Using xattrs or Extended Attributes on Linux

Extended attributes, xattrs for short, are an extensible mechanism to store metadata alongside files. In other words, they describe additional properties of a file. Normally this information is limited to things like ownership and timestamps; with xattrs, more information can be stored about the file.

Support for xattrs

Not all file systems support xattrs, but nowadays the most common ones do (EXT4, Btrfs, ReiserFS, JFS and ZFS). To determine if xattr support is enabled on your file system, check the options file of the related device:

# cat /proc/fs/ext4/sda1/options | grep xattr
user_xattr

One way to set an attribute on a file is by adding an access control list (ACL) with the setfacl command. For example, say we want to allow the web server daemon to read data from /data/storage:

# setfacl -m u:www-data:r /data/storage

Running the command won’t give any output. So let’s check if something has changed:

# ls -l
total 4
drwxr-xr-x+ 2 root root 4096 Nov 18 16:00 storage

The plus sign in the ls output reveals there is something different about this directory compared to other files. Of course, this is because of the extended attribute we just added.

Although we could use the getfacl command to show the permissions, we can use the getfattr command to see what kind of attribute was added.

# getfattr /data/storage
getfattr: Removing leading '/' from absolute path names
# file: data/storage
system.posix_acl_access

Now we know for sure that it is an ACL stored in the extended attributes of this particular file (or actually, directory).

If we want to see detailed information, we can use the xattr tool for that.

[Screenshot: using xattr to list the extended attributes of a file]

Other attributes

security.capability

The security.capability attribute stores Linux file capabilities for the related file. It applies to binaries that are granted one or more capabilities via this attribute.
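As an added example (not code from the original post), here is a small Python decoder for the raw security.capability value, the same bytes that getfattr -n security.capability prints in base64, so an auditor can see which capabilities a binary carries. It follows the VFS_CAP layout from the kernel's capability.h; the function names are my own, and the sample value is constructed to match a ping binary given cap_net_raw+ep.

```python
import base64, errno, os, struct

# Values from <linux/capability.h>: xattr format revisions and CAP_* bit numbers.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease "
    "audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm "
    "block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

def _names(bits: int) -> list:
    """Expand a 64-bit capability mask into cap_* names (unknown bits kept as cap_N)."""
    return ["cap_" + (CAP_NAMES[i] if i < len(CAP_NAMES) else str(i))
            for i in range(64) if bits >> i & 1]

def decode_capability_xattr(raw: bytes) -> dict:
    """Decode a raw security.capability value (struct vfs_cap_data, little-endian)."""
    if len(raw) not in (12, 20, 24):
        raise ValueError("unexpected security.capability length %d" % len(raw))
    magic, *words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    if revision == 1 and len(raw) == 12:      # v1: one 32-bit word per set
        permitted, inheritable, rootid = words[0], words[1], None
    elif revision in (2, 3) and len(raw) == (20 if revision == 2 else 24):
        permitted = words[0] | words[2] << 32   # v2/v3: two words per set
        inheritable = words[1] | words[3] << 32
        rootid = words[4] if revision == 3 else None  # v3: namespaced root uid
    else:
        raise ValueError("unknown security.capability revision %d" % revision)
    return {"revision": revision,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted), "inheritable": _names(inheritable),
            "rootid": rootid}

def file_capabilities(path: str):
    """Read security.capability from a file on disk; None when it is not set."""
    try:
        return decode_capability_xattr(os.getxattr(path, "security.capability"))
    except OSError as e:   # ENODATA: attribute absent; ENOTSUP: fs lacks xattrs
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

# Constructed sample: what getfattr -n security.capability shows on a ping
# binary after setcap cap_net_raw+ep (0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= in base64).
SAMPLE_PING_CAPS = base64.b64decode("AQAAAgAgAAAAAAAAAAAAAAAAAAA=")
```

Note that getfattr only matches user.* attribute names by default, so pass -m - (or -n security.capability) to see the security namespace at all.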

security.ima

For the Integrity Measurement Architecture (IMA), the security.ima attribute stores a hash or digital signature of the file contents.

security.evm

Similar to security.ima, the Extended Verification Module (EVM) stores a hash/HMAC or digital signature in this attribute. The difference from IMA is that it protects the metadata of the file, not the contents.

Related tools

getfacl

Installation: apt-get install acl

getfattr

Installation: apt-get install attr

xattr

Installation: apt-get install python-xattr


More resources

Two useful links suggested by our readers are:


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub).

