Linux extended file attributes

Extended file attributes are name-value pairs that can be associated with each node in a file system. Although the POSIX.1e draft that proposed them has been withdrawn, extended file attributes are supported by many file systems. GNU tar can store extended file attributes along with the files. This feature is controlled by the following command line arguments:

--xattrs
Enable extended attributes support. When used with ‘--create’, this option instructs GNU tar to store extended file attributes in the created archive. This implies POSIX.1-2001 archive format (‘--format=pax’).

When used with ‘--extract’, this option tells tar, for each file extracted, to read the stored attributes from the archive and to apply them to the file. With sufficient privilege this restores every namespace the archive carries, including ‘security’ and ‘trusted’ names such as ‘security.capability’ (file capabilities), so narrow the set with ‘--xattrs-include’ when extracting archives you do not fully trust as root.

--no-xattrs
Disable extended attributes support. This is the default.

Attribute names are strings prefixed by a namespace name and a dot. Currently, four namespaces exist: ‘user’, ‘trusted’, ‘security’ and ‘system’. By default, when ‘--xattrs’ is used, all names are stored in the archive (or extracted, if using ‘--extract’). This can be controlled using the following options:

--xattrs-exclude=PATTERN
Specify exclude pattern for extended attributes.

--xattrs-include=PATTERN
Specify include pattern for extended attributes.

Here, the pattern is a globbing pattern. For example, the following command:

$ tar --xattrs --xattrs-exclude='user.*' -cf a.tar .

will include in the archive ‘a.tar’ all attributes, except those from the ‘ user ’ namespace.

Any number of these options can be given, thereby creating lists of include and exclude patterns.

When both options are used, first ‘--xattrs-include’ is applied to select the set of attribute names to keep, and then ‘--xattrs-exclude’ is applied to the resulting set. In other words, only those attributes will be stored whose names match one of the patterns in ‘--xattrs-include’ and don’t match any of the patterns from ‘--xattrs-exclude’.

When listing the archive, if both ‘--xattrs’ and ‘--verbose’ options are given, files that have extended attributes are marked with an asterisk following their permission mask. For example:

-rw-r--r--* smith/users 110 2016-03-16 16:07 file

When two or more ‘ —verbose ’ options are given, a detailed listing of extended attributes is printed after each file entry. Each attribute is listed on a separate line, which begins with two spaces and the letter ‘ x ’ indicating extended attribute. It is followed by a colon, length of the attribute and its name, e.g.:

-rw-r--r--* smith/users 110 2016-03-16 16:07 file
  x: 7 user.mime_type
  x: 32 trusted.md5sum
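As an added worked example, not taken from the GNU tar manual: the script below creates a file with three constructed ‘user.*’ attributes, archives it with an include pattern and an exclude pattern, shows the ‘x:’ lines that two ‘--verbose’ options print, and checks after extraction that the excluded attribute did not come back. It assumes GNU tar built with xattr support and the setfattr/getfattr tools from the attr package, and uses only the ‘user’ namespace because ‘trusted’ requires CAP_SYS_ADMIN; where tar or the filesystem cannot handle xattrs it reports that and returns 0 instead of failing.

```shell
#!/bin/sh
# Added example, not part of the GNU tar manual: archive a file with
# --xattrs-include/--xattrs-exclude, show the "x:" listing lines, and verify
# on extraction that the excluded attribute was really left out.
# Assumes GNU tar built with xattr support plus setfattr/getfattr from the
# attr package; the attribute names and values below are constructed.

_tar_xattr_body() {
    work=$1
    mkdir -p "$work/src" "$work/dst"
    printf 'hello\n' > "$work/src/file"

    # Constructed sample attributes: two we want archived, one we do not.
    if ! setfattr -n user.mime_type -v text/plain "$work/src/file" 2>/dev/null; then
        echo "skip: setfattr unavailable or filesystem mounted without user_xattr"
        return 0
    fi
    setfattr -n user.comment -v demo "$work/src/file" || return 1
    setfattr -n user.secret.token -v do-not-ship "$work/src/file" || return 1

    # --xattrs-include keeps user.*, then --xattrs-exclude removes user.secret.*
    # from that set. --xattrs switches the archive to pax format automatically.
    if ! tar -C "$work/src" --xattrs \
            --xattrs-include='user.*' --xattrs-exclude='user.secret.*' \
            -cf "$work/a.tar" file 2>/dev/null; then
        echo "skip: this tar was built without xattr support"
        return 0
    fi

    # Two -v plus --xattrs print one "  x: <len> <name>" line per attribute.
    listing=$(tar --xattrs -tvvf "$work/a.tar") || return 1
    printf '%s\n' "$listing"
    case "$listing" in
        *user.secret.token*) echo "FAIL: excluded attribute was archived"; return 1 ;;
    esac
    case "$listing" in
        *user.mime_type*) ;;
        *) echo "FAIL: included attribute is missing from the archive"; return 1 ;;
    esac

    # Restore with --xattrs and check the filter held through extraction.
    tar -C "$work/dst" --xattrs -xf "$work/a.tar" || return 1
    got=$(getfattr --only-values -n user.mime_type "$work/dst/file" 2>/dev/null) || got=""
    [ "$got" = "text/plain" ] || { echo "FAIL: user.mime_type not restored"; return 1; }
    if getfattr -n user.secret.token "$work/dst/file" >/dev/null 2>&1; then
        echo "FAIL: user.secret.token leaked into the extracted file"; return 1
    fi
    echo "ok: user.mime_type and user.comment restored, user.secret.token filtered out"
}

# Run the demo in a scratch directory that is always cleaned up.
tar_xattr_demo() {
    work=$(mktemp -d) || return 1
    _tar_xattr_body "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}

tar_xattr_demo
```

Run it as a script: it prints the ‘-tvv’ listing followed by ‘ok’, a ‘FAIL’ line, or ‘skip’. The same include/exclude pair is worth using on extraction too, since the archive side and the extract side are filtered independently.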

File access control lists (ACL) are another actively used feature proposed by the POSIX.1e standard. Each ACL consists of a set of ACL entries, each of which describes the access permissions on the file for an individual user or a group of users as a combination of read, write and search/execute permissions.

Whether or not to use ACLs is controlled by the following two options:

--acls
Enable POSIX ACLs support. When used with ‘--create’, this option instructs GNU tar to store ACLs in the created archive. This implies POSIX.1-2001 archive format (‘--format=pax’).

When used with ‘--extract’, this option tells tar to restore ACLs for each file extracted (provided they are present in the archive).

--no-acls
Disable POSIX ACLs support. This is the default.

When listing the archive, if both ‘--acls’ and ‘--verbose’ options are given, files that have ACLs are marked with a plus sign following their permission mask. For example:

-rw-r--r--+ smith/users 110 2016-03-16 16:07 file

When two or more ‘ —verbose ’ options are given, a detailed listing of ACL is printed after each file entry:

-rw-r--r--+ smith/users 110 2016-03-16 16:07 file
  a: user::rw-,user:gray:-w-,group::r--,mask::rw-,other::r--

Security-Enhanced Linux (SELinux for short) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including so-called mandatory access controls (MAC). Support for SELinux attributes is controlled by the following command line options:

--selinux
Enable the SELinux context support.

--no-selinux
Disable SELinux context support.

This document was generated on March 24, 2021 using texi2html 5.0.


Using xattrs or Extended Attributes on Linux

Extended attributes, or xattrs, are an extensible mechanism to store metadata on a filesystem. Metadata is a collection of information or data points about a particular object. If we compare this to an article, the metadata would be the title, author, description, language, Twitter image, etc.

Normally the file system can only store a limited set of information about files. Typically this is the filename, ownership, file permissions, and dates. By using extended attributes, we can describe more properties of the file.

Support for extended attributes

Not all file systems have support for xattrs. However, the popular ones do, like EXT4, Btrfs, ReiserFS, JFS, and ZFS. To determine if your file system has xattr support enabled, check the options file of the related device:

# cat /proc/fs/ext4/sda1/options | grep xattr
user_xattr

One way to get an extended attribute onto a file is to add an access control list (ACL), because the kernel stores POSIX ACLs in the system namespace (system.posix_acl_access). This can be done with the setfacl command. For example, we can allow the web server daemon to read data from /data/storage.

# setfacl -m u:www-data:r /data/storage

Running the command won’t give any output. So let’s check if something has changed:

# ls -l
total 4
drwxr-xr-x+ 2 root root 4096 Nov 18 16:00 storage

The plus sign in the ls output reveals that this entry differs from the other files: it marks a file that carries an ACL, which is stored as an extended attribute.

Although we could use the getfacl command to determine the permissions, we can use the getfattr command to see what kind of attribute was added.

# getfattr /data/storage

getfattr: Removing leading ‘/’ from absolute path names
# file: data/storage
system.posix_acl_access

Now we know for sure it is an ACL, stored in the extended attributes of this particular file (or actually directory). If getfattr prints nothing, your version only matches the user namespace by default (the pattern ^user\.); use getfattr -m - /data/storage to list every namespace, and add -d to dump the values as well (with -e hex for binary ones such as this ACL).

If we want to see detailed information, we can use the xattr tool for that.

[Screenshot: using xattr to list the extended attributes of a file]

Other attributes

security.capability

The security.capability attribute stores Linux file capabilities for a binary. It applies to executables that were granted one or more capabilities with setcap; getcap reads it back, and it is one reason to be careful about which tools restore security.* attributes when unpacking or copying files as root.

security.ima

For the Integrity Measurement Architecture (IMA), the security.ima attribute stores a hash or digital signature of the file contents.

security.evm

Similarly, the Extended Verification Module (EVM) stores a hash/HMAC or digital signature in the security.evm attribute. The difference from IMA is that EVM protects the file's metadata (including the other security attributes), not its contents.

getfacl

Installation: apt-get install acl

getfattr

Installation: apt-get install attr

xattr

Installation: apt-get install python-xattr



Linux goesZen


Extended file attributes on your filesystem, how to enable and use them

Many modern filesystems provide the user with a facility to store arbitrary key/value-pairs along with files, so-called metadata.

Extended file attributes is a file system feature that enables users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times). Unlike forks, which can usually be as large as the maximum file size, extended attributes are usually limited in size to a value significantly smaller than the maximum file size. Typical uses can be storing the author of a document, the character encoding of a plain-text document, or a checksum.

Refer to the complete Wikipedia article for an investigation of how different operating systems deal with them.
Wikipedia also provides a helpful file system comparison table.

Enabling extended attributes on Linux

Go to /etc/fstab and add «user_xattr» to the options section of the line for the file system you'd like to enable extended attributes on. Such a line might look like:

/dev/sda1 / ext4 errors=remount-ro,user_xattr 0 1

Then remount (mount -o remount,user_xattr /) or reboot. On current kernels ext4 mounts with user_xattr by default, so this step is normally only needed on older systems or where «nouser_xattr» was set; when setfattr fails with «Operation not supported», check the active options of the mount in /proc/mounts before editing fstab.
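The following added example, which is not from the original post, turns the fstab check into something you can run: it finds the mount that holds a path by scanning /proc/mounts, prints its filesystem type and options (where user_xattr or nouser_xattr would appear), and probes whether a user.* attribute can actually be set there. It assumes /proc/mounts and the setfattr/getfattr tools from the attr package; the attribute name user.probe is made up for the check.

```shell
#!/bin/sh
# Added example, not part of the original post: locate the mount holding a
# path, show its type and options, and probe whether user.* xattrs work there.
# Assumes a Linux /proc/mounts and setfattr/getfattr; user.probe is made up.

# Print the mount point holding PATH: the longest mount-point prefix in /proc/mounts.
mountpoint_for() {
    path=$(readlink -f "$1") || return 1
    best=""
    while read -r _dev mnt _fstype _opts _rest; do
        mnt=$(printf '%b' "$mnt")          # /proc/mounts escapes spaces as \040
        case "$path" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -gt ${#best} ]; then best=$mnt; fi ;;
        esac
    done < /proc/mounts
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Print "<fstype> <options>" for the filesystem holding PATH.
mount_opts_for() {
    mnt=$(mountpoint_for "$1") || return 1
    found=""
    while read -r _dev m fstype opts _rest; do
        m=$(printf '%b' "$m")
        if [ "$m" = "$mnt" ]; then found="$fstype $opts"; fi   # last entry wins on overmounts
    done < /proc/mounts
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Return 0 if user.* xattrs work under DIR, 1 if the filesystem refuses them
# ("Operation not supported": nouser_xattr or a filesystem without xattrs),
# 2 if the attr tools are not installed.
xattr_probe() {
    dir=${1:-.}
    command -v setfattr >/dev/null 2>&1 || { echo "setfattr not installed"; return 2; }
    probe=$(mktemp -p "$dir" .xattrprobe.XXXXXX) || return 1
    where="$(mountpoint_for "$dir") ($(mount_opts_for "$dir"))"
    if setfattr -n user.probe -v 1 "$probe" 2>/dev/null &&
       [ "$(getfattr --only-values -n user.probe "$probe" 2>/dev/null)" = "1" ]; then
        rm -f "$probe"
        echo "user xattrs OK on $where"
        return 0
    fi
    rm -f "$probe"
    echo "user xattrs NOT available on $where; look for nouser_xattr in the options"
    return 1
}

# Stand-alone usage: probe the scratch directory.
xattr_probe "${TMPDIR:-/tmp}"
```

The probe sets and reads back a real attribute instead of trusting the option string, because a filesystem can be mounted without any xattr option and still refuse the user namespace (older tmpfs, for instance).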

Using extended file attributes

XFS on IRIX was one of the first filesystems to support extended attributes, and Linux inherited the IRIX-style attr command as a set of «legacy commands». Underneath, the kernel exposes one system call per operation (see xattr(7)), each with an l variant that operates on a symlink itself instead of following it and an f variant that takes an open file descriptor:

getxattr: lgetxattr, fgetxattr
setxattr: lsetxattr, fsetxattr
listxattr: llistxattr, flistxattr
removexattr: lremovexattr, fremovexattr

To use xattribs on Linux, you need to install the attr tool with sudo apt-get install attr. The commands then are:

Usage: attr [-LRSq] -s attrname [-V attrvalue] pathname  # set value
       attr [-LRSq] -g attrname pathname                 # get value
       attr [-LRSq] -r attrname pathname                 # remove attr
       attr [-LRq]  -l pathname                          # list attrs
      -s reads a value from stdin and -g writes a value to stdout

If you mount NTFS, which does support extended attributes, under Linux, I can assure you that the ntfs-3g driver properly supports xattribs, through the unix commands and for example on moves, even between different filesystems. So you can rely on xattribs remaining intact, for example when you move a file between ext3 and NTFS.


It might be helpful to point out that each of the above commands behaves a bit differently. attr automatically prepends the «user.» part in front of attribute names, so if you set «user.id» it actually writes the «user.user.id» attribute; after an operation it also reports the number of bytes written. The getfattr and setfattr commands do not prepend the «user.» bit and expect you to do it, and they don't report the amount of data written. So make sure you test each command and what it expects, as these tools differ from platform to platform and might change over time.

Sidecar files, etc.

Although Apple's HFS+ supports xattrs, you still sometimes see the .DS_Store file, which stores metadata about directories. (Wikipedia)

Perl

Working with Perl, some modules from cpan help you wrangling xattribs:

File::ExtAttr used by File::Attributes::Extended, for example. Seems quite mature.

File::Attributes tries to provide a unified API for xattribs on various systems and filesystems. If File::Attributes::Extended is installed, it uses it to store «real» xattribs, otherwise it falls back to File::Attributes::Simple, which stores extended attributes in sidecar files named after the file plus the .attributes suffix. It uses these sidecar files also on filesystems which don't allow xattribs, like FAT.

Linux::UserXAttr «This module implements a very thin layer around the extended attributes syscalls on Linux».

Note: Installing File::ExtAttr might throw the error «Can’t build and link to ‘attr’«. In this case you need to install the attr devel package, which is named libattr-devel or libattr1-dev on Ubuntu.

CLI tools support

Be aware that common unix command line tools have varying behaviour regarding xattribs:
cp by default will not copy xattribs to new/copied files. You need to add the -a (archive) flag, or --preserve=xattr explicitly, and your coreutils must be built with xattr support.
mv does copy xattribs, even across file system boundaries, where it falls back to copy-and-delete.
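An added example (not from the original post) that demonstrates this difference: it tags a file with a constructed user.origin attribute, copies it with plain cp, cp -a, cp --preserve=xattr and mv, and reports which copies still carry the attribute. It assumes GNU coreutils built with xattr support and the setfattr/getfattr tools; where user xattrs cannot be set, or cp lacks xattr support, it prints «skip» and returns 0.

```shell
#!/bin/sh
# Added example, not part of the original post: copy a file four ways and
# show which of them keep a user.* attribute. Assumes GNU coreutils with
# xattr support and the attr tools; user.origin and its value are constructed.

# Print the value of user.origin on FILE, or <none> if the attribute is absent.
origin_of() {
    getfattr --only-values -n user.origin "$1" 2>/dev/null || printf '<none>'
}

_copy_preserve_body() {
    work=$1
    printf 'payload\n' > "$work/orig"
    if ! setfattr -n user.origin -v scanner-v1 "$work/orig" 2>/dev/null; then
        echo "skip: cannot set user xattrs in $work"
        return 0
    fi
    # Explicit --preserve=xattr errors out if cp was built without xattr support,
    # so try it first and treat that as "skip" rather than a failure.
    if ! cp --preserve=xattr "$work/orig" "$work/preserve" 2>/dev/null; then
        echo "skip: cp was built without xattr support"
        return 0
    fi
    cp "$work/orig" "$work/plain"            # default: attributes dropped silently
    cp -a "$work/orig" "$work/archive"       # -a implies --preserve=all
    cp -a "$work/orig" "$work/tomove"
    mv "$work/tomove" "$work/moved"          # same fs: a rename, attributes untouched

    for name in plain archive preserve moved; do
        printf '%-9s -> user.origin=%s\n' "$name" "$(origin_of "$work/$name")"
    done
    [ "$(origin_of "$work/plain")" = "<none>" ]        || { echo "FAIL: plain cp kept the attribute"; return 1; }
    [ "$(origin_of "$work/archive")" = "scanner-v1" ]  || { echo "FAIL: cp -a dropped the attribute"; return 1; }
    [ "$(origin_of "$work/preserve")" = "scanner-v1" ] || { echo "FAIL: --preserve=xattr dropped the attribute"; return 1; }
    [ "$(origin_of "$work/moved")" = "scanner-v1" ]    || { echo "FAIL: mv dropped the attribute"; return 1; }
    echo "ok: only plain cp lost user.origin"
}

# Run the demo in a scratch directory that is always removed afterwards.
copy_preserve_demo() {
    work=$(mktemp -d) || return 1
    _copy_preserve_body "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}

copy_preserve_demo
```

The silent loss on plain cp is the point to remember for backups and deployments: anything that carries ACLs, capabilities or integrity data in xattrs has to be copied with a tool told to preserve them (cp -a, rsync -X, tar --xattrs).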
