Tip

Set the right Linux extended attributes, enjoy better file security

Linux extended attributes protect files from accidental or malicious changes, and the security features are easy to set with a few commands.

In Unix's early days, security was three permissions assigned to the user, group and other entities. As Linux replaced Unix and data security gained importance, Linux extended attributes were created.

The most important difference between permissions and attributes is that attributes don't depend on a user account. For that reason, changes made to them apply to all users, even root. You can use attributes to protect files from being deleted or modified by accident.

To work with extended attributes, you first need support in your Linux file system. On ext3 and ext4 file systems, check for support with the tune2fs -l /dev/yourfilesystem command and look at the default mount options it reports; if user_xattr isn't listed, enable extended attributes support with tune2fs -o user_xattr /dev/yourfilesystem. Alternatively, use user_xattr as a mount option in fstab.

Once your file system is prepared for attributes, it's easy to set them with chattr. All you need is root permission. The following attributes are the most interesting for Linux security:

  • Append only (a): allows you to add to the contents of a file, but not to remove any of the current contents, or the file itself.
  • Immutable (i): disallows deletion or any modification.
  • Secure deletion (s): ensures that after deletion the contents of the file cannot be recovered.
  • Undeletable (u): ensures that the contents of the file can be modified, but it's not possible to delete the file.

For instance, if you want to apply the immutable permission to a file, use chattr +i file.

Check which attributes are applied with lsattr (see Listing 1), which shows an attribute being set with chattr and then verified with lsattr. With the immutable attribute set, even user root cannot remove the file.

[root@iad data]# chattr +i file1
[root@iad data]# lsattr file1
----i--------e-- file1
[root@iad data]# rm -f file1
rm: cannot remove 'file1': Operation not permitted

Listing 1. Checking and setting permissions with Linux extended attributes.

Linux extended attributes are a useful security addition to complement or counteract default functionality in the file system. To continue the example above, applying "i" extended attributes as an extra layer of protection to files in a user's home directory will prevent the user from removing all files from their home directory, even if the user has permission to delete these files by default.
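As an added example that is not part of the original tip, the following POSIX shell helper decodes the lsattr flag field shown in Listing 1 into attribute names and audits a list of files for a required attribute, so an administrator can confirm that protected files still carry "i" or "a". The functions decode_attrs and missing_attr and the sample lsattr lines in SAMPLE are constructed here for illustration, not taken from the article.

```shell
#!/bin/sh
# Decode an lsattr flag field such as "----i--------e--" into attribute names.
# lsattr prints '-' for an unset attribute and the attribute letter when set,
# so the letters alone identify which attributes apply.
decode_attrs() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le "${#flags}" ]; do
        c=$(printf '%s' "$flags" | cut -c "$i")
        case $c in
            a) out="$out append-only" ;;
            i) out="$out immutable" ;;
            s) out="$out secure-deletion" ;;
            u) out="$out undeletable" ;;
            e) out="$out extents" ;;
            -) ;;                      # unset position
            *) out="$out $c" ;;        # other flags: keep the raw letter
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Read lsattr-style lines ("<flags> <path>") on stdin and print every path
# whose flag field does NOT contain the attribute letter given as $1.
# Used to spot protected files that have lost their immutable/append-only bit.
missing_attr() {
    want=$1
    while read -r flags path; do
        case $flags in
            *"$want"*) ;;                 # attribute present, nothing to report
            *) printf '%s\n' "$path" ;;   # attribute missing: report the path
        esac
    done
}

# Constructed sample output (hypothetical); in practice pipe in real lsattr output.
SAMPLE='----i--------e-- /etc/passwd
-----a-------e-- /var/log/secure
-------------e-- /etc/shadow'

# Demonstration: decode one flag field, then list files lacking immutable (i).
decode_attrs '----i--------e--'
printf '%s\n' "$SAMPLE" | missing_attr i
```

Against a live system, feed real output instead of the sample, for example lsattr /etc/passwd /etc/shadow | missing_attr i.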

Other extended attributes

On an ext4 file system, all files have the extents (e) attribute set by default, because ext4 uses extents to store files. An extent has a default allocation size of 2 MB, whereas a traditional file system block is typically only 4 KB. This advanced file system feature is implemented via attributes.

The man page for the chattr command lists some attributes that cannot actually be used. Every attribute needs supporting functionality in the underlying file system. If the file system doesn't offer this functionality, you can set the attribute, but it has no effect.

About the author:

Sander van Vugt is an independent trainer and consultant based in the Netherlands. He is an expert in Linux high availability, virtualization and performance. He has authored many books on Linux topics, including Beginning the Linux Command Line, Beginning Ubuntu LTS Server Administration and Pro Ubuntu Server Administration.

mail@sandervanvugt.nl

This was first published in August 2013
