Usha Guduri

Extended File Attributes

The other day, a simple

ushaguduri@work:Wed Feb 20 15:40:17 -> ls -al
-rw-r--r--@ 1 ushaguduri  staff   899B Feb 20 15:26 test_file

got me digging deeper into the underlying file system. Notice the @ after the file permissions? It marks extended attributes, a way to associate metadata with a file. It's not used by the file system for any useful purpose; it just stores additional information, such as the source of the file, the author, etc.

The manual for the ls command also lists @ as an available option:

 -@      Display extended attribute keys and sizes in long (-l) output.

Further digging leads to the xattr command, and using it on the test_file above showed interesting data:

ushaguduri@work:Wed Feb 20 15:40:41 scripts(db5-v1-me) -> xattr warmup_redis.rb
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine

The above two values in particular indicate:

  1. com.apple.metadata:kMDItemWhereFroms: where the file was downloaded from along with a binary property list, if any

  2. com.apple.quarantine: added by the OS the first time a file is downloaded (referring to the source of the download), so that it can ask for confirmation when the program is run (to stop malware by ensuring that the user is aware of a program wanting to execute). Once confirmed, the attribute would be removed so that the program can run normally again without user confirmation.

The xattr command takes several options to manipulate the metadata:

-l --> list the actual values
-d --> delete the attribute
-w --> set the attribute

For example:

ushaguduri@work:Wed Feb 20 15:41:57 scripts(db5-v1-me) -> xattr -l test_file
com.apple.metadata:kMDItemWhereFroms:
00000000  62 70 6C 69 73 74 30 30 A2 01 02 5F 10 4F 68 74  |bplist00..._.Oht|
00000010  74 70 73 3A 2F 2F 74 69 63 6B 65 74 73 2E 73 6D  |tps://<website url>|
.......
000000A0  00 00 00 00 01 01 00 00 00 00 00 00 00 03 00 00  |................|
000000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 9B        |..............|
000000be
com.apple.quarantine: 0001;51253196;Google Chrome DEV.app;193F85B5-63F1-4A50-A83E-5713ED49D904|com.google.Chrome
ushaguduri@work:Wed Feb 20 15:41:59 scripts(db5-v1-me) -> xattr -w com.apple.metadata:kMDItemWhereFroms http://example.com test_file
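
The two values in the xattr -l output above can be decoded offline, which is how they are usually read when tracing where a file came from. This is an added example, not code from the original post: it assumes the quarantine string is laid out as flags;timestamp;agent;event id with the first two fields in hexadecimal (the timestamp as Unix epoch seconds), the field names are labels chosen here, and a constructed property list stands in for the WhereFroms bytes that the post redacts.

```python
import plistlib
from datetime import datetime, timezone

# The quarantine value exactly as printed by `xattr -l` above.
SAMPLE_QUARANTINE = ("0001;51253196;Google Chrome DEV.app;"
                     "193F85B5-63F1-4A50-A83E-5713ED49D904|com.google.Chrome")
# Constructed stand-in for the WhereFroms bytes (the post redacts the real URL).
SAMPLE_WHERE_FROMS = plistlib.dumps(
    ["https://example.com/files/test_file", "https://example.com/"],
    fmt=plistlib.FMT_BINARY)


def parse_quarantine(value):
    """Split a com.apple.quarantine string into named fields (names assumed)."""
    parts = value.strip().split(";", 3)
    if len(parts) < 2:
        raise ValueError("expected at least flags;timestamp")
    parts += [""] * (4 - len(parts))          # agent and event id may be absent
    flags, stamp, agent, event = parts
    event_id, _, bundle_id = event.partition("|")  # "|bundle.id" suffix is optional
    return {
        "flags": int(flags, 16),
        "time": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent,
        "event_id": event_id,
        "bundle_id": bundle_id or None,
    }


def parse_where_froms(raw):
    """Decode kMDItemWhereFroms bytes: a binary plist holding a list of URLs."""
    if not raw.startswith(b"bplist00"):
        raise ValueError("not a binary property list")
    urls = plistlib.loads(raw)
    if not isinstance(urls, list):
        raise ValueError("expected a plist array")
    return [str(u) for u in urls]


if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print(q["time"].isoformat(), q["agent"], q["bundle_id"])
    print(parse_where_froms(SAMPLE_WHERE_FROMS))
```

The timestamp field decodes to 2013-02-20 20:27:02 UTC, within a minute of the Feb 20 15:26 shown by ls if that listing was taken in a UTC-5 time zone.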

Bonus: If you don't want the quarantine attribute set, you can override the defaults on Mac [if you know what you are doing ;)] as such:

   defaults write com.apple.LaunchServices LSQuarantine -bool NO
