If you have write permission, why can’t you modify the file?

Time: 2021-11-29

1、 The immutable file attribute

1. What is the immutable attribute?

We know that read, write and execute permissions can be set on files in a Linux system. In practice, however, it is common to find that the current user has write permission to a file and still cannot modify it. Usually this is because the file has been given the immutable attribute.

The immutable attribute is set with the chattr command. Once it is set, no user, not even root, can delete the file until the attribute is removed again.

After setting the attribute with chattr, you can view it with the lsattr command.

The two most commonly used attributes are +i and +a.
+i makes a file impossible to append to, modify, delete or rename.
+a makes a file append-only: it cannot be deleted or modified, and data can only be added to it in the form echo 'string' >> file.

The immutable attribute matters a great deal for the system, especially for data security, because it keeps important files from being tampered with.

However, chattr only works completely on the traditional Linux filesystems ext2/ext3/ext4. Other filesystems may not fully support it; xfs, for example, supports only some of the attributes.

2. View the file system

  • Method 1: the df -T filename command
[root~]# df -T .bash_history
Filesystem     Type 1K-blocks     Used Available Use% Mounted on
/dev/vda1      ext4  51473868 20461060  28689688  42% /

The Type column (the second column) shows that the filesystem type is ext4.

  • Method 2: look at the /etc/mtab file

The filesystem type can also be determined by reading the /etc/mtab file.

[root~]# cat /etc/mtab
rootfs / rootfs rw 0 0
sysfs /sys sysfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=930832k,nr_inodes=232708,mode=755 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
...
/dev/vda1 / ext4 rw,noatime,data=ordered 0 0
...

In /etc/mtab, the first column gives the partition device path (for example /dev/vda1) and the third column gives the filesystem type (for example ext4).
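Both methods above come down to the same lookup: find the mount point that holds the file, then read its filesystem type. The following shell functions, an added example that is not part of the original article, do that lookup over /etc/mtab-style lines (longest matching mount point wins, as with df -T) and then say whether chattr is fully usable on that filesystem. The mount table embedded below is constructed sample data modelled on the listing above; pass your own text, or omit the second argument to read the real /etc/mtab.

```sh
# Added example (not from the original article): which filesystem holds a path,
# and how completely chattr works there. SAMPLE_MTAB is constructed test data.
SAMPLE_MTAB='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/vda1 / ext4 rw,noatime,data=ordered 0 0
/dev/vdb1 /data xfs rw,relatime 0 0'

# fs_type_for PATH [MTAB_TEXT]: print the type of the filesystem holding PATH.
# Picks the longest mount point that is a prefix of PATH (what df -T does);
# on a tie the later line wins, because later mounts shadow earlier ones.
fs_type_for() {
    printf '%s\n' "${2:-$(cat /etc/mtab)}" | awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best = $3 }
            }
        }
        END { if (best != "") print best }'
}

# chattr_support TYPE: how completely chattr works on that filesystem type
chattr_support() {
    case $1 in
        ext2|ext3|ext4) echo full ;;
        xfs)            echo partial ;;   # only some attributes, per the article
        *)              echo unknown ;;
    esac
}

# check_path PATH [MTAB_TEXT]: one-line summary such as "/data: xfs (partial)"
check_path() {
    t=$(fs_type_for "$1" "${2:-$(cat /etc/mtab)}")
    [ -n "$t" ] || { echo "$1: no matching mount point" >&2; return 1; }
    echo "$1: $t ($(chattr_support "$t"))"
}
```

Run check_path on a file before relying on +i or +a for it: on an "unknown" or "partial" filesystem, verify with lsattr that the attribute really took effect instead of assuming it did.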

2、 Setting the immutable attribute with chattr

1. The chattr command

chattr [+-=] [options] [file or directory]
[+-=]

+: add the attribute
-: remove the attribute
=: set exactly the given attributes

Options

i (immutable):

  • File: the file cannot be deleted or renamed, and its data cannot be appended to or modified.
  • Directory: files cannot be created or deleted inside it, but the data of files already in the directory can still be modified.

a (append only):

  • File: data cannot be deleted or modified; it can only be appended in the form echo 'string' >> file.
  • Directory: files can only be added to or modified in the directory; they cannot be deleted.

2. Viewing file attributes with lsattr

lsattr [options] [filename]
Options

-a: show all files and directories, including hidden ones
-d: if the target is a directory, list only the attributes of the directory itself, not those of the files inside it
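Because lsattr is the only way to see these attributes (ls -l shows nothing), a periodic audit of its output is how you find files that have become immutable or append-only without anyone intending it. The functions below are an added example, not code from the original article: they parse the text that lsattr -R prints, list every entry carrying i or a, and report the ones not on an allowlist of files you locked on purpose. The lsattr output embedded below is constructed for the demonstration.

```sh
# Added example (not from the original article): audit lsattr -R output for
# i (immutable) and a (append-only) entries. SAMPLE_LSATTR is constructed data.
SAMPLE_LSATTR='/etc:
----i----------- /etc/resolv.conf
----i----------- /etc/hosts
---------------- /etc/passwd

/root:
-----a---------- /root/.bash_history'

# attrs_of FLAGS: the attribute letters set in one lsattr flag field
attrs_of() {
    printf '%s\n' "$1" | sed 's/-//g'
}

# list_locked [LSATTR_TEXT]: print "<i|a> <path>" for each locked entry.
# Skips the "dir:" headers and blank lines that lsattr -R prints; the path is
# everything after the flag field, so paths containing spaces survive.
list_locked() {
    printf '%s\n' "${1:-$(cat)}" | awk '
        NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ {
            flags = $1
            path = substr($0, length(flags) + 2)
            if (index(flags, "i"))      print "i", path
            else if (index(flags, "a")) print "a", path
        }'
}

# unexpected_locked ALLOWLIST [LSATTR_TEXT]: locked entries whose path is not
# in the space-separated ALLOWLIST (the files you locked deliberately)
unexpected_locked() {
    allow=" $1 "
    list_locked "${2:-$(cat)}" | while IFS= read -r line; do
        path=${line#* }
        case $allow in
            *" $path "*) ;;                 # expected, skip
            *) printf '%s\n' "$line" ;;
        esac
    done
}
```

Typical use is "lsattr -R /etc 2>/dev/null | unexpected_locked '/etc/resolv.conf'"; anything it prints is a file that an edit or package upgrade will fail on, and the allowlist is the place to record which locks are intentional.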

3. Examples

Applying the i option to a file
The file cannot be deleted or renamed, and its data cannot be appended to or modified.
  • Create file_i and write some content into it
[root/tmp/chattr]$ touch file_i

[root/tmp/chattr]$ date > file_i
[root/tmp/chattr]$ cat file_i
Friday, June 8, 2018 12:04:57 UTC
  • chattr +i file_i
[root/tmp/chattr]# chattr +i file_i

[root/tmp/chattr]# lsattr file_i
----i----------- file_i
  • Cannot delete
[root/tmp/chattr]# rm file_i
rm: cannot remove 'file_i': Operation not permitted
  • Cannot rename
[root/tmp/chattr]# mv file_i file
mv: cannot move 'file_i' to 'file': Operation not permitted
  • Cannot append data
[root/tmp/chattr]# date >> file_i
bash: file_i: Permission denied
  • Cannot modify data
[root/tmp/chattr]# date > file_i
bash: file_i: Permission denied
Applying the i option to a directory
Files cannot be created or deleted inside it, but the data of files in the directory can still be modified.
  • Create directory dir_i and create a file inside it
[root/tmp/chattr]# mkdir dir_i
[root/tmp/chattr]# touch dir_i/file

[root/tmp/chattr]# ll dir_i/
total 0
-rw-r--r-- 1 root 0 Jun 8 12:13 file
  • chattr +i dir_i
[root/tmp/chattr]# chattr +i dir_i/

[root/tmp/chattr]# lsattr -d dir_i/
----i----------- dir_i/
  • Cannot create a file
[root/tmp/chattr]# touch dir_i/file2
touch: cannot touch 'dir_i/file2': Permission denied
  • Cannot delete a file
[root/tmp/chattr]# rm dir_i/file
rm: cannot remove 'dir_i/file': Permission denied
  • The data of a file inside the directory can still be modified
[root/tmp/chattr]# date > dir_i/file
[root/tmp/chattr]# cat dir_i/file
Friday, June 8, 2018 12:17:16 UTC

3、 Practical applications

1. Pinning a manually configured DNS server

The /etc/resolv.conf file holds the list of DNS servers; a DNS server translates domain names into IP addresses.
It is usually set to the DNS server address of your ISP (Internet service provider). If you would rather use a third-party DNS server, you can edit /etc/resolv.conf and point it at the server of your choice.
But the next time you connect to your ISP, /etc/resolv.conf will revert to the previous setting. To prevent this, you can add the +i attribute to /etc/resolv.conf to make it immutable.

2. Preventing users from modifying their command history

~/.bash_history records all the commands a user has run.
Adding the +a attribute to .bash_history means content can only be appended to it; the file cannot be deleted and its contents cannot be modified. This keeps the user from editing the record of their past commands.

chattr must be used with special care. Do not abuse it, or it will cause real trouble.
For example, suppose one day on a whim you add +i to /etc/shadow, the important file holding password records. A few days later you want to add a user, and it fails again and again, which will drive you crazy!
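The two uses above, and the /etc/shadow mishap, share one discipline: apply the attribute, confirm with lsattr that it really took, and when an edit fails despite correct permissions, check the attributes before anything else. The following shell functions are an added example rather than code from the original article. They assume GNU chattr and lsattr, root privileges, and a filesystem that supports the attribute (ext2/3/4; xfs only partially); the file names in pin_resolver and append_only_history are the article's own, and HOME_DIR is the user's home directory.

```sh
# Added example (not from the original article): set or clear the i / a
# attribute on a file, verify it with lsattr, and diagnose a locked file.

# has_attr LETTER FILE: 0 if LETTER is in the lsattr flag field,
# 1 if it is not, 2 if lsattr could not read the attributes at all
has_attr() {
    out=$(lsattr -d "$2" 2>/dev/null) || return 2
    case ${out%% *} in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# set_attr +i|+a|-i|-a FILE: run chattr, then verify rather than trust it
set_attr() {
    op=$1; f=$2
    letter=${op#?}                    # "+i" -> "i"
    chattr "$op" "$f" || { echo "chattr $op failed on $f" >&2; return 1; }
    case $op in
        +*) has_attr "$letter" "$f" ;;
        -*) ! has_attr "$letter" "$f" ;;
    esac || { echo "$f does not show the expected state after chattr $op" >&2; return 1; }
}

# The article's two uses: pin the resolver config, keep a user's history
# append-only. The argument to append_only_history is HOME_DIR.
pin_resolver()        { set_attr +i /etc/resolv.conf; }
append_only_history() { set_attr +a "$1/.bash_history"; }

# explain_locked FILE: when an edit fails despite write permission, check the
# attributes before looking at modes or ownership (the /etc/shadow case above)
explain_locked() {
    if has_attr i "$1"; then
        echo "$1 is immutable (+i); clear it with: chattr -i $1"
    elif has_attr a "$1"; then
        echo "$1 is append-only (+a); clear it with: chattr -a $1"
    else
        echo "$1 carries neither i nor a; check mode, ownership and ACLs"
    fi
}
```

Two caveats a practitioner should keep in mind: +a protects the history file itself, not the shell's decision to write to it, so treat it as one layer rather than a complete audit trail; and because root can clear either attribute, explain_locked is the first thing to run when useradd or a package upgrade fails with "Operation not permitted" on a file whose permissions look right.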