Extended Filesystem Attributes: OS X

In the case of OS X, in addition to supporting BSD Filesystem Attributes (which we've covered before), there are extended attributes.

Chimera:DMG axon$ ls -la audacity-macosx-intel-1.2.5.dmg
-rw-r--r--@ 1 axon staff 3483297 Aug 24 16:09 audacity-macosx-intel-1.2.5.dmg

Notice the @ after the permissions. In OS X, that means that there are extended attributes. Have you ever run into a warning like this?

That's the com.apple.quarantine flag talking. We use the xattr command to view and manipulate these attributes.
Chimera:DMG axon$ xattr audacity-macosx-intel-1.2.5.dmg
To view the contents of an attribute, use the -p flag.  I had already removed the com.apple.quarantine attribute from Audacity's DMG file, so I'll use the TrueCrypt DMG for this example:
Chimera:DMG axon$ xattr -p com.apple.quarantine TrueCrypt\ 6.0a\ Leopard.dmg

The contents of this attribute don't matter much, it's simply meta-data. Likely a time stamp and obviously some information about which application created the file. The mere existence of this attribute is causing the warning. 

Attributes can be created or existing values modified using the -w flag.  On an interesting aside, data can be hidden within a file's extended attributes. You can use an arbitrary attribute name, although I don't know what maximum length exists for the attribute name or its contents.
Chimera:DMG axon$ sudo xattr -w secret.message "all your base are belong to us" \

Chimera:DMG axon$
xattr -p secret.message audacity-macosx-intel-1.2.5.dmg
all your base are belong to us

To remove the attribute, use the -d [attribute] flag. 
Chimera:DMG axon$ sudo xattr -d com.apple.quarantine audacity-macosx-intel-1.2.5.dmg
Chimera:DMG axon$
xattr audacity-macosx-intel-1.2.5.dmg

Only secret.message and com.apple.diskimages.recentcksum remain. The last is an attribute containing (among other things) the checksum of the DMG file, for integrity purposes. I'd imagine it would be easy to modify manually, but I don't even know if the operating system uses this checksum upon mounting the disk image.

Mac OS X Internals covers many more of the attributes that are officially recognized by the operating system, as well as a wealth of other tricks with the kernel, sysctl etc, and is worth a read if this kind of stuff fascinates you.

blog comments powered by Disqus