Linux: Extended attributes

Hello there my friends! My name is Dot. And I am here, to tell you about extended attributes. And you may be wondering, what is it?

Extended File Attributes aka xattr, are values which can be associated with files, to describe them beyond what the standard filesystem attributes provide. They are a very good option to further restrict the operations to be performed with our files and directories. They can also be used to store file metadata.

Listing attributes of files and directories.

We can list the attributes of files and archives, using the command lsattr

As we can see, it has very similar arguments to the normal ls. See all arguments with man lsattr

Editing the attributes

In order to modify these attributes, we can use the command chattr followed by the + or - symbol, then, the option we want, and finally the file:

There are a lot of attributes, we will see the most common and most used with examples, and the others, I will explain then briefly.

Common attributes

a

Append attribute. The file can only be opened to append data to it.

As we can see, once we apply this attribute to a file, it can not be deleted or overwritten, it just allows it to be edited if the data is appended. This is confusing at first, even if we are root and have write permission on the file, we cannot delete or overwrite it.

i

Immutable attribute (read-only). It puts the file in read-only mode, and it is not possible to edit, rename, or create links to it.

A

Before explaining this attribute, I would like to explain one thing about dates and files. There are different types of dates, which are:

ctime (change time)

It is updated when some of the file fields are modified (permissions, owner, group and hard links), the file is moved to another directory, renamed and also when it is modified. We can check it executing ls -lc.

mtime (modify time)

It is updated when the file is modified, that is, when it is written to the data blocks in the file. Most of the times ctime and mtime will coincide. It is the date that appears in the ls -l

atime (access time)

It is updated when the file is opened and all or some of its data blocks are read. Many commands modify the atime, for example: cat, grep, head, tail, etc. We can see this date with ls -lu

Let's do a couple of tests:

As we can see, the atime has changed.

As we can see here, the ctime has been updated

But in this case, we can see that the atime has not been updated, why?

ls -lu does not give last access time
The manpage of ls says: -u with -lt: sort by, and show, access time; with -l: show access time and sort by name; otherwise: sort by access time but that doesn’t seem to work: test@
last time file opened
Is it possible to get the time when file was opened last time and sort all files in a directory by those times?
There is a big caveat, though. Updating the atime every time a file is read causes a lot of usually-unnecessary IO, slowing everything down. So, most Linux distributions now default to the noatime filesystem mount option, which basically kills atimes, or else relatime, which only updates atimes once a limit has passed (normally once per day) or if the file was actually modified since the previous read.

Well, now that this is explained, let's move on to attribute A aka atime mode. No atime updates, this means that the last access date will not be updated, even if more than 24 hours pass.

As we can see, first we tried to force the change of the atime, without success, since the A attribute was set. Finally, when we remove this attribute, and force the update of the atime, we see that it works, since the attribute A is no longer set.

e

Extent format. This attribute indicates that the file is using extents for mapping the blocks on disk.

An extent is a contiguous area of storage in a computer file system, reserved for a file. When a process creates a file, file-system management software allocates a whole extent. When writing to the file again, possibly after doing other write operations, the data continues where the previous write left off. This reduces or eliminates file fragmentation and possibly file scattering too.

These are the most common/used. Now I will explain the rest of the attributes, which are not a few...

c: compressed --> Files with this attribute are automatically compressed by the kernel when written to disk. Its contents are uncompressed when read. Note: This attribute has no effect in the ext2, ext3, and ext4 filesystems.

C: no copy on write --> Files with this attribute are not subject to copy-on-write updates. If this attribute is set on a directory, new files created in that directory get this attribute set.

d: no dump --> Files with this attribute are bypassed in any backup initiated by dump, a legacy tool for ext2 filesystems.

D: synchronous directory updates --> Changes to a directory with this attribute are written synchronously to disk. That is, the system waits for write completion before doing something else. Equivalent to the dirsync option to the mount command, applied to a subset of files on a filesystem.

j: data journalling --> A file with this attribute has all its data written to its journal before being written to the file itself. Only effective on ext3 and ext4 filesystems which have journalling enabled and the "data=ordered" or "data=writeback" options set.

s: secure deletion --> If a file with this attribute is deleted, its data is overwritten with zeroes, similar to a simple shred. This attribute is ignored by ext2, ext3, and ext4 filesystems.

S: synchronous updates --> When files with this attribute are modified, the changes are written synchronously to disk. Equivalent to the sync option of the mount command, for individual files.

t: no tail-merging --> A file with this attribute will not have any partial block fragment at the end of the file shared with another file's data. This attribute is necessary for software such as LILO, which reads the filesystem directly and is not aware of tail merging. Some filesystems do not support tail merging, in which case this attribute has no effect.

T: top of directory hierarchy --> A directory with this attribute is deemed to be the top of directory hierarchies by the Orlov block allocator, used by ext2 and ext3. The attribute gives a hint to the allocator that the subdirectories are not related in how they are used, and their data should be separate when blocks are allocated. For example, the /home directory may have this attribute, indicating that /home/mary and /home/john should be placed in separate block groups.

u: undeletable --> When a file with this attribute is deleted, its contents are saved, enabling their later undeletion. Undelete tools that can take advantage of this attribute like extundelete.

https://unix.stackexchange.com/questions/66870/how-to-find-undeletable-files-that-were-removed

Important:
The 'c', 's', and 'u' attributes are not honored by the ext2, ext3, and ext4 filesystems as implemented in the current mainline Linux kernels. Setting 'a' and 'i' attributes will not affect the ability to write to already existing file descriptors.

Well, that's all for today, if you have any question you can ask me here. I hope this post have served as food for your brains, see you in the next. Fire it up, baby.