The Eclectic Light Company

hoakley December 8, 2017 Macs, Technology, xattr

Extended attributes in High Sierra 10.13.2

Yesterday I revealed how common, and how rich in information, extended attributes (xattrs) are on a desktop system with years of accumulated rubbish, running Sierra 10.12.6. Today I will compare and contrast that with a much leaner system running High Sierra 10.13.2, and look at the structure and function of some of the xattrs which you are likely to come across on both systems.

Extended attributes are still widespread in High Sierra

Because my High Sierra system is much leaner – it has only 86600 items in my Home folder, compared with over 1.7 million on my Sierra system – there are far fewer files with xattrs than on the Sierra system. But there are still over 47000, of which the great majority are in my Home folder. Of the files in that Home folder, 50% have at least one xattr, and the average number of xattrs per file with xattrs is 1.2.

Since my look at Sierra, I have improved my XattrXverser app, and extended coverage to the /private folder. In both Sierra and High Sierra, there is extensive use of xattrs in items in that folder, although from a limited range of types.

My app was able to examine fewer items in the /System/Library folder in High Sierra than in Sierra, I suspect because of more restrictive permissions. It does not obtain elevated privileges, so is locked out of more folders there in High Sierra.

There are still very many different xattr types

I have now found a total of 152 different xattr types in my Sierra Home folder; in my much leaner High Sierra Home folder, I found a total of 64 in a folder one fifth of the size of that in Sierra.

Neither Apple nor any of the other users of xattrs seems to be reducing the number of xattr types.

So which xattr types look important?

There are few xattr types which are so extensively used that they appear in almost every one of the top-level folders in High Sierra. Those which are even found in /private are:

  • com.apple.quarantine – the Gatekeeper quarantine metadata, which I have explored in detail before. This is commonly encountered not only in /Applications, but attached to all manner of files in the Home folder.
  • com.apple.metadata:com_apple_backup_excludeItem – this is used by Apple to exclude items from Time Machine backups.
  • com.apple.TextEncoding – used sporadically to indicate the text encoding for a plain text file.
  • com.apple.rootless – a marker of some folders and files which are protected by SIP.
  • com.apple.uuiddb.boot-uuid – used on some log files.
  • com.apple.logd.metadata – used on some log files.

I look at these in more detail below.

com.apple.ResourceFork, the traditional HFS+ resource fork, is still widely used even in High Sierra, and appears to work fine (as do xattrs) in APFS. I was surprised to find that 5% of the files in my Home folder still have resource forks stored as xattrs.

Apple’s Mail app has its own suite of xattrs, used to label messages and attachments. These include:

  • com.apple.metadata:com_apple_mail_dateReceived
  • com.apple.metadata:com_apple_mail_dateSent
  • com.apple.metadata:com_apple_mail_isRemoteAttachment

Several different xattrs can be used to attach copyright information, which would be opaque to the great majority of users. These include:

  • com.apple.metadata:kMDItemCopyright
  • org.openmetainfo:kMDItemCopyright
  • org.openmetainfo.time:kMDItemCopyright

Another xattr which can give valuable information about the origins of a file is com.apple.metadata:kMDItemWhereFroms.

Finder Comments appear occasionally, using an xattr of type com.apple.metadata:kMDItemFinderComment.

Details of five important xattrs in common use with Sierra and High Sierra system files

com.apple.metadata:com_apple_backup_excludeItem seems to be used to mark files and folders which are to be excluded from Time Machine backups, in addition to the exclusions set in the Time Machine pane. They are typically composed of a property list, in hex form like
62706c69 73743030 5f101163 6f6d2e61 70706c65 2e626163 6b757064 08000000 00000001 01000000 00000000 01000000 00000000 00000000 00000000 1c
which starts with the Unicode characters bplist00_ com.apple.backupd.

com.apple.TextEncoding is used quite generally by text files to indicate the encoding of their contents. This is normally given as a Unicode string, such as
utf-8;134217984

com.apple.rootless is used to mark some, but probably not all, items which are locked down by SIP. The contents appear very variable, and it can be empty. When it does contain data, this is Unicode text, such as
SystemPolicyConfiguration

com.apple.uuiddb.boot-uuid is attached to the log’s uuidtext files, and contains a UUID in null-terminated ASCII text.

com.apple.logd.metadata is attached to the log’s tracev3 log files, and contains binary data, such as (in hex)
01000000 19df4284 6c424836 89698cef 414e9d68 00000000 ff95a12e 05000000 2935f936 3f010000
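
The layouts described above can be decoded mechanically, which is useful when triaging xattrs collected from a system. The following Python is an added example, not code from the original article or from XattrXverser; it decodes the sample values quoted above, and the function names and the all-zero boot UUID are assumptions made for illustration.

```python
import plistlib

# Values copied from the hex dump and strings quoted in the article.
BACKUP_EXCLUDE_HEX = (
    "62706c69 73743030 5f101163 6f6d2e61 70706c65 2e626163 6b757064 "
    "08000000 00000001 01000000 00000000 01000000 00000000 00000000 "
    "00000000 1c"
)
TEXT_ENCODING = b"utf-8;134217984"
# Constructed sample: the article does not quote a boot-uuid value.
BOOT_UUID = b"00000000-0000-0000-0000-000000000000\x00"


def from_hex(dump: str) -> bytes:
    """Turn a whitespace-grouped hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_xattr(name: str, raw: bytes):
    """Decode one xattr value using the layouts described in the article."""
    if not raw:
        return None  # for example, an empty com.apple.rootless
    if raw.startswith(b"bplist00"):
        # Binary property list, as in com_apple_backup_excludeItem.
        return plistlib.loads(raw)
    if name == "com.apple.TextEncoding":
        # "<encoding name>;<number>"; 134217984 is 0x08000100,
        # the value of kCFStringEncodingUTF8.
        charset, _, number = raw.decode("utf-8").partition(";")
        return {"charset": charset, "cf_encoding": hex(int(number))}
    if name == "com.apple.uuiddb.boot-uuid":
        # Null-terminated ASCII text: drop the terminator.
        return raw.split(b"\x00", 1)[0].decode("ascii")
    try:
        return raw.decode("utf-8")  # text such as SystemPolicyConfiguration
    except UnicodeDecodeError:
        # Unknown binary layout (com.apple.logd.metadata): keep grouped hex.
        return raw.hex(" ", 4)
```

On a Mac, `xattr -px <name> <file>` prints a value as hex that `from_hex` accepts directly.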

I hope that has given you sufficient information to arouse your interest in xattrs and their uses.

My next addition to XattrXverser is going to be a facility to list all xattrs of a specific type, across files in a chosen folder, so that I can examine their usage in more detail.
