Protect files from being deleted in Linux

Sep 22, 2021 · 4 mins read

I’m going to start by saying we have all heard the sudo rm -rf / horror stories on the Internet. There are a bunch of ways to protect our servers from such accidents, which we might write about in the near future, so let’s keep things short and clear. Today, we are going to find out how to give files a first layer of protection against deletion.

Prerequisites

  • Linux bash environment
  • sudo privileges

Protect files

Step 1. Open Terminal and create a test file.

touch importantdontdelete.txt

Step 2. List the permissions and the attributes on this file.

$ ls -l importantdontdelete.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Sep 21 17:00 importantdontdelete.txt

$ lsattr
---------------- importantdontdelete.txt

Note(s): The file has the default 644 permissions, and running lsattr will display the file attributes. There are 15 of them including:

  • a: Append only.
  • c: Compresses the file.
  • d: No file dumping.
  • e: Extend format.
  • i: Immutable, which we’ll be using in the following steps.
  • j: Data journaling stuff.
  • s: Secure delete the file if supported.
  • t: Prevents tail merging.
  • u: Undeletion feature.
  • A: No access time updates.
  • C: Disable copy on write.
  • D: Write synchronous directory updates.
  • S: Write synchronous updates.
  • T: Related to top of directory hierarchy.

Step 3. Now, we are going to use the command-line utility chattr (change attribute) to make this file immutable.

sudo chattr +i importantdontdelete.txt

Step 4. List the file attributes again.

lsattr importantdontdelete.txt

## Output
----i----------- importantdontdelete.txt

Note(s): Notice the i flag.

Step 5. Try to remove, move or update the file.

$ sudo rm importantdontdelete.txt
rm: cannot remove ‘importantdontdelete.txt’: Operation not permitted

$ sudo mv importantdontdelete.txt notsoimportant.txt
mv: cannot move ‘importantdontdelete.txt’ to ‘notsoimportant.txt’: Operation not permitted

$ sudo echo "add sample test" >> importantdontdelete.txt 
-bash: importantdontdelete.txt: Operation not permitted

Step 6. Remove the immutable flag and list file attributes again.

$ sudo chattr -i importantdontdelete.txt
$ lsattr importantdontdelete.txt
---------------- ./importantdontdelete.txt

Note(s): The i flag is gone.

Step 7. Now you can remove the file.

rm importantdontdelete.txt

Protect directories

Step 1. First, let’s create a directory with test files.

mkdir sampledir
touch sampledir/{test1,test2,test3}.txt

Step 2. Next, list the files and their attributes.

$ ls -lah sampledir/
total 0
drwxrwxr-x 2 ec2-user ec2-user  57 Sep 22 11:12 .
drwx------ 4 ec2-user ec2-user 112 Sep 22 11:11 ..
-rw-rw-r-- 1 ec2-user ec2-user   0 Sep 22 11:12 test1.txt
-rw-rw-r-- 1 ec2-user ec2-user   0 Sep 22 11:12 test2.txt
-rw-rw-r-- 1 ec2-user ec2-user   0 Sep 22 11:12 test3.txt

$ lsattr sampledir/
---------------- sampledir/test1.txt
---------------- sampledir/test2.txt
---------------- sampledir/test3.txt

Step 3. Let’s add the immutable flag, but this time for directories.

sudo chattr -R +i sampledir/

Step 4. List the file attributes under sampledir again.

$ lsattr sampledir/
----i----------- sampledir/test1.txt
----i----------- sampledir/test2.txt
----i----------- sampledir/test3.txt

Step 5. Try to remove the directory.

$ rm -r sampledir/
rm: cannot remove ‘sampledir/’: Operation not permitted

Step 6. Remove the immutable flag.

sudo chattr -R -i sampledir/

Step 7. Remove the directory recursively.

rm -r sampledir/

There are plenty of other ways you could use chattr, for example adding the a flag if you want a file to be append-only.
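To check that a recursive chattr +i (Step 3 above) really covered every entry, the lsattr listing from Step 4 can be filtered for entries that lack the flag. This is an added example, not part of the original post; the function name missing_flag and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit lsattr output for entries that are missing an
# attribute flag such as i (immutable) or a (append only).

# missing_flag FLAG
# Reads lsattr-style lines ("<attrs> <path>") on stdin and prints the path of
# every entry whose attribute field lacks FLAG. Exit status is 1 if any entry
# is missing the flag, 0 otherwise. The body runs in a subshell so its
# variables do not leak into the caller.
missing_flag() (
    flag=$1
    rc=0
    while IFS= read -r line; do
        attrs=${line%% *}    # first field: the attribute string
        path=${line#* }      # remainder: the path (may contain spaces)
        # Skip blank lines, the "dir:" headers printed by lsattr -R and
        # lsattr error lines: an attribute field holds only letters and
        # dashes and contains at least one dash.
        case $attrs in
            *[!A-Za-z-]*) continue ;;
            *-*) ;;
            *) continue ;;
        esac
        [ "$attrs" = "$line" ] && continue   # no path field on this line
        case $attrs in
            *"$flag"*) ;;                    # flag present
            *) printf '%s\n' "$path"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample in the format of `lsattr -R sampledir/`; one file was
# created after the flag was set and one carries a instead of i.
SAMPLE='----i----------- sampledir/test1.txt
---------------- sampledir/test2.txt
-----a---------- sampledir/app.log
----i----------- sampledir/sub

sampledir/sub:
----i----------- sampledir/sub/my notes.txt'

if ! printf '%s\n' "$SAMPLE" | missing_flag i; then
    echo "the entries listed above are not immutable" >&2
fi
```

On a real system the input would come from lsattr itself, for example lsattr -R sampledir/ | missing_flag i.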

Conclusion

Protecting files with chattr would probably be the first line of defense against accidental sudo rm -rf / executions and, more importantly, against ransomware. Keep in mind that, as Step 6 shows, anyone with root privileges can clear the flag again, so it guards against mistakes and unprivileged processes rather than against someone who already has root.