Linux File Management: Extended File Attributes, the chattr & lsattr Commands Explained


In Linux, file attributes determine characteristics such as whether a file is visible, readable or writable. chattr and lsattr are two important tools for managing these filesystem attributes.

They help users protect important files and directories against unauthorized modification or deletion.

In practice, many attacks on Linux also set attributes of this kind; an administrator who does not know these two commands will be unable to delete or modify the affected files (for example, virus or cryptomining binaries).

The chattr command

chattr (change attributes) changes the extended attributes of a file or directory. It lets the user set or clear hidden attributes on a file, attributes that are not visible in the standard ls -l output.

Common operators

  • +: add the specified attributes.
  • -: remove the specified attributes.
  • =: set exactly the specified attributes, clearing all others.

Attribute options

  • a: content may only be appended; the file cannot be deleted or modified.
  • i: the file cannot be deleted, renamed, modified or linked.
  • A: the last access time of the file or directory is not updated.
  • c: the file is compressed automatically, decompressed on read and compressed on write.
  • u: when the file is deleted, its contents are preserved so that it can be recovered.
  • e: the file is completely removed from disk.
  • s: when the file is deleted, its contents are completely overwritten, for greater security.
  • S: writes to the file are committed to disk synchronously, to ensure data integrity.
  • d: when the file or directory is deleted, it is not placed in a recycle bin but removed directly.
Complete list of supported attribute options

  • a (append only): The file may only be opened for writing in append mode: its existing data may not be overwritten. It cannot be deleted or renamed; hard links cannot be made to this file; most of its metadata cannot be changed. Modifying this attribute requires root privileges.
  • A (no atime updates): When the file is accessed, its atime record is not modified, which in some situations can reduce disk I/O.
  • c (compressed): Files with this attribute are automatically compressed by the kernel when written to disk. Its contents are uncompressed when read. Note: This attribute has no effect in the ext2, ext3, and ext4 filesystems.
  • C (no copy on write): Files with this attribute are not subject to copy-on-write updates. If this attribute is set on a directory, new files created in that directory get this attribute set. Note: This attribute is only effective on filesystems which perform copy-on-write. On btrfs, this attribute should be set on new or empty files. If this attribute is set after a btrfs file already contains data, the time when its data will be stable is undefined.
  • d (no dump): Files with this attribute are bypassed in any backup initiated by dump, a legacy tool for ext2 filesystems.
  • D (synchronous directory updates): Changes to a directory with this attribute are written synchronously to disk. That is, the system waits for write completion before doing something else. Equivalent to the dirsync option to the mount command, applied to a subset of files on a filesystem.
  • e (block extents): Indicates that a file should be stored using block extents. Data is stored contiguously between two blocks, and only those two blocks must be known to find the file's data. Block extent mapping may potentially save disk space, because it reduces the number of blocks which must be listed in the file's inode.
  • i (immutable): Files with this attribute cannot be deleted or renamed; hard links cannot be made to this file; most of its metadata cannot be changed; data cannot be written to the file. Modifying this attribute requires root, or a process with the CAP_LINUX_IMMUTABLE capability, as set with setcap.
  • j (data journaling): A file with this attribute has all its data written to its journal before being written to the file itself. Only effective on ext3 and ext4 filesystems which have journaling enabled and the "data=ordered" or "data=writeback" options set. If journaling is enabled in those systems, but the "data=journal" option is set, this attribute has no effect. Only root or a process with the CAP_SYS_RESOURCE capability, as set with setcap, can change this attribute.
  • P (project hierarchy): A directory with this attribute will enforce a hierarchical structure for project IDs. Files and directories created in the directory will inherit the project ID of the directory. Rename operations are constrained so that when those files or directories are moved to another directory, the project IDs will match. Hard links to these files may only be created if the project ID of the target and destination match.
  • s (secure deletion): If a file with this attribute is deleted, its data is overwritten with zeroes, similar to a simple shred. This attribute is ignored by ext2, ext3, and ext4 filesystems.
  • S (synchronous updates): When files with this attribute are modified, the changes are written synchronously to disk. Equivalent to the sync option of the mount command, for individual files.
  • t (no tail merging): A file with this attribute will not have any partial block fragment at the end of the file shared with another file's data. This attribute is necessary for software such as LILO, which reads the filesystem directly and is not aware of tail merging. Some filesystems do not support tail merging, in which case this attribute has no effect.
  • T (top of directory hierarchy): A directory with this attribute is deemed to be the top of directory hierarchies by the Orlov block allocator, used by ext2 and ext3. The attribute gives a hint to the allocator that the subdirectories are not related in how they are used, and their data should be separate when blocks are allocated. For example, the /home directory may have this attribute, indicating that /home/mary and /home/john should be placed in separate block groups.
  • u (undeletable): When a file with this attribute is deleted, its contents are saved, enabling their later undeletion. Undelete tools that can take advantage of this attribute include extundelete.

Use cases

  1. Make a file immutable
    Suppose we have an important configuration file /etc/config.conf and want to prevent any modification or deletion. We can use chattr to add the i attribute:

    sudo chattr +i /etc/config.conf

    From now on, config.conf cannot be modified or deleted.

  2. Allow only appending to a file
    For log files we may want to allow appending only, with no modification or deletion. For example, set the a attribute on /var/log/syslog:

    sudo chattr +a /var/log/syslog

    Now nobody can delete or modify the syslog file, but new log entries can still be appended.
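The two use cases above, worked through as a small script. This is an added example, not code from the original article: it wraps chattr +i / chattr -i in functions that confirm the result through lsattr, and its demonstration section shows the failure mode a practitioner runs into, namely that even root cannot append to or remove an immutable file until the attribute is cleared. The attr_field / has_attr helpers, the CHATTR_DEMO_FILE variable and the demo itself are assumptions of this example; the live part requires root on a filesystem that supports these attributes (such as ext4), and the parsing helpers work on any lsattr output line.

```bash
#!/bin/sh
# Added example (not from the original article): lock a file with chattr +i,
# confirm the lock with lsattr, show that writes and removal are refused,
# then unlock it again.
# Assumptions: the live demo runs only as root, and only when the
# CHATTR_DEMO_FILE variable names a scratch file on a filesystem that
# supports extended attributes (ext4, xfs). The helpers below are pure
# string handling and run anywhere.
set -u

# attr_field LINE: print the attribute column of one lsattr output line,
# e.g. "----i---------e-------" from "----i---------e------- /etc/config.conf".
attr_field() {
    printf '%s\n' "${1%% *}"
}

# has_attr LINE FLAG: succeed if FLAG (one character, e.g. i or a) appears
# in the attribute column of an lsattr output line.
has_attr() {
    case "$(attr_field "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# lock_file PATH: make PATH immutable and confirm via lsattr (exit 0 on success).
lock_file() {
    chattr +i "$1" || return 1
    has_attr "$(lsattr "$1")" i
}

# unlock_file PATH: clear the immutable bit and confirm it is gone.
unlock_file() {
    chattr -i "$1" || return 1
    ! has_attr "$(lsattr "$1")" i
}

# Live demonstration, gated so the script is safe to source or test elsewhere.
if [ "$(id -u)" -eq 0 ] && [ -n "${CHATTR_DEMO_FILE:-}" ]; then
    f="$CHATTR_DEMO_FILE"
    echo "key=value" > "$f"
    lock_file "$f" && echo "locked:   $(lsattr "$f")"
    # With +i set, root is refused as well; only clearing the attribute helps.
    if ! echo "tamper" >> "$f" 2>/dev/null; then echo "append refused (expected)"; fi
    if ! rm -f "$f" 2>/dev/null; then echo "rm refused (expected)"; fi
    unlock_file "$f" && echo "unlocked: $(lsattr "$f")"
    rm -f "$f"
fi
```

Run it as root with `CHATTR_DEMO_FILE=/tmp/demo.conf sh lock_demo.sh` (a scratch path chosen for the example). Note that /tmp is often a tmpfs, which does not support chattr; pick a path on a real ext4 or xfs filesystem if the lock step fails.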

The lsattr command

lsattr (list attributes) displays a file's extended attributes. It helps the user see whether a file carries special hidden attributes.

Common parameters

  • -R: recursively list the attributes of files in the directory and its subdirectories.
  • -V: display the lsattr version.

Use cases

  1. View a file's attributes
    To view the attributes of /etc/config.conf:

    lsattr /etc/config.conf

    If the i attribute is set on the file, the output will contain ----i------.

  2. Recursively view a directory's attributes
    To view the attributes of a directory together with all its subdirectories and files, use the -R parameter. For example:

    lsattr -R /var/log/

    This lists the attributes of every file under /var/log/, including files in subdirectories.

Using chattr and lsattr together

In practice, chattr and lsattr are usually used together to protect and monitor important files or directories.

For example, protecting system configuration files is very important to a system administrator. One can first use chattr to make the files immutable, then periodically use lsattr to check their state and make sure they have not been modified unexpectedly.

# Set the file attribute
sudo chattr +i /etc/config.conf
# Check the file attribute periodically
lsattr /etc/config.conf

Used this way, the two commands can greatly strengthen the security of the system.
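The periodic check described above, the recursive lsattr -R listing from the lsattr section, and the point made in the introduction (attackers also set these attributes, and a file carrying them cannot simply be removed) can be combined into one audit. The script below is an added example, not code from the original article: it parses lsattr output, reports every file with the immutable (i) or append-only (a) attribute that is not on an allowlist of deliberately protected paths, and provides a remediation function that clears the bits before removal. The allowlist, the SAMPLE_LSATTR text and all paths in it are constructed for the example so that it runs offline; audit_dirs runs the same check over real directories.

```bash
#!/bin/sh
# Added example (not from the original article): audit lsattr output for
# files carrying the immutable (i) or append-only (a) attribute and flag
# any that are not on an allowlist of deliberately protected paths.
# SAMPLE_LSATTR is constructed sample output standing in for `lsattr -R`;
# the paths in it are made up for this example.

# Allowlist: paths we protected on purpose (assumed, one per line).
ALLOWED='/etc/config.conf
/var/log/syslog'

# Constructed sample: what lsattr -R might print for a few directories.
SAMPLE_LSATTR='--------------e------- /etc/hosts
----i---------e------- /etc/config.conf
-----a--------e------- /var/log/syslog
----ia--------e------- /tmp/.hidden/unknown_bin
--------------e------- /tmp/.hidden/config.json'

# flag_unexpected LSATTR_OUTPUT: print every "attrs path" line whose
# attribute column contains i or a and whose path is not in ALLOWED.
# lsattr -R also prints "dir:" header lines; they have one field and are skipped.
flag_unexpected() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, "\n")
            for (k = 1; k <= n; k++) ok[a[k]] = 1
        }
        NF >= 2 {
            attrs = $1
            path = substr($0, length($1) + 2)   # keep paths containing spaces intact
            if ((index(attrs, "i") || index(attrs, "a")) && !(path in ok))
                print attrs, path
        }'
}

# count_unexpected LSATTR_OUTPUT: number of flagged entries (0 means clean).
count_unexpected() {
    flag_unexpected "$1" | awk 'END { print NR }'
}

# audit_dirs DIR...: run the check over real directories with lsattr -R.
# lsattr errors (e.g. filesystems without attribute support) are discarded.
audit_dirs() {
    flag_unexpected "$(lsattr -R "$@" 2>/dev/null)"
}

# clear_and_remove PATH: remediation for a confirmed unwanted file. The
# attributes must be cleared first, otherwise rm fails even for root.
# Requires root; not run against the sample data.
clear_and_remove() {
    chattr -ia "$1" && rm -f "$1"
}

if [ "${1:-}" = "--demo" ]; then
    flag_unexpected "$SAMPLE_LSATTR"
    # prints: ----ia--------e------- /tmp/.hidden/unknown_bin
fi
```

Running `sh audit_attrs.sh --demo` reports only the one sample path that carries i and a without being on the allowlist; `audit_dirs /etc /var/log /tmp` does the same against a live system and is a reasonable candidate for a cron job, since a protected file that suddenly loses its attribute, or an unknown file that gains one, both show up as a change in this output.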
