Marking files so that the root user cannot change them

I was having a discussion with one of the SysAdmins at work yesterday and we were talking about a system we use called Puppet. I wanted to know if there was a way of making changes to one of the files currently under the control of Puppet for testing purposes without stopping the Puppet daemon. He pointed me in the direction of the chattr and lsattr binaries.

These binaries let you mark any file on the machine as immutable (chattr) or list its immutable status (lsattr). Once a file is immutable, not even root can delete or modify it without first removing the immutable flag.
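The workflow described above, as an added example that is not part of the original post: the comments show setting, listing and clearing the flag, and the helper audits `lsattr` output for files that were left immutable after testing. The path `/etc/example.conf`, the function names `list_immutable` and `sample_lsattr_output`, and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Session sketch (needs root and a filesystem with attribute support such as
# ext4; /etc/example.conf is a placeholder path):
#   chattr +i /etc/example.conf   # set the immutable flag
#   lsattr /etc/example.conf      # flag field now contains 'i'
#   chattr -i /etc/example.conf   # clear it when testing is finished

# list_immutable (hypothetical helper): read `lsattr` or `lsattr -R` output
# on stdin and print the path of every entry whose flag field contains 'i'.
list_immutable() {
    while IFS= read -r line; do
        case "$line" in
            ''|lsattr:*) continue ;;          # blank separators, error lines
        esac
        flags=${line%% *}                     # text before the first space
        path=${line#* }                       # remainder; may contain spaces
        if [ "$flags" = "$line" ]; then       # no space: "dir:" header from -R
            continue
        fi
        case "$flags" in
            *[!A-Za-z-]*) ;;                  # not a flag field (e.g. "./a b:")
            *i*) printf '%s\n' "$path" ;;     # lowercase i = immutable
        esac
    done
}

# Constructed sample of `lsattr -R` output, embedded so this runs offline.
sample_lsattr_output() {
    cat <<'EOF'
--------------e------- ./motd
----i---------e------- ./example.conf
-------------I-e------- ./conf d

./conf d:
-----a--------e------- ./conf d/app.log
----i---------e------- ./conf d/my file.cfg
lsattr: Operation not supported While reading flags on ./null
EOF
}

# Real use: lsattr -R /etc 2>/dev/null | list_immutable
sample_lsattr_output | list_immutable
```

Running the audit after a test session catches a forgotten flag before it silently blocks Puppet from managing the file again. File names containing newlines are not handled by this line-based parser.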
