Using xattrs or Extended Attributes on Linux

What are extended attributes?

Extended attributes or xattrs, are an extensible mechanism to store metadata on a filesystem. Metadata is a collection of information or data points about a particular object. If we would compare this article, the metadata contains the title, author, description, language, Twitter image, etc.

Normally the file system can only store a limited set of information about files. Typically this is the filename, ownership, file permissions, and dates. By using extended attributes, we can describe more properties of the file.

Support for extended attributes

Not all file systems have support for xattrs. However, the popular ones do, like EXT4, Btrfs, ReiserFS, JFS, and ZFS. To determine if your file system has xattr support enabled, check the options file of the related device:

# cat /proc/fs/ext4/sda1/options | grep xattr
user_xattr

One way to set an attribute for a file is by adding an access control list (ACL). This can be done with the setfacl command. For example, we can allow the web server daemon to read data from /data/storage.

# setfacl -m u:www-data:r /data/storage

Running the command won’t give any output. So let’s check if something has changed:

# ls -l
total 4
drwxr-xr-x+ 2 root root 4096 Nov 18 16:00 storage

The plus sign in ls reveals there is something different than the other files. This is because of adding the extended attribute.

Although we could use the getfacl command to determine the permissions, we can actually use the getfattr command to see what kind of attribute is added.

# getfattr /data/storage

 

getfattr: Removing leading ‘/’ from absolute path names
# file: data/storage
system.posix_acl_access

Now we know for sure it is an ACL stored in the extended attributes of this particular file (or actually directory).

If we want to see detailed information, we can use the xattr tool for that.

Screenshot listing the extended attributes of a file

Using xattr to list extended attributes of a file

Other attributes

security.capability

The security.capability files stores Linux capabilities for the related file. Applies to binaries which are provided one or more capabilities via this file.

security.ima

For the Integrity Measurement Architecture (IMA), the file security.ima stores a hash or digital signature.

security.evm

Similar to security.ima, the Extended Verification Module (EVM) stores a hash/HMAC or digital signature in this file. The different with IMA is that it protects the metadata of the file, not the contents.

Related tools

getfacl

Installation: apt-get install acl

getfattr

Installation: apt-get install attr

xattr

Installation: apt-get install python-xattr

 

More resources

Two useful links suggested by our readers, are:

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package




Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

3 comments

  • Chinmaya KarChinmaya Kar

    [root@test sdb3]# setfacl -m d:u:chin:- test2
    [root@test sdb3]#
    [root@test sdb3]#
    [root@test sdb3]#
    [root@test sdb3]# getfattr /mnt/sdb3/test2
    [root@test sdb3]#

    I have set ACl, and user_xattr is enabled. I still dont see anything in getfattr output

    [root@test ~]# cat /proc/fs/ext4/sdb3/options
    rw
    barrier
    user_xattr
    acl
    resuid=0
    resgid=0
    errors=continue
    commit=5
    min_batch_time=0
    max_batch_time=15000
    stripe=0
    inode_readahead_blks=32
    init_itable=10
    max_dir_size_kb=0

    Reply
  • Chinmaya KarChinmaya Kar

    Your command needs modification.
    [root@test sdb3]# getfattr /mnt/sdb3/test2 -m –
    getfattr: Removing leading ‘/’ from absolute path names
    # file: mnt/sdb3/test2
    security.selinux
    system.posix_acl_default

    getfattr displays the file name, and the set of
    extended attribute names (and optionally values) which are associated
    with that file. Per default only attributes in the user namespace are
    displayed, see -m.

    Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.