
My OS: Debian 9.
The filesystem on my disk:

    $ sudo blkid | awk '{print $1, $3}'
    /dev/sda2: TYPE="ext4"
    /dev/sda1: TYPE="vfat"
    /dev/sda3: TYPE="ext4"
    /dev/sda4: TYPE="ext4"
    /dev/sda5: TYPE="swap"

Now to chattr +i for my /etc/resolv.conf:

    $ sudo chattr +i /etc/resolv.conf
    chattr: Operation not supported while reading flags on /etc/resolv.conf
    $ ls -al /etc/resolv.conf
    lrwxrwxrwx 1 root root 31 Jan  8 15:08 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
    $ sudo mount -o remount,acl /
    $ sudo chattr +i /etc/resolvconf/run/resolv.conf
    chattr: Inappropriate ioctl for device while reading flags on /etc/resolvconf/run/resolv.conf

How to set chattr +i for my /etc/resolv.conf?

  1. /dev/sda1 is empty for windows.

  2. My debian is installed on /dev/sda2

    $ df 
    Filesystem     1K-blocks     Used Available Use% Mounted on
    udev             1948840        0   1948840   0% /dev
    tmpfs             392020     5848    386172   2% /run
    /dev/sda2       95596964 49052804  41644988  55% /
    
  3. acl is installed.

    $ dpkg -l acl    
    Desired=Unknown/Install/Remove/Purge/Hold   
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)    
    ||/ Name           Version      Architecture Description   
    +++-==============-============-============-=================================
    ii  acl            2.2.52-3+b1  amd64        Access control list utilities   
    
  4. No output info from these findmnt commands:

    sudo findmnt -fn / | grep -E "acl|user_xattr"
    sudo findmnt -fn / | grep vfat
    sudo findmnt -fn $(dirname $(realpath /etc/resolv.conf)) | grep tmpfs
    
sourcejedi
scrapy
  • Why do you want to make it immutable in the first place? If there's some process making unwanted changes to it, we should rather go after this one and change the underlying issues instead of going for the symptoms. But after all, it's best left to be managed e.g. by `systemd-resolved`. – Elias Probst Feb 05 '18 at 09:49
  • Possibly related question: [Unable to change file attributes (e.g. immutable) on /etc/resolv.conf](https://askubuntu.com/questions/732748/unable-to-change-file-attributes-e-g-immutable-on-etc-resolv-conf). My guess is that `/etc/resolvconf/run` is mounted with a `tmpfs` filesystem, like the linked question. – ErikF Feb 05 '18 at 10:14
  • Please add results of `ls -l /etc/resolvconf/run/resolv.conf` and `(cd /etc/resolvconf/run/; until findmnt . ; do cd .. ; done)` – ctrl-alt-delor Feb 05 '18 at 10:23
  • It seems that every clueless moron who writes some half-arsed network management tool or script thinks that it is acceptable to blow away a hand-crafted /etc/resolv.conf and replace it with some garbage that only works in the imaginary fantasy-land of the author's imagination, not in the real world. If you don't want your /etc/resolv.conf being mangled by programs like systemd-resolved or network manager, then you need to either a) configure them to stop doing that, or b) stop using them. In your case, something (probably systemd-resolved) has replaced your /etc/resolv.conf with a symlink. – cas Feb 05 '18 at 11:01
  • @cas, or the ISC DHCP client? – ilkkachu Feb 05 '18 at 11:11
  • yep. fortunately, it can be configured to not do that. There's also the dreadful `resolvconf` package, whose sole purpose is to mangle /etc/resolv.conf - I've said it before but `apt-get purge` is effective but unsatisfyingly inadequate, there should be a `--kill-it-with-fire` or `--banish-to-hell` option for miserable system-breaking junk like that. – cas Feb 05 '18 at 11:17
  • Please show output of `ls -l /etc/resolvconf/run/resolv.conf` and `(cd /etc/resolvconf/run/; until findmnt . ; do cd .. ; done)`; don't grep the data away. `ACL` has nothing to do with it. It seems that pretty much all help you are getting is going the wrong way. – ctrl-alt-delor Feb 05 '18 at 13:32

5 Answers

Try with the -f flag:

    sudo chattr -f +i /etc/resolv.conf

Jeff Schaller
  • Amazing! This solved my issue! I can now successfully modify /etc/resolv.conf on my Raspberry Pi (with Samba4 Active Directory)! – HansLindgren Feb 03 '23 at 16:01


Your /etc/resolv.conf is probably a symlink. See this explanation for further information.

You could try:

    chattr +i "$(realpath /etc/resolv.conf)"

Does the root mountpoint support Access Control Lists (acl) or Extended Attributes?

Check it via:

    findmnt -fn / | grep -E "acl|user_xattr" || echo "acl or user_xattr mount option not set for mountpoint /"

Is your root partition of the type 'VFAT'? I believe 'VFAT' does not support ACLs.

Check it via:

    findmnt -fn / | grep vfat

Or maybe your symlink target directory is a tmpfs? ACLs are lost on tmpfs

Test it:

    findmnt -fn $(dirname $(realpath /etc/resolv.conf)) | grep tmpfs && echo $(dirname $(realpath /etc/resolv.conf)) is tmpfs

cheers

muru
domson
  • It's not an xattr. – ilkkachu Feb 05 '18 at 09:56
  • @DominikKummer wouldn't that be [`setfattr`](http://manpages.ubuntu.com/manpages/xenial/en/man1/setfattr.1.html)/`getfattr` - see `man xattr`'s related section – muru Feb 05 '18 at 10:12
  • @muru: absolutely! the question mentions that the mount option acl was set. Does vfat support acl? I am afraid the questioner's root partition is VFAT. – domson Feb 05 '18 at 10:18
  • No FAT system supports extended attributes, permissions, or anything much else. – ctrl-alt-delor Feb 05 '18 at 10:28
  • @DominikKummer how do you know that the root fs is fat? You can not tell from `/dev/sda1: TYPE="vfat"`, and `sudo mount -o remount,acl /` did not error. They need xattr (acl will not help). – ctrl-alt-delor Feb 05 '18 at 10:30
  • @ctrl-alt-delor: I don't know it yet, I asked the questioner to test for it via `find -fn / | grep vfat`. – domson Feb 05 '18 at 10:33
  • Is UMSDOS still supported? Apparently not, ["UMSDOS was removed from the Linux 2.6.11 kernel for lack of maintenance."](https://en.wikipedia.org/wiki/FAT_filesystem_and_Linux#umsdos). Without it, I doubt there's any way to have a sensible root fs on VFAT, or even that single symlink. – ilkkachu Feb 05 '18 at 11:12
  • @DominikKummer What does the $ sign do in `chattr +i "$(realpath /etc/resolv.conf)"`? Where can I read on it? – Shayan Aug 23 '19 at 18:05
  • @shayan it is called [Command Substitution](https://www.gnu.org/software/bash/manual/bash.html#Command-Substitution) and executes a command in a subshell. The resulting output of the command within the substitution is passed to the chattr command as an argument. – domson Aug 24 '19 at 19:36
  • On Ubuntu 18.04 even your first command fails. How can resolv.conf not have a valid real path? – Freedo Mar 28 '20 at 10:41
  • @Freedo what's the actual error message? File not found? – domson Mar 29 '20 at 21:03


As you saw, it seems you can't set chattr attributes on symlinks. Also, they're not supported on tmpfs. The man page for chattr mentions that

> Not all flags are supported or utilized by all filesystems; refer to filesystem-specific man pages such as btrfs(5), ext4(5), and xfs(5) for more filesystem-specific details.

And there's no mention of the immutable flag or chattr in tmpfs(5).

ACLs or extended attributes have nothing to do with this; chattr attributes are stored directly on the inode, as seen for ext4 in this table of the inode structure.


You'll need to find some other way to prevent your programs from modifying it. systemd-resolved should be smart enough to leave the file alone if you replace the symlink with a static file:

> Three modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:
>
> · Alternatively, /etc/resolv.conf may be managed by other packages, in which case systemd-resolved will read it for DNS configuration data. In this mode of operation systemd-resolved is consumer rather than provider of this configuration file.
>
> Note that the selected mode of operation for this file is detected fully automatically, depending on whether /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf or lists 127.0.0.53 as DNS server.

If you have other programs that might modify it (like a DHCP client), you'll have to see about reconfiguring them. Or chattr +i /etc/resolv.conf after making it a static file instead of a symlink, but beware that whatever tries to write it, might not like the resulting errors.

ilkkachu
  • This fails in containers with `chattr: Operation not permitted while setting flags` for every file. If you control the container, you might be able to get past it with `--cap-add CAP_LINUX_IMMUTABLE`. See discussion: https://github.com/moby/moby/issues/15959 – dfarrell07 Nov 12 '18 at 20:35
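
The two failure causes named in the answer above (the path is a symlink, and the filesystem holding the target does not implement the flag ioctl), as a read-only preflight check. This is an added example, not part of the original thread; the function name `immutable_preflight` and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only preflight for `chattr +i`. It changes nothing on disk.
# Prints "<kind> <resolved-target> <flags-status> <fstype>".
# immutable_preflight and its output format are illustrative, not a standard tool.

immutable_preflight() {
    path=$1
    kind=regular
    # chattr will not operate on a symlink itself ("Operation not supported"),
    # so the flag has to go on the file the link resolves to.
    [ -L "$path" ] && kind=symlink

    # -e follows symlinks, so a dangling link is caught here.
    if [ ! -e "$path" ]; then
        echo "$kind - dangling -"
        return 2
    fi
    target=$(realpath -- "$path")
    fstype=$(stat -f -c %T -- "$target" 2>/dev/null) || fstype=unknown

    # lsattr reads the inode flags that chattr would have to read first.
    # If that read fails (for example "Inappropriate ioctl for device"),
    # the filesystem holding the target cannot store the immutable flag.
    if ! command -v lsattr >/dev/null 2>&1; then
        flags=lsattr-missing
    elif attrs=$(lsattr -d -- "$target" 2>/dev/null) && [ -n "$attrs" ]; then
        case ${attrs%% *} in
            *i*) flags=already-immutable ;;
            *)   flags=flags-readable ;;
        esac
    else
        flags=flags-unsupported
    fi

    echo "$kind $target $flags $fstype"
    case $flags in
        already-immutable|flags-readable) return 0 ;;
        *) return 1 ;;
    esac
}

# Default to the file from the question when no argument is given.
immutable_preflight "${1:-/etc/resolv.conf}" || true
```

A `flags-unsupported` result on the resolved target corresponds to the "Inappropriate ioctl for device" error in the question, and a `symlink` kind corresponds to the "Operation not supported" error.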

    sudo rm /etc/resolv.conf          # remove the symlink
    sudo nano /etc/resolv.conf        # create the new file and populate it as you wish
    sudo chattr +i /etc/resolv.conf   # change its attributes as you wish

Jeff Schaller
Oduoe

Booting to a live cd or usb linux install, then browsing to resolv.conf on the hard drive allows the standard syntax for chattr to be implemented.

saphyra