City College of San Francisco - CS260A - Unix/Linux System Administration
Module: Administration Basics II
Linux ext4 (and, to a lesser extent, ext2 and ext3) filesystems have certain attributes that can be set to invoke special controls on a file-by-file basis. We will cover a number of these attributes here. We will discover, unfortunately, that the three most enticing of these attributes (c, u and s) are still unimplemented in the kernel for the ext family. Besides that, the attributes are an ext-family feature: other local filesystems honor only a subset of them (XFS, for example, honors i, a, A, S, d and D but none of the ext-specific ones), and network filesystems such as NFS honor none. Since XFS is now the default filesystem on Red Hat-family distributions, their use is of more limited value than it first appears.
File attributes are changed by the chattr command (chflags on BSD/OS X) and queried by the lsattr command.
chattr uses +Y to turn on attribute Y and -Y to turn it off. (Yes, it is intuitive: + adds and - deletes, unlike the set command.)
chattr option letters (used with +/- and output by lsattr(1)):
A: don't update the last access time (atime) when the file is read. (Most modern distributions mount with relatime, which already suppresses most atime updates, so the effect of A is often invisible.)

a: append-only. Writes to this file can only append to it: it can be opened for writing only with O_APPEND, and it cannot be truncated, removed, or renamed, nor can hard links be made to it. It can still be read. On a directory, files can be created but not removed or renamed. Only a process with the CAP_LINUX_IMMUTABLE capability (in practice, root) can toggle the append-only attribute. Even root is governed by the append-only attribute while it is set, but root can clear it.

c: compress. The file is stored compressed; writes to the file are compressed as they are written, and reads from the file return uncompressed data. This option sounds great, but on ext2, ext3 and ext4 it is unimplemented: the kernel stores the bit and ignores it. (btrfs does honor +c.)

e: extents. The file's blocks are mapped with extents rather than the indirect-block scheme of ext2 and ext3. It is set on every file created on an ext4 filesystem (files inherited from a converted ext3 filesystem may lack it) and it cannot be cleared with chattr.

i: immutable. This file cannot be changed, truncated, renamed, or removed, no hard links can be made to it, and it cannot be opened for writing at all, even by root. Only a process with CAP_LINUX_IMMUTABLE (in practice, root) can set or clear the immutable attribute. root is governed by it while it is set, but can clear it.

s: secure delete. A file marked for secure delete is supposed to have its data blocks zeroed when it is removed. This is not implemented on ext4, and it was never implemented on ext2 or ext3 either: the bit is stored and ignored.

t: no tail-merging. A file so marked will not have its partially filled last block merged with the tails of other files, on filesystems that do tail-merging (reiserfs does). ext2, ext3 and ext4 do not tail-merge, so the attribute is meaningless on them.

T: top of directory hierarchy. A directory so marked is treated by the inode allocator as the root of a hierarchy whose subdirectories are unrelated and should be spread across block groups rather than clustered. Normally the inodes and blocks of a directory's subdirectories are placed near each other for efficiency, but the top of a directory hierarchy (such as / or /home) should have its subdirectories dispersed. (There is no reason for /home/gboyd and /home/amoghtan to be allocated "close together", but the subdirectories of /home/gboyd should be "close", so /home should be marked +T while /home/gboyd should not be.) The attribute is implemented in ext2, ext3 and ext4 (their Orlov allocator consults it), although its effect is hard to observe from user space.

There are also attributes for synchronous directory updates (D: changes to a directory so marked are written to disk synchronously), synchronous file updates (S: the per-file equivalent of mount -o sync), no dump (d: dump(8) skips the file), data journaling (j: on ext3 and ext4 the file's data, not just its metadata, goes through the journal), and undeletable (u), which, like c and s, is unimplemented on the ext family.
The really enticing attribute is secure delete. Since it is unimplemented, an alternative, the shred program, has been used for years: shred repeatedly overwrites the file's data with random patterns and then (with -u) truncates and removes the file. Unfortunately, shred only works if overwriting a file rewrites the same disk blocks in place, and that assumption no longer holds in general: journaling filesystems in data=journal mode, copy-on-write filesystems and snapshots (btrfs, ZFS, LVM snapshots), compressed or network filesystems, and SSDs with wear leveling all leave old copies of the data where shred cannot reach them. Let me illustrate what happens:
Examples: We will experiment with the A attribute on a file named access. Once it is marked with chattr +A (don't update the access time), let's see if it worked:

$ date
Sun Jul 11 18:03:09 PDT 2010
$ cat access
is the access date
different?
$ ls -lu access
-rw-r--r-- 1 gboyd users 30 Jul 11 18:02 access

The access date (ls -lu shows the atime) didn't change when we accessed the file a minute later. Let's turn off the attribute and see:

$ chattr -A access
$ lsattr access
------------- access
$ ls -lu access
-rw-r--r-- 1 gboyd users 30 Jul 11 18:02 access
$ date
Sun Jul 11 18:04:40 PDT 2010
$ cat access
is the access date
different?
$ ls -lu access
-rw-r--r-- 1 gboyd users 30 Jul 11 18:04 access
$
The +i and +a attributes can be combined with permissions (or with sudo) to give additional protection to sensitive files. Thus you could allow someone to append to or examine a log file (even as root!) and yet not modify its existing contents or remove it. Keep in mind what this does and does not buy you: the attribute stops accidents and unprivileged users cold, but anyone with root (strictly, CAP_LINUX_IMMUTABLE) can run chattr -i or chattr -a first, so it is an obstacle to a careless or hurried intruder, not a boundary against a privileged one. It cuts the other way too: intruders use chattr +i to make their backdoors resist deletion, so an unexpected i or a in lsattr -R output over /etc, /usr/bin or /var/log is worth investigating.
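As an added example (not code from the CS260A page or from e2fsprogs), here is a Python script that does what lsattr does under the hood: it issues the FS_IOC_GETFLAGS ioctl, decodes the flag word into the letters in the table above, and walks a directory tree reporting every entry carrying i or a, which is how you would both verify that the log files you protected really are append-only and spot files an intruder made immutable. It also shows the FS_IOC_SETFLAGS side that chattr uses. The assumptions are mine, not the page's: a Linux system whose ioctl numbers use the common x86/arm/riscv encoding (so FS_IOC_GETFLAGS is 0x80086601 on 64-bit) and the FS_*_FL bit values from <linux/fs.h>; the demo function and its scratch file are constructed for illustration.

```python
"""Read, decode and set Linux inode attributes the way lsattr/chattr do.

Added example; not code from the CS260A page or from e2fsprogs.
Assumes Linux with the usual x86/arm/riscv ioctl encoding and the
FS_*_FL bit values from <linux/fs.h>.
"""
import fcntl
import os
import struct
import tempfile
from ctypes import c_long, sizeof

# (bit, letter) in the column order lsattr(1) prints them.
FLAG_LETTERS = [
    (0x00000001, "s"),  # secure deletion   (unimplemented on ext2/3/4)
    (0x00000002, "u"),  # undeletable       (unimplemented on ext2/3/4)
    (0x00000008, "S"),  # synchronous file updates
    (0x00010000, "D"),  # synchronous directory updates
    (0x00000010, "i"),  # immutable
    (0x00000020, "a"),  # append only
    (0x00000040, "d"),  # no dump
    (0x00000080, "A"),  # no atime updates
    (0x00000004, "c"),  # compressed        (unimplemented on ext2/3/4)
    (0x00004000, "j"),  # data journaling
    (0x00001000, "I"),  # htree-indexed directory
    (0x00008000, "t"),  # no tail-merging
    (0x00020000, "T"),  # top of directory hierarchy
    (0x00080000, "e"),  # extent-mapped
]
FS_IMMUTABLE_FL = 0x00000010
FS_APPEND_FL = 0x00000020


def _ioc(direction, typ, nr, size):
    """Linux _IOC(): dir:2 | size:14 | type:8 | nr:8 (x86, arm, arm64, riscv layout)."""
    return (direction << 30) | (size << 16) | (ord(typ) << 8) | nr


_LONG = sizeof(c_long)
FS_IOC_GETFLAGS = _ioc(2, "f", 1, _LONG)  # _IOR('f', 1, long): 0x80086601 on 64-bit
FS_IOC_SETFLAGS = _ioc(1, "f", 2, _LONG)  # _IOW('f', 2, long): 0x40086602 on 64-bit


def _open_for_ioctl(path):
    # Same open mode lsattr uses; O_NOFOLLOW so a symlink cannot redirect us.
    return os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW | os.O_CLOEXEC)


def get_flags(path):
    """Return the raw inode flag word for path (what lsattr reads)."""
    fd = _open_for_ioctl(path)
    try:
        buf = bytearray(_LONG)  # the kernel fills in an int; reserve a long
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        return struct.unpack("=I", bytes(buf[:4]))[0]
    finally:
        os.close(fd)


def set_flag(path, bit, on=True):
    """Set or clear one flag, as chattr +X / -X does.

    The kernel demands CAP_LINUX_IMMUTABLE (root, in practice) for i and a;
    without it the ioctl fails with EPERM.
    """
    fd = _open_for_ioctl(path)
    try:
        buf = bytearray(_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        flags = struct.unpack("=I", bytes(buf[:4]))[0]
        flags = flags | bit if on else flags & ~bit & 0xFFFFFFFF
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, struct.pack("=I", flags).ljust(_LONG, b"\0"))
    finally:
        os.close(fd)


def decode_flags(flags):
    """Render a flag word in lsattr's column format: 0x30 -> '----ia--------'."""
    return "".join(letter if flags & bit else "-" for bit, letter in FLAG_LETTERS)


def letters(flags):
    """Only the letters that are set: 0x30 -> 'ia'."""
    return decode_flags(flags).replace("-", "")


def find_protected(root):
    """Walk root; return ({path: letters} for entries with i or a, [(path, errno)] skipped).

    Entries on filesystems without attribute support (NFS answers ENOTTY) and
    entries we may not open are recorded as skipped rather than aborting the scan.
    """
    hits, skipped = {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                flags = get_flags(path)
            except OSError as exc:
                skipped.append((path, exc.errno))
                continue
            if flags & (FS_IMMUTABLE_FL | FS_APPEND_FL):
                hits[path] = letters(flags)
    return hits, skipped


def demo():
    """Scan a constructed scratch directory holding one ordinary file (expected: no hits)."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "auth.log"), "w") as fh:
            fh.write("constructed sample line\n")
        return find_protected(scratch)


if __name__ == "__main__":
    import sys
    for top in sys.argv[1:] or ["."]:
        found, missed = find_protected(top)
        for p, l in sorted(found.items()):
            print(f"{l:>3}  {p}")
        if missed:
            print(f"({len(missed)} entries skipped, e.g. {missed[0][0]}: {os.strerror(missed[0][1])})")
```

Run it as root over /etc or /var/log to list what is pinned down; run it as an ordinary user on an NFS home directory and every entry lands in the skipped list with ENOTTY, which is exactly the "Inappropriate ioctl for device" that lsattr reports there.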
Note: NFS filesystems do not carry attributes. Thus you cannot change or list attributes on any filesystem that is NFS-mounted (lsattr reports "Inappropriate ioctl for device"). You can only experiment with attributes on local filesystems, and with the full set only on an ext filesystem; XFS honors a subset.
At the current time, our home directories on Linux are NFS-mounted, and most local filesystems are XFS.
This page was made entirely with free software on Linux: the Mozilla Project, Kompozer, and OpenOffice.org.