Tuesday, January 20, 2009

Filesystem attributes.

As a Linux administrator, you may be called upon to set up a control system for file access. You probably already know how to set read, write, and execute permissions on files, and you will need to make extensive use of that knowledge. But, sometimes, you'll need more than just these permissions settings to get the job done. That's where filesystem attributes will come in handy. You can set different attributes on files in order to gain more control over how they are accessed.

There are two slight catches, though. You can only set file attributes on machines with hard drives that are formatted with either the ext2 or ext3 filesystems. That's not a problem for machines that are running a Red Hat-type operating system, since ext3 is your only choice with them. But, if you're setting up a machine with, say, Ubuntu Server, you'll have other filesystems to choose from. Just be sure to choose ext3 if you want to set file attributes.

Also, if you're accessing files on another computer via NFS, the attributes will still be in effect, but you won't be able to view or change them from the NFS client.

To view file attributes, you'd use the lsattr command. Entering just the command by itself will show a list of all files in the current directory.

[sylesh@centos5 ~]$ lsattr
------------- ./mytext.txt
------------- ./Duron_backup
------------- ./iptables-L.txt
------------- ./New_error.txt
------------- ./Desktop
------------- ./moodle-2007-8-25
------------- ./test_dir
------------- ./BOINC
------------- ./ts2_client_rc2_2032.tar.bz2
------------- ./OOo_2.3.0_LinuxIntel_install_wJRE_en-US.tar.gz
------------- ./ifconfig_output.txt
------------- ./dmesg
------------- ./BOINC.tar.bz2
------------- ./ts2_client_rc2_2032
------------- ./tls_handshake_error.txt
[sylesh@centos5 ~]$ lsattr mytext.txt
------------- mytext.txt
[sylesh@centos5 ~]$
[sylesh@centos5 ~]$ chattr +A mytext.txt
[sylesh@centos5 ~]$ lsattr mytext.txt
s-S----A----- mytext.txt
[sylesh@centos5 ~]$

Of course, you'll seldom want to use the "A" attribute, which only stops atime updates for that one file. If you need to turn off atime updates, you're better off mounting the whole filesystem with the "noatime" parameter instead.

So far, we've performed all attribute changes with only normal user privileges, and on the user's own files. There are still two other attributes that can only be set with root privileges. Even if the file belongs to you, you'll receive an error if you try to change them with only your normal user privileges.

[sylesh@centos5 ~]$ chattr +a mytext.txt
chattr: Operation not permitted while setting flags on mytext.txt
[sylesh@centos5 ~]$

The "a" attribute will allow a file to be opened only in append mode. This will allow you to add more text or data to a file, but will not allow you to overwrite it.

[sylesh@centos5 ~]$ sudo chattr +a mytext.txt
Password:
[sylesh@centos5 ~]$ lsattr mytext.txt
s-S--a-A----- mytext.txt
[sylesh@centos5 ~]$ echo "This is a test of the a attribute." > mytext.txt
bash: mytext.txt: Operation not permitted
[sylesh@centos5 ~]$ echo "This is a test of the a attribute." >> mytext.txt
[sylesh@centos5 ~]$

The final attribute we'll cover, which also requires root privileges, is the "i" attribute. This makes a file immutable. In other words, it can't be changed, renamed, or deleted, and no links can be created to it.

[sylesh@centos5 ~]$ sudo chattr +i mytext.txt
[sylesh@centos5 ~]$ lsattr mytext.txt
s-S-ia-A----- mytext.txt
[sylesh@centos5 ~]$ rm mytext.txt
rm: remove write-protected regular file `mytext.txt'? y
rm: cannot remove `mytext.txt': Operation not permitted
[sylesh@centos5 ~]$

Finally, if you need to add or delete more than one attribute, you can combine the operations into one single command.

[sylesh@centos5 ~]$ sudo chattr -AaisS mytext.txt
[sylesh@centos5 ~]$ lsattr mytext.txt
------------- mytext.txt
[sylesh@centos5 ~]$
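Because the "a" and "i" attributes are set by root and are invisible to ordinary permission checks, it is worth auditing them rather than trusting that they are still in place. The following POSIX shell script is an added example, not part of the original post: it reads lsattr output in the "<flags> <path>" form shown above and reports every file whose flags lack a required letter or carry an unexpected one. The sample lsattr lines and the log-file policy (append-only required, immutable forbidden, since an immutable log cannot be written at all) are constructed for the example.

```shell
#!/bin/sh
# Added example: audit lsattr output against a simple attribute policy.
#
# audit_lsattr REQUIRED FORBIDDEN
#   Reads lsattr output on stdin, one "<flags> <path>" line per file.
#   REQUIRED and FORBIDDEN are strings of attribute letters, e.g. "a" and "i".
#   Prints "<path>: missing <x>" or "<path>: unexpected <x>" per violation.
#   Returns 0 when every file satisfies the policy, 1 otherwise.
# Letters are matched by presence in the flags field, not by column position,
# so the check does not depend on the column layout of a particular lsattr.
audit_lsattr() {
    req=$1
    forb=$2
    status=0
    while read -r flags path; do
        [ -n "$path" ] || continue            # skip blank or malformed lines
        rest=$req
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}             # first character of $rest
            rest=${rest#?}                    # drop it
            case $flags in
                *"$c"*) ;;
                *) printf '%s: missing %s\n' "$path" "$c"; status=1 ;;
            esac
        done
        rest=$forb
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}
            rest=${rest#?}
            case $flags in
                *"$c"*) printf '%s: unexpected %s\n' "$path" "$c"; status=1 ;;
            esac
        done
    done
    return $status
}

# Constructed sample of lsattr output (same 13-column flag field as the post):
#   auth.log  is append-only, as the policy wants
#   app.log   has no attributes at all
#   audit.log is append-only but also immutable, which a log must not be
SAMPLE_LSATTR='s-S--a-A----- ./auth.log
------------- ./app.log
----ia------- ./audit.log'

# Policy for log files: "a" required, "i" forbidden.
if printf '%s\n' "$SAMPLE_LSATTR" | audit_lsattr a i; then
    echo "attribute policy OK"
else
    echo "attribute policy violations found"
fi
```

On a live system the same function runs over real output, for example "lsattr /var/log/*.log | audit_lsattr a i"; the script itself needs no root privileges because lsattr only reads attributes. Note that a file which is supposed to be append-only but shows up with "missing a" means someone with root privileges has cleared the flag, which is exactly the kind of change you would want an alert on.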

There are a few other attributes that we haven't covered. But they either have operational bugs, or they're attributes that are set by the system, and not by the user.

For more information, enter "man chattr" at the command-line.


Sylesh