2008-04-06

Sysadmin Sunday: Linux and BSD Filesystem attributes

Most sysadmins are familiar with the concept of file ownership and permissions. Read, Write, and Execute are ingrained in our memories from the start. Sometimes, though, that's not enough. Here are the additional per-file flags (BSD) and attributes (Linux) that go beyond the permission bits:

BSD:
To set file flags in BSD, use chflags. To view them, use ls -lO. Flags are as follows (from the chflags(1) man page):

arch, archived
    set the archived flag (super-user only)

opaque
    set the opaque flag (owner or super-user only) [directory is opaque when viewed through a union mount]

nodump
    set the nodump flag (owner or super-user only)

sappnd, sappend
    set the system append-only flag (super-user only)

schg, schange, simmutable
    set the system immutable flag (super-user only)

uappnd, uappend
    set the user append-only flag (owner or super-user only)

uchg, uchange, uimmutable
    set the user immutable flag (owner or super-user only)

hidden
    set the hidden flag [hide item from GUI]

As discussed in chflags(2), the sappnd and schg flags may only be unset when the system is in single-user mode.

Putting the letters "no" before or removing the letters "no" from a keyword causes the flag to be cleared. For example:

nouchg
    clear the user immutable flag (owner or super-user only)

dump
    clear the nodump flag (owner or super-user only)

schg and sappnd are particularly useful. As described, they place files in an immutable or append-only state where nothing, not even root, can break the rules without first dropping to single-user mode and clearing the flag. uchg will also keep you from accidentally clobbering an important file, but, unlike schg, you can clear it yourself at any time.

Example viewing, setting, and demonstrating the uchg flag:

Chimera:Documents axon$ ls -lO
total 32
-rw-r--r-- 1 axon staff - 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc

Chimera:Documents axon$ chflags uchg description.html

Chimera:Documents axon$ ls -lO
total 32
-rw-r--r-- 1 axon staff uchg 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc

Chimera:Documents axon$ rm description.html
override rw-r--r-- axon/staff uchg for description.html? y
rm: description.html: Operation not permitted

Chimera:Documents axon$ chflags nouchg description.html

Chimera:Documents axon$ rm description.html

Chimera:Documents axon$ ls -lO
total 8
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc

Linux:
Use chattr to set attributes and lsattr to view them.

From the chattr(1) man page:

The format of a symbolic mode is +-=[ASacDdIijsTtu].

The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files; ‘-’ causes them to be removed; and ‘=’ causes them to be the only attributes that the files have.

The letters ‘acdijsuADST’ select the new attributes for the files: append only (a), compressed (c), no dump (d), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).

As you can see, most of these attributes are similar to the BSD flags. We'll do the same thing on Linux with the immutable attribute.

axon@hosting:~/hir-test$ lsattr
------------------ ./internet-resume.doc
------------------ ./mail.sql

axon@hosting:~/hir-test$ chattr +i mail.sql

axon@hosting:~/hir-test$ lsattr
------------------ ./internet-resume.doc
----i------------- ./mail.sql

axon@hosting:~/hir-test$ rm mail.sql
rm: remove write-protected regular file `mail.sql'? y
rm: cannot remove `mail.sql': Operation not permitted
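Once you start pinning files this way, the next question is which files on a box already carry these flags. Here is an added example (not from the original post) that parses lsattr and ls -lO listings and reports files with an immutable or append-only flag set; the sample listings are constructed (auth.log and notes.txt are invented), and the live commands in the comments assume GNU lsattr and BSD ls.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the listings that
# lsattr (Linux) and ls -lO (BSD/macOS) print, and report files that carry an
# immutable or append-only flag. Both functions read listing lines on stdin,
# so they can be run against constructed sample output without root.

# Linux: lsattr prints the attribute letters as the first field, one letter
# per position, then the path. Report lines whose letters include i (immutable)
# or a (append only); A (no atime) is uppercase and ignored. Directory headers
# from lsattr -R ("./etc:") fail the first regex and are skipped.
flagged_linux() {
    awk '{
        attrs = $1
        path = substr($0, length(attrs) + 2)   # keep spaces in the path
        if (attrs ~ /^[-A-Za-z]+$/ && attrs ~ /[ia]/) print attrs, path
    }'
}

# BSD: ls -lO prints the flags in the fifth column ("-" when none are set,
# otherwise a comma-separated list such as "uchg,nodump"). Report lines whose
# flags include an immutable or append-only variant. Assumes the file name
# has no spaces (last field).
flagged_bsd() {
    awk '$5 ~ /(schg|sappnd|uchg|uappnd)/ { print $5, $NF }'
}

# Number of flagged lines in Linux-style input, for quick summaries.
count_flagged_linux() {
    flagged_linux | wc -l | tr -d ' '
}

# Constructed sample listings (mail.sql and description.html mirror the
# sessions in the post; auth.log and notes.txt are invented).
SAMPLE_LSATTR='------------------ ./internet-resume.doc
----i------------- ./mail.sql
-----a------------ ./auth.log
-------------e---- ./notes.txt'

SAMPLE_LS_O='total 32
-rw-r--r-- 1 axon staff uchg 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc'

# Live audit instead of the samples, for example:
#   lsattr -R /etc 2>/dev/null | flagged_linux
#   ls -lO /etc | flagged_bsd
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | flagged_linux
    printf '%s\n' "$SAMPLE_LS_O" | flagged_bsd
fi
```

Run it with --demo to see the two flagged sample entries, or pipe a real listing into either function.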
