How to set `chattr +i` for my `/etc/resolv.conf`?


Solution 1

Your /etc/resolv.conf is probably a symlink. See this explanation for further information.

You could try:

chattr +i "$(realpath /etc/resolv.conf)"

Does the root mountpoint support Access Control Lists (acl) or Extended Attributes?

Check it via:

findmnt -fn / | grep -E "acl|user_xattr" || echo "acl or user_xattr mount option not set for mountpoint /"

Is your root partition of the type 'VFAT'? I believe 'VFAT' does not support ACLs.

Check it via:

findmnt -fn / | grep vfat

Or maybe your symlink target directory is a tmpfs? ACLs are lost on tmpfs.

Test it:

findmnt -fn "$(dirname "$(realpath /etc/resolv.conf)")" | grep tmpfs && echo "$(dirname "$(realpath /etc/resolv.conf)") is tmpfs"

cheers

Solution 2

As you saw, it seems you can't set chattr attributes on symlinks. Also, they're not supported on tmpfs. The man page for chattr mentions that

Not all flags are supported or utilized by all filesystems; refer to filesystem-specific man pages such as btrfs(5), ext4(5), and xfs(5) for more filesystem-specific details.

And there's no mention of the immutable flag or chattr in tmpfs(5).

ACLs or extended attributes have nothing to do with this; chattr attributes are stored directly on the inode, as seen for ext4 in this table of the inode structure.

You'll need to find some other way to prevent your programs from modifying it. systemd-resolved should be smart enough to leave the file alone if you replace the symlink with a static file:

Three modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:

· Alternatively, /etc/resolv.conf may be managed by other packages, in which case systemd-resolved will read it for DNS configuration data. In this mode of operation systemd-resolved is consumer rather than provider of this configuration file.

Note that the selected mode of operation for this file is detected fully automatically, depending on whether /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf or lists 127.0.0.53 as DNS server.

If you have other programs that might modify it (like a DHCP client), you'll have to see about reconfiguring them. Or chattr +i /etc/resolv.conf after making it a static file instead of a symlink, but beware that whatever tries to write it might not like the resulting errors.

Solution 3

Try with the -f flag:

sudo chattr -f +i /etc/resolv.conf

Solution 4

sudo rm /etc/resolv.conf          # remove the symlink
sudo nano /etc/resolv.conf        # create the new file and populate it as you wish
sudo chattr +i /etc/resolv.conf   # change its attributes as you wish
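The checks from Solution 1 and the replace-the-symlink step from Solution 4, gathered into reusable shell functions as an added example that is not code from any of the answers. The filesystem list in supports_immutable is a deliberately short assumption of mine, and the write-then-rename in make_static is my choice; chattr itself is left to be run as root afterwards.

```shell
#!/bin/sh
# Why "chattr +i /etc/resolv.conf" fails, and how to prepare a static file:
# the flag lives on the inode of the symlink's final target, so the target's
# filesystem decides whether it can be set. Paths are parameters so the
# functions can be tried on a scratch directory before touching /etc.

resolve_target() {
    # The file chattr would actually touch: the final target of any symlink chain.
    realpath -- "$1"
}

fs_type_of() {
    # Filesystem type of the mount containing $1 (findmnt -T accepts any path).
    findmnt -no FSTYPE -T "$1"
}

supports_immutable() {
    # Assumed, deliberately short list of filesystems whose inodes carry chattr
    # flags; tmpfs is absent because the question's kernel rejected it there.
    case "$1" in
        ext2|ext3|ext4|xfs|btrfs|f2fs|jfs) return 0 ;;
        *) return 1 ;;
    esac
}

diagnose() {
    target=$(resolve_target "$1") || { echo "$1: cannot resolve"; return 2; }
    fstype=$(fs_type_of "$target") || { echo "$target: findmnt found no mount"; return 2; }
    [ -L "$1" ] && echo "$1 is a symlink -> $target; flags live on the target's inode"
    if supports_immutable "$fstype"; then
        echo "$target is on $fstype: +i should work (needs root or CAP_LINUX_IMMUTABLE)"
    else
        echo "$target is on $fstype: not known to keep inode flags; make $1 static first"
        return 1
    fi
}

make_static() {
    # Replace symlink $1 with a regular file holding its target's current content.
    # The copy is written beside $1 and renamed over it, so a resolver reading the
    # file never sees it half-written or missing.
    target=$(resolve_target "$1") || return 2
    tmp=$(mktemp "$(dirname -- "$1")/.resolv.XXXXXX") || return 2
    cat -- "$target" > "$tmp" && chmod 644 "$tmp" && mv -f -- "$tmp" "$1"
}

# As root: run diagnose /etc/resolv.conf first, then
#   make_static /etc/resolv.conf && chattr +i /etc/resolv.conf && lsattr /etc/resolv.conf
```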
Author: scrapy

Updated on September 18, 2022

Comments

  • scrapy
    scrapy almost 2 years

    My os: debian9.
    The filesystem on my disk:

    $ sudo blkid  | awk '{print $1 ,$3}'
    /dev/sda2: TYPE="ext4"
    /dev/sda1: TYPE="vfat"
    /dev/sda3: TYPE="ext4"
    /dev/sda4: TYPE="ext4"
    /dev/sda5: TYPE="swap"
    

    Now to chattr +i for my /etc/resolv.conf:

    sudo chattr +i /etc/resolv.conf
    chattr: Operation not supported while reading flags on /etc/resolv.conf
    ls -al /etc/resolv.conf
    lrwxrwxrwx 1 root root 31 Jan  8 15:08 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
    sudo  mount -o remount,acl /
    sudo chattr +i  /etc/resolvconf/run/resolv.conf
    chattr: Inappropriate ioctl for device while reading flags on /etc/resolvconf/run/resolv.conf
    

    How to set chattr +i for my /etc/resolv.conf?

    1. /dev/sda1 is empty, for Windows.

    2. My debian is installed on /dev/sda2

      $ df 
      Filesystem     1K-blocks     Used Available Use% Mounted on
      udev             1948840        0   1948840   0% /dev
      tmpfs             392020     5848    386172   2% /run
      /dev/sda2       95596964 49052804  41644988  55% /
      
    3. acl is installed.

      $ dpkg -l acl    
      Desired=Unknown/Install/Remove/Purge/Hold   
      | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
      |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)    
      ||/ Name           Version      Architecture Description   
      +++-==============-============-============-=================================
      ii  acl            2.2.52-3+b1  amd64        Access control list utilities   
      
    4. No output info from these findmnt commands:

      sudo findmnt -fn / | grep -E "acl|user_xattr"
      sudo findmnt -fn / | grep vfat
      sudo findmnt -fn $(dirname $(realpath /etc/resolv.conf)) | grep tmpfs
      
    • Elias Probst
      Elias Probst over 6 years
      Why do you want to make it immutable in the first place? If there's some process making unwanted changes to it, we should rather go after this one and change the underlying issues instead of going for the symptoms. But after all, it's best left to be managed e.g. by systemd-resolved.
    • ErikF
      ErikF over 6 years
      Possibly related question: Unable to change file attributes (e.g. immutable) on /etc/resolv.conf. My guess is that /etc/resolvconf/run is mounted with a tmpfs filesystem, like the linked question.
    • ctrl-alt-delor
      ctrl-alt-delor over 6 years
      Please add results of ls -l /etc/resolvconf/run/resolv.conf and (cd /etc/resolvconf/run/; until findmnt . ; do cd .. ; done)
    • ilkkachu
      ilkkachu over 6 years
      @cas, or the ISC DHCP client?
    • Alessio
      Alessio over 6 years
      yep. fortunately, it can be configured to not do that. There's also the dreadful resolvconf package, whose sole purpose is to mangle /etc/resolv.conf - I've said it before but apt-get purge is effective but unsatisfyingly inadequate, there should be a --kill-it-with-fire or --banish-to-hell option for miserable system-breaking junk like that.
    • ctrl-alt-delor
      ctrl-alt-delor over 6 years
      Please show output of ls -l /etc/resolvconf/run/resolv.conf and (cd /etc/resolvconf/run/; until findmnt . ; do cd .. ; done); don't grep the data away. ACL has nothing to do with it. It seems that pretty much all help you are getting is going the wrong way.
  • ilkkachu
    ilkkachu over 6 years
    It's not an xattr.
  • muru
    muru over 6 years
    @DominikKummer wouldn't that be setfattr/getfattr - see man xattr's related section
  • domson
    domson over 6 years
    @muru: absolutely! The question mentions that the mount option acl was set. Does vfat support acl? I am afraid the questioner's root partition is VFAT.
  • ctrl-alt-delor
    ctrl-alt-delor over 6 years
    No FAT system supports extended attributes, permissions, or anything much else.
  • ctrl-alt-delor
    ctrl-alt-delor over 6 years
    @DominikKummer how do you know that the root fs is fat? You can not tell from /dev/sda1: TYPE="vfat", and sudo mount -o remount,acl / did not error. They need xattr (acl will not help).
  • domson
    domson over 6 years
    @ctrl-alt-delor: I don't know it yet, I asked the questioner to test for it via find -fn / | grep vfat.
  • ilkkachu
    ilkkachu over 6 years
    Is UMSDOS still supported? Apparently not, "UMSDOS was removed from the Linux 2.6.11 kernel for lack of maintenance.". Without it, I doubt there's any way to have a sensible root fs on VFAT, or even that single symlink.
  • dfarrell07
    dfarrell07 over 5 years
    This fails in containers with chattr: Operation not permitted while setting flags for every file. If you control the container, you might be able to get past it with --cap-add CAP_LINUX_IMMUTABLE. See discussion: github.com/moby/moby/issues/15959
  • Shayan
    Shayan almost 5 years
    @DominikKummer What does the $ sign do in chattr +i "$(realpath /etc/resolv.conf)"? Where can I read on it?
  • domson
    domson almost 5 years
    @shayan It is called Command Substitution and executes a command in a subshell. The resulting output of the command within the substitution is passed to the chattr command as an argument.
  • Freedo
    Freedo over 4 years
    On Ubuntu 18.04 even your first command fails. How can resolv.conf not have a valid real path?