Shulou (Shulou.com), 06/03 report. Updated 2025-02-23.
PS: sometimes you find that you cannot modify a file even with root permissions. In most cases this is because the file was locked with the chattr command. The chattr command is very useful. Some of its features depend on the Linux kernel version, but most Linux systems running today use kernel 2.6+. Modifying attributes with chattr can improve the security of the system, but it is not suitable for all directories. The chattr command cannot protect the /, /dev, /tmp, and /var directories. The lsattr command displays the file attributes set by chattr.
These two commands are used to view and change the attributes of files and directories. chmod only changes the read, write and execute permissions of files, while the lower-level attribute control is changed by chattr.
The usage of the chattr command: chattr [-RVf] [-v version] [mode] files...
The most important part is [mode], which is composed of the characters +-= and [ASacDdIijsTtu] and controls the attributes of the file.
+: append parameters on the basis of the original parameter settings.
-: remove parameters on the basis of the original parameter settings.
=: update to the specified parameter settings.
A: the atime (access time) of a file or directory cannot be modified, which can effectively prevent problems such as laptop disk I/O errors.
S: hard disk I/O synchronization option, function similar to sync.
a: that is, append. After setting this attribute, you can only add data to the file, not delete it. It is mostly used for server log file security. Only root can set this attribute.
c: that is, compress. Sets whether the file is compressed before it is saved. It is decompressed automatically when read.
d: that is, no dump. The file cannot be a backup target of the dump program.
i: the file cannot be deleted, renamed, or linked to, and cannot be written or appended to. The i attribute is of great help to the security settings of the file system.
j: that is, journal. With this attribute set, when the file system is mounted with the mount option data=ordered or data=writeback, the file's data is recorded in the journal first when it is written. If the file system is mounted with data=journal, this attribute has no effect.
s: delete the file or directory securely, that is, all of its hard disk space is reclaimed.
u: in contrast to s, when u is set, the data content is actually still stored on disk and can be used for undeletion.
Among these options, a and i are the most commonly used. The a option allows data to be appended only, never removed, and is mostly used for log security settings. The i option is a more stringent security setting; only the superuser (root) or a process with the CAP_LINUX_IMMUTABLE capability can set it.
Application examples:
1. Use the chattr command to prevent a key file in the system from being modified:
chattr +i /etc/resolv.conf
After that, operations on the file such as mv /etc/resolv.conf all fail with Operation not permitted. Vim shows the warning W10: Warning: Changing a readonly file when editing the file. To modify this file, you need to remove the i attribute: chattr -i /etc/resolv.conf
lsattr /etc/resolv.conf
The following attributes are displayed:
----i-------- /etc/resolv.conf
2. Allow data to be appended to a file only, and prevent the file from being deleted. This is suitable for various log files:
chattr +a /var/log/messages
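To confirm that the two settings above are actually in place, lsattr output can be checked against a list of expected flags. The following is an added example, not part of the original article: the policy format ("flag path"), the function names and the sample data are assumptions made for illustration, and the width of the attribute strings in the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): audit chattr attributes.
# Policy lines:  "<flag> <path>"              e.g. "i /etc/resolv.conf"
# Listing lines: "<attribute string> <path>"  as printed by lsattr
# Paths containing spaces are not handled.

# has_attr ATTRS FLAG: succeed if the one-letter FLAG appears in ATTRS.
# The match is case-sensitive, so "A" (atime) never satisfies "a" (append).
has_attr() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_attrs POLICY LISTING
# Prints "MISSING <flag> <path>" when the file lacks the flag and
# "UNLISTED <flag> <path>" when the listing has no line for the path.
# Returns 1 if any policy entry is unmet, 0 otherwise.
audit_attrs() {
    _rc=0
    while read -r _flag _path; do
        [ -n "$_flag" ] || continue
        # Look up the attribute string that lsattr printed for this path.
        _attrs=$(printf '%s\n' "$2" | awk -v p="$_path" '$2 == p { print $1; exit }')
        if [ -z "$_attrs" ]; then
            echo "UNLISTED $_flag $_path"; _rc=1
        elif ! has_attr "$_attrs" "$_flag"; then
            echo "MISSING $_flag $_path"; _rc=1
        fi
    done <<EOF
$1
EOF
    return $_rc
}

# Constructed sample data: resolv.conf is immutable, but the log file only
# has A set, not the append-only a that the article uses for logs.
SAMPLE_POLICY='i /etc/resolv.conf
a /var/log/messages'
SAMPLE_LISTING='----i-------- /etc/resolv.conf
-------A----- /var/log/messages'

audit_attrs "$SAMPLE_POLICY" "$SAMPLE_LISTING" || echo "policy not met"
```

On a live system the second argument would be the real listing, for example "$(lsattr /etc/resolv.conf /var/log/messages)".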