{"id":2219,"date":"2015-09-09T16:11:41","date_gmt":"2015-09-09T15:11:41","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=2219"},"modified":"2015-09-09T16:11:41","modified_gmt":"2015-09-09T15:11:41","slug":"using-and-finding-the-attribute-of-i-immutable-assigned-to-a-file","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/using-and-finding-the-attribute-of-i-immutable-assigned-to-a-file\/","title":{"rendered":"Using and finding the attribute of i assigned to a file with chattr and lsattr"},"content":{"rendered":"
<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Ever had a situation where you could not recursively remove some directories due to one or more files having a permission that even root could not take control of? Did you ever find out why?<\/span><\/p>\n

I have had this scenario on a backup drive, with Windows files having an attribute set from being copied from a compressed Win file system, which would not then allow root to remove it when the external drive was attached to a linux box. <\/span><\/p>\n

Infuriating - as it meant I could not delete the whole directory with this file under it. I ended up re-attaching the drive to a Win PC, then taking ownership that way, before I could delete the file with the special attribute, and then returning the drive to a linux system for full control short of just formatting the drive completely in linux and losing everything of course.<\/span><\/p>\n

In a similar vein for special file attributes, linux can prevent file deletion to all users, including root, using the chattr command.<\/span><\/p>\n

man chattr<\/span><\/p>\n

A file with the `i' attribute cannot be modified: it cannot be deleted<\/span><\/p>\n

or renamed, no link can be created to this file and no data can be<\/span><\/p>\n

written to the file. Only the superuser or a process possessing the<\/span><\/p>\n

CAP_LINUX_IMMUTABLE capability can set or clear this attribute.<\/span><\/p>\n

The letters `acdeijstuACDST' select the new attributes for the files:<\/span><\/p>\n

append only (a), compressed (c), no dump (d), extent format (e),<\/span><\/p>\n

immutable (i), data journalling (j), secure deletion (s), no tail-merg<\/span><\/p>\n

ing (t), undeletable (u), no atime updates (A), no copy on write (C),<\/span><\/p>\n

synchronous directory updates (D), synchronous updates (S), and top of<\/span><\/p>\n

directory hierarchy (T).<\/span><\/p>\n

The following attributes are read-only, and may be listed by lsattr(1)<\/span><\/p>\n

but not modified by chattr: huge file (h), compression error (E),<\/span><\/p>\n

indexed directory (I),<\/b> compression raw access (X), and compressed dirty<\/span><\/p>\n

file (Z).<\/span><\/p>\n

This is an interesting way to prevent any changes to a file being made except by root.<\/span><\/p>\n

Create a testfile:<\/span><\/p>\n

MintServer stevee # touch testfile.txt<\/span><\/span><\/p>\n

MintServer stevee # ls -als testfile.txt <\/span><\/span><\/p>\n

0 -rw-r--r-- 1 root root 0 Sep 9 14:31 testfile.txt<\/span><\/p>\n

Now add the i attribute:<\/span><\/p>\n

MintServer stevee # chattr +i testfile.txt <\/span><\/span><\/p>\n

MintServer stevee # ls -als testfile.txt <\/span><\/span><\/p>\n

0 -rw-r--r-- 1 root root 0 Sep 9 14:31 testfile.txt<\/span><\/p>\n

You can view this attribute with:<\/span><\/p>\n

MintServer stevee # lsattr testfile.txt <\/span><\/span><\/p>\n

----i--------e-- testfile.txt<\/span><\/p>\n

Now, as root the owner - try to delete the file:<\/span><\/p>\n

MintServer stevee # <\/span>rm -v testfile.txt <\/span><\/span><\/p>\n

rm: cannot remove \u02dctestfile.txt,: Operation not permitted<\/span><\/p>\n

Only root can remove the attribute before being able to delete the file.<\/span><\/p>\n

MintServer stevee # chattr -i testfile.txt<\/span><\/span><\/p>\n

MintServer stevee # ls -als testfile.txt<\/span> <\/span><\/p>\n

0 -rw-r--r-- 1 root root 0 Sep 9 14:31 testfile.txt<\/span><\/p>\n

MintServer stevee # lsattr testfile.txt <\/span><\/span><\/p>\n

-------------e-- testfile.txt<\/span><\/p>\n

How do you search for other such files in the system?<\/span><\/p>\n

As ls -al does not show this attribute, it can't be used to search for it simply, say in conjunction with grep, as only lsattr shows this character in the 5th<\/sup> field of the files attributes.<\/span><\/p>\n

MintServer stevee # lsattr testfile.txt <\/span><\/span><\/p>\n

----i<\/b><\/span>--------e-- testfile.txt<\/span> <\/span><\/p>\n

Can that be used recursively with grep? Yes, as it has a -R switch, though many directories will not be searchable it seems, due to the way the ioctrl reads files flags, depending on what the file does or is doing within the OS:<\/span><\/p>\n

MintServer stevee # lsattr -R \/ | grep ^----i <\/span><\/span><\/p>\n

lsattr: Operation not supported While reading flags on \/dev\/vga_arbiter<\/span><\/p>\n

----i<\/span>--------e-- \/home\/stevee\/testfile.txt<\/span><\/span><\/p>\n

It did still find my test file after searching under the root dir. <\/span><\/p>\n

If you experiment with this command on Windows files you may find the I indexed type files, or others, with extent format e mentioned above that chattr cannot change and may be listed by lsattr(1) but not modified by chattr:<\/b><\/i><\/span><\/p>\n

I found some in the 11th<\/sup> column in my tftpboot directory for Win installs:<\/span><\/p>\n

MintServer stevee # lsattr -R | grep ^----------I<\/span><\/span><\/p>\n

----------I--e-- .\/tftpboot\/XP\/I386<\/span><\/p>\n

----------I--e-- .\/tftpboot\/XP\/I386\/COMPDATA<\/span><\/p>\n

----------I--e-- .\/tftpboot\/Win7Home\/sources\/dlmanifests<\/span><\/p>\n

----------I--e-- .\/tftpboot\/WinPE_amd64\/setup\/sources\/dlmanifests<\/span><\/p>\n

----------I--e-- .\/tftpboot\/WinPE_amd64\/setup\/sources\/replacementmanifests<\/span><\/span><\/p>\n

This means there are at least 15 further attributes of a file, as well as the listing of ls, of only 10 fields - rwx and file type field - at least for the letters:<\/span><\/p>\n

The format of a symbolic mode is +-=[acdeijstuACDST]<\/b><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Ever had a situation where you could not recursively remove some directories due to one or more files having a permission that even root could not take control of? Did you ever find out why? I have had this scenario on a backup drive, with Windows files having an attribute set from being copied from ...\u00a0 Using and finding the attribute of i assigned to a file with chattr and lsattr<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-2219","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"a3_pvc":{"activated":true,"total_views":2,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/2219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=2219"}],"version-history":[{"count":0,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/2219\/revisions"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=2219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=2219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=2219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}