You are root on your system, you run rm on a file and get “rm: cannot remove `test': Operation not permitted”. Is this possible?
Yes, if certain special extended attributes are set on your filesystem.
The “interesting” thing is that some rootkits also use these attributes after replacing binaries (ps, netstat), so restoring the originals is a bit harder.
But don’t worry: in this article I’ll present the lsattr and chattr commands, which help you list and manipulate the extended attributes on your Linux box.
The chattr and lsattr utilities on Linux, and the attributes they manipulate, are specific to the Second Extended Filesystem family (ext2, ext3) and ship as part of the e2fsprogs package. They don’t work on files residing on other filesystems, e.g. ReiserFS or FAT.
Chattr syntax
chattr [-RV] [-+=AacDdijsSu] [-v version] files
The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files; ‘-’ causes them to be removed; and ‘=’ causes them to be the only attributes that the files have.
The letters ‘ASacDdijsu’ select the new attributes for the files.
Some attributes include:
* don’t update atime (A)
* synchronous updates (S)
* synchronous directory updates (D)
* append only (a)
* compressed (c)
* no dump (d)
* immutable (i)
* data journalling (j)
* secure deletion (s)
* top of directory hierarchy (T)
* no tail-merging (t)
* undeletable (u)
Example of using it on my /tmp (ext4 filesystem):
root@laptop:/tmp/test-extended# ls -l
total 0
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test2
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test3
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test
-----------------e- ./test3
-----------------e- ./test2
root@laptop:/tmp/test-extended# chattr +u test
root@laptop:/tmp/test-extended# lsattr
-u---------------e- ./test
-----------------e- ./test3
-----------------e- ./test2
root@laptop:/tmp/test-extended# rm test
root@laptop:/tmp/test-extended# ls
test2  test3
Surprised?
In fact, the u flag was valid only in the original ext filesystem; that feature (undelete) was lost in ext2, so the u flag is now totally useless.
But now let’s see something that works.
root@laptop:/tmp/test-extended# touch test4
root@laptop:/tmp/test-extended# chattr +i test4
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test3
-----------------e- ./test2
----i------------e- ./test4
root@laptop:/tmp/test-extended# rm test4
rm: cannot remove `test4': Operation not permitted
root@laptop:/tmp/test-extended# ls -l
total 0
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test2
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test3
-rw-r--r-- 1 root root 0 2010-12-17 23:24 test4
So the +i flag works: it sets the immutable bit, which prevents even root from erasing the file or changing its contents.
You can use this flag to make one or more files immutable and be sure that no one will delete (or modify) them by mistake.
Another example with the append flag:
root@laptop:/tmp/test-extended# touch test5
root@laptop:/tmp/test-extended# chattr +a test5
root@laptop:/tmp/test-extended# echo "this is a test" > test5
-bash: test5: Operation not permitted
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test3
-----------------e- ./test2
-----a-----------e- ./test5
----i------------e- ./test4
root@laptop:/tmp/test-extended# echo "this is a test" >> test5
root@laptop:/tmp/test-extended# cat test5
this is a test
root@capecchi:/tmp/test-extended# rm test5
rm: cannot remove `test5': Operation not permitted
So with the a flag a file can only be opened in “append” mode, and it cannot be deleted. Logs are a good candidate for this, to keep them from being tampered with.
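Because these flags also show up on binaries that have been replaced and then “locked”, the other side of the coin is auditing for them. The following is an added example, not code from the article: a small POSIX sh function that reads lsattr-formatted lines (flags field, a space, then the path) and reports every entry carrying the immutable (i) or append-only (a) flag. The sample input is constructed to mirror the sessions above plus a directory header as printed by lsattr -R; it is not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): report files whose lsattr
# flags include i (immutable) or a (append-only). Those are the two flags that
# stop even root from deleting or truncating a file, so unexpected hits under
# /bin, /sbin or /usr/bin are worth a second look.

# Read lsattr output on stdin; print "<flag-word> <path>" for each flagged file.
audit_attrs() {
    while IFS= read -r line; do
        # lsattr -R prints "dir:" headers and blank lines between directories.
        case "$line" in
            ''|*:) continue ;;
        esac
        flags=${line%% *}   # flags field: everything before the first space
        path=${line#* }     # path: everything after it
        kind=''
        case "$flags" in *i*) kind='immutable' ;; esac
        case "$flags" in *a*) kind="${kind:+$kind,}append-only" ;; esac
        if [ -n "$kind" ]; then
            printf '%s %s\n' "$kind" "$path"
        fi
    done
    return 0
}

# Number of flagged entries in the input (useful as a quick baseline check).
count_flagged() {
    audit_attrs | wc -l | tr -d ' '
}

# Constructed sample (not a real lsattr capture) in the same layout as the
# article's sessions, plus a "./sub:" header as lsattr -R would emit.
SAMPLE='-----------------e- ./test2
-----------------e- ./test3
----i------------e- ./test4
-----a-----------e- ./test5
./sub:
----ia-----------e- ./sub/locked
-----------------e- ./sub/plain'

printf '%s\n' "$SAMPLE" | audit_attrs
```

On a real box feed it the live output, e.g. `lsattr -R /bin /sbin /usr/bin 2>/dev/null | audit_attrs`, and compare the list against what you set deliberately. Keep in mind that the flags are not a hard guarantee: a process with root privileges (strictly, CAP_LINUX_IMMUTABLE) can clear them again with chattr -i / chattr -a, which is exactly why an unexpected entry in the audit output matters more than the absence of one.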
These are not extended attributes but file system attributes.
File system attributes are predetermined flags that can be set on objects on certain file systems.
Extended attributes are arbitrary strings.