Linux chattr Makes Files Immutable
Prerequisites
- A Linux machine (ext2/ext3/ext4/xfs filesystem)
- Root or sudo access
- Basic terminal knowledge
- The emotional maturity to accept that future you will forget you did this
- At least one file you care about more than your Netflix password
The Command Nobody Talks About
Here’s a scenario. You’ve got SSH keys, config files, certificates, all the stuff that makes your server actually work. And then some rogue script, a sync tool, or just plain human error comes along and overwrites the lot.
“But I set permissions!” you say. Mate, root doesn’t care about your permissions. Root is the honey badger of Linux. It does what it wants.
Enter chattr. Specifically, the immutable flag (+i). It locks a file down so hard that even root gets told no. No modifying. No deleting. No renaming. Nothing.

Locking Things Down
Dead simple. One command:
sudo chattr +i ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub
That’s it. Those files are now immutable. They cannot be:
- Modified
- Deleted
- Renamed
- Hard-linked
Even root gets a slap:
$ sudo rm ~/.ssh/id_ed25519
rm: cannot remove '/home/user/.ssh/id_ed25519': Operation not permitted
Root. The all-powerful superuser. Denied. By a single flag on a file. Beautiful.

Checking What’s Locked
Want to verify the flag is actually set? Use lsattr:
lsattr ~/.ssh/id_ed25519*
# Output: ----i---------e------- /home/user/.ssh/id_ed25519
That i in the output is what you’re looking for. If it’s there, the file isn’t going anywhere.
Unlocking When You Need To
Eventually you will need to modify a locked file. Maybe you’re rotating SSH keys, maybe you’re updating a certificate. The process is straightforward:
sudo chattr -i ~/.ssh/id_ed25519
# Make your changes
sudo chattr +i ~/.ssh/id_ed25519
Remove the flag, do your thing, put the flag back. Like unlocking the front door, grabbing your post, and locking it again. Except the door is a file and the post is, well, also a file. The analogy falls apart a bit there.
Other Useful Attributes
The immutable flag gets all the attention, but chattr has a few other tricks worth knowing about:
| Flag | Effect |
|---|---|
| +i | Immutable: cannot be modified, deleted, or renamed |
| +a | Append only: can add data, but not modify existing content |
| +u | Undeletable: contents saved for recovery when deleted |
| +S | Synchronous: changes written immediately to disk |
The append-only flag (+a) is particularly handy for log files. You want things to keep writing to them, but you don’t want anything clearing the evidence.

Good Candidates for Immutable
Not everything needs locking down, but some files absolutely should be:
- SSH keys (~/.ssh/id_*)
- Critical config files (/etc/passwd, /etc/shadow)
- SSL certificates
- Anything that should never change without you explicitly deciding it should
Basically, if a file changing unexpectedly would ruin your day, lock it.
Gotchas
Because nothing in Linux is ever truly simple:
Filesystem support. This only works on ext2/ext3/ext4/xfs. If you’re on NFS or CIFS mounts, you’re out of luck.
Physical access. Someone who can boot from live media can bypass this entirely. chattr protects against software mistakes, not someone with a USB stick and physical access to your machine.
The big one: you will forget. Six months from now, you’ll try to update something, get “Operation not permitted”, and spend 20 minutes questioning your sanity before remembering you set the immutable flag. This is a rite of passage. We’ve all done it.
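For the "you will forget" problem, a small audit script helps: it walks lsattr output and reports every file carrying the i or a flag. This is an added example, not code from the original article; the function names parse_locked and find_locked are made up for illustration, and the sample lsattr output is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: list files that carry the
# immutable (i) or append-only (a) attribute so a forgotten lock is easy to find.

# Constructed sample of `lsattr -R` output (not captured from a real system).
SAMPLE_LSATTR='----i---------e------- /home/user/.ssh/id_ed25519
--------------e------- /home/user/.ssh/known_hosts

/home/user/.ssh/old keys:
----i---------e------- /home/user/.ssh/old keys/id_rsa
-----a--------e------- /var/log/audit.log'

# parse_locked: read lsattr output on stdin and print "FLAGS<TAB>PATH" for
# every entry whose attribute field contains i and/or a.
# Assumes absolute paths, so the "/dir:" headers that -R emits cannot be
# mistaken for an attribute field.
parse_locked() {
    while IFS= read -r line || [ -n "$line" ]; do
        attrs=${line%% *}                  # first field: attribute string
        path=${line#* }                    # remainder: path, spaces preserved
        [ "$attrs" = "$line" ] && continue # blank line or no path field
        case "$attrs" in
            *[!A-Za-z-]*) continue ;;      # directory header, not attributes
        esac
        flags=
        case "$attrs" in *i*) flags=i ;; esac
        case "$attrs" in *a*) flags="${flags}a" ;; esac
        if [ -n "$flags" ]; then printf '%s\t%s\n' "$flags" "$path"; fi
    done
    return 0
}

# find_locked DIR...: audit real directories. Each argument is resolved to an
# absolute path first; -a includes dotfiles such as ~/.ssh.
find_locked() {
    for dir in "$@"; do
        abs=$(cd "$dir" 2>/dev/null && pwd) || { echo "skipping $dir" >&2; continue; }
        lsattr -Ra "$abs" 2>/dev/null | parse_locked
    done
}

# With arguments, audit those directories; without, run on the sample.
if [ "$#" -gt 0 ]; then
    find_locked "$@"
else
    printf '%s\n' "$SAMPLE_LSATTR" | parse_locked
fi
```

Run it with sudo when auditing directories such as /etc, since lsattr cannot read flags on files the calling user has no access to.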
