Dec 18 2010

chattr

You are root on your system, you do an rm of a file and get "rm: cannot remove `test': Operation not permitted". Is this possible?
Yes, if there are any special extended attributes set on your filesystem.

The "interesting" thing is that some rootkits also set these attributes after replacing system binaries (ps, netstat), so restoring the originals is a bit harder.

But don't worry: in this article I'll present the lsattr and chattr commands, which help you list and manipulate the extended attributes on your Linux box.

The chattr and lsattr utilities on Linux, and the attributes they manipulate, are specific to the Second Extended Filesystem family (ext2, ext3) and are available as part of the e2fsprogs package. They don't work on files residing on other filesystems, e.g. ReiserFS or FAT.

Chattr syntax

chattr [-RV] [-+=AacDdijsSu] [-v version] files

The operator `+' causes the selected attributes to be added to the existing attributes of the files; `-' causes them to be removed; and `=' causes them to be the only attributes that the files have.

The letters `ASacDdijsu' select the new attributes for the files.

Some attributes include:

* don’t update atime (A)
* synchronous updates (S)
* synchronous directory updates (D)
* append only (a)
* compressed (c)
* no dump (d)
* immutable (i)
* data journalling (j)
* secure deletion (s)
* top of directory hierarchy (T)
* no tail-merging (t)
* undeletable (u)

An example of using it on my /tmp (an ext4 filesystem):

root@laptop:/tmp/test-extended# ls -l
total 0
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test2
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test3
 
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test
-----------------e- ./test3
-----------------e- ./test2
 
root@laptop:/tmp/test-extended# chattr +u test
root@laptop:/tmp/test-extended# lsattr
-u---------------e- ./test
-----------------e- ./test3
-----------------e- ./test2
 
root@laptop:/tmp/test-extended# rm test
root@laptop:/tmp/test-extended# ls
test2  test3

Surprised?
In fact, the u flag was only honoured by the original ext filesystem; the undelete feature was lost with ext2, so the u flag is now totally useless.

But now let's see something that works.

root@laptop:/tmp/test-extended# touch test4
root@laptop:/tmp/test-extended# chattr +i test4
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test3
-----------------e- ./test2
----i------------e- ./test4
 
root@laptop:/tmp/test-extended# rm test4
rm: cannot remove `test4': Operation not permitted
root@laptop:/tmp/test-extended# ls -l
total 0
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test2
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test3
-rw-r--r-- 1 root root 0 2010-12-17 23:24 test4

So the +i flag is working: it sets the immutable bit, which prevents even root from erasing or changing the contents of a file.

You can use this flag to set one or more files as immutable and be sure that no one will delete (or modify) them by mistake.

Another example with the append flag:

root@laptop:/tmp/test-extended# touch test5
root@laptop:/tmp/test-extended# chattr +a test5
root@laptop:/tmp/test-extended# echo "this is a test" > test5
-bash: test5: Operation not permitted
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test3
-----------------e- ./test2
-----a-----------e- ./test5
----i------------e- ./test4
 
root@laptop:/tmp/test-extended# echo "this is a test" >> test5
root@laptop:/tmp/test-extended# cat test5
this is a test
root@capecchi:/tmp/test-extended# rm test5
rm: cannot remove `test5': Operation not permitted

So with the a flag a file can only be opened in "append" mode, and it cannot be deleted. Logs are a good candidate for this, to keep them from being tampered with.
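The flip side of the rootkit remark above is that the same flags give a defender something to audit: a small sh script, added here as an example and not part of the original post, that parses lsattr output and reports every file carrying the i (immutable) or a (append-only) flag. The SAMPLE lines are constructed from the session above; the audit_dir function is an assumption about how you would point it at a real directory such as /bin.

```shell
#!/bin/sh
# Added example (not from the original post): find files whose i or a
# flag is set, i.e. files that even root cannot delete or overwrite.
# Unexpected hits under system binary directories deserve a closer look.

# Read lsattr output on stdin ("-----a-----------e- ./test5") and print
# "<flags> <path>" for every file whose flag field contains i or a.
# Directory header lines from lsattr -R ("./bin:") and blank lines are
# skipped because they contain characters other than letters and dashes.
flagged_attrs() {
    while read -r flags path; do
        case "$flags" in
            ""|*[!A-Za-z-]*) continue ;;
        esac
        case "$flags" in
            *i*|*a*) printf '%s %s\n' "$flags" "$path" ;;
        esac
    done
}

# Recursively list a directory's attributes and filter for i/a.
# Errors from files on non-ext filesystems are silenced (assumed usage).
audit_dir() {
    lsattr -R -- "$1" 2>/dev/null | flagged_attrs
}

# Constructed sample mirroring the post's lsattr session.
SAMPLE='-----------------e- ./test3
-----------------e- ./test2
-----a-----------e- ./test5
----i------------e- ./test4'

# Offline demo: prints the test5 (append-only) and test4 (immutable) lines.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | flagged_attrs
fi
```

Run it with `--demo` to see the parser on the sample, or call `audit_dir /bin` as root on an ext filesystem for a real check.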
