You are root on your system, you do an rm of a file and get “rm: cannot remove `test': Operation not permitted”. Is this possible?

Yes, if special attributes (the ones set with chattr) are set on the file on your filesystem.

The “interesting” thing is that some rootkits also set these attributes after replacing a few binaries (ps, netstat), so restoring the originals is a bit harder.

But don’t worry: in this article I’ll present the lsattr and chattr commands, which help you list and manipulate these attributes on your Linux box.

The chattr and lsattr utilities on Linux, and the attributes they manipulate, are specific to the Second Extended Filesystem family (ext2, ext3) and are available as part of the e2fsprogs package. They don’t work on files residing on other filesystems, e.g. ReiserFS or FAT.

Chattr syntax

chattr [ -RV ] [ -+=AacDdijsSu ] [ -v version ] files

The operator `+' causes the selected attributes to be added to the existing attributes of the files; `-' causes them to be removed; and `=' causes them to be the only attributes that the files have.

The letters `ASacDdijsu' select the new attributes for the files.

Some attributes include:

* don’t update atime (A)

* synchronous updates (S)

* synchronous directory updates (D)

* append only (a)

* compressed (c)

* no dump (d)

* immutable (i)

* data journalling (j)

* secure deletion (s)

* top of directory hierarchy (T)

* no tail-merging (t)

* undeletable (u)

Example of using it on my /tmp (an ext4 filesystem):

root@laptop:/tmp/test-extended# ls -l
total 0
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test2
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test3
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test
-----------------e- ./test3
-----------------e- ./test2
root@laptop:/tmp/test-extended# chattr +u test
root@laptop:/tmp/test-extended# lsattr
-u---------------e- ./test
-----------------e- ./test3
-----------------e- ./test2
root@laptop:/tmp/test-extended# rm test
root@laptop:/tmp/test-extended# ls
test2  test3

Surprised?

In fact, the u flag was only honoured by the original ext filesystem; the undelete feature was dropped in ext2, so today the u flag is effectively useless.

But now let’s see something that works.

root@laptop:/tmp/test-extended# touch test4
root@laptop:/tmp/test-extended# chattr +i test4
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test3
-----------------e- ./test2
----i------------e- ./test4
root@laptop:/tmp/test-extended# rm test4
rm: cannot remove `test4': Operation not permitted
root@laptop:/tmp/test-extended# ls -l
total 0
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test2
-rw-r--r-- 1 root root 0 2010-12-17 22:59 test3
-rw-r--r-- 1 root root 0 2010-12-17 23:24 test4

So the +i flag works: it sets the immutable bit, which prevents even root from deleting the file or changing its contents.

You can use this flag to mark one or more files as immutable and be sure that nobody deletes (or modifies) them by mistake. Note that root can still clear the bit with chattr -i, so this protects against accidents rather than against someone who already has root.

Another example with the append flag:

root@laptop:/tmp/test-extended# touch test5
root@laptop:/tmp/test-extended# chattr +a test5
root@laptop:/tmp/test-extended# echo "this is a test" > test5
-bash: test5: Operation not permitted
root@laptop:/tmp/test-extended# lsattr
-----------------e- ./test3
-----------------e- ./test2
-----a-----------e- ./test5
----i------------e- ./test4
root@laptop:/tmp/test-extended# echo "this is a test" >> test5
root@laptop:/tmp/test-extended# cat test5
this is a test
root@capecchi:/tmp/test-extended# rm test5
rm: cannot remove `test5': Operation not permitted

So with the a flag a file can only be opened for writing in append mode, and it cannot be deleted. Log files are good candidates for this, to keep them from being tampered with.
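As an added example (not code from the original article), here is a small POSIX shell audit script that parses lsattr output and reports every entry carrying the i (immutable) or a (append-only) attribute. It ties together the rootkit note at the top (replaced binaries that were then locked with these flags) and the log-protection use just described: a file in a system directory that shows up flagged and that you did not lock yourself deserves a closer look. The sample lsattr lines embedded in it are constructed, not captured from a real system, and the function names flagged_files, audit_dir and count_flagged are my own.

```shell
#!/bin/sh
# Added example, not code from the original article.

# flagged_files: read lsattr-style lines on stdin and print those whose
# attribute field contains the immutable (i) or append-only (a) flag.
# lsattr prints "<attrs> <path>" per file; with -R it also prints
# "<dir>:" header lines and blank lines, which carry no space and are skipped.
flagged_files() {
    while IFS= read -r line; do
        case $line in
            *' '*) ;;          # normal entry: "<attrs> <path>"
            *) continue ;;     # directory header or blank line
        esac
        attrs=${line%% *}      # attribute field (first word)
        path=${line#* }        # everything after the first space
        case $attrs in
            *i*|*a*) printf '%s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# audit_dir: run the real lsattr recursively over a directory (needs
# e2fsprogs and a filesystem that supports these flags, e.g. ext2/3/4)
# and report the locked files. Hypothetical helper, not part of e2fsprogs.
audit_dir() {
    lsattr -R -- "$1" 2>/dev/null | flagged_files
}

# count_flagged: number of flagged entries in a block of lsattr output,
# handy for alerting when the count differs from an expected baseline.
count_flagged() {
    printf '%s\n' "$1" | flagged_files | wc -l | tr -d ' '
}

# Constructed sample of what lsattr -R might print on an ext4 volume.
# Paths and flags are made up for the demonstration.
SAMPLE_LSATTR='-----------------e- ./bin/ls
----i------------e- ./bin/ps
./var/log:
-----a-----------e- ./var/log/auth.log
-----------------e- ./var/log/dpkg.log'

if [ -n "${1:-}" ]; then
    audit_dir "$1"                              # e.g. sh audit.sh /usr/bin
else
    printf '%s\n' "$SAMPLE_LSATTR" | flagged_files
fi
```

Run it with a directory argument to audit a live system; without arguments it runs over the constructed sample and reports ./bin/ps (immutable) and ./var/log/auth.log (append-only). An append-only flag on a log is what you expect after applying the technique above; an immutable flag on a binary you never locked is the pattern the rootkit note describes and is worth comparing against your package manager's checksums.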
