1. Introduction

In Linux-based systems, user permissions and file attributes control the access to files in the file system.

In this tutorial, we’ll apply those basic concepts to make files unmodifiable. First, we’ll refresh on permissions and attributes. After that, we’ll see how to control file access with these tools.

2. Permissions

To begin with, let’s create a file and inspect its permissions:

$ echo "hello world" > permissions.txt
$ stat permissions.txt
  File: permissions.txt
  Size: 12        	Blocks: 8          IO Block: 4096   regular file
Device: 803h/2051d	Inode: 5906746     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/  naresh)   Gid: ( 1000/  naresh)
Access: 2023-02-17 22:26:43.366548920 +0530
Modify: 2023-02-17 22:26:43.366548920 +0530
Change: 2023-02-17 22:26:43.366548920 +0530
Birth: 2023-02-17 22:26:43.366548920 +0530

Firstly, we create a file, i.e., permissions.txt. Secondly, we inspect the status of the file using the stat command.

Consequently, stat prints the access permissions of the file as -rw-rw-r-- (0664). The owner, the user with Uid 1000, can read from and write to the file.

3. Attributes

Using the same file as above, we inspect its attributes:

$ lsattr -l permissions.txt 
permissions.txt     Extents

The lsattr command with the -l option prints a file's attributes using long names instead of single-character flags. In this case, it shows that our file uses the Extents feature of the file system to store its contents. This feature reduces fragmentation.

Of course, we can add more attributes to the file:

$ chattr +a permissions.txt
$ lsattr -l permissions.txt 
permissions.txt Append_Only, Extents

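For example, this chattr command sets the a (append-only) attribute, so the file can only be opened for writing in append mode. Setting or clearing this attribute requires root privileges (the CAP_LINUX_IMMUTABLE capability).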

4. User-Based File Access Control

We’ll use the chmod command to disallow the user from modifying our file:

$ chmod -w permissions.txt
$ stat permissions.txt 
  File: permissions.txt
  Size: 12        	Blocks: 8          IO Block: 4096   regular file
Device: 803h/2051d	Inode: 5906746     Links: 1
Access: (0444/-r--r--r--)  Uid: ( 1000/  naresh)   Gid: ( 1000/  naresh)
Access: 2023-02-17 22:26:43.366548920 +0530
Modify: 2023-02-17 22:26:43.366548920 +0530
Change: 2023-02-18 12:08:49.335801918 +0530
Birth: 2023-02-17 22:26:43.366548920 +0530

As shown above, the user identified by Uid 1000 should now only be able to read the file permissions.txt.

To verify, we’ll try to modify the file using the echo command:

$ echo "test" >> permissions.txt 
bash: permissions.txt: Permission denied

As we can see from the above, attempts by the user to modify the file contents result in a Permission denied error.

5. Attribute-Based File Access Control

To apply attribute-based protection, we’ll use the chattr command to prevent the file from being deleted or modified:

$ chattr +i permissions.txt 
$ lsattr -l permissions.txt 
permissions.txt              Immutable, Extents

First, we use the chattr command with the +i option to set the immutable attribute on the file.

Now, we’ll attempt to modify the file:

$ echo "hello" >> permissions.txt 
bash: permissions.txt: Operation not permitted 

In this case, we observe the error message Operation not permitted on trying to append to the file.

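This implies that the enforcement of the policy is independent of the user: the immutable attribute blocks the write for every user, including root, and the kernel reports Operation not permitted (EPERM). When the policy is enforced per user through the permission bits, the error message is Permission denied (EACCES), as before.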
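
As an added example (not part of the original tutorial), the shell functions below report which of the two mechanisms covered here restricts writes to a file: the permission bits from stat, or the i and a attributes from lsattr. The names write_guards, file_guards and demo and the sample rows are constructed for illustration; the code assumes GNU stat and the short lsattr flag format.

```shell
#!/bin/sh
# Added example: report which write protections from this tutorial apply to a file.

# write_guards MODE FLAGS
#   MODE  - octal permission bits as printed by `stat -c %a`, e.g. 444
#   FLAGS - flag column of short-format lsattr output, e.g. ----i---------e-------
# Prints a comma-separated subset of: immutable, append-only, no-write-bits,
# or "none" when nothing restricts writes. Runs in a subshell, so variables stay local.
write_guards() (
    mode=$1 flags=$2 out=
    # Lowercase i and a are the immutable and append-only flags (case is significant).
    case "$flags" in *i*) out=immutable ;; esac
    case "$flags" in *a*) out=${out:+$out,}append-only ;; esac
    # 0222 masks the write bit for user, group and other.
    if [ $(( 0$mode & 0222 )) -eq 0 ]; then
        out=${out:+$out,}no-write-bits
    fi
    echo "${out:-none}"
)

# file_guards FILE - the same report for a real file. If lsattr is missing or the
# file system does not support attributes, the flag column is treated as empty.
file_guards() (
    mode=$(stat -c %a -- "$1") || exit 1
    flags=$(lsattr -d -- "$1" 2>/dev/null | awk '{ print $1; exit }')
    write_guards "$mode" "$flags"
)

# Constructed rows modelled on the tutorial's file states: MODE FLAGS LABEL
demo() {
    while read -r mode flags label; do
        printf '%-22s %s\n' "$label" "$(write_guards "$mode" "$flags")"
    done <<'EOF'
664 --------------e------- fresh-file
664 -----a--------e------- after-chattr-a
444 --------------e------- after-chmod-w
444 ----i---------e------- after-chattr-i
EOF
}

demo
```

When a file reports both immutable and no-write-bits, as permissions.txt does at the end of section 5, the write attempt fails with Operation not permitted, which is the error shown above.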

6. Conclusion

In this article, we discussed two ways to prevent the modification of a file.

Firstly, we changed the permissions of the file, to prevent a specific user from modifying the file. Secondly, we switched the attributes of the file, to disallow write or delete operations. Finally, we also verified the behavior of the commands by inspecting the attributes of the file and trying to apply modifications.
