chattr:設置特殊權限
lsattr:查看特殊權限
chattr [+-=] [ASacdistu] [文件或目錄名稱]
參數說明:
+-=:分別是"+"(增加)、"-"(減少)、"="(設定)屬性
A:當設定了屬性A,這個文件(或目錄)的存取時間atime(access)將不可被修改,可避免諸如手提電腦容易產生磁盤I/O錯誤的情況;
S:這個功能有點類似sync,是將數據同步寫入磁盤中,可以有效避免數據流失;
a:設定a後,這個文件將只能增加數據而不能刪除,只有root才能設定這個屬性;
c:設定這個屬性後,將會自動將此文件壓縮,在讀取時自動解壓縮。但是在存儲的時候,會現進行壓縮在存儲(對於大文件很有用);
d:當dump(備份)程序執行時,設定d屬性將可使該文件(或目錄)具有dump功效;
i:這個參數可以讓一個文件”不能被刪除、更名、設定鏈接,也無法寫入數據,對於系統安全有很大的助益
j:當使用ext3文件系統格式時,設定j屬性將使文件在寫入時先記錄在日志中,但是當filesystem設定參數為data=journalled時,由於已經設定了日志,所以這個屬性無效
s:當文件設定了s參數時,它會被完全移出這個硬盤空間
u:與s相反,當使用u配置文件時,數據內容其實還可以存在於磁盤中,可以用來取消刪除
lsattr [-aR]
參數說明:
-a :將隱藏文件的屬性也顯示出來
-R :連同子目錄的數據一並顯示出來
更改下列文件權限,使任何人沒有更改賬戶權限:
chattr +i /etc/passwd chattr +i /etc/shadow chattr +i /etc/group chattr +i /etc/gshadow
man文檔真的很強大,可以看看
[root@client ~]# man chattr
CHATTR(1) CHATTR(1)
NAME
chattr - change file attributes on a Linux file system
chattr - 在EXT2文件系統上改變文件屬性
SYNOPSIS
chattr [ -RVf ] [ -v version ] [ mode ] files...
DESCRIPTION
chattr changes the file attributes on a Linux file system.
chattr 改變EXT2文件系統上的一個文件的屬性
The format of a symbolic mode is +-=[acdeijstuADST].
參數符號格式是 +-=[acdeijstuADST].
The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files; ‘-’ causes them to be removed; and ‘=’ causes them to be the only attributes that the files have.
操作符 '+' 表示將選中的屬性增加到指定的文件上; '-' 則表示刪除該屬性;'=' 表示文件僅僅設置指定的屬性
The letters ‘acdeijstuADST’ select the new attributes for the files: append only (a), compressed (c), no dump (d), extent format (e), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).
字母 'acdeijstuADST' 分別表示下面的屬性: 僅追加(a), 壓縮 (c), 不備份(d),擴展格式(e), 不可更改的(i), 數據日志 (j), 安全刪除 (s), 非尾部合並(t), 不可刪除 (u), 不更新atime (A), 同步目錄更新 (D),同步更新 (S), 和目錄層次結構的頂級? (T).
The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr: huge file (h), compression error (E), indexed directory (I), compression raw access (X), and compressed dirty file (Z).
接下來的屬性都是只讀的,可以用lsattr查看,不能用chattr進行修改:大文件(h), 壓縮錯誤(E), 索引目錄(I), 壓縮的原始訪問?(X), 和壓縮的零碎文件(Z).
OPTIONS
-R Recursively change attributes of directories and their contents.
-R 遞歸改變目錄和目錄的內容.
-V Be verbose with chattr’s output and print the program version.
-V 詳細的命令輸出和打印程序版本
-f Suppress most error messages.
-f 抑制大多數錯誤信息
-v version
Set the file’s version/generation number.
-v 設置文件的版本/代號
ATTRIBUTES
When a file with the ’A’ attribute set is accessed, its atime record is not modified. This avoids a certain amount of disk I/O for laptop systems.
當訪問一個設置了 ‘A' 屬性的文件時,atime記錄並不修改。這可以在筆記本上避免大量的磁盤I/O操作。
A file with the ‘a’ attribute set can only be open in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
如果文件設置了 ‘a’ 屬性,數據只能采用追加模式,僅僅超級用戶或者擁有CAP_LINUX_IMMUTABLE能力的進程可以設置和刪除該屬性。
A file with the ‘c’ attribute set is automatically compressed on the disk by the kernel. A read from this file returns uncompressed data. A write to this file compresses data before storing them on the disk. Note: please make sure to read the bugs and limitations section at the end of this document.
如果文件設置了 ‘c’ 屬性, 那麼當這個文件在進行寫操作時,它將自動被壓縮,並且在讀的時候, 自動解壓.在存儲到磁盤時先壓縮數據。
When a directory with the ‘D’ attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the ‘dirsync’ mount option applied to a subset of the files.
如果一個目錄設置了 ‘D'屬性,任何改變將同步到磁盤;這等價於mount命令中的dirsync選項,同步目錄。
A file with the ‘d’ attribute set is not candidate for backup when the dump(8) program is run.
如果一個文件設置了 ‘d’ 屬性,dump(8)運行時,不會備份它。
The ’E’ attribute is used by the experimental compression patches to indicate that a compressed file has a com- pression error. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
‘E’ 屬性目前是一個實驗性質的壓縮選項,用來標記壓縮出現錯誤的文件。目前它還不能使用chattr來設置或者重置,雖然能使用lsattr命令來顯示。
The ’e’ attribute indicates that the file is using extents for mapping the blocks on disk. It may not be removed using chattr(1).
The ’I’ attribute is used by the htree code to indicate that a directory is being indexed using hashed trees. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
The ’h’ attribute indicates the file is storing its blocks in units of the filesystem blocksize instead of in units of sectors, and means that the file is (or at one time was) larger than 2TB. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
A file with the ‘j’ attribute has all of its data written to the ext3 journal before being written to the file itself, if the filesystem is mounted with the "data=ordered" or "data=writeback" options. When the filesystem is mounted with the "data=journal" option all file data is already journalled and this attribute has no effect. Only the superuser or a process possessing the CAP_SYS_RESOURCE capability can set or clear this attribute.
When a file with the ‘s’ attribute set is deleted, its blocks are zeroed and written back to the disk. Note: please make sure to read the bugs and limitations section at the end of this document.
When a file with the ‘S’ attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the ‘sync’ mount option applied to a subset of the files.
A directory with the ’T’ attribute will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator. This is a hint to the block allocator used by ext3 and ext4 that the subdirectories under this directory are not related, and thus should be spread apart for allocation purposes. For example it is a very good idea to set the ’T’ attribute on the /home directory, so that /home/john and /home/mary are placed into separate block groups. For directories where this attribute is not set, the Orlov block allocator will try to group subdirectories closer together where possible.
A file with the ’t’ attribute will not have a partial block fragment at the end of the file merged with other files (for those filesystems which support tail-merging). This is necessary for applications such as LILO which read the filesystem directly, and which don’t understand tail-merged files. Note: As of this writing, the ext2 or ext3 filesystems do not (yet, except in very experimental patches) support tail-merging.
When a file with the ‘u’ attribute set is deleted, its contents are saved. This allows the user to ask for its undeletion. Note: please make sure to read the bugs and limitations section at the end of this document.
The ’X’ attribute is used by the experimental compression patches to indicate that a raw contents of a compressed file can be accessed directly. It currently may not be set or reset using chattr(1), although it can be dis- played by lsattr(1).
The ’Z’ attribute is used by the experimental compression patches to indicate a compressed file is dirty. It may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
AUTHOR
chattr was written by Remy Card <[email protected]>. It is currently being maintained by Theodore Ts’o
<[email protected]>.
BUGS AND LIMITATIONS
The ‘c’, ’s’, and ‘u’ attributes are not honored by the ext2 and ext3 filesystems as implemented in the current
mainline Linux kernels. These attributes may be implemented in future versions of the ext2 and ext3 filesys-
tems.
The ‘j’ option is only useful if the filesystem is mounted as ext3.
The ‘D’ option is only useful on Linux kernel 2.5.19 and later.
AVAILABILITY
chattr is part of the e2fsprogs package and is available from http://e2fsprogs.sourceforge.net.
SEE ALSO
lsattr(1)
E2fsprogs version 1.41.12 May 2010 CHATTR(1)