chattr Command Cheat Sheet
chattr (change attribute) manages file attributes on Linux file systems (originally for ext2/3/4). These attributes provide powerful control over file behavior beyond standard permissions (read/write/execute), such as making files immutable or append-only.
Synopsis
chattr [ -RVf ] [ -v version ] [ mode ] files...
lsattr [ -RVadv ] [ files... ]
Description
chattr changes the file attributes on a Linux file system. The operator + causes the selected attributes to be added to the existing attributes of the files; - causes them to be removed; and = causes them to be the only attributes that the files have.
Basic Usage
Make File Immutable (+i)
sudo chattr +i file.txt
Even root cannot modify, delete, rename, or link to this file until the attribute is removed.
Make File Append-Only (+a)
sudo chattr +a logfile.log
File can only be opened in append mode for writing. Existing data cannot be overwritten or truncated.
Remove Attribute (-i)
sudo chattr -i file.txt
View Attributes
lsattr file.txt
Common Attributes
| Attribute | Flag | Description |
|---|---|---|
| Immutable | i | Cannot be modified, deleted, or renamed. No link can be created. |
| Append Only | a | Can only be opened in append mode for writing. |
| Compressed | c | Automatically compressed on disk by kernel. |
| No Dump | d | Not backed up by dump command. |
| Secure Deletion | s | When deleted, blocks are zeroed out. |
| Synchronous | S | Changes are written synchronously to disk (like sync). |
| No Atime | A | Access time is not updated (performance boost). |
| Undeletable | u | When deleted, contents are saved for recovery (rarely implemented). |
| Journaling | j | Data is written to journal before file (ext3/4 data=ordered). |
| Top of Directory | T | Directory is top of hierarchy (Orlov block allocator hint). |
Use Cases
Protecting Configuration Files
Prevent accidental (or malicious) changes to critical system files like /etc/resolv.conf (which often gets overwritten by network managers).
sudo chattr +i /etc/resolv.conf
Securing Log Files
Ensure logs can only be added to, never deleted or modified.
sudo chattr +a /var/log/auth.log
Note: Log rotation scripts may fail if they try to move/rename the log file. You might need to adjust rotation scripts to use copy-truncate or remove the attribute temporarily.
Improving Performance (Databases)
Disable atime updates for database files to reduce disk writes.
sudo chattr +A /var/lib/mysql/ibdata1
Disable Copy-on-Write (CoW) on Btrfs for VM images or databases to reduce fragmentation.
sudo chattr +C /var/lib/libvirt/images/vm.qcow2
Preventing Backup
Mark temporary or cache directories to be skipped by backup tools that respect the d attribute (like dump).
sudo chattr -R +d /var/cache/apt
Recursive Operations
Apply to Directory Recursively
sudo chattr -R +i /var/www/html/static
Makes the entire static directory tree immutable.
Listing Attributes (lsattr)
lsattr lists file attributes.
List Current Directory
lsattr
Output example:
----i---------e---- ./immutable_file.txt
-----a--------e---- ./append_only.log
--------------e---- ./normal_file.txt
List Specific File
lsattr -d /tmp
Shows attributes of directory itself, not contents.
List Recursively
lsattr -R directory/
Security Implications
Root Capability
Only the superuser (root) or processes with CAP_LINUX_IMMUTABLE capability can set or clear i (immutable) and a (append-only) attributes.
Intrusion Detection
If you find a file that root cannot delete:
rm file
# rm: cannot remove 'file': Operation not permitted
Check attributes:
lsattr file
# ----i---------e---- file
Attackers sometimes use +i to prevent admins from deleting their tools/malware.
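A defender's sweep for the situation described above, as an added example that is not part of the original cheat sheet: it filters lsattr output for entries carrying i or a. The function names, the scan_tree wrapper and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.

# Filter lsattr output on stdin. For each entry whose flag field contains
# i or a, print "<reason><TAB><path>". Paths containing newlines are not handled.
flag_locked() {
    while IFS= read -r line; do
        flags=${line%% *}   # first field: attribute string
        path=${line#* }     # remainder: path, may contain spaces
        # Skip blank lines, "dir:" headers from -R and error text: a real
        # flag field holds only letters and dashes.
        case $flags in
            ''|*[!A-Za-z-]*) continue ;;
        esac
        case $flags in
            *-*) ;;
            *) continue ;;
        esac
        hit=
        # Matching is case-sensitive: A (no atime) is not a (append-only).
        case $flags in *i*) hit=immutable ;; esac
        case $flags in *a*) hit=${hit:+$hit,}append-only ;; esac
        if [ -n "$hit" ]; then printf '%s\t%s\n' "$hit" "$path"; fi
    done
    return 0
}

# Hypothetical wrapper: scan one tree on one filesystem. Only regular files
# and directories are passed to lsattr; errors from unsupported filesystems
# are discarded.
scan_tree() {
    find "$1" -xdev \( -type f -o -type d \) -exec lsattr -d {} + 2>/dev/null |
        flag_locked
}

# Constructed sample in the lsattr output format shown on this page.
SAMPLE='----i---------e---- /tmp/unknown_binary
-----a--------e---- /var/log/auth.log
-------A------e---- /var/lib/mysql/ibdata1
--------------e---- /home/user/my notes.txt
/srv/www:
----ia--------e---- /srv/www/static dir/index.html'

printf '%s\n' "$SAMPLE" | flag_locked
```

On a live system, run `scan_tree /tmp` (or another tree) as root and compare the result with the files you set +i or +a on yourself.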
File System Support
Ext2/3/4
Fully supported.
XFS
Supports i, a, d, A.
Btrfs
Supports a, c (compression), C (no-COW), d, i, S.
Specific note on c (compression): Btrfs supports transparent compression (zlib, lzo, zstd).
ZFS (on Linux)
Supports i and a via standard tools; these map to ZFS attributes.
Secure Deletion (s attribute)
When s attribute is set, deleting the file causes the blocks to be zeroed.
sudo chattr +s secret.txt
rm secret.txt
Note: This is file-system dependent and may not work on all filesystems or storage (especially SSDs with TRIM/wear leveling, or journaled filesystems). Use shred for reliable secure deletion.
Troubleshooting
"Operation not supported"
The file system does not support file attributes, or does not support the specific attribute you requested.
Check file system type:
df -T .
"Permission denied"
You need root privileges.
sudo chattr +i file
"Inappropriate ioctl for device"
You tried to run chattr on a file that isn't a regular file or directory (e.g., a symlink).
Tips and Best Practices
- Don't Forget +i Files - If you can't edit a config file, check lsattr.
- Use +a for Audit Logs - Great for compliance and security auditing.
- Use +C for VM Images on Btrfs - Critical performance fix for copy-on-write filesystems.
- Backup Exclusion - Use +d to exclude huge cache dirs from backups.
- Combine with Permissions - Attributes work alongside chmod/chown, adding a second layer of security.
- Watch Out for Updates - System updates might fail if they can't replace immutable config files.
Exit Status
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Error (invalid option, file not found) |