How to Set Immutable Attribute in Linux to Prevent File Modifications (Even by Root)

When working with critical system files or sensitive data on Linux, sometimes chmod permissions aren't enough. The immutable attribute is a filesystem-level protection that prevents all modifications to a file, even by the root user.

# View current attributes
lsattr /path/to/file

# Set immutable flag
chattr +i /path/to/file

# Remove immutable flag
chattr -i /path/to/file

This is particularly useful for:

  • Protecting configuration files from accidental edits
  • Securing log files against tampering
  • Maintaining system integrity in shared environments

The immutable attribute is one of the inode attributes managed with chattr and lsattr (supported by ext2/3/4, xfs, btrfs and others). When set:

  • File cannot be modified, deleted, or renamed
  • No hard links can be created to the file
  • Even root can't bypass this without removing the attribute first

Here's how I secure my SSH configuration:

# Make sshd_config immutable
sudo chattr +i /etc/ssh/sshd_config

# Verify
lsattr /etc/ssh/sshd_config
----i---------e---- /etc/ssh/sshd_config

# Attempt to modify (will fail)
echo "Port 2222" >> /etc/ssh/sshd_config
-bash: /etc/ssh/sshd_config: Permission denied

# Temporarily disable for updates
sudo chattr -i /etc/ssh/sshd_config
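To see every protection from the list above exercised in one place, and to confirm the flag comes off cleanly afterwards, here is an added demonstration script (not part of the original post). It creates a scratch file, sets +i, tries each operation that should be refused, and counts anything that unexpectedly succeeds. It needs root (the CAP_LINUX_IMMUTABLE capability) and a filesystem that honors inode flags; the scratch directory under $TMPDIR is an assumption, and on a tmpfs /tmp chattr reports "Operation not supported" and the script stops.

```shell
#!/bin/sh
# Added example: exercise the immutable flag on a scratch file and report which
# operations it blocks. Requires root and an ext4/XFS/Btrfs-style filesystem.

# Return 0 if an lsattr output line shows the requested flag letter.
# Example line: "----i---------e---- /path/to/file" (flags field, then the name).
# Only the flags field is inspected, so a letter in the file name does not count.
lsattr_line_has_flag() {
    _flags=${1%% *}                     # text before the first space
    case "$_flags" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run a command that should be refused; return 0 only if it actually failed.
expect_refused() {
    _desc=$1; shift
    if "$@" 2>/dev/null; then
        echo "NOT BLOCKED: $_desc"; return 1
    fi
    echo "blocked:     $_desc"; return 0
}

# Demonstration against a scratch file. Returns the number of unexpected results,
# or 2 if the flag could not be set at all (no root, or unsupported filesystem).
demo_immutable() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/immutable-demo.XXXXXX") || return 2
    f="$dir/protected"
    echo "original" > "$f"
    if ! chattr +i "$f" 2>/dev/null; then
        echo "chattr +i failed: need root and a filesystem with inode-flag support"
        rm -rf "$dir"; return 2
    fi
    failures=0
    lsattr_line_has_flag "$(lsattr "$f")" i || { echo "flag not visible in lsattr"; failures=$((failures+1)); }
    expect_refused "append via shell redirection" sh -c "echo more >> '$f'" || failures=$((failures+1))
    expect_refused "truncate and overwrite"       sh -c "echo new > '$f'"   || failures=$((failures+1))
    expect_refused "delete with rm -f"            rm -f "$f"                 || failures=$((failures+1))
    expect_refused "rename with mv"               mv "$f" "$dir/renamed"     || failures=$((failures+1))
    expect_refused "hard link with ln"            ln "$f" "$dir/link"        || failures=$((failures+1))
    expect_refused "permission change with chmod" chmod 600 "$f"             || failures=$((failures+1))
    # The contents must be exactly what was written before the flag went on.
    [ "$(cat "$f")" = "original" ] || { echo "contents changed!"; failures=$((failures+1)); }
    # Clean-up: the flag has to come off before the file can be deleted at all.
    chattr -i "$f" && rm -rf "$dir"
    echo "unexpected results: $failures"
    return "$failures"
}

# Only run the live demonstration when explicitly asked, e.g. "sudo sh demo.sh run".
case "${1:-}" in
    run) demo_immutable ;;
esac
```

Every refused operation fails with EPERM ("Operation not permitted") rather than EACCES, which is the tell-tale sign in error output that an inode flag, not a mode bit or ACL, is what blocked the write.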

For completeness, other approaches include:

  • ACLs: setfacl for more granular control
  • SELinux/AppArmor: Mandatory access control systems
  • Read-only mounts: mount -o remount,ro

However, the immutable attribute remains the simplest solution when you need absolute protection.

You can recursively apply this to entire directories:

# Make directory and all contents immutable
chattr -R +i /path/to/directory

# More selective approach:
find /path/to/directory -type f -exec chattr +i {} \;

While most Linux users are familiar with chmod for basic file permissions, the chattr command provides a deeper level of file system control. This powerful utility operates at the filesystem level to set attributes that even root cannot override without explicitly removing the attribute first.

Setting the immutable attribute (+i) makes a file:

  • Unmodifiable by any user (including root)
  • Undeletable
  • Unrenameable
  • Protected against creation of hard links

To make a file immutable:

sudo chattr +i /path/to/file

To verify the attribute is set:

lsattr /path/to/file

You should see an i in the flags field at the start of the output line.

Here are scenarios where immutable files are invaluable:

# Protect critical system files
sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow

# Secure configuration files
sudo chattr +i /etc/ssh/sshd_config

# Protect important documents
sudo chattr +i ~/legal_documents/contract.pdf

When you need to modify the file (as root), remove the flag first. Keep in mind that while /etc/passwd or /etc/shadow carry the flag, tools that rewrite them (passwd, useradd, package upgrades) will fail until it is removed:

sudo chattr -i /path/to/file

Other useful attributes from the same family (append-only is the usual choice for files that must keep growing, such as logs, where +i would block writes entirely):

# Append-only (a) - can only add data
sudo chattr +a /var/log/secure.log

# No dump (d) - skipped by the dump(8) backup utility
sudo chattr +d /tmp/sensitive_data

Note that chattr originated with ext2/3/4. XFS and Btrfs honor the immutable and append-only flags through the same interface, but check their respective documentation for which of the other attributes each filesystem supports.

If you encounter "Operation not supported" errors:

  1. Verify your filesystem type with df -Th
  2. Check if the filesystem was mounted with nouuid or other restrictive options
  3. Confirm you have root privileges
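Setting the flag recursively is only half the job; an administrator also wants to know when a file that was supposed to be immutable has quietly lost the flag. The following added audit script (not from the original post) walks a tree with lsattr -R, prints every entry whose flags field lacks i, and, when lsattr itself fails, reports the filesystem type to help with the "Operation not supported" troubleshooting steps listed above. It assumes GNU lsattr and GNU stat; the directory to audit is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: audit a directory tree for entries that should carry the
# immutable flag but do not (drift detection), and explain lsattr failures by
# reporting the filesystem type. Assumes GNU lsattr/stat.

# Read "lsattr -R" output on stdin and print every entry whose flags field
# lacks 'i'. The listing looks like:
#   ----i---------e---- /etc/app/main.conf
#   /etc/app/sub:                       <- directory header, skipped
# Returns 1 if at least one unprotected entry was printed, 0 otherwise.
report_unprotected() {
    _count=0
    while IFS= read -r line; do
        case "$line" in
            ""|*:) continue ;;              # blank separator or directory header
        esac
        _flags=${line%% *}                  # flags field before the first space
        _name=${line#* }                    # path (may itself contain spaces)
        case "$_flags" in
            *i*) ;;                         # protected, nothing to report
            *)   echo "$_name"; _count=$((_count+1)) ;;
        esac
    done
    [ "$_count" -eq 0 ]
}

# Human-readable type of the filesystem holding DIR (GNU stat).
fs_type() {
    stat -f -c %T "$1"
}

# Walk DIR with lsattr -R and report drift. Exit codes:
#   0 every entry is immutable, 1 drift found, 2 lsattr is not supported here.
audit_tree() {
    _dir=$1
    _listing=$(lsattr -R "$_dir" 2>/dev/null) || {
        echo "lsattr failed under $_dir (filesystem type: $(fs_type "$_dir"))" >&2
        return 2
    }
    printf '%s\n' "$_listing" | report_unprotected
}

case "${1:-}" in
    "") echo "usage: $0 DIRECTORY" >&2 ;;
    *)  audit_tree "$1" ;;
esac
```

Run it from cron or a configuration-management check against the directories you protected with chattr -R +i; a non-empty report or exit status 1 means something removed the flag (or a new file was created without it), and exit status 2 points at the filesystem rather than at the files.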