Marking files so that the root user cannot change them

I was having a discussion with one of the SysAdmins at work yesterday and we were talking about a system we use called Puppet. I wanted to know if there was a way of making changes to one of the files currently under the control of Puppet for testing purposes without stopping the Puppet daemon. He pointed me in the direction of the chattr and lsattr binaries.

These binaries allow you to mark a file as immutable (chattr) or list its file attributes, including the immutable flag (lsattr). While a file is immutable, not even root can write to, delete, rename or hard-link it until the flag is removed first. The flag is stored as a filesystem attribute, so the filesystem has to support it (ext2/3/4, XFS and Btrfs do).

To make a file immutable:

chattr +i /path/to/filename

Note: setting or clearing the immutable flag requires the CAP_LINUX_IMMUTABLE capability, which in practice means running chattr as root. The +i option sets the immutable bit on the file. Once set, the file can be neither changed nor deleted, so if you later decide that you want to change or delete it you first need to remove the immutable flag.

To remove the immutable flag:

chattr -i /path/to/filename

You can check whether the immutable flag is set on a file with lsattr:

lsattr /path/to/filename
----i--------  /path/to/filename

If the immutable flag is set on a file, lsattr shows an ‘i’ in the attribute field of its output. Using the immutable flag means that you can prevent the accidental change or deletion of a critical file, or stop Puppet in my case from undoing changes I want to test. Bear in mind that this protects against accidents and automation, not against a hostile root: anyone with root can run chattr -i first. For the same reason the flag is a favourite for persistence, so a file that root cannot delete is worth a look with lsattr.
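As an added example (not code from the original post), the script below wraps the chattr/lsattr procedure above into a few shell helpers: a parser for lsattr output that reports whether the ‘i’ flag is present, a triage helper that lists every immutable file under a directory, and a demo of the full +i / failed write / -i cycle that only runs when invoked as root on a filesystem that supports the flag. It assumes the lsattr output layout "<attribute field> <path>" and that "lsattr -R" prints a "<directory>:" header line before each directory's entries; the paths mentioned in comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around chattr/lsattr.
# Assumes lsattr prints "<attribute field> <path>" per file and that
# "lsattr -R" precedes each directory's entries with a "<dir>:" header line.
set -u

# True when an lsattr output line carries the immutable flag ('i').
# Only the attribute field (text before the first space) is inspected, so a
# path that happens to contain an 'i' does not cause a false positive.
is_immutable_line() {
    attrs=${1%% *}
    case $attrs in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check one file on disk. Exit status: 0 immutable, 1 not immutable,
# 2 lsattr failed (unsupported filesystem, missing file, lsattr not installed).
is_immutable() {
    line=$(lsattr -d -- "$1" 2>/dev/null) || return 2
    is_immutable_line "$line"
}

# Read "lsattr -R" style output on stdin and print only the immutable paths.
immutable_paths() {
    while IFS= read -r line; do
        case $line in
            ''|*:) continue ;;          # blank separators and "<dir>:" headers
        esac
        if is_immutable_line "$line"; then
            printf '%s\n' "${line#* }"
        fi
    done
}

# Triage helper: list every immutable file under a directory tree,
# e.g. find_immutable /etc when something refuses to be deleted as root.
find_immutable() {
    lsattr -R -- "$1" 2>/dev/null | immutable_paths
}

# Full cycle on a scratch file. Needs root (CAP_LINUX_IMMUTABLE) and a
# filesystem that supports the flag (ext4, XFS, Btrfs; tmpfs generally not).
demo_immutable() {
    f=$1
    printf 'original\n' > "$f" || return 1
    chattr +i "$f" || return 1
    is_immutable "$f" || return 1
    # Both must fail while the flag is set, even though we are root.
    ! { printf 'changed\n' >> "$f"; } 2>/dev/null || return 1
    ! rm -f "$f" 2>/dev/null || return 1
    # Clearing the flag is the only way back, which is why it protects
    # against accidents and automation rather than against a hostile root.
    chattr -i "$f" || return 1
    rm -f "$f"
}

# Run the demo only when called as root with a scratch path, e.g.
#   sudo sh immutable.sh /var/tmp/immutable-test
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    demo_immutable "$1" && echo "immutable flag behaved as expected on $1"
fi
```

The parser looks only at the attribute field, so the lowercase ‘i’ of the immutable flag is not confused with the uppercase ‘I’ (indexed directory) or with letters in the path itself. The "<dir>:" skip also drops a regular file whose name ends in a colon, which is acceptable for a quick triage sweep.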
