mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-23 21:20:42 +08:00
[Translated] 20150123 How to make a file immutable on Linux.md
This commit is contained in:
Gore Liu
parent
4ab97cd2e6
commit
f240551dc0
@ -1,74 +0,0 @@
|
||||
Translating by goreliu ...
|
||||
|
||||
How to make a file immutable on Linux
|
||||
================================================================================
|
||||
Suppose you want to write-protect some important files on Linux, so that they cannot be deleted or tampered with by accident or otherwise. In other cases, you may want to prevent certain configuration files from being overwritten automatically by software. While changing their ownership or permission bits on the files by using chown or chmod is one way to deal with this situation, this is not a perfect solution as it cannot prevent any action done with root privilege. That is when chattr comes in handy.
|
||||
|
||||
chattr is a Linux command which allows one to set or unset attributes on a file, which are separate from the standard (read, write, execute) file permission. A related command is lsattr which shows which attributes are set on a file. While file attributes managed by chattr and lsattr are originally supported by EXT file systems (EXT2/3/4) only, this feature is now available on many other native Linux file systems such as XFS, Btrfs, ReiserFS, etc.
|
||||
|
||||
In this tutorial, I am going to demonstrate how to use chattr to make files immutable on Linux.
|
||||
|
||||
chattr and lsattr commands are a part of e2fsprogs package which comes pre-installed on all modern Linux distributions.
|
||||
|
||||
Basic syntax of chattr is as follows.
|
||||
|
||||
$ chattr [-RVf] [operator][attribute(s)] files...
|
||||
|
||||
The operator can be '+' (which adds selected attributes to attribute list), '-' (which removes selected attributes from attribute list), or '=' (which forces selected attributes only).
|
||||
|
||||
Some of available attributes are the following.
|
||||
|
||||
- **a**: can be opened in append mode only.
|
||||
- **A**: do not update atime (file access time).
|
||||
- **c**: automatically compressed when written to disk.
|
||||
- **C**: turn off copy-on-write.
|
||||
- **i**: set immutable.
|
||||
- **s**: securely deleted with automatic zeroing.
|
||||
|
||||
### Immutable Attribute ###
|
||||
|
||||
To make a file immutable, you can add "immutable" attribute to the file as follows. For example, to write-protect /etc/passwd file:
|
||||
|
||||
$ sudo chattr +i /etc/passwd
|
||||
|
||||
Note that you must use root privilege to set or unset "immutable" attribute on a file. Now verify that "immutable" attribute is added to the file successfully.
|
||||
|
||||
$ lsattr /etc/passwd
|
||||
|
||||
Once the file is set immutable, this file is impervious to change for any user. Even the root cannot modify, remove, overwrite, move or rename the file. You will need to unset the immutable attribute before you can tamper with the file again.
|
||||
|
||||
To unset the immutable attribute, use the following command:
|
||||
|
||||
$ sudo chattr -i /etc/passwd
|
||||
|
||||
|
||||
|
||||
If you want to make a whole directory (e.g., /etc) including all its content immutable at once recursively, use "-R" option:
|
||||
|
||||
$ sudo chattr -R +i /etc
|
||||
|
||||
### Append Only Attribute ###
|
||||
|
||||
Another useful attribute is "append-only" attribute which forces a file to grow only. You cannot overwrite or delete a file with "append-only" attribute set. This attribute can be useful when you want to prevent a log file from being cleared by accident.
|
||||
|
||||
Similar to immutable attribute, you can turn a file into "append-only" mode by:
|
||||
|
||||
$ sudo chattr +a /var/log/syslog
|
||||
|
||||
Note that when you copy an immutable or append-only file to another file, those attributes will not be preserved on the newly created file.
|
||||
|
||||
### Conclusion ###
|
||||
|
||||
In this tutorial, I showed how to use chattr and lsattr commands to manage additional file attributes to prevent (accidental or otherwise) file tampering. Beware that you cannot rely on chattr as a security measure as one can easily undo immutability. One possible way to address this limitation is to restrict the availability of chattr command itself, or drop kernel capability CAP_LINUX_IMMUTABLE. For more details on chattr and available attributes, refer to its man page.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://xmodulo.com/make-file-immutable-linux.html
|
||||
|
||||
作者:[Dan Nanni][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://xmodulo.com/author/nanni
|
||||
73
translated/tech/20150123 How to make a file immutable on Linux.md
Executable file
73
translated/tech/20150123 How to make a file immutable on Linux.md
Executable file
@ -0,0 +1,73 @@
|
||||
如何在Linux下创建一个不可变更的文件
|
||||
================================================================================
|
||||
|
||||
假如你想对Linux中的一些重要文件做写保护,这样它们就不能被删除或者被篡改成之前的版本或者其他东西。或者在其他情况,你可能想避免某些配置文件被软件自动修改。使用`chown`和`chmod`命令修改文件的归属关系或者权限位是处理这种情况的一个解决方法,但这并不完美,因为这样无法避免有root权限的操作。这时`chattr`就派上用场了。
|
||||
|
||||
`chattr`是一个可以设置或取消文件的标志位的Linux命令,它和标准的文件权限(读、写、执行)是分离的。与此相关的另一个命令是`lsattr`,它可以显示文件的哪些标志位被设置上了。最初只有EXT文件系统(EXT2/3/4)支持`chattr`和`lsattr`所管理的标志位,但现在很多其他的本地Linux文件系统都支持了,比如XFS、Btrfs、ReiserFS等等。
|
||||
|
||||
在这个教程中,我会示范如果使用`chattr`来让Linux中的文件不可变更。
|
||||
|
||||
`chattr`和`lsattr`命令是e2fsprogs包的一部分,它在所有现代Linux发行版都预装了。
|
||||
|
||||
下面是`chattr`的基本语法。
|
||||
|
||||
$ chattr [-RVf] [操作符][标志位] 文件...
|
||||
|
||||
其中操作符可以是“+”(把选定的标志位添加到标志位列表)、“-”(从标志位列表中移除选定的标志位)、或者“=”(强制使用选定的标志位)。
|
||||
|
||||
下面是一些可用的标志位。
|
||||
|
||||
- **a**: 只能以追加模式打开。
|
||||
- **A**: 不能更新atime(文件访问时间)。
|
||||
- **c**: 当被写入磁盘时被自动压缩。
|
||||
- **C**: 关掉“写时复制”。
|
||||
- **i**: 不可变更。
|
||||
- **s**: 通过自动归零来安全删除。(译注:一般情况文件被删后内容不会被修改,改标志位会使得文件被删后原有内容被0取代)
|
||||
|
||||
### “不可变更”标志位 ###
|
||||
|
||||
为了让一个文件不可变更,你需要按照如下方法为这个文件添加“不可变更”标志位。例如,对/etc/passwd文件做写保护:
|
||||
|
||||
$ sudo chattr +i /etc/passwd
|
||||
|
||||
注意设置或取消一个文件的“不可变更”标志位是需要根用户权限的。现在检查该文件“不可变更”标志位是否被添加上了。
|
||||
|
||||
$ lsattr /etc/passwd
|
||||
|
||||
一旦文件被设置为不可变更,任何用户都将无法修改该文件。即使是根用户也不可以修改、删除、覆盖、移动或者重命名这个文件。如果你想再次修改这个文件,需要先把“不可变更”标志位取消了。
|
||||
|
||||
用如下命令取消“不可变更”标志位:
|
||||
|
||||
$ sudo chattr -i /etc/passwd
|
||||
|
||||
|
||||
|
||||
如果你想让一个目录(比如/etc)连同它下边的所有内容不可变更,使用“-R”选项:
|
||||
|
||||
$ sudo chattr -R +i /etc
|
||||
|
||||
### “只可追加”标志位 ###
|
||||
|
||||
另一个有用的的标志位是“只可追加”,它只允许文件内容被追加的方式修改。你不能覆盖或者删除一个设置了“只可追加”标志位的文件。这个标志位在你想避免日志文件被意外清理掉的情况很有用。
|
||||
|
||||
和“不可变更”标志位类似,你可以使用如下命令让文件变成“只可追加”模式:
|
||||
|
||||
$ sudo chattr +a /var/log/syslog
|
||||
|
||||
注意当你复制一个“不可变更”或者“只可追加”的文件到其他地方后,新文件不会保留这些标志位。
|
||||
|
||||
### 结论 ###
|
||||
|
||||
在这个教程中,我展示了如何使用`chattr`和`lsattr`命令来管理额外的文件标志位,来避免文件被篡改(意外或者其他情况)的方法。注意你不能将`chattr`作为一个安全措施,因为“不可变更”标志位可以很容易被取消掉。解决这个问题的一个可能的方式是限制`chattr`命令自身的可用性,或者剥夺CAP_LINUX_IMMUTABLE内核权能标志。关于`chattr`以及可用的标志位的更多细节,请参考它的man手册。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://xmodulo.com/make-file-immutable-linux.html
|
||||
|
||||
作者:[Dan Nanni][a]
|
||||
译者:[goreliu](https://github.com/goreliu)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://xmodulo.com/author/nanni
|
||||
Loading…
Reference in New Issue
Block a user