1. Introduction
In Linux-based systems, user permissions and file attributes control access to files in the file system.
In this tutorial, we’ll apply those basic concepts to make files unmodifiable. First, we’ll refresh on permissions and attributes. After that, we’ll see how to control file access with these tools.
2. Permissions
To begin with, let’s create a file and inspect its permissions:
$ echo "hello world" > permissions.txt
$ stat permissions.txt
File: permissions.txt
Size: 12 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 5906746 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ naresh) Gid: ( 1000/ naresh)
Access: 2023-02-17 22:26:43.366548920 +0530
Modify: 2023-02-17 22:26:43.366548920 +0530
Change: 2023-02-17 22:26:43.366548920 +0530
Birth: 2023-02-17 22:26:43.366548920 +0530
Firstly, we create a file, i.e., permissions.txt. Secondly, we inspect the status of the file using the stat command.
Consequently, stat prints the access permissions of the file as -rw-rw-r--, owned by the user with Uid 1000, meaning that the owner (and members of the group) can read from and write to the file, while everyone else can only read it.
3. Attributes
Using the same file as above, we inspect its attributes:
$ lsattr -l permissions.txt
permissions.txt Extents
The lsattr command with the -l option prints a file’s attributes. In this case, it shows that our file is using the Extents feature of the file system to store its contents. This feature reduces fragmentation.
Of course, we can add more attributes to the file:
$ chattr +a permissions.txt
$ lsattr -l permissions.txt
permissions.txt Append_Only, Extents
For example, this chattr command adds the +a (append-only) attribute: the file can then only be opened for writing in append mode, so existing contents cannot be overwritten or truncated.
4. User-Based File Access Control
We’ll use the chmod command to disallow the user from modifying our file:
$ chmod -w permissions.txt
$ stat permissions.txt
File: permissions.txt
Size: 12 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 5906746 Links: 1
Access: (0444/-r--r--r--) Uid: ( 1000/ naresh) Gid: ( 1000/ naresh)
Access: 2023-02-17 22:26:43.366548920 +0530
Modify: 2023-02-17 22:26:43.366548920 +0530
Change: 2023-02-18 12:08:49.335801918 +0530
Birth: 2023-02-17 22:26:43.366548920 +0530
As shown above, chmod -w removed the write bit for all three classes (0444), so the owner identified by Uid 1000, like everyone else, should now only be able to read the file permissions.txt.
To verify, we’ll try to modify the file using the echo command:
$ echo "test" >> permissions.txt
bash: permissions.txt: Permission denied
As we can see from the above, attempts by the user to modify the file contents result in a Permission denied error.
5. Attribute-Based File Access Control
To apply attribute-based protection, we’ll use the chattr command to prevent the file from being deleted or modified:
$ chattr +i permissions.txt
$ lsattr -l permissions.txt
permissions.txt Immutable, Extents
First, we use the chattr command with the +i option to modify the attributes of the file and make it immutable.
Now, we’ll attempt to modify the file:
$ echo "hello" >> permissions.txt
bash: permissions.txt: Operation not permitted
In this case, we observe the error message Operation not permitted on trying to append to the file.
This shows that attribute-based enforcement is independent of the user: the immutable flag applies to every process, including those running as root, until it is cleared again with chattr -i, an operation that itself requires the CAP_LINUX_IMMUTABLE capability. When enforcement is per user, as with the mode bits, the error message is Permission denied, as before.
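The two sections above rely on telling the errors apart: the mode bits produce Permission denied (EACCES) and the immutable attribute produces Operation not permitted (EPERM). The following Python script is an added example, not part of the original tutorial, that audits a file the same way: it reads the mode bits with stat, parses lsattr -l output into a set of attribute names, and probes an append open to classify which protection, if any, blocked it. The lsattr sample line is constructed to match the format shown in this article, and the helper names (audit, classify_append, demo_mode_bits_protection) are assumptions of this example.

```python
"""Audit whether a file is protected by mode bits, by inode attributes, or both."""
import errno
import os
import stat
import subprocess
import tempfile

# Constructed sample of `lsattr -l` output in the format shown in the article.
SAMPLE_LSATTR = "permissions.txt                Immutable, Append_Only, Extents"


def parse_lsattr_line(line):
    """Split one line of `lsattr -l` output into (path, set of attribute names).

    lsattr prints '---' when no attribute is set; that placeholder is dropped.
    Paths containing spaces are not handled by this simple split.
    """
    path, _, attrs = line.strip().partition(" ")
    names = {a.strip() for a in attrs.split(",") if a.strip() and a.strip() != "---"}
    return path, names


def file_attributes(path):
    """Run lsattr -l on path; empty set if lsattr is missing or the fs has no attributes."""
    try:
        out = subprocess.run(["lsattr", "-l", path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return parse_lsattr_line(out.splitlines()[0])[1]


def classify_append(path):
    """Open path for appending and report which protection stopped us.

    Returns 'writable', 'mode-bits' (EACCES, i.e. Permission denied) or
    'attribute' (EPERM, i.e. Operation not permitted). Opening with O_APPEND
    alone does not change the file, and an append-only (+a) file opens fine,
    so only the immutable (+i) attribute shows up here.
    """
    try:
        with open(path, "a"):
            pass
    except PermissionError as exc:  # Python maps both EACCES and EPERM here
        if exc.errno == errno.EACCES:
            return "mode-bits"
        if exc.errno == errno.EPERM:
            return "attribute"
        raise
    return "writable"


def audit(path):
    """Collect mode bits, attributes and the append probe result for path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        "owner_writable": bool(mode & stat.S_IWUSR),
        "attributes": sorted(file_attributes(path)),
        "append": classify_append(path),
    }


def running_as_root():
    """Root bypasses mode bits (CAP_DAC_OVERRIDE) but not the immutable flag."""
    return os.geteuid() == 0


def demo_mode_bits_protection():
    """Reproduce section 4 on a temporary file: chmod 0444, then probe an append."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o444)
        return classify_append(path)
    finally:
        os.chmod(path, 0o644)
        os.remove(path)


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "permissions.txt"))
```

Running the script against the article's permissions.txt after chmod -w reports "append": "mode-bits"; after chattr +i it reports "attribute" regardless of which user runs it. Note that the chattr step is not reproduced by demo_mode_bits_protection, since setting +i needs CAP_LINUX_IMMUTABLE and a file system that supports inode flags.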
6. Conclusion
In this article, we discussed two ways to prevent the modification of a file.
Firstly, we changed the permissions of the file, to prevent a specific user from modifying the file. Secondly, we switched the attributes of the file, to disallow write or delete operations. Finally, we also verified the behavior of the commands by inspecting the attributes of the file and trying to apply modifications.