Linux File Permissions

The Linux Newbie Guide

⇒

Fundamentals

Advanced

Supplement

Command Index

ENG⇒中

File Ownership and Permissions

1.0 File Owners and Permissions
Ownership
Permissions
Directory Permissions
Special Permissions
Sticky Bit
SGID (Set Group ID bit)
SUID (Set User ID Bit)
chmod : Change File Permissions
Numeric Mode
Symbolic Mode
Link File Permissions
umask: Change Default File Permissions
1.1 File Attributes
chattr : Change File Attributes
lsattr : Display File Attributes
ENG⇒中 ENG⇒中
1.0 File Ownership and Permissions
It is said in the file-related instructions : "The file extension under Linux is only for "reference"; for example, the executable file of Linux will not use ".exe" as the file extension like Windows." So how does Linux determine which files are executable files? Why can’t some directories be entered when I log in with a normal user? Why can’t other files be deleted except for the files I created? Even many files are not allowed to be read by me? Everything is the same as The "ownership" of the file is related to the "permissions". Let's experience it
before explaining it.

Example: (Log in with a regular user account for testing, do not log in with the "root" account, because Superuser is not subject to authority regulations)

$ cd /root ←Go to the directory "/root" and play
bash: cd: /root: Permission denied ←Permission denied
$ cat /etc/shadow ← Read the account password information file "/etc/shadow"
cat: /etc/shadow: Permission denied ← Permission denied
$ cp /etc/shadow ~/ ←Copy "/etc/shadow" to see
cp: cannot open '/etc/shadow' for reading: Permission denied ←Permission denied
$ rm -f /bin/ls ←delete command "/bin/ls"
rm: cannot remove `/bin/ls': Permission denied ←Permission denied

Ownership
Because Linux is a multi-tasking & multi-user OS, that is, it can be used by many people, so there must be some mechanism to properly isolate the reading and writing of files by different logins. Write, execute and delete, or even enter a certain directory, this security mechanism is the "ownership" and "permission" of the file. The owner category of Linux files can be divided into " owner" (user), "group" and "others" as follows:

Owner
The default situation of the owner, the account created by the file, who is the owner (user) and owner of the file, so user is also called owner, and only the owner of the file and "root", Its permissions can be changed freely .
group
One or more user accounts can form a group, that is, a group , which can be compared to a company's department or a school's class or club, etc. How to form a group can be planned by yourself. Of course, one account can also join multiple groups at the same time. If the file/directory belongs to a certain group, you can set several group management to regulate it. Usually, when creating an account, a group with the same name as the account will be created at the same time. If you want to know the name of your group account, you can use the command groups to query.
others
Anything that is not specifically defined for the owner or group is considered as "others."

There are actually two identities when logging in in Linux, one is the user and the other is the group accompanying the registrant, and if a file is created, this file will record these two identities.

example:

$ echo "hello Wold" > /tmp/myfile ←Create a file "myfile"
$ ls -l /tmp/myfile ←Use ls -l to list lengthy file information
-rw-rw-r-- 1 aaa aaa 11 2011-10-10 10:10 myfile ←The one marked in red is user, and the one marked in green is group

^ back on top ^

Permissions
File permissions determine whether the owner (user/group/others) of a file has the ability to "read," "write," or "execute" it. In Linux, the execution of a file is not determined solely by its file extension. Even executable files need to have the proper "execute" permission granted in order to be executed.

However, these file permissions, except for the "execute" permission, are only enforced for the "root" user. When logged in as the "root" user, there are no restrictions. The "root" user has unrestricted access and can perform any action, such as deleting files or modifying their contents, without any limitations. It's as if the "root" user has complete control and can do anything within the system.

Except whether these permissions of the file can be "executed". Recall the example of using ls -l to list lengthy file information when introducing the ls command, as follows:

$ ls -l ← list lengthy file contents
drw-rw-r--	1	aaa	aaa	292	2011-09-07	11:44	myfile
↑		↑	↑
permission		user	group

In the above example, the "permissions" column lists 9 characters in total. For easy identification, it is deliberately displayed in different colors for illustration. The 9 characters of the permission are similar to "rwxrwxrwx" , representing three different ownership The meaning is as follows:

The first three " rwx " represent the permissions of the "owner".
The three "rwx " in the middle represent the permissions of the "group".
The last three "rwx" represent permissions for "others".

The English characters "r", "w", and "x" (the order of "rwx" is fixed) appearing in the permission column of the file represent the meanings of the file as read / write /execute permission, and the permission that is not set is displayed with "-". For example, "r--" only has read permission.

The following table shows the role of permissions on files:

Permissions	The role of the file
r (read)	You can view the content of the file, such as cat or less or other tools to read.
w (write)	Its content can be changed, such as vi or >> (STDOUT Append Redirection) can be used to change the content of the file.
x (execute)	If it is an executable file, it can be executed, but if it is a shell script, it must have read permission before it can be executed (because the shell needs to read the file)

example:

$ ls -l /tmp/myfile
-rw-rw-r-- 1 aaa aaa 11 2011-10-10 10:10 myfile

例:
In the above example , the output permission of ls -l is displayed as "rw-rw-r--", the first character of the red character is "r", which means that the owner (this is the account "aaa") has "read" permission for this file , the second character is "w", which means the owner has "write" permission for this file, and the third character "-", does not have "w", but shows "-", which means the owner has no permission for this file. permission to execute.

The same green font means that the group "aaa" also has read and write permissions for this file but has no execution permission, while other has no specification for both the owner and the group owner, and can only read and cannot write. Next, let's test it with different accounts.

example:

$ echo "hello Wold" > /tmp/myfile ←Create a file "myfile"
$ ls -l /tmp/myfile ←Verify permissions
-rw-rw-r-- 1 aaa aaa 15 2011-09-07 00:46 /tmp/myfile ← the same owner/group can read and write but others can only read
$ cat /tmp/myfile← read and see (test "read" permission)
Hello Wold
$ echo 'Hello Linux' >> /tmp/myfile ← change take a look at the content of "myfile" (test the "write" permission)
$ cat /tmp/myfile ← Verify and see
Hello World
Hello Linux
$ su bbb ← Temporarily change other account
Password: ← Enter its account password
$ cat myfile ← Test "Read" permission
Hello World ←This file other has "read" permission, so other people can read the file created by the account aaa
Hello Linux
$ echo 'Hello Unix' >> /tmp/myfile←Add the content of "myfile" to see
bash: /tmp/myfile: Permission denied ←Permission denied (because "others" do not have the "write" permission for this file)

Let's look at other examples.

Ex:

$ ls -l /etc/shadow ←The long file format of the information file "/etc/shadow" that lists the account password
-r-------- 1 root root 1147 2011-09-07 11:47 /etc/shadow

The file "/etc/shadow" in the above example is the shadow file of the account password. Although the contents are all ASCII-encoded text files, they have been encrypted . Because this file is very important, it may be cracked by a hacker to know the login password of each account, so the owner and group of this file are "root", and its permissions are displayed as "r--------" Indicates that this file can only be read and cannot be written even if you log in with "root", but not being able to write to "root" is a declaration that is greater than the reality, because the account "root" has unlimited privileges.

Let's take a look at what the owner and permissions of a general executable file look like.

Ex:

$ ls -l /bin/cat
-rwxr-xr-x 1 root root 23360 2007-10-31 11:52 /bin/cat

In the above example, the owner and group of the cat command is "root" and can be fully read, written, and executed, while the owner and group other than "root" who use this command are counted as others and can only read and execute.

In addition, some commands such as cp will change the owner and group of the target file, making it owned by the operator. The purpose is to hope that the copied file can be fully controlled.

Example: (Please log in with a regular user account to test)

$ cp /bin/cat ~/ ←copy "/bin/ls" to home directory
$ ls -l /bin/cat ~/cat ←list these 2 files for comparison
-rwxr-xr-x 1 root root 23360 2007-10-31 11:52 /bin/cat
-rwxr-xr-x 1 aaa aaa 23360 2011-10-10 10:10 ./cat ←Did you notice that the copied file, the owner and the group have changed to the operator all

Then how to keep the original taste of the copied files? For example, when backing up the system files, you can't even change the original owner and permissions. If you want to restore the system, the world will be in chaos. Use the cp -a or cp -p option to keep the owner and permissions of the original file.

^ back on top ^

Permissions of Directories
The permissions of directories are somewhat different from those of files, as shown in the following table:

permissions	The effect on the directory
r	List the files in the directory or its subdirectories (such as using ls to display the files in the directory but not using cat to read the files in the directory)
w	Add, delete or rename files in the directory (for example, you can operate rm , cp , or mv on the files in the directory, etc.)
x	Enter the directory or execute the program in the directory (for example, cd can enter the directory)

Of course, these permissions in the directory are not binding on"'root".

example:

$ ls -l /home ←List all home directory permissions in "/home"
drwx------ 28 aaa aaa 4096 4096 2-11-10-11 15:41 aaa
drwx------ 3 bbb bbb 4096 4096 2-11-10-03 19:59 bbb
$ ls /home/bbb ← See what is in other people’s homes?
ls: cannot open directory /home/bbb: Permission denied ← No permission

The above example shows that the owner of each person’s home directory has the “x” permission, so they can freely enter their own home directory, and has the “rw” permission, so they can list and add or delete files in their own home directory, but the use of other accounts Those who are other will be blocked at the door of the house (except account "root").

Special Permissions
Although regular file permissions can meet most requirements, there are gray areas. For example, consider a file with permissions set as "rw- --- ---." In theory, only the owner should be able to modify the file's contents. However, the "others" category has permissions set as "--- --- -wx" for a directory. This means that "others" have "x" (permission to enter the directory) and "w" (permission to add or remove files within the directory). Consequently, it appears that others can enter the directory and delete or rename files that do not belong to the owner.

When file and directory permissions contradict each other, it is important to determine which permissions take precedence. In such cases, the system typically follows a set of predefined rules or priorities to resolve the conflicts.

To address vulnerabilities and potential security risks, special permissions play a crucial role. They utilize the position of the "x" (execute) permission to set and display additional permissions. If you see a "t" or "s" displayed in the place of the "x" permission, it indicates the presence of special permissions.

Special permissions serve as a mechanism to address and prevent vulnerabilities, ensuring that the appropriate access controls are in place for files and directories.

Sticky Bit
If a directory is a public directory (such as /tmp ), and the other permission of the directory is "rwx", it means that anyone can enter the directory and add or delete files in the directory. Because only the owner can read and write, although it can prevent others from tampering or peeking at the contents of the file, it cannot prevent the file from being deleted or renamed by others (because the directory permission other has "w" and "x"). How to prevent the files in the public directory from being deleted or renamed by others, that is the function of Sticky bit (SBIT for short).

The purpose of setting SBIT for the directory is that only the owner of the file in the public directory can delete or change the name (of course "root" is excluded), for example:

Example

$ ls -ld /tmp
drwxrwxrwt 9 root root 4096 2011-10-16 12:11 /tmp ←Note that the "rwx" of the other permission is displayed as "rwt", and the lowercase t is the sticky bit

In the above example, the permission of the directory "/tmp" has the permission of sticky bit. After the sticky bit is set, the permission will be displayed as "t" where the original "x" is.

Sticky bit is only valid for directories, not for files.

Example: (Log in and test with a regular user account)

$ cd /tmp ← enter the directory "/tmp"
$ echo 'Hello' > file ← create a file "file"
$ ls -l file ← use ls -l to list long list format
-rw-rw-r-- 1 aaa aaa 6 2011-10-10 10:10 file ←The owner and group of the file are both "aaa"
$ su bbb ←Use the command su to temporarily change other users
Password: (enter the account password of other users)
$ mv file fileB ←Operate and rename with other users. See
mv: cannot move 'file' to 'fileB': Operation not permitted ←Permission denied
$ rm -f file ←Delete files that do not belong to you. See
rm: cannot remove 'file': Operation not permitted ←denied
$ exit ←Return to the account of the original login
$ mv -v file fileB ←Rename to see
'file' -> 'FileB' ←ok now
$ rm -v fileB ←Delete and see
removed 'fileB' ←Success

From the above operation experiments, we can know that the function of Sticky bit is to protect private files in the public directory.

SGID
SGID (Set Group ID bit), as the name suggests, "Set Group ID" is for Groups, that is, groups, and can only be used in executable files or directories. If it is used in the execution file, it will temporarily own the Group (group) owned by the program when the program is executed. Let's look at the example of using the existing SGID in the system in the execution file.
E.g.

$ ls -l /usr/bin/wall
-r-xr-sr-x 1 root tty 10712 2007-10-11 03:54 /usr/bin/wall ← Pay attention to observation, the group is tty, but the "x" of the authority How to change lowercase "s", if the lowercase s appears in the group, it is the SGID

Before explaining, let me explain the purpose of the command wall . wall is the abbreviation of write all , and its function is to send messages to each terminal (tty). For example, if an account logs in at tty1 and enters wall 'Happy New Year' or uses input redirection wall < message_file , if someone logs in at other ttys at the same time, they will receive a broadcast message from the tty1 login.

But to receive a broadcast message from a certain tty (terminal), at least everyone must be in the same group, so the solution is whoever executed the wall command ( the group of the wall command is tty), regardless of the original group of the login Anything will temporarily change the group to which the executable file belongs (the group in this example is tty, and the tty group is the system default). When this command ends, it will immediately return to the original login group.

Similar commands with SGID include /usr/bin/write , /usr/bin/ locate , etc.

The SGID file permission will display "s" where the original group "x" is displayed.

If it is used in a directory, any file placed in a directory with an SGID will become a group of this directory. It is mainly used in group collaborative work.

SUID
SUID (Set User ID Bit), as its name suggests, is a special permission for the owner. SUID is only used in executable files. If a certain executable file has SUID, the owner of the program will be temporarily changed when the program is executed. Let's see an example of using the existing SUID in the system in the executable file.

example:

$ ls -l /usr/bin/chsh /etc/passwd ← list "/usr/bin/chsh" and "/etc/passwd" file information
-rw-r--r-- 1 root root 1783 2015-07-21 16:58 /etc/passwd
-rws--x--x 1 root root 14472 2007-10-17 04:48 /usr/bin/chsh ←Pay attention,the " s" of owner authority is SUID

The command chsh is used to change or list the available shells. When changing the shell, chsh will change the configuration file "/etc/passwd" (the last few lines of this file define the default shell for each account). But here comes the problem, the file "/etc/passwd" only has write permission for "root". How can a normal account change the file "/etc/passwd"? The solution is to set the command chsh to SUID . Therefore, no matter who executes this command, the owner ("root") of the file will be temporarily changed during execution and has the right to change the file "/etc/passwd".

Commands similar to SUID include　/bin/mount , usr/bin/passwd , etc. SUID file permissions are displayed as "s" where the original owner "x" is.

The following is an overview of the purpose and usage of special permissions:

special permission	file/directory	effect	proviso	ls -l show
Sticky bit	directory	In a directory with a sticky bit, only the owner of the file or "root" can delete or rename the file	oher also have "x" permission	--- --- --t
Set Group ID	file(s)	Only for executable files, the group to which the file belongs will be temporarily changed during execution	group also has "x" permission	--- --s ---
Set Group ID	directory	Any files placed in the directory will become the group of this directory	group also has "x" permission	--- --s ---
Set User ID	file(s)	Only for the execution file, the owner of the file will be temporarily changed during execution	user must also have "x" permission	--s --- ---

^ back on top ^

chmod : Change File Permissions
The command chmod (change mode) can change the permissions and special permissions of files and directories. Only the owner of the file and "root" have the right to change its permissions. chmod accepts "Numeric mode" and "Symbolic mode".

Numeric mode
chmod ’s number notation is " chmod [-option][#]### [file directroy] ", where the first "#" is a number with special permissions , which can be omitted if not set; The following "###" are the permissions of onwer, group and other ("#" is a number, ranging from 0 to 7).

There are eight possible states for permissions, and the numbers 0~7 represent each possible state as follows:

Absolute(Numeric) Mode in Linux
#	Permissions	rwx
7=111_BIN)	full	rwx
6=110 _BIN)	read & write	rw-
5=101 _(BIN)	read & execute	r-x
4=100 _(BIN)	read only	r--
3=011 _(BIN)	write & execute	-wx
2=010 _(BIN)	write only	-w-
1=001 _(BIN)	execute only	--x
0=000 _(BIN)	none	---

The relationship between numbers and permissions is that if the binary digit of the number is "0", then the permissions are "-", otherwise they are "rwx", for example, number 6_(DEC)=110 _(BIN)=rw-.

Because the number 6 = "rw-", and the number 4 = "r--", so if you want to set a file permission as "rw-rw-r--", the command is chmod 664 file.

example:

$ echo 'hello world' > myfile ← Create a file "myfile"
$ ls -l myfile ←← Use ls -l to list
-rw-rw-r-- 1 aaa aaa 12 2011-10-22 16:27 myfile ←The default text file is generally read only by other
$ chmod 660 myfile ←Change the permission to "-rw -rw- ---", that is, other can no longer read
$ ls -l myfile ←Look at the permission change no?
-rw-rw---- 1 aaa aaa 12 2011-10-22 16:27 myfile

example:

$ chmod 777 file ←permission is rwx rwx rwx
$ chmod 644 file ←permission is rw- r-- r--
$ chmod -R 711 dir/ ← recursively change all file permissions in the directory
$ chmod 000 file ← permission is - -- -- ---, no permission, what do you want to do? If it is a file, it usually only needs to be read/written by "root" (it may be a confidential file)

.
Then how to change the special permissions ? The special authority number 4= SUID , 2= SGID and 1= SBIT , as shown in the following table.

special permissions numeric notation
#	special permissions
4=100 _(BIN)	SUID
2=010 _(BIN)	SGID
1=001 _(BIN)	SBIT

If the special permisions is to be set, its digits should be added to the leftmost character in the original number notation, so 4 numbers are required to represent it. .

example:

$ cp /bin/cat ~/my_exec ←Copy an executable file and transform it
$ chmod 4755 my_exec ←Add SUID to the permission of the executable file (SUID digit is 4)
$ ls -l my_exec ←Confirm
-rwsr-xr-x 1 aaa aaa 23360 2007-10-31 00:52 my_exec ←The "s" at user permission is SUID

However, special permissions cannot be set indiscriminately, otherwise invalid special permissions may be generated.

Example: (continued from the experiment)

$ echo "hello" > my_text ←Create a text file
$ chmod 4640 my_text ←Change text file permission, user removes "x" permission, and adds SUID
$ chmod 1654 my_exec←Change execution file permission, other removes "x" permission, And add SBIT
# ls -l my_text my_exec ←ls -l confirm file "root_file" &"root_cat"
-rw-r-wr-T 1 aaa aaa 23360 2007-10-31 00:52 my_exec ←SBIT "t" become "T"??
-rwSr----- 1 aaa aaa 6 2011-10-23 14:59 my_text ←SUID "s" become "S"??

corresponding "x" (execution) permission also needs to set special permissions to take effect (refer to the purpose and usage overview of special permissions ).

For example, to set the SGID to be effective, the group needs to set "x" permision. But it doesn't necessarily mean that the special permissions display " s" or "t" will use the function, because SBIT is only effective for directories, and SGID and SUID have no function for text files, and setting them is useless.

Symbolic Mode
Symbolic mode is relatively more intuitive than Numeric mode and its syntax is "chmod [-option][ugoa][+-=][rwx][st] [file directroy]".

In [ugoa] in the syntax, "u" stands for user; "g" stands for group; "o" stands for other; "a" stands for all, i.e. u+g+o. (If "a" is omitted, it is also u+g+o)
In the syntax [+ - =], "+" means to increase the authority; "-" to subtract the authority; "=" means to directly set the authority.
The last [st] of the syntax is special permission, where "s" is SUID or SGID , and "t" is Sticky bit .

When using symbolic notation, it is better to add the parameter "-v" or "-c" to display the process of changing permissions, which is convenient for confirmation.

例:

$ chmod -v a=rw file ←set file owner/group/other all have rw permission
mode of `file' changed to 0666 (rw-rw-rw-)
$ chmod -v =rw file ← same as above (omit "a" )
$ chmod -v ug=rwx,o-r file ←user and group permission is "rwx", other minus "r" permission
mode of `file' changed to 0772 (rwxrwx-w-)
$ chmod ug+x file ←owner Add "w" permissions to group (others remain unchanged)
$ chmod u-x,g+rw file ←owner minus "x", group add "rx" permissions (others remain unchanged)
$ chmod u+s file ←add SUID
$ chmod g-s file ←remove SGID
$ chmod +t dir ←Set SBIT (sticky bit can only be used in other, so "o" in o+t can be omitted)
$ chmod a=rwx,o+t dir ←Set directory owner/group/other = "rwx" and add Sticky bit

^ back on top ^

Link File Permissions
f it is a linked file , should the permissions be based on the original file or its clone? If it is a symbolic linked file, if you use ls -l to query its permissions, it will always display "lrwxrwxrwx". But its meaning is not that anyone can read/write/execute (enter the directory), but "completely according to the permission of the original file". For example, changing the permission of the symbolic link file is actually changing the permission of the original file, and the symbolic link file is allways displayed "lrwxrwxrwx".

If it is a hard link , because the hard link is same file, so changing the it will change together.

umask: Change The Default File Permissions
If you log in with a regular user account to create a file, most Linux distributions have the default file permissions as "rw-rw-r--" (other has no write permissions); if you create a file for Superuser The file limit of the file will be a little more, and its file permission is "rw- r-- r--" (group and other have no write permission). The command umask can change the default permissions for creating files or directories.

Example: (This is a regular user account test, if you use "root" test, the result will be different)

$ umask ←If there is no option, the output is to show the default permission
0002

The numbers output by umask are compared with the following table for the permissions to create files or directories.

umask	Default File Permissions	Default Directory Permissions
000	666 (rw- rw- rw-)	777 (rwx rwx rwx)
002	664 (rw- rw- r--)	775 (rwx rwx r-x)
022	644 (rw- r-- r--)	755 (rwx r-x r-x)
027	640 (rw- r-- ---)	750 (rwx r-x ---)
077	600 (rw- --- ---)	700 (rwx --- ---)
277	400 (r-- --- ---)	500 (r-x --- ---)

It can be seen from the table that umask= 0002 means that the permission to create a file is "rw-rw-r--", and if it is a directory, the permission is "rwx rwx rx".

If you want to change the default permissions for creating files, just enter umask [#][###] ("#" is a digit, refer to the above table, and the first "#" is a special permission, which is generally not changed, so keep 0) .

Example: (This is a regular user account test, if you use "root" test, the result will be different)

$ umask ← Look at the default permission
0002
$ echo 'umask file1' > umask_0002 ← Create a file "umask_0002"
$ umask 0027 ← Change the default permission to "0027" (rw- r-- ---)
$ umask ← Confirm See if the default permission has been changed to
0027 ← changed to "0027"
$ echo 'umask file2' > umask_0027 ←Use umask=0027 to create a file "umask_0027"
$ ls -l umask_0002 umask_0027 ← List the permissions of the two files for comparison
-rw-rw-r-- 1 aaa aaa 12 2011-10-10 10:10 umask_0002 ← Note that the permissions of the two files are different
-rw-r----- 1 aaa aaa 12 2011-10-10 10:11 umask_0027

General application lookup table should be enough, if you want to ask 「Why umask = 0002, the permission to create a new file is "rw-rw-r--"」? You can continue to read.

Umask is the abbreviation of "user mask", and "mask" in computer engineering. The meaning of mask is "to change a bit by bitwise operation". The Boolean logic operation formula ( Boolean operators) is " Inital value & ~ umask value " (initial value file is 666, directory is 777) or the following logic circuit operation.

linux umask

Because it is not necessary to execute the text files, the initial value of the permission "666" (rw-rw-rw-).
In the previous sample test, put umask=002, inital value=666 into the formula "666 & ~002", and the result is "664" (rw-r--r--).
In another example, the initial value of umask=027 is 666, which is brought into the expression "666 & ~027" = "640" (rw- r-- ---).

If a directory is created, this directory can be entered due to requirements, so the initial value is "777" (rwx rwx rwx).
Take umask=002 as an example to import the formula "777 & ~002" = "775" (rwx rwx rx).

^ back on top ^

1.1 File attributes

File permissions are not binding on the account "root", Therefore, if you accidentally make a mistake and issue the command rm -fr / (the root directory and all subdirectories and files will be killed without mercy), then Linux will probably die. Is there any way to regulate root? That is "file attributes", can make up for the danger of too much root power.

chattr : Change File Attributes
chatttr ( change attribute ) can change 16 attributes of Linux files, only about 8~14 are defined (the number of attributes and definitions supported by different releases may be different) . The usage is somewhat similar to chmod , with "+" to add attributes; "-" to subtract attributes; "=" to directly set attributes, the syntax is as follows:

Syntax: chattr [-otpiton][+-=][mode] file/directroy
Command name/Function/Command user	Options	Function	The attributes of mode are [aAcdDisSu], each meaning is
chattr/ change attribute/ Any(mainly for Superuser)	-R	Change the attributes of files recursively	"a": used for files can only be accumulated, can not be deleted. When used in a directory, only the content of the files in the directory can be modified, but the files cannot be added or deleted. And only "root" can use . "A": Do not update the atime of the file "c": automatically compress files when archiving, and automatically decompress when reading "d": Exclude dump data, that is, this file will be excluded when executing the dump command "D" If the directory is set, the data in the buffer memory will be saved to the hard disk synchronously "i": Make the file indestructible; including cannot delete, rename, modify content, change permissions, etc. and only "root" can use it "s": Destroy corpses and wipe out traces. When a file is deleted, the block of the file will be filled with 0 (so that those who are interested cannot restore the file) "S": When archiving, do not write to the buffer memory first, but directly write to the hard disk (the performance is poor, but it can prevent file loss when the power is cut off) "u": Contrary to "s" destroying and erasing traces, when the file is just deleted, only the inode is deleted, so that the file can be saved if you regret it in the future "maybe"
chattr/ change attribute/ Any(mainly for Superuser)	-V	The process of displaying transaction attributes

From chattr 's mode usage, we can know that many attributes are for standardizing "root" (Supperuser). For example, the attribute "a" is mainly used for the record file that will accumulate. Even with the "root" account, this file cannot be deleted. The attribute "i" can't even touch this one.

When deleting a file, Linux only deletes the inode of the file and does not actually clear the data (block) for efficiency. If there is confidential data, it is right to add the attribute "s" for fear of being restored when deleting.

Experiment: (log in as "root", test)

# echo '123' > myfile ←Create a file "myfile"
# chattr +a myfile ←Set "a" attribute can only be accumulated, but cannot be deleted
# rm -f myfile ←Delete and see
rm: cannot remove `myfile': Operation not permitted ←denied
# echo '456' > myfile ← overwrite to see
bash: myfile: Operation not permitted ←denied
# echo '456' >> myfile ← accumulate to see
# cat myfile ← verify
123
456
# chattr -V -a myfile ← Subtract the "a" attribute to be deleted
chattr 1.40.2 (12-Jul-2007)
Flags of myfile set as ----------------

Experiment: (log in as "root", test)

# chattr =aAdS file ←Set the file to have attributes "a", "A", "d", "S"
# chattr -V +i -ad file ←Add the attribute "i" to the file and subtract "a", " d" attribute

lsattr : Displays File Attributes.
Sometimes there may be no problem with permissions , but some files cannot be deleted or modified. At this time, you can use lsattr to check whether the attributes have been changed by chattr . lsattr is the abbreviation of l i s t attr bute, use To check the properties of the file, the usage is as follows:

Syntax::lsattr [-otpiton] file/directroy

command name/function/command user

options

Function

lsattr/
list attrbute/
Any

-a

List all files and directories, including hidden files and properties of the working directory and the upper directory

-d

List only directory properties

-R

Recursively list files and subdirectories under a directory attribute

Example: (logged in as root)

# echo > file
# chattr =aAdS file ←Set the file to have "a", "A", "d", "S" attributes
# lsattr file ←Display file attributes
--S--adA-------- file

Example:

# lsattr -a ←List the attributes of all files in the directory (including the working directory and its parent directory)
-----a---------- ./. ←Attributes of the working directory
---------------- ./.. ← Attributes of the upper directory
-----a---------- ./jun ← Attributes of files in the directory

^ back on top ^