Securing Individual Files in Linux with Filesystem Attributes.

Filesystem attributes can be used to enhance standard file security on ext4 and XFS filesystems by blocking users from being able to delete or overwrite a file.

In order to get started, you first must see if your filesystem supports the user_xattr mount option. To do this you can use the tune2fs command with the '-l' option, which lists the filesystem's features and default mount options.

# tune2fs -l /dev/xvda1

As shown in the output below, the filesystem that I am working with on my virtual machine supports ext_attr and has been mounted with the user_xattr option (as well as the acl option).

Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl

Alternatively, you can bypass mounting a filesystem with the user_xattr option by simply making user_xattr a default mount option for the filesystem. You accomplish this formidable task with the tune2fs command. For example:

[root@localhost ~]# tune2fs -o user_xattr /dev/sda1
tune2fs 1.42.8 (20-Jun-2013)

Now let's start messing around with a couple of the more common options. I have listed them below.

a  Append only – the file can only be opened for appending
i  Immutable – the file cannot be deleted, renamed, or overwritten
d  No dump – the file is skipped by the dump backup command

To set the options shown above you use the chattr command, and to view them you use the lsattr command. Let's try it out. In this example I am setting the immutable flag so that the file cannot be removed, renamed, or overwritten.

[root@localhost ~]# touch testfile
[root@localhost ~]# lsattr testfile
---------------- testfile
[root@localhost ~]# chattr +i testfile
[root@localhost ~]# lsattr testfile
----i----------- testfile

OK, now let's remove the 'i' option.

[root@localhost ~]# chattr -i testfile
[root@localhost ~]# lsattr testfile
---------------- testfile

See, this is pretty simple stuff; however, since these options are rarely set, not too many people know about them.
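As an added example (not code from the original post), here is a small POSIX shell script that builds on the walk-through above. The flag_set and audit_attrs functions parse lsattr-style lines so you can review which files on a host carry +i or +a, which is handy when checking for files that were locked outside of change control. The demo_immutable function wraps the touch / chattr +i / rm / chattr -i sequence shown above, and only runs when the script is invoked as root with the demo argument, since chattr needs root and a supporting filesystem. The sample lsattr lines, including the file paths in them, are constructed for illustration rather than captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses lsattr-style lines
# to audit for immutable (+i) and append-only (+a) files, and wraps the
# page's chattr +i / chattr -i walk-through in a function that only runs
# when explicitly requested as root.

# flag_set LINE FLAG: succeed when the single-letter FLAG appears in the
# attribute field (first token) of one lsattr output line, e.g.
#   "----i-----------e- /etc/resolv.conf"
flag_set() {
    attrs=${1%% *}          # everything before the first space
    case "$attrs" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_attrs: read lsattr lines on stdin and print "FLAGS PATH" for every
# file with +i and/or +a set, so unexpected locked files stand out in review.
audit_attrs() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=
        flag_set "$line" i && flags="${flags}i"
        flag_set "$line" a && flags="${flags}a"
        if [ -n "$flags" ]; then
            printf '%s %s\n' "$flags" "${line#* }"
        fi
    done
}

# Constructed sample lsattr output (not captured from a real host).
SAMPLE_LSATTR='----i-----------e- /etc/resolv.conf
----------------e- /etc/hosts
-----a----------e- /var/log/secure'

# count_locked: number of +i/+a files found in the sample (self-check).
count_locked() {
    printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs | grep -c .
}

# demo_immutable PATH: the page's walk-through. Create the file, set +i,
# show that rm is refused, clear +i, then remove it. Needs root and a
# filesystem (ext4, XFS) that honours chattr.
demo_immutable() {
    f=$1
    touch "$f"
    chattr +i "$f"
    lsattr "$f"
    if rm -f "$f" 2>/dev/null; then
        echo "unexpected: $f was removed despite +i"
    else
        echo "rm refused as expected: $f is immutable"
    fi
    chattr -i "$f"
    rm -f "$f" && echo "removed $f after clearing +i"
}

# Run the live demo only when asked for explicitly:
#   sh thisfile.sh demo [/path/to/testfile]
if [ "${1-}" = demo ] && [ "$(id -u)" -eq 0 ]; then
    demo_immutable "${2:-/tmp/testfile}"
fi
```

To audit a real directory, pipe lsattr into the parser, for example `lsattr -R /etc 2>/dev/null | audit_attrs`; on the constructed sample above it reports /etc/resolv.conf (i) and /var/log/secure (a) and stays silent about /etc/hosts.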