In Linux, there are many ways to secure your files. Among them are the file system attributes. In this article you'll learn how to apply them.
Before starting to do anything using file system attributes, you should be aware of a major difference that exists between file systems. In general, it comes down to the statement that there is XFS, and then there are other file systems. XFS has its own solution for managing attributes, and they are rather different from the options discussed here. In this article I'll talk about attributes as set on the ext file systems.
To use file system attributes, support for them must be enabled on your file system. Only recent file systems use file system attributes by default. To enable file system attribute support, you specify a mount option while mounting the file system: user_xattr. Before trying anything described in this article, make sure this option is on. You can verify this with the mount command. In the output below, you can see that file system attributes on this computer are enabled on the root file system.
Verifying file system attribute support using mount
/dev/mapper/vg_flo-lv_root on / type ext4 (rw,noatime,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/luks-3e67401f-44c6-4a27-a1bf-cdf0dcf45f65 on /home type ext4 (rw,noatime,user_xattr)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
none on /proc/fs/vmblock/mountPoint type vmblock (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/sander/.gvfs type fuse.gvfs-fuse-daemon
If your file system doesn't currently support attributes, in many cases you can add the user_xattr option to a file system that is already mounted. To do this on your root file system, use the following command:
mount -o remount,user_xattr /
The remount option makes the file system pick up its new mount options without unmounting it completely. If you want to make sure your file system has permanent support for file system attributes, you need to specify the option in /etc/fstab. The following line shows how file system attributes are enabled for the root logical volume on my Fedora system:
/dev/mapper/vg_flo-lv_root / ext4 noatime,user_xattr 1 1
Listing and changing attributes
There are two different kinds of file system attributes. Some attributes are set by the system by default, while others may be set by you to ease file system management. You'll notice that, without changing any file system attributes, the lsattr command already shows some system attributes on files and directories on your computer. For example, you may find the I attribute on the /etc directory, which indicates that it uses an H-tree index to speed up lookups in this directory, and you'll find the e attribute on many files and directories on an ext4 file system, indicating that the file uses extents instead of individual blocks for more efficient storage. All of the system attributes indicate a status and cannot be changed.
Of the attributes that you can change as an administrator, some have experimental status. That means the attribute may be implemented in a future version of either the kernel or the file system, but has no function yet. There are, however, a few attributes that are implemented and may be useful to you. These are the following:
| Attribute | Meaning |
| --- | --- |
| i | immutable: files that have this attribute set cannot be changed at all. This attribute is perfect if you want to prevent important files from being deleted by accident. |
| j | journal: this attribute makes sure that the data blocks of the file are written to the journal before the metadata of the file are written. This attribute works in every journaling mode as set with the data= mount option, and you can use it to add some extra protection to your files. |
| s | secure deletion: when this attribute is set on a file, its blocks will be wiped before the delete action is committed. This attribute only works with recent kernel versions and file systems. |
| u | undelete: when this attribute is set, a file can be revived using tools like extundelete. This attribute only works with recent kernel versions and file systems. |
To set a file system attribute, you'll use chattr. For example, the following command would make the /etc/hosts file immutable:
chattr +i /etc/hosts
To verify that you have succeeded, use lsattr. This command displays all attributes currently set on the specified file.
[root@flo ~]# chattr +i /etc/hosts
[root@flo ~]# lsattr /etc/hosts
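The two checks this article walks through, whether user_xattr is on for a mount point and whether lsattr shows the i flag on the files you hardened, as an added shell example that is not part of the original article; the helper names (has_mount_option, missing_flag) and the sample mount and lsattr output are constructed here so the parsing can be exercised without root:

```shell
#!/bin/sh
# Added example, not from the original article: two audit helpers that parse
# the output of the commands the article uses (mount and lsattr), so a
# hardening checklist can be verified from captured output without root.
# Paths containing spaces are not handled (lsattr prints flags, then the path).

# has_mount_option MOUNTPOINT OPTION   (reads `mount` output on stdin)
# Succeeds when the line for MOUNTPOINT carries OPTION, e.g. user_xattr.
has_mount_option() {
    awk -v mp="$1" -v opt="$2" '
        $3 == mp {
            # mount prints the options in parentheses after "type <fs>"
            o = $0; sub(/.*\(/, "", o); sub(/\).*/, "", o)
            n = split(o, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_flag FLAG   (reads `lsattr` output on stdin)
# Prints the path of every file whose flag column lacks FLAG, e.g. "i".
# No output means every listed file carries the flag.
missing_flag() {
    awk -v f="$1" '!index($1, f) { print $2 }'
}

# Constructed samples in the same shape as the article's output, for offline use.
MOUNT_SAMPLE='/dev/mapper/vg_flo-lv_root on / type ext4 (rw,noatime,user_xattr)
/dev/sda1 on /boot type ext4 (rw)'
LSATTR_SAMPLE='----i--------e------- /etc/hosts
-------------e------- /etc/passwd'

printf '%s\n' "$MOUNT_SAMPLE" | has_mount_option / user_xattr \
    && echo "/ is mounted with user_xattr"
printf '%s\n' "$LSATTR_SAMPLE" | missing_flag i | sed 's/^/not immutable: /'

# Live use on an ext file system (chattr +i itself needs root):
#   mount | has_mount_option / user_xattr
#   lsattr /etc/hosts /etc/passwd | missing_flag i
```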
Among the nice features of file system attributes is the fact that they apply to all users. No matter which user is logged in, the file system attribute is effective. This ensures that even root faces the limitations you've set with these attributes. Root will, however, be able to remove file system attributes.
On a modern Linux file system like ext4, file system attributes are used by default to implement advanced file system features such as extents. On other file systems you may have to switch attribute support on before you can start using them. Using attributes, you can add an additional layer of protection to your files, from which even the root user isn't immune. File system attributes can therefore be a valuable addition to the way you secure your server.
This was first published in January 2011