill up all the space available to them (this is independent of filesystem
quotas).  It also keeps the filesystem from filling up entirely which
helps combat fragmentation.

Filesystem check
----------------

At boot time, most systems run a consistency check (e2fsck) on their
filesystems.  The superblock of the ext2 filesystem contains several
fields which indicate whether fsck should actually run (since checking
the filesystem at boot can take a long time if it is large).  fsck will
run if the filesystem was not cleanly unmounted, if the maximum mount
count has been exceeded or if the maximum time between checks has been
exceeded.

Feature Compatibility
---------------------

The compatibility feature mechanism used in ext2 is sophisticated.
It safely allows features to be added to the filesystem, without
unnecessarily sacrificing compatibility with older versions of the
filesystem code.  The feature compatibility mechanism is not supported by
the original revision 0 (EXT2_GOOD_OLD_REV) of ext2, but was introduced in
revision 1.  There are three 32-bit fields, one for compatible features
(COMPAT), one for read-only compatible (RO_COMPAT) features and one for
incompatible (INCOMPAT) features.

These feature flags have specific meanings for the kernel as follows:

A COMPAT flag indicates that a feature is present in the filesystem,
but the on-disk format is 100% compatible with older on-disk formats, so
a kernel which didn't know anything about this feature could read/write
the filesystem without any chance of corrupting the filesystem (or even
making it inconsistent).  This is essentially just a flag which says
"this filesystem has a (hidden) feature" that the kernel or e2fsck may
want to be aware of (more on e2fsck and feature flags later).  The ext3
HAS_JOURNAL feature is a COMPAT flag because the ext3 journal is simply
a regular file with data blocks in it so the kernel does not need to
take any special notice of it if it doesn't understand ext3 journaling.

An RO_COMPAT flag indicates that the on-disk format is 100% compatible
with older on-disk formats for reading (i.e. the feature does not change
the visible on-disk format).  However, an old kernel writing to such a
filesystem would/could corrupt the filesystem, so this is prevented. The
most common such feature, SPARSE_SUPER, is an RO_COMPAT feature because
sparse groups allow file data blocks where superblock/group descriptor
backups used to live, and ext2_free_blocks() refuses to free these blocks,
which would lead to inconsistent bitmaps.  An old kernel would also
get an error if it tried to free a series of blocks which crossed a group
boundary, but this is a legitimate layout in a SPARSE_SUPER filesystem.

An INCOMPAT flag indicates the on-disk format has changed in some
way that makes it unreadable by older kernels, or would otherwise
cause a problem if an old kernel tried to mount it.  FILETYPE is an
INCOMPAT flag because older kernels would think a filename was longer
than 256 characters, which would lead to corrupt directory listings.
The COMPRESSION flag is an obvious INCOMPAT flag - if the kernel
doesn't understand compression, you would just get garbage back from
read() instead of it automatically decompressing your data.  The ext3
RECOVER flag is needed to prevent a kernel which does not understand the
ext3 journal from mounting the filesystem without replaying the journal.

For e2fsck, it needs to be more strict with the handling of these
flags than the kernel.  If it doesn't understand ANY of the COMPAT,
RO_COMPAT, or INCOMPAT flags it will refuse to check the filesystem,
because it has no way of verifying whether a given feature is valid
or not.  Allowing e2fsck to succeed on a filesystem with an unknown
feature is a false sense of security for the user.  Refusing to check
a filesystem with unknown features is a good incentive for the user to
update to the latest e2fsck.  This also means that anyone adding feature
flags to ext2 also needs to update e2fsck to verify these features.
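
The superblock layout from The Superblock section, the sparse-superblock group selection from Block Groups, and the COMPAT/RO_COMPAT/INCOMPAT rules just described, worked through in one added example (not code from the kernel document or from e2fsprogs). It decodes the primary superblock at byte offset 1024 (little-endian fields), decides whether a kernel that understands a given set of features may mount the filesystem read-write, read-only or not at all, applies the stricter e2fsck rule, and lists the groups holding superblock backups. The feature bit values are those of the ext2 on-disk format; the image is constructed with struct.pack for the demo and is not a dump of a real filesystem.

```python
"""Parse an ext2 superblock and apply the feature-compatibility rules.

Added example (not code from the original page). The image is constructed
with struct.pack for the demo; it is not a dump of a real filesystem.
"""
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024

# Feature bits from the ext2 on-disk format.
COMPAT_HAS_JOURNAL = 0x0004
RO_COMPAT_SPARSE_SUPER = 0x0001
RO_COMPAT_LARGE_FILE = 0x0002
INCOMPAT_COMPRESSION = 0x0001
INCOMPAT_FILETYPE = 0x0002
INCOMPAT_RECOVER = 0x0004

# name -> (struct format, byte offset within the superblock)
FIELDS = {
    "inodes_count": ("<I", 0), "blocks_count": ("<I", 4),
    "first_data_block": ("<I", 20), "log_block_size": ("<I", 24),
    "blocks_per_group": ("<I", 32), "magic": ("<H", 56),
    "rev_level": ("<I", 76), "feature_compat": ("<I", 92),
    "feature_incompat": ("<I", 96), "feature_ro_compat": ("<I", 100),
}
FEATURE_FIELDS = ("feature_compat", "feature_ro_compat", "feature_incompat")


def parse_superblock(image):
    """Decode the primary superblock from a raw device or file image."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to hold a superblock")
    fields = {name: struct.unpack_from(fmt, sb, off)[0]
              for name, (fmt, off) in FIELDS.items()}
    if fields["magic"] != EXT2_SUPER_MAGIC:
        raise ValueError("bad magic 0x%04x" % fields["magic"])
    fields["block_size"] = 1024 << fields["log_block_size"]
    if fields["rev_level"] == 0:          # EXT2_GOOD_OLD_REV has no feature fields
        for name in FEATURE_FIELDS:
            fields[name] = 0
    return fields


def mount_decision(sb, known_compat, known_ro_compat, known_incompat):
    """'rw', 'ro' or 'refuse', as a kernel knowing only the given bits."""
    if sb["feature_incompat"] & ~known_incompat:
        return "refuse"   # unknown INCOMPAT: on-disk format not readable
    if sb["feature_ro_compat"] & ~known_ro_compat:
        return "ro"       # unknown RO_COMPAT: safe to read, unsafe to write
    return "rw"           # unknown COMPAT bits are ignored by the kernel


def fsck_may_check(sb, known_compat, known_ro_compat, known_incompat):
    """e2fsck is stricter: an unknown bit in any field means refuse."""
    known = (known_compat, known_ro_compat, known_incompat)
    return not any(sb[name] & ~mask for name, mask in zip(FEATURE_FIELDS, known))


def has_superblock_backup(group, sparse):
    """Every group, or only 0, 1 and powers of 3, 5 and 7 with SPARSE_SUPER."""
    if not sparse or group <= 1:
        return True
    for base in (3, 5, 7):
        n = base
        while n < group:
            n *= base
        if n == group:
            return True
    return False


def backup_groups(sb):
    """Block groups in which a copy of the superblock is stored."""
    data_blocks = sb["blocks_count"] - sb["first_data_block"]
    groups = -(-data_blocks // sb["blocks_per_group"])      # ceiling division
    sparse = bool(sb["feature_ro_compat"] & RO_COMPAT_SPARSE_SUPER)
    return [g for g in range(groups) if has_superblock_backup(g, sparse)]


def build_image(rev=1, compat=0, ro_compat=0, incompat=0, blocks=65536):
    """Construct a 1k-block image with only the fields above filled in."""
    sb = bytearray(1024)
    values = {"inodes_count": 16384, "blocks_count": blocks,
              "first_data_block": 1, "log_block_size": 0,
              "blocks_per_group": 8192, "magic": EXT2_SUPER_MAGIC,
              "rev_level": rev, "feature_compat": compat,
              "feature_ro_compat": ro_compat, "feature_incompat": incompat}
    for name, value in values.items():
        fmt, off = FIELDS[name]
        struct.pack_into(fmt, sb, off, value)
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)
```

With an ext3 image carrying HAS_JOURNAL, SPARSE_SUPER|LARGE_FILE and FILETYPE|RECOVER, an ext2 kernel that knows only FILETYPE refuses the mount (RECOVER is unknown INCOMPAT), mounts it read-write once the journal has been replayed and RECOVER cleared (HAS_JOURNAL is COMPAT and ignored), and an e2fsck that does not know HAS_JOURNAL still refuses to check it, exactly as the three paragraphs above state.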

Metadata
--------

It is frequently claimed that the ext2 implementation of writing
asynchronous metadata is faster than the ffs synchronous metadata
scheme but less reliable.  Both methods are equally resolvable by their
respective fsck programs.

If you're exceptionally paranoid, there are 3 ways of making metadata
writes synchronous on ext2:

per-file if you have the program source: use the O_SYNC flag to open()
per-file if you don't have the source: use "chattr +S" on the file
per-filesystem: add the "sync" option to mount (or in /etc/fstab)

the first and last are not ext2 specific but do force the metadata to
be written synchronously.  See also Journaling below.

Limitations
-----------

There are various limits imposed by the on-disk layout of ext2.  Other
limits are imposed by the current implementation of the kernel code.
Many of the limits are determined at the time the filesystem is first
created, and depend upon the block size chosen.  The ratio of inodes to
data blocks is fixed at filesystem creation time, so the only way to
increase the number of inodes is to increase the size of the filesystem.
No tools currently exist which can change the ratio of inodes to blocks.

Most of these limits could be overcome with slight changes in the on-disk
format and using a compatibility flag to signal the format change (at
the expense of some compatibility).

Filesystem block size:     1kB        2kB        4kB        8kB

File size limit:          16GB      256GB     2048GB     2048GB
Filesystem size limit:  2047GB     8192GB    16384GB    32768GB

There is a 2.4 kernel limit of 2048GB for a single block device, so no
filesystem larger than that can be created at this time.  There is also
an upper limit on the block size imposed by the page size of the kernel,
so 8kB blocks are only allowed on Alpha systems (and other architectures
which support larger pages).
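
Where the file size row of the table comes from, as an added example (not part of the kernel document). An inode addresses 12 direct blocks plus one indirect, one doubly-indirect and one trebly-indirect block, and each indirect block holds block_size / 4 four-byte block numbers, so the reachable data is 12 + n + n^2 + n^3 blocks with n = block_size / 4. The 2048GB ceiling applied here is the 2.4-kernel limit stated in the paragraph above, taken as an assumption so that the 4kB and 8kB columns match the table; the uncapped value is also available to show what the block map alone would allow.

```python
"""Reproduce the ext2 file size limit row from the block-map layout.

Added example (not part of the kernel document). The 2048GB cap is the
2.4-kernel block-device limit the text states, applied as an assumption.
"""

DIRECT_BLOCKS = 12
KERNEL_24_LIMIT_GB = 2048   # from the text above; assumed as the cap
GB = 1024 ** 3              # the table's "GB" are binary gigabytes


def max_blocks_addressable(block_size):
    """Data blocks one inode can reach through its direct and indirect map."""
    per_indirect = block_size // 4        # 32-bit block numbers per block
    return (DIRECT_BLOCKS
            + per_indirect
            + per_indirect ** 2
            + per_indirect ** 3)


def file_size_limit_gb(block_size, cap_gb=KERNEL_24_LIMIT_GB):
    """Largest file in whole GB for a block size; cap_gb=None for the raw value."""
    raw_gb = max_blocks_addressable(block_size) * block_size // GB
    return raw_gb if cap_gb is None else min(raw_gb, cap_gb)


def limits_table(block_sizes=(1024, 2048, 4096, 8192)):
    """block size -> capped file size limit, matching the table's file size row."""
    return {bs: file_size_limit_gb(bs) for bs in block_sizes}


if __name__ == "__main__":
    for bs, gb in limits_table().items():
        print("%5d-byte blocks: %5d GB (block map alone: %6d GB, %d blocks)"
              % (bs, gb, file_size_limit_gb(bs, cap_gb=None),
                 max_blocks_addressable(bs)))
```

For 1kB blocks n = 256, giving 16,843,020 blocks or just over 16GB; for 4kB blocks the map alone reaches about 4100GB, which is why the table shows the 2048GB device limit rather than the block-map figure for the 4kB and 8kB columns.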

There is an upper limit of 32000 subdirectories in a single directory.

There is a "soft" upper limit of about 10-15k files in a single directory
with the current linear linked-list directory implementation.  This limit
stems from performance problems when creating and deleting (and also
finding) files in such large directories.  Using a hashed directory index
(under development) allows 100k-1M+ files in a single directory without
performance problems (although RAM size becomes an issue at this point).

The (meaningless) absolute upper limit of files in a single directory
(imposed by the file size, the realistic limit is obviously much less)
is over 130 trillion files.  It would be higher except there are not
enough 4-character names to make up unique directory entries, so they
have to be 8 character filenames, even then we are fairly close to
running out of unique filenames.

Journaling
----------

A journaling extension to the ext2 code has been developed by Stephen
Tweedie.  It avoids the risks of metadata corruption and the need to
wait for e2fsck to complete after a crash, without requiring a change
to the on-disk ext2 layout.  In a nutshell, the journal is a regular
file which stores whole metadata (and optionally data) blocks that have
been modified, prior to writing them into the filesystem.  This means
it is possible to add a journal to an existing ext2 filesystem without
the need for data conversion.

When changes are made to the filesystem (e.g. a file is renamed), they are
stored in a transaction in the journal and can either be complete or
incomplete at the time of a crash.  If a transaction is complete at the
time of a crash (or in the normal case where the system does not crash),
then any blocks in that transaction are guaranteed to represent a valid
filesystem state, and are copied into the filesystem.  If a transaction is
incomplete at the time of the crash, then there is no guarantee of
consistency for the blocks in that transaction so they are discarded (which
means any filesystem changes they represent are also lost).

Check Documentation/filesystems/ext3.txt if you want to read more about
ext3 and journaling.

References
==========

The kernel source	file:/usr/src/linux/fs/ext2/
e2fsprogs (e2fsck)	http://e2fsprogs.sourceforge.net/
Design & Implementation	http://e2fsprogs.sourceforge.net/ext2intro.html
Journaling (ext3)	ftp://ftp.uk.linux.org/pub/linux/sct/fs/jfs/
Filesystem Resizing	http://ext2resize.sourceforge.net/
Compression (*)		http://e2compr.sourceforge.net/

Implementations for:
Windows 95/98/NT/2000	http://www.chrysocome.net/explore2fs
Windows 95 (*)		http://www.yipton.net/content.html#FSDEXT2
DOS client (*)		ftp://metalab.unc.edu/pub/Linux/system/filesystems/ext2/
OS/2 (+)		ftp://metalab.unc.edu/pub/Linux/system/filesystems/ext2/
RISC OS client		http://www.esw-heim.tu-clausthal.de/~marco/smorbrod/IscaFS/

(*) no longer actively developed/supported (as of Apr 2001)
(+) no longer actively developed/supported (as of Mar 2009)

 


Old News ;-)

Re: ext2 attribute immutable

Stephen Robert Norris ([email protected])
Thu, 21 Mar 1996 22:11:43 +1000 (EST)

From the chattr man page from the latest e2fs tools:

A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.

I guess this answers the question; you cannot link to an immutable file, (and by extension, can't unlink it, as this could delete it).

Stephen

ext2-3-4 enable undeletable file attribute. [LWN.net]

From: James Hunt <[email protected]>
To: [email protected]
Subject: [PATCH 1/3] ext2/3/4: enable "undeletable" file attribute.
Date: Tue, 21 Nov 2006 22:16:32 +0000
Cc: [email protected], [email protected]
Currently, although you can mark a file as undeletable with 'chattr'...

  > touch /tmp/wibble
  > ls -l /tmp/wibble
  -rw-rw-r-- 1 james james 0 Nov 16 20:00 /tmp/wibble
  > chattr +u /tmp/wibble      # mark file as undeletable
  > lsattr /tmp/wibble
  -u----------- /tmp/wibble

... it's not honoured by the kernel:

  > rm /tmp/wibble             # yikes! this should fail!!

This patch makes ext3 aware of the undeletable attribute such that
attempting to delete a file marked as undeletable works as expected:

  > chattr +u /tmp/wibble      # mark file as undeletable
  > lsattr /tmp/wibble
  -u----------- /tmp/wibble
  > rm /tmp/wibble
  rm: cannot remove `/tmp/wibble': Operation not permitted
  > chattr -u /tmp/wibble      # remove undeletable attribute
  > lsattr /tmp/wibble
  ------------- /tmp/wibble
  > rm /tmp/wibble             # works as expected this time

Tested with e2fsprogs-1.38-12 (FC5).

Signed-off-by: James Hunt <[email protected]>
---
 fs/ext3/inode.c    |    4 +++-
 fs/namei.c         |    6 +++---
 include/linux/fs.h |    3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c
index 03ba5bc..dd1428e 100644
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -2568,11 +2568,13 @@ void ext3_set_inode_flags(struct inode *
 {
 	unsigned int flags = EXT3_I(inode)->i_flags;
 
-	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC);
+	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC|S_UNRM);
 	if (flags & EXT3_SYNC_FL)
 		inode->i_flags |= S_SYNC;
 	if (flags & EXT3_APPEND_FL)
 		inode->i_flags |= S_APPEND;
+	if (flags & EXT3_UNRM_FL)
+		inode->i_flags |= S_UNRM;
 	if (flags & EXT3_IMMUTABLE_FL)
 		inode->i_flags |= S_IMMUTABLE;
 	if (flags & EXT3_NOATIME_FL)
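
Review bot: this hunk gives the on-disk EXT3_UNRM_FL (the 'u' attribute in chattr/lsattr) a new meaning, refusing unlink, while the same flag is described elsewhere on this page as the defined-but-unimplemented "save for undeletion" attribute (keep the blocks so a deleted file can be recovered). Redefining a user-visible flag bit should be stated explicitly in the changelog, or a fresh EXT3_*_FL bit should be allocated instead. Also, the subject says ext2/3/4 but the diffstat touches only fs/ext3/inode.c; if ext2 and ext4 are covered by patches 2/3 and 3/3, say so, otherwise the same on-disk flag will map to S_UNRM only on ext3.
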
diff --git a/fs/namei.c b/fs/namei.c
index 28d49b3..d845d4d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1376,8 +1376,8 @@ static inline int check_sticky(struct in
  *	a. be owner of dir, or
  *	b. be owner of victim, or
  *	c. have CAP_FOWNER capability
- *  6. If the victim is append-only or immutable we can't do antyhing with
- *     links pointing to it.
+ *	6. If the victim is append-only or immutable or undeletable, we can't do
+ *	   anthying with links pointing to it.
  *  7. If we were asked to remove a directory and victim isn't one - ENOTDIR.
  *  8. If we were asked to remove a non-directory and victim isn't one - EISDIR.
  *  9. We can't remove a root or mountpoint.
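
Review bot: the replacement comment still misspells the word ('anthying' in place of 'antyhing'), and it changes the prefix of item 6 from " *  " (spaces) to " *\t" (tab) while items 5, 7, 8 and 9 keep the space layout. Suggest keeping the original indentation and fixing the spelling: " *  6. If the victim is append-only, immutable or undeletable, we can't do" / " *     anything with links pointing to it."
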
@@ -1400,7 +1400,7 @@ static int may_delete(struct inode *dir,
 	if (IS_APPEND(dir))
 		return -EPERM;
 	if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||
-	    IS_IMMUTABLE(victim->d_inode))
+	    IS_IMMUTABLE(victim->d_inode)||IS_UNRM(victim->d_inode))
 		return -EPERM;
 	if (isdir) {
 		if (!S_ISDIR(victim->d_inode->i_mode))
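
Review bot: adding IS_UNRM(victim->d_inode) here makes unlink and rmdir return -EPERM, but nothing in the series restricts who may set or clear the flag: the changelog transcript shows the unprivileged owner running chattr -u and then rm succeeding. Compare the 'i' and 'a' attributes, which (as the Securing Debian excerpt on this page notes) can only be changed with superuser privilege. As written, this check guards against accidental deletion, not against a user or a compromised process that clears the flag first; the changelog should state that scope, and if stronger protection is intended the ioctl path that sets EXT3_UNRM_FL needs the same privilege check as the immutable flag.
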
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 2fe6e3f..725d35d 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -146,6 +146,8 @@ #define S_DIRSYNC	64	/* Directory modifi
 #define S_NOCMTIME	128	/* Do not update file c/mtime */
 #define S_SWAPFILE	256	/* Do not truncate: swapon got its bmaps */
 #define S_PRIVATE	512	/* Inode is fs-internal */
+#define S_UNRM		1024	/* Inode is undeletable */
+
 
 /*
  * Note that nosuid etc flags are inode-specific: setting some file-system
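
Review bot: the added "+" blank line after the new S_UNRM define, together with the existing blank context line, leaves two consecutive empty lines before the comment block; drop the added one. The value 1024 follows on from S_PRIVATE 512, which is fine, but the comment "Inode is undeletable" would be clearer as "unlink/rmdir refused" so the new flag is not confused with the existing "save for undeletion" ext2 attribute.
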
@@ -178,6 +180,7 @@ #define IS_DEADDIR(inode)	((inode)->i_fl
 #define IS_NOCMTIME(inode)	((inode)->i_flags & S_NOCMTIME)
 #define IS_SWAPFILE(inode)	((inode)->i_flags & S_SWAPFILE)
 #define IS_PRIVATE(inode)	((inode)->i_flags & S_PRIVATE)
+#define IS_UNRM(inode)		((inode)->i_flags & S_UNRM)
 
 /* the read-only stuff doesn't really belong here, but any other place is
    probably as bad and I don't want to create yet another include file. */
-- 
1.4.1

-- 
JaMeS

Securing Debian Manual - After installation

The ext2 filesystem specific attributes (chattr/lsattr)

In addition to the usual Unix permissions, the ext2 and ext3 filesystems offer a set of specific attributes that give you more control over the files on your system. Unlike the basic permissions, these attributes are not displayed by the usual ls -l command or changed using chmod, and you need two other utilities, lsattr and chattr (in package e2fsprogs), to manage them. Note that this means that these attributes will usually not be saved when you back up your system, so if you change any of them, it may be worth saving the successive chattr commands in a script so that you can set them again later if you have to restore a backup.

Among all available attributes, the two that are most important for increasing security are referenced by the letters 'i' and 'a', and they can only be set (or removed) by the superuser:

  1. 'i' (immutable): the file cannot be modified, renamed or removed, and no link can be created to it;
  2. 'a' (append-only): the file can only be opened in append mode, so its existing content cannot be changed or truncated.

These attributes can also be set for directories, in which case everyone is denied the right to modify the contents of a directory list (e.g. rename or remove a file, ...). When applied to a directory, the append attribute only allows file creation.

It is easy to see how the 'a' attribute improves security, by giving programs that are not running as the superuser the ability to add data to a file without modifying its previous content. On the other hand, the 'i' attribute seems less interesting: after all, the superuser can already use the basic Unix permissions to restrict access to a file, and an intruder who gained access to the superuser account could always use the chattr program to remove the attribute. Such an intruder may first be confused when he sees that he is not able to remove a file, but you should not assume that he is blind - after all, he got into your system! Some manuals (including a previous version of this document) suggest simply removing the chattr and lsattr programs from the system to increase security, but this kind of strategy, also known as "security by obscurity", is to be absolutely avoided, since it provides a false sense of security.

A secure way to solve this problem is to use the capabilities of the Linux kernel, as described in Proactive defense, Section 10.4.2.1. The capability of interest here is called CAP_LINUX_IMMUTABLE: if you remove it from the capabilities bounding set (using for example the command lcap CAP_LINUX_IMMUTABLE) it won't be possible to change any 'a' or 'i' attribute on your system anymore, even by the superuser! A complete strategy could be as follows:

  1. Set the attributes 'a' and 'i' on any file you want;
  2. Add the command lcap CAP_LINUX_IMMUTABLE (as well as lcap CAP_SYS_MODULE, as suggested in Proactive defense, Section 10.4.2.1) to one of the startup scripts;
  3. Set the 'i' attribute on this script and other startup files, as well as on the lcap binary itself;
  4. Execute the above command manually (or reboot your system to make sure everything works as planned).

Now that the capability has been removed from the system, an intruder cannot change any attribute on the protected files, and thus cannot change or remove the files. If he forces the machine to reboot (which is the only way to restore the capabilities bounding set), it will easily be detected, and the capability will be removed again as soon as the system restarts anyway. The only way to change a protected file would be to boot the system in single-user mode or using another bootdisk, two operations that require physical access to the machine!
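
Step 4 of the strategy above is to make sure the capability removal actually took effect. The script below is an added example, not part of the Securing Debian Manual: on Linux the bounding set is exposed as the CapBnd line of /proc/<pid>/status (a hexadecimal bit mask), and the script parses that line and reports whether CAP_LINUX_IMMUTABLE is still present. The capability numbers are those of linux/capability.h; the status text is constructed for the demo with bits 9 (CAP_LINUX_IMMUTABLE) and 16 (CAP_SYS_MODULE) cleared, which is what a successful lcap run would leave behind.

```python
"""Check whether CAP_LINUX_IMMUTABLE is still in the capability bounding set.

Added example (not part of the Securing Debian Manual). The status text
below is constructed for the demo, not read from a real system.
"""

# Capability numbers from linux/capability.h.
CAP_LINUX_IMMUTABLE = 9
CAP_SYS_MODULE = 16
CAP_SYS_ADMIN = 21

# Constructed /proc/self/status excerpt: the full 38-bit set minus bits 9 and 16.
SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000003ffffefdff
CapEff:\t0000003ffffefdff
CapBnd:\t0000003ffffefdff
"""


def bounding_set(status_text):
    """Return the CapBnd mask as an int, or raise if the line is missing."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def cap_in_bounding_set(status_text, capnum):
    """True when capability number capnum can still be acquired."""
    return bool(bounding_set(status_text) >> capnum & 1)


def immutable_flags_are_locked(status_text):
    """True when this process tree can no longer change 'i' or 'a' attributes."""
    return not cap_in_bounding_set(status_text, CAP_LINUX_IMMUTABLE)


def read_live_status(path="/proc/self/status"):
    """Read the real status file; callers fall back to the sample elsewhere."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    import sys
    try:
        text = read_live_status()
    except OSError:          # not on Linux, or /proc unavailable
        text = SAMPLE_STATUS
    locked = immutable_flags_are_locked(text)
    print("CAP_LINUX_IMMUTABLE in bounding set:", not locked)
    print("CAP_SYS_MODULE in bounding set:     ",
          cap_in_bounding_set(text, CAP_SYS_MODULE))
    sys.exit(0 if locked else 1)
```

The exit status makes it usable from the same startup script that drops the capability, so a boot where the drop silently failed is noticed. One caveat for kernels newer than the one this manual was written for: since 2.6.25 the bounding set is a per-process attribute inherited by children rather than a system-wide setting, so run the check from the process tree you care about (under init), not from a separately started session.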

Making Files Immutable - CodeIdol

Making Files Immutable

Because the root user can override permissions, file permissions alone are not enough to ensure that a file will not be changed. But when a file is made immutable, it cannot be changed by anyone.

How Do I Do That?

To make a file immutable, use the chattr (change attribute) command to add the i attribute to the file:

# chattr +i foo
# date >>foo
bash: foo: Permission denied
# mv foo baz
mv: cannot move `foo' to `baz': Operation not permitted
# rm foo
rm: cannot remove `foo': Operation not permitted

You can find out if the i attribute has been set by using the lsattr (list-attribute) command:

# lsattr foo
----i-------- foo

The presence of the i in the output indicates that the file foo has been made immutable.

Removing the i attribute causes the file to act normally again:

# chattr -i foo
# date >>foo
# mv foo baz
# rm baz
# ls baz
ls: baz: No such file or directory

How Does It Work?

The immutable capability is provided by the ext2/ext3 filesystems. Each file has an immutable flag that is part of the ext2/ext3 file attributes; when set, the ext2/ext3 code in the kernel will refuse to change the ownership, group, name, or permissions of the file, and will not permit writing, appending, or truncation of the file.

By making configuration files and programs immutable, you provide a small measure of protection against change. It guards against accidental edits, and it stops a subverted program from altering files it should not, although a root-level intruder who thinks to run lsattr can simply clear the flag unless CAP_LINUX_IMMUTABLE has been removed from the bounding set as described above. SELinux provides similar protection, but you may add software to your system that is not covered by the SELinux targeted policy.

Do not attempt to upgrade or remove software packages if you've made any of the files belonging to those packages immutable: the package manager's writes will fail part-way through and may leave your system unusable. Be particularly careful on a system with unattended updates enabled (yum-cron or dnf-automatic); list the flagged files with lsattr and clear the flag before the update runs.

What About...

...making an entire subtree immutable?

The -R option to chattr causes it to operate recursively over all of the files and subdirectories within a directory. The directories themselves get the flag too, so no entry can be created or removed under them, and anything that writes to /etc during normal operation (passwd, useradd, a DHCP client updating /etc/resolv.conf, package updates) will start failing:

# chattr -R +i /etc

A selective list, such as /etc/passwd, /etc/shadow, /etc/sudoers and the sshd configuration, is usually the better choice.

...other file attributes that might be useful?

Although a number of file attributes have been defined for ext2/ext3 filesystems, very few of the interesting ones have been implemented. For example, attributes have been defined to enable per-file automatic data compression (c), automatic zeroing of deleted files for secure erasure (s), and save-for-undeletion (u); chattr will happily set them, but the ext2/ext3/ext4 drivers simply ignore them.

But there is one other attribute that is occasionally useful: the append-only attribute, a. Applied to a file with chattr +a, it provides all of the protection of the immutable attribute except that data can still be appended: the kernel only allows the file to be opened for writing with O_APPEND, so a program that opens a log for ordinary writing, or tries to truncate it, fails, while syslog-style appenders keep working. This is ideal for logfiles, because it makes it impossible to alter or erase data that has already been placed in the logfile. Two consequences follow: log rotation, which renames or truncates the file, needs the flag cleared first, and on a directory +a allows new files to be created but forbids deleting or renaming existing ones. Like i, the a flag can only be set or cleared with CAP_LINUX_IMMUTABLE.
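The warning about package upgrades on immutable files and the use of the append-only flag on logs both come down to knowing which files carry the i or a flag before a package manager, a log rotation or a rename fails on them, and the same inventory is what you want during an incident, since an intruder who runs chattr +i to pin a backdoor in place leaves exactly this trace. The script below is an added example, not from the original text: it parses lsattr output, whose lines have the form "<flags> <path>" (lsattr -R additionally prints blank lines and "<dir>:" headers between directories), and reports every immutable or append-only entry. The function names are this example's own, and the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: inventory of immutable (i) and append-only (a) entries
# from lsattr output. Function names are this example's own.

# lsattr_flagged: read lsattr output on stdin, one "<flags> <path>" line
# per entry, and print "immutable <path>" and/or "append-only <path>"
# for entries carrying the i or a flag. Blank lines and the "<dir>:"
# headers that lsattr -R prints are skipped (so is an entry whose path
# itself ends in a colon, which is rare enough to accept here).
lsattr_flagged() {
    while IFS= read -r line; do
        case "$line" in
            '' | *:) continue ;;          # separator or directory header
            *' '*) ;;                     # a flags/path pair
            *) continue ;;
        esac
        flags=${line%% *}                 # text before the first space
        path=${line#* }                   # everything after it (spaces kept)
        case "$flags" in *[!-a-zA-Z]*) continue ;; esac   # not a flags field
        case "$flags" in *i*) printf 'immutable %s\n' "$path" ;; esac
        case "$flags" in *a*) printf 'append-only %s\n' "$path" ;; esac
    done
}

# count_flagged: number of flagged entries in the lsattr output on stdin
count_flagged() {
    lsattr_flagged | wc -l | tr -d ' '
}

# audit_tree DIR: run the inventory over a real directory tree. Reading
# the flags needs no special privilege; complaints from filesystems
# without attribute support go to stderr and are discarded.
audit_tree() {
    lsattr -R -- "$1" 2>/dev/null | lsattr_flagged
}

# Typical use, before a package upgrade or during incident triage:
#   AUDIT_DIR=/etc sh thisfile.sh
#   AUDIT_DIR=/var/log sh thisfile.sh
if [ -n "${AUDIT_DIR:-}" ]; then
    audit_tree "$AUDIT_DIR"
fi
```

Run it over /etc before an update to find the files that must have their flag cleared, and over /var/log, /usr/bin and /tmp during triage: a freshly flagged binary or cron script in a place where you never set a flag is worth a close look.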


Recommended Links

Sites

Linux Ext2fs Undeletion mini-HOWTO How not to delete files

Securing Debian Manual - After installation

The Second Extended File System




Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019