These two commands are used to view and change the attributes of files and directories. Compared with chmod, which only changes a file's read, write and execute permissions, the lower-level attribute controls are changed by chattr.
Usage of chattr: chattr [ -RVf ] [ -v version ] [ mode ] files…
The key part is [mode], which is built from +, -, = combined with the characters [ASacDdIijsTtu]; this part controls the file's attributes.
(Note: the parameters listed in the command's help output do not fully match these; see the figure below. The result shown there is clearly not the complete set of attributes either.)
+ : add the given attributes to the existing setting.
- : remove the given attributes from the existing setting.
= : set the attributes to exactly the given ones.
A: the atime (access time) of the file or directory is not modified; this can help avoid, for example, disk I/O problems on laptops.
S: disk I/O synchronization option, similar in function to sync.
a: append; once set, data can only be appended to the file and cannot be deleted. Mostly used for server log file security; only root can set this attribute.
c: compressed; sets whether the file is compressed before being stored. Reading it requires automatic decompression.
d: no dump; the file cannot be a backup target of the dump program.
i: the file cannot be deleted, renamed or linked to, and no content can be written or appended. The i attribute is very helpful for file system security settings.
j: journal; with this attribute, on a file system mounted with data=ordered or data=writeback, the file's data is first recorded in the journal when written. If the file system is mounted with data=journal, this attribute has no effect.
s: secure deletion of the file or directory, i.e. the disk space is fully reclaimed.
u: the opposite of s; when u is set, the data content actually still exists on disk and can be used for undeletion.
The most commonly used options are a and i. The a option forces append-only, no deletion, and is mostly used to secure logging systems. i is a stricter security setting; only the superuser (root) or a process possessing the CAP_LINUX_IMMUTABLE capability can apply it.
Application examples:
1. Use chattr to prevent a critical system file from being modified: # chattr +i /etc/resolv.conf
Afterwards, operations such as mv /etc/resolv.conf on the file all result in Operation not permitted. Editing the file with vim shows the error W10: Warning: Changing a readonly file. To modify the file again, remove the i attribute: chattr -i /etc/resolv.conf
# lsattr /etc/resolv.conf
shows the following attributes: ----i-------- /etc/resolv.conf
2. Make a file append-only, so data can only be added and not deleted, which suits all kinds of log files: # chattr +a /var/log/messages
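As an added example (not part of the original post), the following POSIX shell helper reads lsattr output, for instance from lsattr -R /etc, and reports each entry carrying the i or a attribute discussed above, so an administrator can confirm that protections like those on /etc/resolv.conf and /var/log/messages are in place and notice any flagged file that was not protected deliberately. The sample lsattr lines embedded in it are constructed, and their flag field uses the 16-character width of current lsattr releases rather than the 13-character field shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post: audit helper that reads lsattr(1)
# output and reports entries whose flag field contains 'i' (immutable) or
# 'a' (append-only), the two attributes the article applies to
# /etc/resolv.conf and /var/log/messages.

# parse_attrs : stdin = lsattr output, stdout = "<attribute> <path>" per
# flagged entry. "lsattr -R" also prints directory headers ("/etc:") and blank
# lines; they are skipped because their first field is not a flag string.
parse_attrs() {
    awk '
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
            flags = $1
            path = $0
            sub(/^[^ ]+ +/, "", path)          # drop the flag field, keep the path
            imm = index(flags, "i") > 0
            app = index(flags, "a") > 0
            if (imm && app) print "immutable+append-only " path
            else if (imm)   print "immutable " path
            else if (app)   print "append-only " path
        }'
}

# attr_of FLAGS : classify a single flag field, e.g. "----i--------e--";
# prints "immutable", "append-only", "immutable+append-only" or nothing.
attr_of() {
    printf '%s\n' "$1 x" | parse_attrs | awk '{print $1}'
}

# audit_dir DIR : run the check against a live directory tree (needs lsattr
# from e2fsprogs and an ext2/3/4 file system).
audit_dir() {
    lsattr -R "$1" 2>/dev/null | parse_attrs
}

# Constructed sample of "lsattr -R" output (not captured from a real host) so
# the parser can be exercised without root or an ext4 volume. The flag field
# uses the 16-character width of current lsattr releases.
SAMPLE_LSATTR='----i--------e-- /etc/resolv.conf
-----a-------e-- /var/log/messages
-------------e-- /etc/hostname

/etc/apt:
-------------e-- /etc/apt/sources.list'
demo_audit() {
    printf '%s\n' "$SAMPLE_LSATTR" | parse_attrs
}

demo_audit
```

Run audit_dir /etc (or any tree you protect) as root to list the real flags; an i or a you did not set yourself deserves a closer look.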
---------------------------------The following is another version of the introduction to this command---------------------------------
Linux lsattr command: display file attributes. Introduction:
File attributes play an important role in the security management of a file system; on Linux, the lsattr command is used to view file attribute information.
Syntax:
lsattr [-adRvV] [file or directory...]
Options:
-a: show all files and directories, including hidden files;
-d: show directory names rather than their contents;
-R: process recursively, handling all files and subdirectories under the given directory;
-v: show the version of the file or directory;
-V: show version information;
Example:
$ chattr +ai text
$ lsattr
----ia------- text
Further reading:
The chattr command is used to modify file attributes; chattr requires root privileges.
File attributes:
a: append only; the system only allows data to be appended to this file and does not allow any process to overwrite or truncate it. If a directory has this attribute, the system only allows files to be created and modified under it, not deleted.
c: compressed; the system compresses this file transparently. Reads return decompressed data; writes are compressed before being written to disk.
d: no dump; the dump program ignores this file when backing up the file system.
i: immutable; the system does not allow any modification of this file. If a directory has this attribute, processes may only modify files under it, not create or delete files.
j: data journalling; if a file has this attribute, all of its data is written to the ext3 file system journal before being written to the file itself, provided the file system was mounted with the "data=ordered" or "data=writeback" option. When the file system is mounted with "data=journal", all file data is already journalled, so this attribute has no effect. Only the superuser or a process with the CAP_SYS_RESOURCE capability can set or clear this attribute.
s: secure deletion; when this file is deleted, the system fills its blocks with zeros.
t: no tail-merging; the file's tail is not merged into partial block fragments with other files (for file systems that support tail-merging).
u: undeletable; when an application requests deletion of this file, the system keeps its data blocks so the file can be undeleted later.
A: no atime updates; tells the system not to update this file's last access time.
D: synchronous directory updates; any change is written synchronously to disk; this is equivalent to the dirsync option of the mount command.
S: synchronous updates; as soon as an application writes to this file, the system writes the change to disk immediately.
T: top of directory hierarchy; if a directory has this attribute, it is treated as the top of the directory hierarchy.
--------The following is the man chattr description; attributes not mentioned above can be found here, such as the e attribute--------
DESCRIPTION
chattr changes the file attributes on a Linux file system.
The format of a symbolic mode is +-=[acdeijstuADST].
ATTRIBUTES
When a file with the 'A' attribute set is accessed, its atime record is
not modified. This avoids a certain amount of disk I/O for laptop systems.

writing. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

disk by the kernel. A read from this file returns uncompressed data.
A write to this file compresses data before storing them on the disk.
Note: please make sure to read the bugs and limitations section at the
end of this document.

are written synchronously on the disk; this is equivalent to the
'dirsync' mount option applied to a subset of the files.

dump(8) program is run.

indicate that a compressed file has a compression error. It may not be
set or reset using chattr(1), although it can be displayed by
lsattr(1).

the blocks on disk. It may not be removed using chattr(1).

tory is being indexed using hashed trees. It may not be set or reset
using chattr(1), although it can be displayed by lsattr(1).

the filesystem blocksize instead of in units of sectors, and means that
the file is (or at one time was) larger than 2TB. It may not be set or
reset using chattr(1), although it can be displayed by lsattr(1).

or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

journal before being written to the file itself, if the filesystem is
mounted with the "data=ordered" or "data=writeback" options. When the
filesystem is mounted with the "data=journal" option all file data is
already journalled and this attribute has no effect. Only the superuser
or a process possessing the CAP_SYS_RESOURCE capability can set
or clear this attribute.

zeroed and written back to the disk. Note: please make sure to read
the bugs and limitations section at the end of this document.

written synchronously on the disk; this is equivalent to the 'sync'
mount option applied to a subset of the files.

directory hierarchies for the purposes of the Orlov block allocator.
This is a hint to the block allocator used by ext3 and ext4 that the
subdirectories under this directory are not related, and thus should be
spread apart for allocation purposes. For example it is a very good
idea to set the 'T' attribute on the /home directory, so that
/home/john and /home/mary are placed into separate block groups. For
directories where this attribute is not set, the Orlov block allocator
will try to group subdirectories closer together where possible.

the end of the file merged with other files (for those filesystems
which support tail-merging). This is necessary for applications such
as LILO which read the filesystem directly, and which don't understand
tail-merged files. Note: As of this writing, the ext2 or ext3
filesystems do not (yet, except in very experimental patches) support
tail-merging.

saved. This allows the user to ask for its undeletion. Note: please
make sure to read the bugs and limitations section at the end of this
document.

indicate that a raw contents of a compressed file can be accessed
directly. It currently may not be set or reset using chattr(1),
although it can be displayed by lsattr(1).

indicate a compressed file is dirty. It may not be set or reset using
chattr(1), although it can be displayed by lsattr(1).
AUTHOR
chattr was written by Remy Card <Remy.Card@linux.org>. It is currently
being maintained by Theodore Ts'o <tytso@alum.mit.edu>.
BUGS AND LIMITATIONS
The 'c', 's', and 'u' attributes are not honored by the ext2 and ext3
filesystems as implemented in the current mainline Linux kernels.
These attributes may be implemented in future versions of the ext2 and
ext3 filesystems.
AVAILABILITY
chattr is part of the e2fsprogs package and is available from
http://e2fsprogs.sourceforge.net.