Master Linux File Attributes: Using chattr for Immutable and Append‑Only Files

Common chattr Flags

A

: Atime – tells the system not to update the file's last access time. S: Sync – forces the system to write changes to disk immediately after a write operation. a: Append‑Only – allows only data to be appended to the file; the file cannot be overwritten or truncated. When set on a directory, new files can be created and modified, but existing files cannot be deleted. b: Do not update the file or directory's last access time. c: Compress – stores the file or directory in a compressed form. d: Dump – the file or directory will be ignored by dump backup utilities. D: Checks for errors in compressed files. i: Immutable – the system disallows any modifications to the file. If set on a directory, files inside can be modified but new files cannot be created or deleted. s: Secure delete – permanently removes the file by overwriting its disk blocks with zeros. u: Undelete – retains the file's data blocks after deletion to allow recovery. t: Tail‑merging – enables tail merging in the file system. X: Allows direct access to the contents of compressed files.

Typical chattr Commands

Lock a file so it cannot be deleted or changed: chattr +i /etc/passwd Make a file append‑only (cannot delete, only add data): chattr +a /etc/passwd View file attributes: lsattr /etc/passwd Unlock a file (remove immutable flag):

chattr -i /home/jiaxu/test.txt

Hiding the chattr Command

To conceal the use of chattr, rename the binary and use an alias:

which chattr
mv /usr/bin/chattr /opt/ftl/
cd /opt/ftl/
mv chattr h    # rename to "h" to hide identity
/opt/ftl/h +i /home/jiaxu/test.txt   # use hidden command to set immutable flag
lsattr /home/jiaxu/test.txt   # verify attribute

Restoring the Hidden Command

Move the renamed binary back and remove the immutable flag:

mv h /usr/bin/chattr
chattr -i /home/jiaxu/test.txt
lsattr /home/jiaxu/test.txt