I’m gonna start by saying we have all heard of these sudo rm -rf / horror stories on the Internet. There are a bunch of ways we could protect our servers from such accidents, which might be writing about in a near future, so let’s keep things short and clear. Today, we are going to find out how to initially protect files from being deleted.
Prerequisites
- Access to Linux bash environment
Protect files
Step 1. Open a terminal console, and let’s create a test file:
$ touch importantdontdelete.txt
Step 2. List the permissions and the attributes on this file:
$ ls importantdontdelete.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Sep 21 17:00 importantdontdelete.txt
$ lsattr
---------------- importantdontdelete.txt
Note: The file has the default 644 permissions, and running lsattr will display the file attributes. There are 15 of them including:
- a - append only.
- c - compress the file.
- d - no file dumping.
- e - extend format.
- i - immutable, which we’ll be using it in the following steps.
- j - data journaling stuff.
- s - secure delete the file if supported.
- t - prevents tail merging.
- u - undeletion feature.
- A - no access time updates.
- C - disable copy on write.
- D - write synchronous directory updates.
- S - write synchronous updates.
- T - related to top of directory hierarchy.
Step 3. Now, we are going to use the command line utility called chattr (change attribute), to make this file immutable:
$ sudo chattr +i importantdontdelete.txt
Step 4. List the file attributes again:
$ lsattr importantdontdelete.txt
----i----------- importantdontdelete.txt
Note: Notice the i flag.
Step 5. Try to remove, move or update the file:
$ sudo rm importantdontdelete.txt
rm: cannot remove ‘importantdontdelete.txt’: Operation not permitted
$ sudo mv importantdontdelete.txt notsoimportant.txt
mv: cannot move ‘importantdontdelete.txt’ to ‘notsoimportant.txt’: Operation not permitted
$ sudo echo "add sample test" >> importantdontdelete.txt
-bash: importantdontdelete.txt: Operation not permitted
Step 6. Remove the immutable flag and list file attributes again:
$ sudo chattr -i importantdontdelete.txt
$ lsattr importantdontdelete.txt
---------------- ./importantdontdelete.txt
Note: The i flag is gone.
Step 7. Now you can remove the file:
$ rm importantdontdelete.txt
Protect directories
Step 1. First, let’s create a directory with test files:
$ mkdir sampledir
$ touch sampledir/{test1,test,test3}.txt
Step 2. Next, list the files and files attributes:
$ ls -lah sampledir/
total 0
drwxrwxr-x 2 ec2-user ec2-user 57 Sep 22 11:12 .
drwx------ 4 ec2-user ec2-user 112 Sep 22 11:11 ..
-rw-rw-r-- 1 ec2-user ec2-user 0 Sep 22 11:12 test1.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Sep 22 11:12 test2.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Sep 22 11:12 test3.txt
$ lsattrs sampledir/
---------------- sampledir/test1.txt
---------------- sampledir/test2.txt
---------------- sampledir/test3.txt
Step 3. Let’s add the immutable flag, but this time for directories:
$ sudo chattr -R +i sampledir/
Step 4. List the file attributes under sampledir again:
$ lsattrs sampledir/
----i----------- sampledir/test1.txt
----i----------- sampledir/test2.txt
----i----------- sampledir/test3.txt
Step 5. Try to remove the directory:
$ rm -r sampledir/
rm: cannot remove ‘sampledir/’: Operation not permitted
Site 6. Remove the immutable flag:
$ sudo chattr -R -i sampledir/
Step 7. Remove the directory recursively:
$ rm -r sampledir/
There are plenty of ways you could mess around with chattr, for example adding flag a if you want to append information only.
Conclusion
Protecting files with chattr would probably be the first line of defense against accidental sudo rm -rf / executions and more imporantly, protecting against ransomware.
Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on telegram.
