How do I make a file NOT modifiable?
Solution 1
You can set the "immutable" attribute with most filesystems in Linux.
chattr +i foo/bar
To remove the immutable attribute, you use -
instead of +
:
chattr -i foo/bar
To see the current attributes for a file, you can use lsattr:
lsattr foo/bar
The chattr(1) manpage provides a description of all the available attributes. Here is the description for i
:
A file with the `i' attribute cannot be modified: it cannot be deleted
or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
Solution 2
To make an entire directory tree read-only:
cd <directory>
find ./ -print0 | sudo xargs -I {} -0 chattr +i {}
To make it readable again, change +i
to -i
.
Solution 3
You can:
- Change the file owner to
root
or a dummy newly created user - Keep the correct group.
- Use
chmod 440
to allow reading by group (which is you).
If the correct user is not the only one in this group, you should create a new group and add only him in it, and use this group for it. However, you are not the owner of the file, therefore your vi
cannot change the file owner.
Related videos on Youtube
user2141130
Updated on September 18, 2022Comments
-
user2141130 almost 2 years
While logged in, I can do the following:
mkdir foo touch foo/bar chmod 400 foo/bar chmod 500 foo
Then I can open vim (not as
root
), editbar
, force a write withw!
, and the file is modified.How can I make the operating system disallow any file modification?
UPDATE Mar 02 2017
chmod 500 foo
is a red herring: the write permission on a directory has nothing to do with the ability to modify a file's contents--only the ability to create and delete files.chmod 400 foo/bar
does in fact prevent the file's contents from being changed. But, it does not prevent a file's permissions from being changed--a file's owner can always change his file's permissions (assuming they can access the file i.e. execute permission on all ancestor directories). In fact, strace(1) reveals that this is what vim (7.4.576 Debian Jessie) is doing--vim calls chmod(2) to temporarily add the write permission for the file's owner, modifies the file, and then calls chmod(2) again to remove the write permission. That is why usingchattr +i
works--only root can callchattr -i
. Theoretically, vim (or any program) could do the same thing with chattr as it does with chmod on an immutable file if run as root.
-
jordanm over 11 yearsI believe under the hood,
vim
is actually changing the permissions and then putting it back. -
user2141130 over 11 yearsAlvin, I do this as a non-root user. I have edited the post to clarify.
-
Stéphane Chazelas over 11 yearsOn Linux, that immutable flag is available on many file systems not just ext2/3/4 (at least btrfs, hfsplus, jfs, nilfs2, xfs, ocfs2, ubifs, gfs2, reiserfs AFAICT from a quick look through the code)
-
Stéphane Chazelas over 11 yearsIf you can write to the parent directory, then vim can delete the file and create a new one (and it's what it does when you do
:w!
). vim doesn't go as far as changing the permissions of the directory temporarily though. So keeping the directory non-writable should be safe. -
jordanm over 11 years@StephaneChazelas I saw the
chattr
command was part ofe2fsprogs
package on my system. That is why I made that statement. I have updated the answer based on your comment. -
natenho about 9 yearsIt doesn't work for symlinks :-(. This solution would be great, because I want to avoid that the symlink can be accidentaly modified by any user including root.
-
rassa45 almost 6 yearsImmutable is an inode flag correct, not an xattr? ioctl flag to be precise?