34 Comments
- Smokezz, on 10/12/2007, -2/+6: It's not supposed to be "hack-proof". It's there to help you not mistakenly delete a file. Did you even read the whole article, or just part of it, enough to find a reason to bitch in the comments section of Digg, just like it seems every other post on Digg gets these days?
- gbm85, on 10/12/2007, -0/+2: Exactly, jester. All root has to do is type "chattr -i filename" before deleting it. Wow, real hack-proof there... /sarcasm
- kidlinux, on 10/12/2007, -1/+3: Wow, yet another improperly titled digg article.
Y'know, this kind of BS is borderline sensationalist journalism. You'd think a site like this would prevent that kind of thing, but everyone that submits an article wants to "digg" whore.
- Bimmer, on 10/12/2007, -0/+2: You wanna make the immutable bit un-changeable? Look up a little tool called 'lcap'. You may well have to install it; my FC4 boxen don't seem to include it.
Here's a script I used back when to 'lock down' my boxen. It was more of a pain in the ass in the long run and there are other, more manageable methods to achieve similar goals:
#!/bin/bash
# Files with i bit set can't be altered - even by root.
#
chattr -R +i /bin /boot /etc /lib /sbin /usr/bin /usr/include /usr/lib /usr/sbin /root/fw
# chattr +a /var/log/mysqld.*.* /var/log/boot*.* /var/log/cron*.* /var/log/messages*.* /var/log/secure*.*
#
# This following will make it so not even root can change the i bits.
# Once set - this can not be undone without re-booting!!
#
# You *must* reboot the system from the console to restore
# the capability to use chattr to place and remove a or i bits.
#
lcap CAP_LINUX_IMMUTABLE
#
# The following will prevent raw I/O access to change a or i bits, but
# will break a few things - not suggested.
#
# lcap CAP_SYS_RAWIO
#
echo "Done - system lock down complete"
Some background:
http://lists.debian.org/debian-security/2003/03/msg00283.html
http://shearer.org/en/tipsandcomments/capabilities.html
If you use that 2nd lcap line, it will prevent raw I/O operations from changing the a or i bits. But it'll also make such things like X inoperable.
- vann, on 10/12/2007, -0/+2: On BSD (and hence OS X) there are two types of immutable bits: system and user. User immutable is the one described in this article, while system immutable can only be removed while in single user mode. Of course, both these flags require root to be set in the first place.
You use chflags rather than chattr to set these flags.
- zagi1, on 10/12/2007, -0/+1: Yes, this command seems impractical since you still need to be root to change the +i file attribute and therefore it defeats the purpose of trying to make files immutable by root.
- aristotle1990, on 10/12/2007, -0/+1: Unfortunately, OS X doesn't come with chattr... too bad...
- anethema, on 10/12/2007, -0/+1: Keep in mind this only works on ext2 or 3 file systems; it won't work on the seemingly more common reiserfs (no extended attr support).
- Hoohoonick, on 10/12/2007, -0/+0: nice, but what use is it?
- antiTRACE, on 10/12/2007, -0/+0: When the malicious code is written, after you sudo/su can't you just issue the "# chattr -i test_file" before the rm command? ---- dugg nonetheless because I didn't know.
- aoe2bug, on 10/12/2007, -0/+0: indeed, this is neither new nor exciting. interesting blog though.
- zagi1, on 10/12/2007, -0/+0: Ravi has a good site; let's all give him some credit. Good job.
- jestershinra, on 10/12/2007, -0/+0: Yeah, but can't root just change the sysimmu flag?
- echimu, on 10/12/2007, -0/+0: Not very new; try this on the password file
http://www.cyberciti.biz/nixcraft/vivek/blogger/2004/04/linux-password-trick.php
and under bsd http://www.cyberciti.biz/nixcraft/vivek/blogger/2005/06/freebsd-how-to-write-protect-important
- vann, on 10/12/2007, -0/+0: The idea behind making a file immutable is that you never want it deleted unless you delete it explicitly. For example, let's say you're clearing out some directories in /etc. You're not going to be doing something absurd like rm -rf /, but you might delete some files with a wildcard that includes a file you absolutely did not want to be deleted.
It's just an extra level of protection against accidental deletion. In effect, it places immutable files in a blacklist which will never be changed unless you do so explicitly by first removing the immutable bit.
- ahmerhussain, on 10/12/2007, -0/+0: I know of a very simple workaround.
- Inconceivable, on 10/12/2007, -0/+0: I know I'm late to this party, but I've got to speak up in defense of chattr.
I've been using this on important system files for about 8 years now and it works great. The submitter just forgot to include the next step. I replace chattr with a script that simulates chattr output and sends a flood of emails out to admins if someone runs it. Everybody in my shop knows the "real" chattr command.
The first thing someone is going to do is run chattr when they see they can't change a file. How many people actually look at the chattr program before typing it in once?
- BT-Wang, on 10/12/2007, -0/+0: immutable isn't the only flag you can use; you can set append only, for instance on a log file, so that if the service doing the logging gets compromised it can't erase log entries.
the whole thing is much more useful in freebsd and such things as it has security levels, in which nobody, even root, can change these flags. additional steps can be taken to ensure that an administrator must have physical access or authenticate in some other way to change security levels.
on top of that, not all filesystems support these flags; most notably, no version of reiserfs supports them.
these attributes also have many more uses, but they don't really make sense most of the time. the things just aren't very useful on linux. other unix based operating systems found better uses for such things, but on linux you'll mostly have to use other means to secure your system.
- rk_cr, on 10/12/2007, -0/+0: Excuse my ignorance, but I am still not sure of why you'd want to make a file immutable to root when it's already immutable to everything else... I'm not going around typing "rm -rf /" all the time or anything.
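The flags vann and BT-Wang describe (immutable on files you never want deleted, append-only on logs so a compromised logger cannot erase entries) only help while they stay set, so a defender wants to audit them periodically. The block below is an added example, not code from this thread or from Ravi's blog: it parses the output of `lsattr` and reports which files in a required-flag policy are unprotected. The sample lsattr output, the policy paths and the names parse_lsattr, audit, POLICY and SAMPLE_LSATTR are all constructed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "lsattr <paths>" output (not captured from a real
# host). The attribute field is 13 characters on older e2fsprogs and 16 on
# newer ones, so the parser must not assume a fixed width.
SAMPLE_LSATTR = """\
----i--------e-- /etc/passwd
-------------e-- /etc/shadow
-----a-------e-- /var/log/secure
-------------e-- /var/log/messages
----i-------- /sbin/init
"""

# Constructed policy: which letter each path must carry.
# 'i' = immutable (chattr +i), 'a' = append-only (chattr +a).
POLICY: Dict[str, str] = {
    "/etc/passwd": "i",
    "/etc/shadow": "i",
    "/sbin/init": "i",
    "/var/log/secure": "a",
    "/var/log/messages": "a",
    "/boot/vmlinuz": "i",   # deliberately absent from the sample output
}

# One attribute field, whitespace, then the path (which may contain spaces).
_LINE = re.compile(r"^([-A-Za-z]+)\s+(.+)$")


def parse_lsattr(output: str) -> Dict[str, str]:
    """Map each listed path to the attribute letters lsattr shows for it."""
    attrs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue  # lsattr error/warning lines carry no attribute field
        flags, path = m.groups()
        attrs[path] = flags.replace("-", "")
    return attrs


def audit(output: str, policy: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every policy entry that is not protected."""
    attrs = parse_lsattr(output)
    findings: List[Tuple[str, str]] = []
    for path, needed in policy.items():
        if path not in attrs:
            findings.append((path, "not listed"))   # missing file or unsupported fs
        elif needed not in attrs[path]:
            findings.append((path, f"missing {needed}"))
    return findings
```

Feed it the real output of `lsattr` over the policy paths on an ext2/3 host; an empty result means every file still carries the flag it was given.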
- deut, on 10/12/2007, -0/+0: Nice Blog
- echimu, on 10/12/2007, -0/+0: And oh yah, here are more tips, over 200+ tips, original tips http://souptonuts.sourceforge.net/how_to_linux_and_open_source.htm
sorry, my bad, I hit the comment button
- chrislouden, on 10/12/2007, -0/+0: Linux 101 with this story duder.
- jestershinra, on 10/12/2007, -0/+0: "Unfortunately, OS X doesn't come with chattr...too bad..."
No, but it does have chflags, which will work similarly but has the same drawbacks.
- MonkeyFit, on 10/12/2007, -0/+0: I think the real point behind this is how much fun you can have with it. Imagine your friend is just getting into linux and doesn't know all the commands. Now imagine loading certain files (porn, stanic verses, take your pick) onto his comp and making them immutable.
- V-Spec, on 10/12/2007, -0/+0: I was going to say what the person above me did.
- rjarow, on 10/12/2007, -0/+0: To me this just seems like common sense, so I'm like... a whole post devoted to chattr +i, kind of a waste.
But if people didn't know about it, I guess it's beneficial.
- thecoolestcow, on 10/12/2007, -0/+0: "Wow, yet another improperly titled digg article."
Uh, not really dude. While it's immutable, it cannot be deleted. So, because of this, root can't delete it. In the end, the title makes perfect sense.
- MonkeyFit, on 10/12/2007, -0/+0: sorry, I meant "satanic verses". Not stanic verses.
- turgiddahlia, on 10/12/2007, -0/+0: Three hurrahs for the dumbest headline ever!
- comrademikhail, on 10/12/2007, -0/+0: I never knew this. This will really help me from deleting files that I don't want to.
- inactive, on 10/12/2007, -0/+0: wanna make a file that's impossible to delete on windows? try alternate data streams.
echo "file contents" > temp.txt
type temp.txt > C::hiddenfile.txt
del temp.txt
type C::hiddenfile.txt
now try getting rid of that without wiping the drive :)
- Forse, on 10/12/2007, -0/+0: OMG this is like a basic *nix command... why is it on digg? What is next? "how to list hidden files" -_-
no digg
- ph33d, on 10/12/2007, -0/+0: This happened once to me under OS X 10.2. Some file somehow ended up in my Trash that I absolutely could not get rid of, even under OS 9. Finally I discovered chflags, which could only be run from Single User Mode. Awesome...
- raoulsland, on 10/12/2007, -0/+0: Excellent tip and a very nice blog too.