Abstract
In the same way that FAT has file attributes (archive, system file, invisible, read-only), a GNU/Linux file system has its own, but they are different. We will briefly go over them here for the sake of completeness, since they are very seldom used. However, if you really want a secure system, read on.
There are two commands for manipulating file attributes: lsattr and chattr. As you probably guessed, lsattr “LiSts” attributes, whereas chattr “CHanges” them. These attributes can only be set on directories and regular files. The following are some of the attributes available; for a complete list, please refer to chattr(1):
A (“no Access time”): if a file or directory has this attribute set, its last access time is not updated when it is accessed, whether for reading or for writing. This can be useful, for example, on files or directories that are often opened for reading, since the access time is the only inode field that changes when a file is opened read-only.

a (“append only”): if a file has this attribute set and is opened for writing, the only operation allowed is appending data to its existing contents. For a directory, this means that files can be added to it, but no existing file can be renamed or deleted. Only root can set or clear this attribute.

d (“no dump”): dump is the standard UNIX® utility for backups. It dumps any file system whose dump counter is 1 in /etc/fstab (see Chapter 6, File Systems and Mount Points). A file or directory with this attribute set, unlike the others, is not taken into account when a dump is in progress. Note that for directories, this also covers all sub-directories and files beneath them.

i (“immutable”): a file or directory with this attribute set cannot be modified at all: it cannot be renamed, no further link can be created to it[6], and it cannot be removed. Only root can set or clear this attribute. Note that this also prevents changes to the access time, so there is no need to set the A attribute when i is set.

s (“secure deletion”): when a file or directory with this attribute is deleted, the blocks it occupied on disk are overwritten with zeroes.

S (“Synchronous mode”): when a file or directory has this attribute set, all modifications to it are synchronous, that is, written to disk immediately.
For example, you may want to set the i attribute on essential system files in order to avoid bad surprises. Also, consider the A attribute on man pages: this avoids a lot of disk writes and, in particular, can save some battery life on laptops.
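As an added check that is not part of the original text, the script below audits lines in the format lsattr prints for the attributes described above and, where one is missing, prints the chattr command that would apply it; the sample lines are constructed, and the paths in them are illustrative.

```shell
# Added example (not from the original text): audit `lsattr` output for the
# attributes above. Each lsattr line is "<flag field> <path>": a set attribute
# shows as its letter, an unset one as '-'. Field width differs between
# e2fsprogs versions, so flags are matched by letter, not by position.

# lsattr_flags "<lsattr line>" -> prints the letters of the attributes set
lsattr_flags() {
    printf '%s\n' "${1%% *}" | sed 's/-//g'   # first word minus the '-' placeholders
}

# has_attr "<lsattr line>" LETTER -> true when that attribute is set
has_attr() {
    case "$(lsattr_flags "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# missing_attrs "<lsattr line>" WANTED -> prints the wanted letters not set,
# e.g. "ia" when neither immutable nor append-only is present
missing_attrs() {
    _line=$1; _rest=$2; _missing=""
    while [ -n "$_rest" ]; do
        _c=${_rest%"${_rest#?}"}   # first character of the remaining letters
        _rest=${_rest#?}
        has_attr "$_line" "$_c" || _missing="$_missing$_c"
    done
    printf '%s\n' "$_missing"
}

# audit_line "<lsattr line>" WANTED -> "OK <path>", or the chattr command that
# would apply the missing attributes (root is needed for i and a, as noted above)
audit_line() {
    _path=${1#* }
    _m=$(missing_attrs "$1" "$2")
    if [ -z "$_m" ]; then
        printf 'OK %s\n' "$_path"
    else
        printf 'MISSING %s: chattr +%s %s\n' "$_path" "$_m" "$_path"
    fi
}

# Constructed sample lines in lsattr's format (not captured from a real host):
# an immutable system binary and a log that should be append-only but is not.
SAMPLE_BIN='----i---------e------- /sbin/init'
SAMPLE_LOG='--------------e------- /var/log/auth.log'

audit_line "$SAMPLE_BIN" i    # OK /sbin/init
audit_line "$SAMPLE_LOG" a    # MISSING /var/log/auth.log: chattr +a /var/log/auth.log
```

On a real host, feed it `lsattr -d /path` output instead of the sample lines; attribute letters other than those discussed here (such as e for extents) are simply ignored.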