
Protect files from being deleted in Linux

Sep 22, 2021 · 4 mins read

I’m gonna start by saying we have all heard of these sudo rm -rf / horror stories on the Internet. There are a bunch of ways we could protect our servers from such accidents, which I might write about in the near future, so let’s keep things short and clear. Today, we are going to find out how to protect files from being deleted, as a first measure.

Prerequisites

  • Access to Linux bash environment

Protect files

Step 1. Open a terminal console, and let’s create a test file:

$ touch importantdontdelete.txt

Step 2. List the permissions and the attributes on this file:

$ ls -l importantdontdelete.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Sep 21 17:00 importantdontdelete.txt

$ lsattr
---------------- importantdontdelete.txt

Note: The file has the default 644 permissions, and running lsattr will display the file attributes. There are 15 of them including:

  • a - append only.
  • c - compress the file.
  • d - no file dumping.
  • e - extent format.
  • i - immutable, which we’ll be using in the following steps.
  • j - data journaling stuff.
  • s - secure delete the file if supported.
  • t - prevents tail merging.
  • u - undeletion feature.
  • A - no access time updates.
  • C - disable copy on write.
  • D - write synchronous directory updates.
  • S - write synchronous updates.
  • T - related to top of directory hierarchy.

Step 3. Now, we are going to use the command line utility called chattr (change attribute), to make this file immutable:

$ sudo chattr +i importantdontdelete.txt

Step 4. List the file attributes again:

$ lsattr importantdontdelete.txt
----i----------- importantdontdelete.txt

Note: Notice the i flag.

Step 5. Try to remove, move or update the file:

$ sudo rm importantdontdelete.txt
rm: cannot remove ‘importantdontdelete.txt’: Operation not permitted

$ sudo mv importantdontdelete.txt notsoimportant.txt
mv: cannot move ‘importantdontdelete.txt’ to ‘notsoimportant.txt’: Operation not permitted

$ sudo echo "add sample test" >> importantdontdelete.txt 
-bash: importantdontdelete.txt: Operation not permitted

Step 6. Remove the immutable flag and list file attributes again:

$ sudo chattr -i importantdontdelete.txt
$ lsattr importantdontdelete.txt
---------------- ./importantdontdelete.txt

Note: The i flag is gone.

Step 7. Now you can remove the file:

$ rm importantdontdelete.txt

Protect directories

Step 1. First, let’s create a directory with test files:

$ mkdir sampledir
$ touch sampledir/{test1,test2,test3}.txt

Step 2. Next, list the files and file attributes:

$ ls -lah sampledir/
total 0
drwxrwxr-x 2 ec2-user ec2-user  57 Sep 22 11:12 .
drwx------ 4 ec2-user ec2-user 112 Sep 22 11:11 ..
-rw-rw-r-- 1 ec2-user ec2-user   0 Sep 22 11:12 test1.txt
-rw-rw-r-- 1 ec2-user ec2-user   0 Sep 22 11:12 test2.txt
-rw-rw-r-- 1 ec2-user ec2-user   0 Sep 22 11:12 test3.txt

$ lsattr sampledir/
---------------- sampledir/test1.txt
---------------- sampledir/test2.txt
---------------- sampledir/test3.txt

Step 3. Let’s add the immutable flag, but this time for directories:

$ sudo chattr -R +i sampledir/

Step 4. List the file attributes under sampledir again:

$ lsattr sampledir/
----i----------- sampledir/test1.txt
----i----------- sampledir/test2.txt
----i----------- sampledir/test3.txt

Step 5. Try to remove the directory:

$ rm -r sampledir/
rm: cannot remove ‘sampledir/’: Operation not permitted

Step 6. Remove the immutable flag:

$ sudo chattr -R -i sampledir/

Step 7. Remove the directory recursively:

$ rm -r sampledir/

There are plenty of other ways to use chattr, for example adding the a flag if you want a file to accept appended data only.
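
To confirm that a flag is really set on every entry of a tree, the lsattr output shown in the steps above can be filtered for paths that lack it. The script below is an added example, not part of the original post; it works for any flag (i, a, ...), and the function names missing_flag and sample_listing, as well as the sample listing, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the paths in `lsattr`
# output that do NOT carry a given attribute flag, e.g. i or a.

# missing_flag FLAG: reads lsattr-format lines ("<attributes> <path>") on
# stdin, prints each path whose attribute field lacks FLAG, and returns 1
# if any such path was found, 0 otherwise.
missing_flag() {
    flag=$1
    missing=0
    while IFS= read -r line; do
        case $line in
            ''|*:) continue ;;          # blank lines and "dir:" headers of lsattr -R
        esac
        attrs=${line%% *}               # field before the first space
        path=${line#* }                 # everything after it (may contain spaces)
        [ "$attrs" = "$line" ] && continue   # no path field: not an entry
        case $attrs in
            *[!A-Za-z-]*) continue ;;   # first field is not an attribute string
            *"$flag"*) ;;               # flag is set
            *) printf '%s\n' "$path"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample in `lsattr -R` format (hypothetical files).
sample_listing() {
    cat <<'EOF'
----i----------- sampledir/test1.txt
---------------- sampledir/test2.txt
----ia---------- sampledir/my notes.txt
----i----------- sampledir/sub

sampledir/sub:
-----a---------- sampledir/sub/app.log
EOF
}

# Prints sampledir/test2.txt and sampledir/sub/app.log, which are not immutable.
# On a real tree: lsattr -R sampledir/ | missing_flag i
sample_listing | missing_flag i || echo "the paths above lack the i flag"
```

Because the function returns a non-zero status when anything is unprotected, it can be run from cron or a monitoring check to notice when the flag has been removed from a file that should have it.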

Conclusion

Protecting files with chattr would probably be the first line of defense against accidental sudo rm -rf / executions and, more importantly, against ransomware.