Filesystem attributes can be used to enhance standard file security on ext4 and XFS filesystems by blocking users from being able to delete or overwrite a file.
To get started, you must first check whether your filesystem supports the user_xattr mount option. You can do this with the tune2fs command. Use the '-l' option to list options.
# tune2fs -l /dev/xvda1
As shown in the section below, the filesystem that I am working with on my virtual machine supports ext_attr and has been mounted with the user_xattr option (as well as the acl option).
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags: signed_directory_hash
Default mount options: user_xattr acl
Alternatively, you can avoid having to mount a filesystem with the user_xattr option by simply making user_xattr a default mount option for the filesystem. You accomplish this formidable task with the tune2fs command. For example:
[root@localhost ~]# tune2fs -o user_xattr /dev/sda1
tune2fs 1.42.8 (20-Jun-2013)
Now let's start messing around with a couple of the more common options. I have listed them below.
a | Append Only – sets the file to append only |
i | Immutable – prevents deletion |
d | Do not back up with the dump command |
To set the options shown above you use the chattr command, and to view these options you use the lsattr command. Let's try it out. In this example I am setting the immutable flag so that the file cannot be removed, renamed, or overwritten.
[root@localhost ~]# touch testfile
[root@localhost ~]# lsattr testfile
---------------- testfile
[root@localhost ~]# chattr +i testfile
[root@localhost ~]# lsattr testfile
----i----------- testfile
OK, now let's remove the 'i' option.
[root@localhost ~]# chattr -i testfile
[root@localhost ~]# lsattr testfile
---------------- testfile
See, this is pretty simple stuff; however, since these options are rarely set, not too many people know about them.
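Because these flags are rarely set, it is worth auditing which files carry them. The script below decodes the a, i and d flags from lsattr output; it is an added example, not part of the original post. The function names decode_attrs and sample_lsattr and the sample lines are constructed for illustration, and the 12-character minimum width of the flags column is an assumption.

```shell
#!/bin/sh
# Added example: decode the a/i/d flags from lsattr output read on stdin.
# Assumption: each file line is "<flags> <path>", where <flags> is a run of
# letters and hyphens at least 12 characters wide (16 in the output above).

decode_attrs() {
    awk '
    {
        flags = $1
        # Skip blank lines and the "dir:" headers printed by lsattr -R.
        if (length(flags) < 12 || flags !~ /^[A-Za-z-]+$/) next
        # Everything after the first space is the path (it may contain spaces).
        path = substr($0, length(flags) + 2)
        out = ""
        # index() is case-sensitive: "A" (no atime) is a different flag from "a".
        if (index(flags, "i")) out = out " immutable"
        if (index(flags, "a")) out = out " append-only"
        if (index(flags, "d")) out = out " no-dump"
        if (out != "") printf "%s:%s\n", path, out
    }'
}

# Constructed sample input in lsattr -R layout (not captured from a real system).
sample_lsattr() {
    cat <<'EOF'
---------------- ./testfile
----i----------- ./locked.conf
-----a---------- ./audit.log
------d--------- ./scratch file.img
-------A-----e-- ./notes.txt

./etc:
----ia---------- ./etc/passwd.bak
EOF
}

# Stand-alone demonstration: list only the files that carry one of the flags.
sample_lsattr | decode_attrs
```

On a live system, pipe real output into the function instead, for example `lsattr -R /etc 2>/dev/null | decode_attrs`.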