As we all know, Linux has 3 primary permissions: read, write and execute, written as r, w, x or as 4, 2, 1.
Having said that, as in the example above, sometimes you cannot manage a file or directory even though its permissions are set to 777. The system just says you don’t have the right permissions, even though you are logged in as root. This is where this mini tutorial comes into play. We’ll talk about these so-called hidden permissions or, as they are more commonly known, File/Directory Attributes.
Apart from the file mode bits that control user and group read, write and execute permissions, several file systems support file attributes that enable further customization of allowable file operations:
a: append only
d: no dump
e: extent format
j: data journalling
s: secure deletion
t: no tail-merging
A: no atime updates
C: no copy on write
D: synchronous directory updates
S: synchronous updates
T: top of directory hierarchy
You can set any of them with the chattr command. To use it properly, run it like this:
chattr +i /path/to/file
The above command gives the file the i attribute, which is Immutable. If we want to remove the attribute, we need to use the - symbol instead of the +:
chattr -i /path/to/file
There is also a command to see all the attributes set on a file: lsattr. You can use it like so:
Let’s review a real life example:
You have a log file and some program clears it every hour, but you want the information already in the log file to be kept and only new information to be added to it. I know, I know, this is why log rotation was invented, but for the sake of the example let’s say we want to keep the logs forever. As this is a very specific case, the basic 3 permissions in Linux will not be enough. You’ll need another method. This is where Attributes come into play: if we take a look at the list above, we’ll notice there is an attribute we can use, a: append only.
To achieve our goal, we’ll need to run the following command:
chattr +a /path/to/file
There it is, now the file can only have new text written to it!
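To find out which attribute is behind a refused change on a file that looks writable, the lsattr output can be filtered for the i and a flags. The script below is an added example, not part of the original tutorial; the function names, the sample lsattr lines and their paths are constructed for illustration.

```shell
#!/bin/sh
# Report files whose attributes block changes even for root.
# Input (stdin): lines in lsattr format, "<flags> <path>".
# Output: one line per file that carries i (immutable) or a (append only).
explain_attrs() {
    while IFS= read -r line; do
        flags=${line%% *}   # text before the first space: the flag field
        path=${line#* }     # the rest of the line: the path (may contain spaces)
        why=
        # Matching is case-sensitive on purpose: A (no atime updates)
        # must not be mistaken for a (append only).
        case $flags in *i*) why="immutable (clear with chattr -i)" ;; esac
        case $flags in *a*) why="${why:+$why, }append only (clear with chattr -a)" ;; esac
        if [ -n "$why" ]; then
            printf '%s: %s\n' "$path" "$why"
        fi
    done
}

# Constructed sample of lsattr output, so the script runs without root
# and without a file system that supports attributes.
sample_lsattr() {
cat <<'EOF'
--------------e------- /var/log/app/debug.log
-----a--------e------- /var/log/app/audit.log
----i---------e------- /etc/resolv.conf
EOF
}

# On a real system: lsattr -d /path/to/file | explain_attrs
sample_lsattr | explain_attrs
```

Files that carry only other attributes, such as e, are skipped because those do not stop writes or deletion.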