Extended attributes are properties organized in (name, value) pairs, optionally set to files or directories in order to record information which cannot be stored in the file itself. They are supported by operating systems such as Windows, Linux, Solaris, MacOSX and others, with variations.

On Linux, specifically, four categories of extended attributes have been defined :

• trusted : to record properties which should only be accessed by the kernel,
• security : to record security properties of a file,
• system : to record other system related properties on which the file owner has some control,
• user : to record properties defined by applications.

The names of the extended attributes must be prefixed by the name of the category and a dot, hence these categories are generally qualified as name spaces. Examples of extended attribute names are security.selinux,  system.posix_acl_access or user.mime_type. However a high-level language may hide the system prefixing so that, for instance, the user.mime_type attribute name would appear as "mime_type" in a source code.

They can be retrieved and set through system calls (getxattr(2), setxattr(2), removexattr(2)) or shell commands (getfattr(1), setfattr(1)), provided appropriate access conditions are met :

	condition for getting	condition for setting
trusted	root	root
security	read access	root
system	read access	owner
user	read access	write access

The extended attributes are enabled through the mount option streams_interface=xattr. With this option (activated by default), the four name spaces are supported by ntfs-3g on Linux.

Your operating system has to provide an extended attribute interface for the features referenced on this page to be available. Some Linux distributions and most other operating systems do not support a compatible extended attribute interface. On systems with open name spaces, such as Mac OS X, these features are enabled through the mount option streams_interface=openxattr.

The extended attributes in user name space are stored on NTFS as alternative data streams whose name is the unprefixed name of the attribute, and whose contents is the value of the attribute. They can be read and modified in Windows by using the standard file access functions, with a colon and the stream name (which is the unprefixed extended attribute name) appended to the file name.

Example :

(the green part is executed on Linux, the purple part is executed on Windows, the Linux file /media/tmp/xattr/file is the same physical file as k:tests\xattr\file on an NTFS partition)

[user xattr]$ # Set the extended attribute "user.color" with value "green"
[user xattr]$ setfattr -n user.color -v green /media/tmp/tests/xattr/file
[user xattr]$ # Check the value of the attribute
[user xattr]$ getfattr -n user.color /media/tmp/tests/xattr/file
getfattr: Removing leading '/' from absolute path names
# file: media/tmp/tests/xattr/file
user.color="green"

D:\xattr>REM On windows display the alternative stream "color"
D:\xattr>more < k:tests\xattr\file:color
green
D:\xattr>REM Change the alternative stream contents to "white"
D:\xattr>echo white > k:tests\xattr\file:color
D:\xattr>more < k:tests\xattr\file:color
white

[user xattr]$ # Back on Linux, display the extended attribute "user.color"
[user xattr]$ getfattr -n user.color /media/tmp/tests/xattr/file
getfattr: Removing leading '/' from absolute path names
# file: media/tmp/tests/xattr/file
user.color="white"

A few extended attributes in the system name space are used to give access to NTFS internal data which cannot be accessed through Linux standard methods. They can be accessed with any setting of the option streams_interface. They are not returned when the extended attribute list is queried, and consequently, unless stated otherwise, they are not saved by tar with option --xattrs to avoid conflicts with POSIX ACL and symbolic link savings, but specific tools may be designed to save and restore them.

The program ntfscp.c, available in tools.zip demonstrates how these data can be copied when copying files.

The following sections describe how to access a few NTFS internal data as extended attributes.

NTFS Attributes

The NTFS attributes are a set of miscellaneous flags associated with a file or directory.

The NTFS attributes are mapped to a four-byte word extended attribute named system.ntfs_attrib whose value is represented with the endianness of the processor used.

Only eight flags can be changed. The system flag (FILE_ATTRIBUTE_SYSTEM) is used in symbolic links and special files, it should not be changed unawares. The compressed flag on a directory is only used when creating new files into the directory, it has no effect on existing files. The other changeable flags are not used by Linux.

Names of settable flags	value (hex)
FILE_ATTRIBUTE_READONLY	1
FILE_ATTRIBUTE_HIDDEN	2
FILE_ATTRIBUTE_SYSTEM	4
FILE_ATTRIBUTE_ARCHIVE	20
FILE_ATTRIBUTE_TEMPORARY	100
FILE_ATTRIBUTE_COMPRESSED (directories only)	800
FILE_ATTRIBUTE_OFFLINE	1000
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED	2000

Examples :

# Display the current NTFS attributes of the file source-file
getfattr -h -e hex -n system.ntfs_attrib source-file

# Set the NTFS read-only flag to file target-file (on a small-endian computer)
setfattr -h -v 0x01000000 -n system.ntfs_attrib target-file

Reparse Data

NTFS use reparse data to define special actions before opening a file or directory. For instance reparse data is used to define Windows junctions and symlinks.

If present, the reparse data of a file or directory is mapped to an extended attribute named system.ntfs_reparse_data, and is returned as a raw variable-length record of small-endian items.

Please note :

• Setting invalid reparse data may have adverse consequences, as no check can be done when setting new data,
• when creating or deleting a junction or symlink by setting or deleting reparse data, the status of the file is not updated in the system caches and subsequent actions on the file may fail. The caches can be updated by setting the owner again after the reparse data change.
• for creating a junction or symlink by setting reparse data, the type of the target (plain file or directory) must match the type of the source on which the reparse data is set.
  

Examples :

# Display the reparse data of the file source-file
getfattr -h -e hex -n system.ntfs_reparse_data source-file

# Copy the reparse data of the file source-file to the file target-file
REPARSE=`getfattr -h -e hex -n system.ntfs_reparse_data source-file | \
         grep '=' | sed -s 's/^.*=//'`
setfattr -h -v $REPARSE -n system.ntfs_reparse_data target-file

NTFS ACLs

The NTFS ACLs are used to control access to files or directories. On linux they are translated into ownership, permissions and Posix ACLs parameters.

The NTFS ACL of a file or directory is mapped to an extended attribute named system.ntfs_acl, and is returned as a raw variable-length record of small-endian items. All the components of the ACL are returned : the owner id, the group id, the discretionary ACL and the system ACL.

The setting of a new NTFS ACL is rejected is the consistency check fails.

Examples :

# Display the NTFS ACL of the file source-file
getfattr -h -e hex -n system.ntfs_acl source-file

# Copy the ACL of the file source-file to the file target-file
ACL=`getfattr -h -e hex -n system.ntfs_acl source-file | \
         grep '=' | sed -s 's/^.*=//'`
setfattr -h -v $ACL -n system.ntfs_acl target-file

DOS names

An NTFS file may have an alternate short name to enable access by legacy application which can only process files whose name complies to a 8.3 pattern (the main part of the name has at most 8 characters, followed by a dot and a suffix which has at most 3 characters). Linux usually does not use such short names.

The short name of a file can be queried and set as if it were the value of an extended attribute named system.ntfs_dos_name. When there is a short name, the character set used to build both the short and the long name is restricted : control characters (whose code is less than 0x20) and nine specific characters (<>:"\/|?*) are not allowed in either name. As a consequence no short name can be set on a file whose existing name contains forbidden characters.

The Windows algorithm to derive a short name from a long name is not enforced by Linux, only the character set and the unicity of case-sensitive names are checked. When queried, the short name is always capitalized.

Please note :

• in a directory a file cannot have several short names and associated long names (same as Windows),
• setting a DOS name requires having write access to the parent directory

Examples :

# Display the short name of the file source-file
getfattr -h -n system.ntfs_dos_name source-file

# Set TARGET~1 as the short name of the file target-file
setfattr -h -v "TARGET~1" -n system.ntfs_dos_name target-file

An NTFS file is qualified by a set of four time stamps "representing the number of 100-nanosecond intervals since January 1, 1601 (UTC)", though UTC has not been defined for years before 1961 because of unknown variations of the earth rotation. These are :

• the time the file was created,
• the time the file was last written or truncated
• the time the file was last accessed,
• the time some attribute of the file was last changed

These times are mapped to an extended attribute named system.ntfs_times as an array of 64-bit quantities in the above order, represented with the endianness of the processor used. All four times can be queried, but only the first three can be set, as the last one records, for unknown purpose, the time of any change (possibly journalling, mirroring or backup).

Object ids (OIDs, also called GUIDs or UUIDs) are 16-byte labels identifying objects unambiguously. On NTFS, files and directories may have their own local OID which points to the initial OID of the file concatenated to the OID of the volume and the domain on which the file was initially created (64 bytes in all). The OID can thus be used to find files and directories which were relocated (see MSDN)

The full GUID of a file is mapped to an extended attribute named system.ntfs_object_id as a sequence of 64 bytes.