Overview
The lsattr command is used in standard Linux file systems (such as ext2, ext3, and ext4) to check “special attributes” (extended attributes) that are separate from normal permissions (rwx).
This command allows you to identify files that are set to specific control states using chattr, such as “files that cannot be deleted even with root privileges” or “log files that only allow appending.” It is a critical tool for auditing security measures and system hardening settings.
Specifications (Arguments and Options)
Syntax
lsattr [options] [file or directory name]
Main Arguments and Options
| Option | Description |
| --- | --- |
| -R | Recursively list attributes of directories and their contents. |
| -a | List all files in directories, including hidden files (starting with a dot). |
| -d | List directories like other files, rather than listing their contents. |
| -v | List the file’s version/generation number. |
Basic Usage
Running the command without any options will list the attributes of the files in your current directory.
Command
# Display file attributes in the current directory
lsattr
Execution Result
The letters and dashes on the left side represent the status of the attributes, followed by the filename on the right. Usually, you will see the e (extent format) attribute.
--------------e------- ./config.txt
----i---------e------- ./important_backup.tar.gz
--------------e------- ./script.sh
In the example above, important_backup.tar.gz has the i attribute, which means it is “immutable.”
Practical Commands
Check the Attributes of a Directory Itself
By default, lsattr shows the contents of a directory. Use the -d option to check if attributes are set on the directory itself.
# Display the attributes of the /var/log directory itself
lsattr -d /var/log
Check All Files Recursively
This is used to investigate the attributes of every file under a specific directory. It is helpful for detecting unauthorized changes to system files.
# Recursively display attributes under /etc/nginx/
lsattr -R /etc/nginx/
Display Version Information (Generation Numbers)
The -v option shows the generation number managed by the file system. This number changes whenever a file is created or recreated. While rarely used in daily tasks, it is sometimes utilized by NFS or specific backup tools.
# Display attributes and the generation number
lsattr -v sample.txt
Customization Points
- Specifying Targets: If no file is specified, the current directory is used. You can also use wildcards, such as lsattr /boot/*.
- Meaning of Attributes:
  - i (Immutable): Prevents any modification, deletion, renaming, or link creation.
  - a (Append Only): Only allows adding data to the end of the file; overwriting or deleting is forbidden.
  - e (Extents): Indicates the file is using extents for block mapping (standard in modern ext4).
Important Notes
- File System Dependency: lsattr is primarily designed for ext2, ext3, and ext4. While some other file systems like XFS provide partial support, it may not work in all environments.
- Difference from ls -l: Even if you have write permission (w) in ls -l, you cannot edit or delete a file if the i attribute is set. If you encounter a situation where you cannot delete a file despite having permission, check this command.
- Sudo Requirement: While regular users can usually view attributes, you may need sudo to view files inside directories where you lack read permissions.
Application
Extract Only Files with the Immutable (i) Attribute
This example shows how to find important files in the system that are set to “cannot be modified.”
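# Search for files with the 'i' attribute in the current directory and its subdirectories.
# The pattern is anchored to the attribute field at the start of each line, so filenames
# containing "-i-" do not match and entries with adjacent flags (such as "ia") are still found.
lsattr -R | grep -E '^[-A-Za-z]*i[-A-Za-z]* '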
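The following is an added example, not part of the original page: it goes one step beyond the grep above by parsing lsattr -R output and reporting both immutable (i) and append-only (a) entries while skipping directory headers. The function names and the sample listing are constructed for illustration, and it assumes the scanned paths start with ./ or /.

```shell
#!/bin/sh
# Added example: classify `lsattr -R` output by attribute flag.

# Constructed sample of `lsattr -R` output (not captured from a real system).
sample_lsattr_output() {
    cat <<'EOF'
--------------e------- ./config.txt
----i---------e------- ./important_backup.tar.gz
--------------e------- ./notes-i-draft.txt
--------------e------- ./logs

./logs:
-----a--------e------- ./logs/audit.log
----ia--------e------- ./logs/sealed archive.log
EOF
}

# Read `lsattr -R` output on stdin and print "<label><TAB><path>" for every
# entry carrying i (immutable) or a (append-only).
# Assumption: scanned paths start with "./" or "/", so "dir:" header lines
# can never look like a flag field.
report_locked_files() {
    awk '
        # Entry lines begin with a flag field made only of letters and dashes,
        # followed by one space. Blank lines and "./dir:" headers do not match.
        match($0, /^[-A-Za-z]+ /) {
            flags = substr($0, 1, RLENGTH - 1)
            path  = substr($0, RLENGTH + 1)   # keeps spaces in filenames
            # index() is case-sensitive: uppercase A and I are different flags.
            if (index(flags, "i")) printf "immutable\t%s\n", path
            if (index(flags, "a")) printf "append-only\t%s\n", path
        }'
}

# On a live system: lsattr -R /etc 2>/dev/null | report_locked_files
sample_lsattr_output | report_locked_files
```

Saving the report from a known-good state and comparing later runs against it with diff shows any entry whose i or a flag has been added or cleared.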
Summary
The lsattr command visualizes “special file system attributes” hidden behind normal permission settings. It is often the only way to confirm if a file has the i attribute (immutable) or the a attribute (append-only), which even the root user cannot bypass. We recommend checking this command alongside ls -l when performing security audits or troubleshooting mysterious “Permission denied” errors.
