Set the right Linux extended attributes, enjoy better file security

Unlike permissions, Linux file attributes are a property of the file rather than of a user account: once set, they apply to every user, including root, until the attribute is cleared again. Administrators can use them to add a layer of file protection that permissions alone cannot provide.

Linux file attributes protect files from accidental changes, and from any process that lacks the capability needed to clear them; they are set and checked with a few commands.

In Unix's early days, file security consisted of three sets of permission bits (read, write and execute) assigned to the file's owner, its group and everyone else. As Linux matured and data security gained importance, additional per-file attributes were added on top of that model.

The most important difference between permissions and attributes is that attributes don't depend on a user account. Once set, they apply to all users, even root, until a process that holds the CAP_LINUX_IMMUTABLE capability (root has it by default; a container's root or a confined service often does not) clears them with chattr. That makes attributes a good way to protect files from being deleted or modified by accident. Strictly speaking, the flags that chattr sets are inode attribute flags, which are different from the named extended attributes (xattrs) managed with setfattr and getfattr; both are loosely called "extended attributes," but this article is about the chattr flags.

To work with attributes, you first need support in your Linux file system. The chattr flags are implemented by ext2, ext3, ext4 and XFS, and they need no special mount option. The user_xattr mount option is a different thing: it enables the separate user.* extended attributes used by setfattr and getfattr. You can check whether it is in the default mount options with tune2fs -l /dev/yourfilesystem, enable it persistently with tune2fs -o user_xattr /dev/yourfilesystem, or add user_xattr as a mount option in fstab; on current ext4 file systems it is on by default.

Once your file system is prepared for attributes, it's easy to set them with chattr. Most flags only require ownership of the file, but the append-only and immutable flags can only be set or cleared by a process with the CAP_LINUX_IMMUTABLE capability, which root has by default. The following attributes are the most interesting for Linux security:

  • Append only (a): allows data to be added to the end of a file (the file can only be opened in append mode), but not to overwrite or truncate the current contents, or to delete or rename the file itself. It is a natural fit for log files.
  • Immutable (i): disallows deletion, renaming, hard linking and any modification of the file's contents or metadata; not even root can write to the file until the attribute is cleared.
  • Secure deletion (s): is meant to zero the file's blocks on disk when the file is deleted. It is accepted by chattr but not honored by ext2, ext3 or ext4, so do not rely on it to wipe data.
  • Undeletable (u): is meant to preserve the file's contents after deletion so that the file can be undeleted; it does not block rm. Like s, it is accepted by chattr but not honored by ext2, ext3 or ext4.

For instance, if you want to apply the immutable attribute to a file, use chattr +i file; to clear it again, use chattr -i file.

Check which attributes are set with lsattr (see Listing 1); the letters in the first column show the flags that are currently applied. With the immutable attribute set as in the example, even user root cannot remove the file until the attribute is cleared.

[root@iad data]# chattr +i file1
[root@iad data]# lsattr file1
----i--------e-- file1
[root@iad data]# rm -f file1
rm: cannot remove 'file1': Operation not permitted

Listing 1. Setting and checking attributes with chattr and lsattr.

Attributes are a useful security addition because they can override what the file system's default permission checks would allow. To continue the example above, setting the i attribute on files in a user's home directory prevents that user from modifying or removing them, even though the user owns the files and has write permission on the directory. Only a process with CAP_LINUX_IMMUTABLE can clear the attribute and make the files deletable again, so this also limits what a compromised unprivileged account can undo.
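The procedure above (set a flag with chattr, verify it with lsattr, observe that rm fails), as an added example that is not part of the original article. It goes a step further than the article by turning the lsattr check into a small audit of a directory tree, the kind of check a defender runs because an unexpected immutable or append-only file is a common way for a planted file to survive cleanup. The lsattr-line parsing is pure text and runs anywhere; the end-to-end demo needs a process with CAP_LINUX_IMMUTABLE on a file system that implements the i flag (ext2/3/4, XFS) and skips itself otherwise. The function names, the file name under /tmp and the sample lsattr lines in the comments are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes Linux with
# e2fsprogs (chattr, lsattr) and a file system that implements the i flag
# (ext2/3/4, XFS). Setting or clearing +i needs CAP_LINUX_IMMUTABLE, which
# root has by default but a container's root usually does not.

# Return the flag field of one lsattr output line, e.g. the constructed
# line "----i--------e-- file1" yields "----i--------e--". Pure text, no I/O.
lsattr_flags() {
    printf '%s\n' "${1%% *}"
}

# Succeed (exit 0) if an lsattr line has the given single-letter flag set.
# Flags are case-sensitive: 'a' is append-only, 'A' is no-atime.
#   has_flag i '----i--------e-- file1'   -> 0 (set)
#   has_flag a '----i--------e-- file1'   -> 1 (not set)
has_flag() {
    case "$(lsattr_flags "$2")" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the protection flags (a, i) set on a path: "i", "a", "ai" or "".
# lsattr -d reports a directory itself instead of listing its contents.
protection_flags() {
    line=$(lsattr -d -- "$1" 2>/dev/null) || return 1
    out=""
    for f in a i; do
        has_flag "$f" "$line" && out="$out$f"
    done
    printf '%s\n' "$out"
}

# Audit: print every regular file below a directory (same file system only)
# that carries a or i, one "flags path" line per hit. Files on file systems
# without flag support make lsattr complain on stderr, which is discarded.
audit_protected() {
    find "$1" -xdev -type f -exec lsattr -d -- {} + 2>/dev/null |
    while read -r line; do
        if has_flag i "$line" || has_flag a "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Demonstrate +i end to end: after chattr +i, neither rm nor an append
# succeeds, even as root, until chattr -i clears the flag again.
# Returns 0 when the protection behaved as described, 1 when it did not,
# and 2 when the demo was skipped (no CAP_LINUX_IMMUTABLE or unsupported fs).
demo_immutable() {
    f="${1:-/tmp}/chattr-demo.$$"        # constructed scratch file name
    printf 'original\n' > "$f" || return 1
    if ! chattr +i "$f" 2>/dev/null; then
        rm -f -- "$f"
        return 2
    fi
    rc=0
    rm -f -- "$f" 2>/dev/null && rc=1                 # rm must fail
    printf 'tampered\n' >> "$f" 2>/dev/null && rc=1   # append must fail
    [ "$(protection_flags "$f")" = "i" ] || rc=1      # lsattr must show i
    chattr -i "$f" && rm -f -- "$f"                   # clear flag, clean up
    return $rc
}

# Usage when saved as chattr-demo.sh and run directly:
#   sudo sh chattr-demo.sh /etc
case "$0" in
    *chattr-demo.sh)
        audit_protected "${1:-/etc}"
        rc=0
        demo_immutable /tmp || rc=$?
        echo "demo status: $rc (0 = protected, 2 = skipped)"
        ;;
esac
```

Run the audit as root so lsattr can read every file; a hit under a location you never protected deliberately (a user's home, /tmp, a cron directory) deserves a closer look, because only a CAP_LINUX_IMMUTABLE holder could have put it there.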

Other attributes

On an ext4 file system, all files have the extents (e) attribute set, because ext4 stores the mapping from a file to its disk blocks as extents: each extent describes one contiguous run of blocks (up to 32,768 blocks, or 128 MiB with 4 KB blocks) instead of listing every 4 KB block individually, as the older ext3 block map did. The e attribute only reports that this mapping is in use; it is not a security feature and cannot be cleared with chattr.

On the man page of the chattr command, some attributes are listed that have no effect on common file systems. Every attribute needs supporting functionality in the underlying file system; if the file system doesn't implement it, chattr will still set the flag, but to no effect. Secure deletion (s) and undeletable (u) are the most notable examples: ext2, ext3 and ext4 accept them but do not honor them.

About the author:

Sander van Vugt is an independent trainer and consultant based in the Netherlands. He is an expert in Linux high availability, virtualization and performance. He has authored many books on Linux topics, including Beginning the Linux Command Line, Beginning Ubuntu LTS Server Administration and Pro Ubuntu Server Administration.

mail@sandervanvugt.nl

This was first published in August 2013
