Invisible Linux File Permissions with Chattr
I don't remember where exactly I picked up this trick, but it doesn't seem to be particularly well known, so I thought I would share it here. On Linux (yes, Linux specifically, not BSD, Solaris, etc.) there is a command called chattr, shipped with e2fsprogs, for changing file attributes: a set of per-inode flags that live alongside, and independently of, the usual mode bits.
Some of the available attributes are rather useful, for example a for append only (handy for log files) or s for a file to be automatically zeroed on delete (which, as the chattr man page warns, the mainline ext2/ext3/ext4 code does not actually honour). And then there is the immutable flag i, which is just plain evil.
It works something like this: set the flag with chattr +i, then try to write to, rename or delete the file. You know that you are in trouble when even root receives an error. Strictly, the error is Operation not permitted (EPERM) rather than the Permission denied (EACCES) that mode bits produce, and that distinction is itself a useful tell.
Below is a matrix to illustrate the interaction with the traditional chmod permissions, from the point of view of an unprivileged user trying to write to the file. Root bypasses the mode bits (CAP_DAC_OVERRIDE), so for root the chmod -w column reads Okay; root does not bypass the immutable flag.

|            | chmod +w                | chmod -w                |
|------------|-------------------------|-------------------------|
| chattr -i  | Okay                    | Permission denied       |
| chattr +i  | Operation not permitted | Operation not permitted |
This can be useful for hacking around applications that are chmod aware and too smart for their own good. By default dhcpcd, for example, will blindly clobber everything inside /etc/resolv.conf with whatever random DNS server the router tells it, which is not cool at all. If you use chmod to make /etc/resolv.conf non-writable, dhcpcd will simply reverse the permissions. It does not know about chattr +i though, and it could not undo it if it did: the immutable flag blocks metadata changes as well, so the chmod it attempts fails along with the write. The flip side is that the flag blocks you too, so remember to chattr -i before editing the file yourself or letting a package upgrade touch it.
It is also useful against humans who do not know their system as well as you do. I have heard stories of penetration testers giving Blue Team defenders a hard time with this little trick. For the defender, the tell is a file that looks perfectly ordinary in ls -l yet refuses writes, renames and deletes with Operation not permitted even as root; lsattr shows the flag, and chattr -i clears it. Setting or clearing the flag requires CAP_LINUX_IMMUTABLE, which root normally has but a container or a process that has dropped the capability does not.
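The following script is an added example and not code from the original post. It walks through the trick on a scratch file rather than the real /etc/resolv.conf (the nameserver line it writes is constructed, using an RFC 5737 documentation address) and exercises the behaviour from the matrix above and the dhcpcd paragraph: with the flag set, an append, a chmod and an rm all fail, even for root. It also includes the check a defender would run, a small parser over lsattr output, which needs no privileges. The demo part assumes root, CAP_LINUX_IMMUTABLE and a filesystem that supports chattr (ext4, xfs or btrfs); otherwise it skips itself.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates chattr +i on a
# throwaway file and the lsattr-based check, since ls -l never shows the flag.

# Report whether flag $2 (a single letter such as i, a or s) is set in one
# line of lsattr output, e.g. "----i---------e------- /etc/resolv.conf".
# The attribute field is everything before the first space, so this is
# plain text processing and works without root.
lsattr_line_has_flag() {
    flags=${1%% *}
    case "$flags" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Query the real flags of a file; returns 2 if lsattr cannot read them.
is_immutable() {
    line=$(lsattr -d -- "$1" 2>/dev/null) || return 2
    lsattr_line_has_flag "$line" i
}

# Walk through the trick on a scratch file instead of the real resolv.conf.
demo() {
    f=$(mktemp "${TMPDIR:-/var/tmp}/immutable.XXXXXX") || return 1
    # Constructed content: 192.0.2.1 is a documentation address (RFC 5737).
    printf 'nameserver 192.0.2.1\n' > "$f"
    chmod 644 "$f"                       # mode bits say: owner may write
    if ! chattr +i "$f" 2>/dev/null; then
        echo "chattr +i failed: need root and a supporting filesystem"
        rm -f "$f"
        return 1
    fi
    ls -l "$f"                           # looks perfectly ordinary
    lsattr -d -- "$f"                    # the 'i' in the flag field gives it away

    # An append, as dhcpcd would do, fails with EPERM even for root.
    if { printf 'nameserver 192.0.2.2\n' >> "$f"; } 2>/dev/null; then
        echo "unexpected: append succeeded"
    else
        echo "append denied (Operation not permitted) as uid $(id -u)"
    fi
    # A chmod-aware program cannot "fix" the mode bits: immutable blocks
    # metadata changes too.
    chmod u+w "$f" 2>/dev/null || echo "chmod denied as well"
    # Nor can the file be unlinked while the flag is set.
    rm -f "$f" 2>/dev/null || echo "rm denied as well"

    is_immutable "$f" && echo "is_immutable: yes"
    # Clearing the flag needs CAP_LINUX_IMMUTABLE; after that root is root again.
    chattr -i "$f" && rm -f "$f" && echo "flag cleared, file removed"
}

if [ "$(id -u)" -eq 0 ]; then
    demo || true
else
    echo "demo skipped: run as root to see chattr +i in action"
fi
```

Run it as root on an ext4, xfs or btrfs filesystem to see the full sequence; unprivileged, only the parsing helpers are usable, which is exactly the situation a defender scripting a sweep of lsattr -R output over a suspect directory would be in.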