03-C.5: File Attributes
EXAM OBJECTIVES COVERED
3.1 Given a scenario, apply or acquire the appropriate user and/or group permissions and ownership.
File Attributes
Apart from the file mode bits that control user and group read, write and execute permissions, several file systems support file attributes that enable further customization of allowable file operations. This section describes some of these attributes and how to work with them.
The chattr Command
The chattr command is a Linux file system command used to change the attributes of a file. Its most common use is to make files that cannot be altered by anyone other than the superuser.
Synopsis:
chattr [ OPTIONS ] [ -v version ] [ mode ] files...
At the beginning of a mode string, one of the following operators must appear:
- '+' : Adds the selected attributes to the existing attributes of the files.
- '-' : Causes the selected attributes to be removed.
- '=' : Causes the selected attributes to be the only attributes that the files have.
The format of symbolic mode is:
{+|-|=}[aAcCdDeijsStTu]
Command Options:
| Option | Option Meaning |
|---|---|
| -R | Recursively list the attributes of directories and their contents. |
| -a | List all files in a directory, including those whose name starts with a period ('.'). |
| -d | List directories as regular files instead of listing their contents. |
File Attributes:
There is a detailed explanation of these attributes on the chattr manual page, but this is a brief listing of Linux file attributes.
| File Attribute | Attribute Description |
|---|---|
| a - append only | This attribute allows a file to be added to, but not to be removed. It prevents accidental or malicious changes to files that record data, such as log files. |
| c - compressed | This causes the kernel to compress data written to the file automatically and uncompress it when it is read back. |
| d - no dump | It makes sure the file is not backed up in backups where the dump utility is used. |
| e - extent format | It indicates that the file is using extents for mapping the blocks on disk. |
| i - immutable | It makes a file immutable, which goes a step beyond simply disabling write access to the file. The file cannot be deleted, links to it cannot be created, and the file cannot be renamed. |
| j - data journaling | It ensures that on an Ext3 file system the file is first written to the journal and only after that to the data blocks on the hard disk. |
| s - secure deletion | It makes sure that recovery of a file is not possible after it has been deleted. |
| t - no tail-merging | Tail-merging is a process in which small data pieces at a file's end that do not fill a complete block are merged with similar pieces of data from other files. This attribute disables it. |
| u - undeletable | When a file is deleted its contents are saved, which allows a utility to be developed that works with that information to salvage deleted files. |
| A - no atime updates | Linux will not update the access time stamp when you access a file. |
| D - synchronous directory updates | It makes sure that changes to directories are written to disk immediately, and not to cache first. |
| S - synchronous updates | The changes on a file are written synchronously to the disk. |
| T - top of directory hierarchy | A directory will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator. |
Users can issue the chattr command to change a file's attributes on a Linux filesystem. A user can set or remove an attribute from the command line:
The file has the 'extent format' attribute set (see the list above)
pbmac@pbmac-server $ lsattr PersonnelFile-1.txt
--------------e--- PersonnelFile-1.txt
Only root can set the immutable flag. Once it is set, no write, delete, link or rename operations are possible on the file until the attribute is removed again. As an ordinary user the command fails:
pbmac@pbmac-server $ chattr +i PersonnelFile-1.txt
chattr: Operation not permitted while setting flags on PersonnelFile-1.txt
With sudo (root privileges) it succeeds:
pbmac@pbmac-server $ sudo chattr +i PersonnelFile-1.txt
[sudo] password for pbmac:
Now, we see the immutable attribute set with 'chattr +i filename'
pbmac@pbmac-server $ lsattr PersonnelFile-1.txt
----i---------e--- PersonnelFile-1.txt
Remove the immutable attribute
pbmac@pbmac-server $ sudo chattr -i PersonnelFile-1.txt
pbmac@pbmac-server $ lsattr PersonnelFile-1.txt
--------------e--- PersonnelFile-1.txt
NOTE: The concept of immutable is important. If a file or directory has the immutable attribute set NO ONE - no, not even root - can change that file/directory. It is possible to mix mutable and immutable files and directories. A mutable directory MAY have immutable files in it - but new files or sub-directories may not be created in an immutable directory.
The lsattr Command
The lsattr command lists the file attributes on a second extended file system. See chattr explanation above for a description of the command options, the file attributes and what they mean.
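A practical use of lsattr output is auditing which files carry a protective attribute, for example checking that log files are append-only (a) or that configuration files are immutable (i). The script below is an added example, not code from the original page: it parses lsattr-style lines and reports files that lack a given flag. The lsattr lines inside it are constructed for the demonstration, not captured from a real system, and the paths in them are illustrative; on a live host you would feed real output, as shown in the comment.

```shell
#!/bin/sh
# Added example: parse lsattr output and audit which files carry a given
# attribute. SAMPLE_LSATTR below is constructed, not real lsattr output.
# On a live host:   lsattr -R /var/log 2>/dev/null | files_missing_flag a

SAMPLE_LSATTR='--------------e--- /var/log/auth.log
-----a--------e--- /var/log/audit.log
----i---------e--- /etc/resolv.conf'

# flags_of LINE: print only the attribute letters set in one lsattr line
# ("----i---------e--- file" -> "ie"). The flag field is the first word;
# dashes mark unset positions and are dropped.
flags_of() {
    printf '%s\n' "$1" | awk '{ gsub(/-/, "", $1); print $1 }'
}

# has_flag LINE LETTER: succeed (exit 0) if LETTER is set on that line.
has_flag() {
    case "$(flags_of "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# files_missing_flag LETTER: read lsattr lines on stdin and print the path of
# every file that does not have LETTER set. With "a" this finds log files that
# are not append-only; with "i" it finds files that are not immutable.
# Lines that are not "<flags> <path>" (lsattr -R directory headers such as
# "/var/log:", blank lines) are skipped.
files_missing_flag() {
    while IFS= read -r line; do
        case "$line" in
            [-A-Za-z]*' '*) ;;        # flag field, a space, then the path
            *) continue ;;
        esac
        has_flag "$line" "$1" || printf '%s\n' "${line#* }"
    done
}

# Demonstration on the constructed sample: which files are not append-only?
printf '%s\n' "$SAMPLE_LSATTR" | files_missing_flag a
```

The parser deliberately does not depend on the column position of a letter, because the set of flags lsattr prints (and therefore the width of the field) varies between e2fsprogs versions; it only asks whether a letter is present.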
Access Control Lists(ACL) in Linux
What is an ACL?
Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems. ACLs are often used for situations where the traditional file permission concept does not quite offer enough options. ACLs enable you to assign permissions to individual users or groups even when the user or group does not correspond to the Linux owner or group.
Use of ACL:
Think of a scenario in which a particular user is not a member of a group created by you, but you still want to give some read or write access. How can you do it without making that user a member of a group? ACLs will help us make this happen. Linux gives us two commands to administer ACLs: the setfacl command to set ACLs, and the getfacl command, to get the current settings for a file or directory.
The setfacl Command
The setfacl command is used to set Access Control Lists (ACLs) of files and directories. On the command line, a sequence of commands is followed by a sequence of files.
Syntax: (the syntax can be confusing)
setfacl [ OPTIONS ] [{-m|-x} acl_spec] [{-M|-X} acl_file] file
Command Options:
| Option | Option Meaning |
|---|---|
| -b, --remove-all | Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained. |
| -m | Modify the existing ACL of an object. |
| -R, --recursive | Apply operations to all files and directories recursively. This option cannot be mixed with "--restore". |
| -x | Remove entries from an existing ACL. |
| -v, --version | Print the version of setfacl, and exit. |
The getfacl Command
The getfacl command displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs.
Syntax:
getfacl [-aceEsRLPtpndvh] file
Command Options:
| Option | Option Meaning |
|---|---|
| -a, --access | Display the file access control list. |
| -d, --default | Display the default access control list. |
| -c, --omit-header | Do not display the comment header (the first three lines of each file's output). |
| -e, --all-effective | Print all effective rights comments, even if identical to the rights defined by the ACL entry. |
| -E, --no-effective | Do not print effective rights comments. |
| -s, --skip-base | Skip files that only have the base ACL entries (owner, group, others). |
| -R, --recursive | List the ACLs of all files and directories recursively. |
| -L, --logical | Logical walk, follow symbolic links to directories. The default behavior is to follow symbolic link arguments, and skip symbolic links encountered in subdirectories. Only effective in combination with -R. |
| -P, --physical | Physical walk, do not follow symbolic links to directories. This also skips symbolic link arguments. Only effective in combination with -R. |
| -t, --tabular | Use an alternative tabular output format. The ACL and the default ACL are displayed side by side. Permissions that are ineffective due to the ACL mask entry are displayed capitalized. The entry tag names for the ACL_USER_OBJ and ACL_GROUP_OBJ entries are also displayed in capital letters, which helps in spotting those entries. |
| -p, --absolute-names | Do not strip leading slash characters ('/'). The default behavior is to strip leading slash characters. |
| -n, --numeric | List numeric user and group IDs. |
The getfacl command also has several options, and you can view them in the getfacl man page. Probably the most useful is the -R, which is the recursive option that walks through the specified directory looking at all files and subdirectories.
Below is a short example of using setfacl and getfacl:
pbmac@pbmac-server $ ls -l PersonnelFile-1.txt
-rw-r--r-- 1 pbmac pbmac 0 Jun 4 17:51 PersonnelFile-1.txt
getfacl shows the normal Linux permission settings shown in the line above
pbmac@pbmac-server $ getfacl PersonnelFile-1.txt
# file: PersonnelFile-1.txt
# owner: pbmac
# group: pbmac
user::rw-
group::r--
other::r--
Allow user santiago to have user-level rwx permissions on the specified file
pbmac@pbmac-server $ setfacl -m u:santiago:rwx PersonnelFile-1.txt
pbmac@pbmac-server $ ls -l PersonnelFile-1.txt
-rw-rwxr--+ 1 pbmac pbmac 0 Jun 4 17:51 PersonnelFile-1.txt
Notice the output on the line above - there is a '+' after the permissions signifying ACLs are set on this file
getfacl shows that santiago does indeed have user privileges.
pbmac@pbmac-server $ getfacl PersonnelFile-1.txt
# file: PersonnelFile-1.txt
# owner: pbmac
# group: pbmac
user::rw-
user:santiago:rwx
group::r--
mask::rwx
other::r--
We can remove a specific ACL entry with the -x argument
pbmac@pbmac-server $ setfacl -x u:santiago PersonnelFile-1.txt
pbmac@pbmac-server $ ls -l PersonnelFile-1.txt
-rw-r--r--+ 1 pbmac pbmac 0 Jun 4 17:51 PersonnelFile-1.txt
Notice in the line above that even though we removed the entry the '+' is still present. To remove the ACL altogether we need to use the -b option; notice on the last line that the '+' is gone
pbmac@pbmac-server $ setfacl -b PersonnelFile-1.txt
pbmac@pbmac-server $ ls -l PersonnelFile-1.txt
-rw-r--r-- 1 pbmac pbmac 0 Jun 4 17:51 PersonnelFile-1.txt
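Two details of the getfacl output above are easy to miss: the mask entry limits what named users, named groups and the owning group actually get (this is what the -e option reports as "#effective"), and the '+' in ls -l appears whenever any entry beyond the three base ones exists, which is why it survives setfacl -x and only disappears after setfacl -b. The script below is an added example, not code from the original page, that interprets getfacl output along those lines. Its ACL text is constructed for the demonstration, modelled on the session above but with a restrictive mask (r-x instead of rwx) so that the mask effect is visible; the function names are the example's own.

```shell
#!/bin/sh
# Added example: interpret getfacl output. SAMPLE_ACL is constructed (based on
# the session above, with the mask changed to r-x); it is not real output.
# On a live host:   effective_perms "$(getfacl -c FILE)" user:santiago

SAMPLE_ACL='# file: PersonnelFile-1.txt
# owner: pbmac
# group: pbmac
user::rw-
user:santiago:rwx
group::r--
mask::r-x
other::r--'

# effective_perms ACL_TEXT ENTRY: print the rwx triple that ENTRY actually
# gets. ENTRY is "user:" (owner), "group:" (owning group), "other:" or a
# named entry such as "user:santiago" or "group:staff". Named users, the
# owning group and named groups are intersected with the mask entry; the
# owner and "other" are never masked. Fails (exit 1) if ENTRY is absent.
effective_perms() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        /^#/ || NF == 0        { next }
        $1 == "mask"           { mask = $3 }
        ($1 ":" $2) == want    { perm = $3 }
        END {
            if (perm == "") { exit 1 }
            if (want == "user:" || want == "other:" || mask == "") {
                print perm; exit
            }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && m != "-") ? c : "-")
            }
            print out
        }'
}

# extended_entries ACL_TEXT: print every entry beyond the three base ones
# (user::, group::, other::). ls -l shows a "+" whenever such entries exist;
# the mask entry counts, so after "setfacl -x u:santiago" it alone keeps the
# "+" until "setfacl -b" removes all extended entries.
extended_entries() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF == 0 { next }
        !($2 == "" && ($1 == "user" || $1 == "group" || $1 == "other")) { print }'
}

# Demonstration on the constructed sample.
echo "owner effective:    $(effective_perms "$SAMPLE_ACL" user:)"
echo "santiago effective: $(effective_perms "$SAMPLE_ACL" user:santiago)"
echo "group effective:    $(effective_perms "$SAMPLE_ACL" group:)"
echo "extended entries (the reason for the '+' in ls -l):"
extended_entries "$SAMPLE_ACL"
```

With the sample mask of r-x, santiago's entry of rwx is reported as r-x: the write bit granted by setfacl -m is silently ineffective until the mask is raised, which is a common source of confusion when an ACL "does not work".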
Adapted from:
"chattr command in Linux with examples" by atharvakango, Geeks for Geeks is licensed under CC BY-SA 4.0
"Access Control Lists(ACL) in Linux" by msdeep14, Geeks for Geeks is licensed under CC BY-SA 4.0