Fedora Linux

backup.star.gz artype= exustar -acl
star: WARNING: skipping leading '/' on filenames.
Release star 1.5a69 (i386-redhat-linux-gnu)
Archtype exustar
Dumpdate 1146974078.733347 (Sat May 6 23:54:38 2006)
Volno 1
Blocksize 20
x home/ directory
x home/john/ directory
x home/john/.bash_logout 24 bytes, 1 tape blocks
x home/john/.bash_profile 191 bytes, 1 tape blocks
x home/john/.bashrc 124 bytes, 1 tape blocks
x home/john/.gtkrc 120 bytes, 1 tape blocks
...(Lines snipped)...

8.3.4. Where Can I Learn More?

? The manpages for acl(5) , getfacl , and setfacl

? The manpages for star and spax

8.4. Making Files Immutable

Because the root user can override permissions, file permissions alone are not enough to ensure that a file will not be changed. But when a file is made immutable , it cannot be changed by anyone.

8.4.1. How Do I Do That?

To make a file immutable, use the chattr (change attribute) command to add the i attribute to the file:

# chattr +i foo
# date >> foobash: foo: Permission denied
# mv foo baz
mv: cannot move Qfoo' to Qbaz': Operation not permitted
# rm foo
rm: cannot remove Qfoo': Operation not permitted

You can find out if the i attribute has been set by using the lsattr (list-attribute) command:

# lsattr foo
----i-------- foo

The presence of the i in the output indicates that the file foo has been made immutable.

Removing the i attribute causes the file to act normally again:

# chattr -i foo
#
date >>foo
#
mv foo baz
#
rm baz
# ls baz
ls: baz: No such file or directory

8.4.2. How Does It Work?

The immutable capability is provided by the ext2/ext3 filesystems. Each file has an immutable flag that is part of the ext2/ext3 file attributes; when set, the ext2/ext3 code in the kernel will refuse to change the ownership, group, name, or permissions of the file, and will not permit writing, appending, or truncation of the file.

By making configuration files and programs immutable, you can provide a small measure of protection against change. This can be used to guard against accidental changes to configuration files. It can also prevent a program from being subverted to change files it should not; although SELinux provides similar protection, you may add software to your system that is not covered by the SELinux targeted policy.

Do not attempt to upgrade or remove software packages if you've made any of the files belonging to those packages immutable! Doing so may render your system unusable. Be particularly careful if you are using immutable files on a system that has automatic yum updates enabled. 

8.4.3. What About...

8.4.3.1. ...making an entire subtree immutable?

The -R option to chattr causes it to operate recursively over all of the files and subdirectories within a directory:

# chattr -R +i /etc