
How To: Protect a file or directory from being deleted or changed by root

The following article is a guest article that will teach you how to protect a file or directory from being deleted or changed – even by root. This is a handy skill to have as you may have files you want to ensure are never changed.

This time, I’m going to do very little editing, not out of laziness but because I really don’t seem to need to do much. I only need to make some formatting changes and we’ll be good.

Note: I forgot to ask the author if they want me to disclose their name. It’s a little late in the day now, as they’re in another time zone entirely, so when they see this they can let me know if they want their name credited/anything linked from it.

Without further ado…

Protect A File Or Directory:

Sometimes we come across files/directories in Linux that we don’t want to be changed. It won’t be long before we realize making a file “read only” through the GUI of our desktop environment doesn’t work the way we want to because the root user is still able to alter that file.

In this article I’m going to show you how to protect ANY file or directory from being deleted or changed even by the root user. For this example I’ll use xorg.conf which is nvidia’s config file.

Files:

In order to make xorg.conf immortal, as I like to call this process, open terminal and type:

sudo chattr +i /etc/X11/xorg.conf

and press enter. To make sure the file has become immutable, which is what the +i stands for, open it as root in your favorite text editor (sudo gedit /etc/X11/xorg.conf). Some text editors will allow you to write new content to the file but they won’t allow you to save the changes because the file is already immutable. Other text editors won’t react to pressing keys and there will be a “read only” string in the title bar next to the file name.

Making an immutable file changeable again is pretty much the same, with the only difference being that instead of a + you must use a minus symbol:

sudo chattr -i /etc/X11/xorg.conf

Directories:

You can also make a directory immutable or even a set of subdirectories. For this example open your home directory in your favorite file manager, then open terminal and type:

mkdir -pv testdir/dir2/

Now, here comes a slightly tricky part that you need to remember for making the directories immutable to work: placing a slash after the names tells the shell that dir2 is a directory and not a file. If you type /testdir/dir2, the shell will think dir2 is a file and will return an error.

If you have entered the command correctly, you will see this output:

mkdir: created directory „'testdir'“
mkdir: created directory „'testdir/dir2/'“

If you have closed terminal, open it again in your home directory where you just created these two directories and type (exactly the way you see it, with the capital R and V):

sudo chattr -RV +i testdir/

-R stands for “recursive”, meaning it will do the same operation to all subdirectories, including dir2.
-V stands for “verbose” which will display what has been done.

In order to test this, simply select testdir in your file manager and press Delete to try to delete it. You’ll see an error message, which means testdir and the dir2 inside it have both become “immortal” and now nobody can delete them, not even root.

Undoing this is the same command, only instead of +i, you must use -i.
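A more direct check than opening an editor or pressing Delete is to read the attribute flags back with lsattr and look for the i flag. The script below is an added example, not part of the guest author's article; the function names are hypothetical and the sample lines in the comments are constructed.

```bash
#!/bin/sh
# Added example: confirm the immutable flag with lsattr.
# lsattr prints one line per entry: "<flags> <path>", for instance
#   ----i---------e------- /etc/X11/xorg.conf     (constructed sample)

# has_immutable_flag LINE
# Returns 0 when the flags field (first word) of an lsattr line contains 'i'.
# Only the flags field is inspected, so an 'i' in the path cannot
# produce a false positive.
has_immutable_flag() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# count_mutable
# Reads lsattr output on stdin, names every entry that lacks the
# immutable flag on stderr, and prints the number of such entries.
count_mutable() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if ! has_immutable_flag "$line"; then
            n=$((n + 1))
            printf 'NOT immutable: %s\n' "${line#* }" >&2
        fi
    done
    printf '%s\n' "$n"
}

# audit_tree DIR
# Checks DIR and everything below it. "lsattr -d" lists a directory
# itself instead of its contents, so every output line has the same
# "<flags> <path>" shape and no directory header lines appear.
audit_tree() {
    find "$1" \( -type f -o -type d \) -exec lsattr -d {} + 2>/dev/null |
        count_mutable
}

# Usage after "sudo chattr -RV +i testdir/":
#   audit_tree testdir/     # prints 0 when every entry is immutable
```

A file created inside testdir before the chattr run is covered by -R, and the audit prints a non-zero count if any entry was missed or has since had the flag removed.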

Closure:

And there you have it, a fairly well written article that I didn’t do much to other than some basic formatting. If there’s an error, don’t blame me! Ha! It looks right to me and jibes with what I know on the subject, but I did not actually go through and test this. I trust the author to know what they’re talking about.

By the way, if you have a favorite subject and want to write an article, it really is that easy. Up in the upper right, click on the ‘contribute’ and I’ve made it even easier. (Don’t worry if it won’t let you pick a category, it’ll go through – and I still have to pick a category for it anyhow. All that does is save it as a draft for me to work on. It certainly doesn’t publish anything without my intervention. That’d just be silly talk!)


KGIII

Retired mathematician, residing in the mountains of Maine. I may be old and wise, but I am not infallible. Please point out any errors. And, as always, thanks again for reading.
