On Linux operating systems, the chattr command modifies the attributes of files, and lsattr lists (displays) them.
In Linux, file attributes are flags which affect how the file is stored and accessed by the filesystem. They are metadata stored in the file’s associated inode.
Description
chattr and lsattr are part of the e2fsprogs software package, available by that name in most package managers. The e2fsprogs homepage is located at https://e2fsprogs.sourceforge.net.
Syntax: chattr
chattr [-R] [-V] [-f] [-v version] [-p project] mode … file …
Options
chattr takes the following options:
Attributes are not the same as file permissions. For information about setting permissions, see chmod.
Mode strings
A mode string consists of an operator and one or more attributes. It takes the form:
{+|-|=}[aAcCdDeijsStTu]
One of the following operators must appear at the beginning of a mode string:
The remainder of the mode string is several characters, each representing an attribute. They are case-sensitive, cannot be separated by whitespace, and may appear in any order. For a list of attribute characters, see: Attributes, below.
Example mode strings are “+caS”, “-Asd”, and “=eAsS”.
Multiple mode strings may be specified to combine + and - operators in a single command, e.g., “+asD -c” and “-a +s +D -c” are both valid.
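The operator rules above can be checked without touching a file. The following is an added example, not part of e2fsprogs or the original page: a hypothetical helper, apply_modes, that validates mode strings against the letters in the form shown above and prints the attribute set that would result.

```shell
#!/bin/sh
# Added example: evaluate chattr-style mode strings against a starting
# attribute set. Nothing on disk is changed. apply_modes is a hypothetical name.
VALID='aAcCdDeijsStTu'   # attribute letters from the mode-string form above

# apply_modes CURRENT MODE...  -> prints the resulting attribute letters.
# Returns 2 if a mode string has a bad operator or an unknown letter.
apply_modes() {
    cur=$1; shift
    for mode in "$@"; do
        op=${mode%"${mode#?}"}      # first character: the operator
        attrs=${mode#?}             # remainder: the attribute letters
        case $op in
            '+'|'-'|'=') ;;
            *) echo "bad operator in '$mode'" >&2; return 2 ;;
        esac
        case $attrs in
            *[!$VALID]*) echo "unknown attribute in '$mode'" >&2; return 2 ;;
        esac
        if [ "$op" = '=' ]; then cur=; fi   # '=' replaces the whole set
        while [ -n "$attrs" ]; do
            c=${attrs%"${attrs#?}"}; attrs=${attrs#?}
            case $op in
                '-') cur=$(printf '%s' "$cur" | tr -d "$c") ;;
                *)   case $cur in *"$c"*) ;; *) cur=$cur$c ;; esac ;;
            esac
        done
    done
    printf '%s\n' "$cur"
}

# Example: a file that currently has only e, given "+asD -c"
apply_modes e +asD -c
```

Letters are printed in the order they were added, not in lsattr's column order.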
Syntax: lsattr
lsattr [-R] [-V] [-a] [-d] [-v] file …
List of attributes
The following characters represent attributes that can be modified by chattr or listed with lsattr.
Read-only attributes
The following attributes are read-only. They cannot be set or unset by chattr, but can be listed by lsattr.
Examples
View attributes of files
For this example, we create three empty files with touch:
touch file file2 .file
We can view their permissions with ls, using the -l option:
ls -l
total 8
-rw-rw-r-- 1 hope hope 0 Jun 28 09:51 file
-rw-rw-r-- 1 hope hope 0 Jun 28 09:51 file2
File names starting with a dot (period) are not listed by ls unless the -a option is used:
ls -a
total 28
-rw-rw-r-- 1 hope hope 0 Jun 28 09:51 file
-rw-rw-r-- 1 hope hope 0 Jun 28 09:51 .file
-rw-rw-r-- 1 hope hope 0 Jun 28 09:51 file2
Now let’s view attributes by running lsattr:
lsattr
-------------e-- ./file
-------------e-- ./file2
As with ls, we must use the -a option to view files whose name starts with a dot:
lsattr -a
-------------e-- ./file
-------------e-- ./file2
-------------e-- ./.file
-------------e-- ./.
-------------e-- ./..
To view the attributes of a specific file or files, specify their names:
lsattr file
-------------e-- file
lsattr -a file file2 .file
-------------e-- file
-------------e-- file2
-------------e-- .file
View attributes of directories
Now let’s create a directory and subdirectory with mkdir -p:
mkdir -p dir/subdir
And create some empty files in those directories:
touch dir/file3 dir/file4 dir/subdir/file5
By default, lsattr does not traverse directories:
-------------e-- ./file
-------------e-- ./file2
-------------e-- ./dir
To recursively traverse and show the contents of directories, use -R:
lsattr -R
-------------e-- ./file
-------------e-- ./file2
-------------e-- ./dir

./dir:
-------------e-- ./dir/file3
-------------e-- ./dir/file4
-------------e-- ./dir/subdir

./dir/subdir:
-------------e-- ./dir/subdir/file5
Change attributes
By default, the files and directories we created in the above examples (on Ubuntu 16.04) have the “block extents” attribute (e) set.
Let’s give them the d attribute (a legacy attribute, meaningless on our system), using +d.
chattr +d *
------d------e-- ./file
------d------e-- ./file2
------d------e-- ./dir
Some attributes, such as a (append-only), may only be modified by the root user:
sudo chattr +a file
-----ad------e-- ./file
------d------e-- ./file2
------d------e-- ./dir
Attributes that apply only to directories, such as D, are silently skipped on regular files: no error is returned. For example, if you run chattr +D on a regular file, chattr does nothing to that file and returns a successful exit status.
Notice in the next command that we try to set the D attribute on both a regular file and a directory. The attribute is set on the directory, is not set on the regular file, and chattr returns successfully.
chattr +D file dir && lsattr
-----ad------e-- ./file
------d------e-- ./file2
---D--d------e-- ./dir
(The && control operator runs the next command only if the previous command returns a successful exit status. For more information, see Shell grammar in bash.)
To unset an attribute, use the - operator before your list of attributes.
chattr -D dir && lsattr
-----ad------e-- ./file
-------------e-- ./file2
-------------e-- ./dir
Only one operator may be specified per mode string, but you can specify multiple attributes one after the other (without whitespace), in any order. You may specify multiple mode strings, each with its own operator.
chattr +sSc -d * && lsattr
s-S--a--c-----e---- ./file
s-S-----c-----e---- ./file2
s-S-----c-----e---- ./dir
If an attribute requires root privileges, but you are not running the command as root, chattr will not change any attributes for that file. It will continue trying to operate on other files, and when it completes, it returns a failing exit status (an error).
To illustrate this, in the next command, we’ll try to set the a attribute on every file in the current directory without using sudo. This should fail (unless we are logged in as root), because setting a requires superuser privileges.
Also, note that in the next command we use echo to display the value of the bash special parameter ? (a question mark). The ? parameter contains the exit status of the previous command, so it will tell us if chattr succeeded (0) or failed (1). Like all bash parameters, we refer to its value by prefixing its name with $.
chattr -sS +a *; echo $?
chattr: Operation not permitted while setting flags on dir
chattr: Operation not permitted while setting flags on file2
1
The exit status 1 indicates an error occurred.
Let’s look at how the attributes changed:
-----a--c-----e---- ./file
s-S-----c-----e---- ./file2
s-S-----c-----e---- ./dir
Notice that file did not cause an error. It already had the a flag from a previous command, so setting it again caused no error, and the rest of the changes (-sS) completed. The other file and the directory both caused an error and were left entirely unchanged.
To set every file to match an explicit set of attributes, use the = operator. Any listed attributes will be set, and any not listed will be unset.
sudo chattr -R =es * && lsattr -R
s----------e---- ./file
s----------e---- ./file2
s----------e---- ./dir

./dir:
s----------e---- ./dir/file3
s----------e---- ./dir/file4
s----------e---- ./dir/subdir

./dir/subdir:
s----------e---- ./dir/subdir/file5
Make files immutable
If you set the i attribute, a file will be marked as “immutable”, meaning its data (and some vital metadata) cannot be changed, even by root, until the attribute is unset.
touch immutable && lsattr immutable
--------------e---- immutable
sudo chattr +i immutable && lsattr immutable
----i---------e---- immutable
mv immutable newname
mv: cannot move ‘immutable’ to ‘newname’: Operation not permitted
rm immutable
rm: cannot remove ‘immutable’: Operation not permitted
sudo rm -f immutable
You cannot create a hard link to an immutable file:
ln immutable hardlink
ln: failed to create hard link ‘hardlink’ => ‘immutable’: Operation not permitted
Symbolic links are OK, though:
ln -s immutable symlink && ls -l symlink
lrwxrwxrwx 1 hope hope 6 Jun 29 07:49 symlink -> immutable
This is a good time to note that symbolic links have no attributes:
lsattr symlink
lsattr: Operation not supported While reading flags on symlink
To make files mutable again, use -i:
sudo chattr -i immutable && mv immutable newname && lsattr newname
--------------e---- newname
Make files append-only
The append-only attribute (a) makes a file immutable, except that data can be added to it.
touch appendonly && lsattr appendonly
--------------e---- appendonly
sudo chattr +a appendonly && lsattr appendonly
-----a--------e---- appendonly
You cannot overwrite the file with redirection (>):
echo "Overwriting is not allowed." > appendonly
bash: appendonly: Operation not permitted
But redirecting in append mode (>>) is OK:
echo "Appending is allowed." >> appendonly && cat appendonly
Appending is allowed.
Appending is allowed.
Appending is allowed.
Append-only files may not be moved, removed, renamed, or hard-linked.
sudo rm -f appendonly
rm: cannot remove ‘appendonly’: Operation not permitted
sudo ln appendonly hardlink
ln: failed to create hard link ‘hardlink’ => ‘appendonly’: Operation not permitted
For more information about redirection, see: Redirection in bash.
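Because i and a block changes even for root until they are unset, it helps to inventory which paths carry them, for instance to confirm that logs are append-only or to notice an unexpected immutable file. The following is an added example, not from the original page or from e2fsprogs: a hypothetical filter, locked_paths, that reads lsattr -R output on stdin, with constructed sample data embedded for an offline run.

```shell
#!/bin/sh
# Added example: report paths whose lsattr flag field contains i (immutable)
# or a (append-only). The match is case-sensitive, so A (no atime updates)
# is not reported. Assumption: a flag field is a run of at least 10 letters
# or hyphens, as in the 16- and 19-column listings shown above.
locked_paths() {
    awk '
        # Skip blank lines, "./dir:" headers and "lsattr: ..." error lines:
        # none of them starts with a valid flag field.
        $1 !~ /^[-A-Za-z]+$/ || length($1) < 10 { next }
        {
            flags = $1
            path = substr($0, length(flags) + 2)   # keeps spaces in names
            tag = ""
            if (index(flags, "i")) tag = "immutable"
            if (index(flags, "a")) tag = tag (tag != "" ? "," : "") "append-only"
            if (tag != "") print tag "\t" path
        }'
}

# Constructed sample in the shape of `lsattr -R` output (not real system data).
sample_lsattr() {
cat <<'EOF'
-------------e-- ./file
----i--------e-- ./etc/resolv.conf
-----a-------e-- ./log/audit.log
-------A-----e-- ./cache/noatime.db
-------------e-- ./dir

./dir:
----ia-------e-- ./dir/my report.txt
lsattr: Operation not supported While reading flags on ./dir/symlink
EOF
}

sample_lsattr | locked_paths
```

On a live system the same filter can be fed with `lsattr -R /some/dir 2>/dev/null | locked_paths`.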
Related commands
chown — Change the ownership of files or directories.
chmod — Change the permissions of files and directories.
ls — List the contents of a directory or directories.