Skip to main content
Engineering LibreTexts

03-C.5: File Attributes

  • Page ID
    3.1 Given a scenario, apply or acquire the appropriate user and/or group permissions and ownership.

    File Attributes

    Apart from the file mode bits that control user and group read, write and execute permissions, several file systems support file attributes that enable further customization of allowable file operations. This section describes some of these attributes and how to work with them.

    The chattr Command

    The chattr command in Linux is a file system command which is used for changing the attributes of a file in a directory. The primary use of this command is to make several files unable to alter for users other than the superuser.


    chattr [ OPTIONS ] [ -v version ] [ mode ] files...

    At the beginning of a mode string, one of the following operators must appear:

    • +‘ : Adds selected attributes to the existing attributes of the files.
    • ‘ : Causes selected attributes to be removed.
    • =‘ : Causes selected attributes to be the only attributes that the files have.

    The format of symbolic mode is:


    Command Options:

    Options Option Meaning
    -R It is used to display the list attributes of directories and their contents recursively.
    -a Used to list all the files of a directory which also includes those whose name starts with a Period(‘.’).
    -d This option will list the directories as regular files instead of listing their contents.

    File Attributes:

    There is a detailed explanation of these attributes on the chattr manual page, but this is a brief listing of Linux file attributes.

    File Attribute Attribute Description
    a - append only This attribute allows a file to be added to, but not to be removed. It prevents accidental or malicious changes to files that record data, such as log files.
    c - compressed This causes the kernel to compress data written to the file automatically and uncompress it when it’s read back.
    d - no dump It makes sure the file is not backed up in backups where the dump utility is used.
    e - extent format It indicates that the file is using extents for mapping the blocks on disk.
    i - immutable It makes a file immutable, which goes a step beyond simply disabling write access to the file. The file can’t be deleted, links to it can’t be created, and the file can’t be renamed.
    j - data journaling It ensures that on an Ext3 file system the file is first written to the journal and only after that to the data blocks on the hard disk.
    s - secure deletion It makes sure that recovery of a file is not possible after it has been deleted.
    t - no tail-merging Tail-merging is a process in which small data pieces at a file’s end that don’t fill a complete block are merged with similar pieces of data from other files.
    u - undeletable When a file is deleted its contents are saved, which allows a utility to be developed that works with that information to salvage deleted files.
    A - no atime updates Linux won’t update the access time stamp when you access a file.
    D - synchronous directory updates It makes sure that changes to files are written to disk immediately, and not to cache first.
    S - synchronous updates The changes on a file are written synchronously on the disk.
    T - and top of directory hierarchy A directory will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator.

    Users can issue the chattr command to change a file's attributes on a Linux filesystem. A user can set or remove an attribute from the command line:

    The file has the 'extent format' attribute set (see the list above)
    pbmac@pbmac-server $ lsattr PersonnelFile-1.txt 
    --------------e--- PersonnelFile-1.txt
    Only root can set the immutable flag - The command here made the file named file.txt immutable, hence now no operations 
    are possible on this file until the attributes of the file are changed again.
    pbmac@pbmac-server $ chattr +i PersonnelFile-1.txt 
    chattr: Operation not permitted while setting flags on PersonnelFile-1.txt
    Only root can set an immutable flag
    pbmac@pbmac-server $ sudo chattr +i PersonnelFile-1.txt 
    [sudo] password for pbmac: 
    Now, we see the immutable attribute set with 'chattr +i filename'
    pbmac@pbmac-server $ lsattr PersonnelFile-1.txt 
    ----i---------e--- PersonnelFile-1.txt
    Remove the immutable attribute
    pbmac@pbmac-server $ sudo chattr -i PersonnelFile-1.txt 
    pbmac@pbmac-server $ lsattr PersonnelFile-1.txt 
    --------------e--- PersonnelFile-1.txt

    NOTE: The concept of immutable is important. If a file or directory has the immutable attribute set NO ONE - no, not even root - can change that file/directory. It is possible to mix mutable and immutable files and directories. A mutable directory MAY have immutable files in it - but new files or sub-directories may not be created in an immutable directory.

    The lsattr Command

    The lsattr command lists the file attributes on a second extended file system. See chattr explanation above for a description of the command options, the file attributes and what they mean.

    Access Control Lists(ACL) in Linux

    What is an ACL ?
    Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems. ACLs are often used for situations where the traditional file permission concept does not quite offer enough options. ACLs enable you to assign permissions to individual users or groups even when the user or group does not correspond to the Linux owner or group.

    Use of ACL:
    Think of a scenario in which a particular user is not a member of a group created by you, but you still want to give some read or write access. How can you do it without making that user a member of a group? ACLs will help us make this happen. Linux gives us two commands to administer ACLs: the setfacl command to set ACLs, and the getfacl command, to get the current settings for a file or directory.

    The setfacl Command

    The setfacl command is used to set Access Control Lists (ACLs) of files and directories. On the command line, a sequence of commands is followed by a sequence of files.

    Syntax: (the syntax can be confusing)

    setfacl [ OPTIONS ] [{-m|-x} acl_spec] [{-M|-X} acl_file] file

    Command Options:

    Options Option Meaning
    -b, --remove-all Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained.
    -m Modify the existing ACL of an object.
    -R, --recursive Apply operations to all files and directories recursively. This option cannot be mixed with "--restore."
    -x Remove entries from an existing ACL.
    -v, --version Print the version of setfacl, and exit.

    The getfacl Command

    The getfacl command displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs.


    getfacl [-aceEsRLPtpndvh] file

    Command Options:

    Options Option Meaning
    -a, --access Display the file access control list.
    -d, --default Display the default access control list.
    -c, --omit-header Do not display the comment header (the first three lines of each file's output).
    -e, --all-effective Print all effective rights comments, even if identical to the rights defined by the ACL entry.
    -E, --no-effective Do not print effective rights comments.
    -s, --skip-base Skip files that only have the base ACL entries (owner, group, others).
    -R, --recursive List the ACLs of all files and directories recursively.
    -L, --logical Logical walk, follow symbolic links to directories. The default behavior is to follow symbolic link arguments, and skip symbolic links encountered in subdirectories. Only effective in combination with -R.
    -P, --physical Physical walk, do not follow symbolic links to directories. This also skips symbolic link arguments. Only effective in combination with -R.
    -t, --tabular Use an alternative tabular output format. The ACL and the default ACL are displayed side by side. Permissions that are ineffective due to the ACL mask entry are displayed capitalized. The entry tag names for the ACL_USER_OBJ and ACL_GROUP_OBJ entries are also displayed in capital letters, which helps in spotting those entries.
    -p, --absolute-names Do not strip leading slash characters ('/'). The default behavior is to strip leading slash characters.
    -n, --numeric List numeric user and group IDs

    The getfacl command also has several options, and you can view them in the getfacl man page. Probably the most useful is the -R, which is the recursive option that walks through the specified directory looking at all files and subdirectories.

    Below is a short example of using setfacl and getfacl:

    pbmac@pbmac-server $ ls -l PersonnelFile-1.txt
    -rw-r--r-- 1 pbmac pbmac 0 Jun  4 17:51 PersonnelFile-1.txt
    getfacl shows the normal Linux permission settings shown in the line above
    pbmac@pbmac-server $ getfacl PersonnelFile-1.txt 
    # file: PersonnelFile-1.txt
    # owner: pbmac
    # group: pbmac
    Allow user santiago to have user lever rwx permissions on the specified file
    pbmac@pbmac-server $ setfacl -m u:santiago:rwx PersonnelFile-1.txt 
    pbmac@pbmac-server $ ls -l PersonnelFile-1.txt 
    -rw-rwxr--+ 1 pbmac pbmac 0 Jun  4 17:51 PersonnelFile-1.txt
    Notice the output on the line above - there is a '+' after the permissions signifying ACLs are set on this file
    getfacl shows that santiago does indeed have user priveleges.
    pbmac@pbmac-server $ getfacl PersonnelFile-1.txt 
    # file: PersonnelFile-1.txt
    # owner: pbmac
    # group: pbmac
    We can remove a specific ACL entry with the -X argument
    pbmac@pbmac-server $ setfacl -x u:santiago PersonnelFile-1.txt 
    pbmac@pbmac-server $ ls -l PersonnelFile-1.txt 
    -rw-r--r--+ 1 pbmac pbmac 0 Jun  4 17:51 PersonnelFile-1.txt
    Notice in the line above that even though we removed the entry the '+' is still presen.
    To remove the ACL altogether we need to use the -b option, notice on the last line - the '+' is gone
    pbmac@pbmac-server $ setfacl -b PersonnelFile-1.txt 
    pbmac@pbmac-server $ ls -l PersonnelFile-1.txt 
    -rw-r--r-- 1 pbmac pbmac 0 Jun  4 17:51 PersonnelFile-1.txt

    Adapted from:
    "chattr command in Linux with examples" by atharvakango, Geeks for Geeks is licensed under CC BY-SA 4.0
    "Access Control Lists(ACL) in Linux" by msdeep14, Geeks for Geeks is licensed under CC BY-SA 4.0

    • Was this article helpful?