The attributes of a file include metadata which is common to many or all files, such as their name and date of creation. Extended attributes, or xattrs, are metadata which apply only to specific files, and aren’t used by the great majority: they’re options used for particular purposes.
In Classic Mac OS, many files have resource forks to contain structured metadata: a classic app, for example, stores definitions of windows, menus, dialogs, etc., in its resource fork. In macOS 10 and 11, files and folders can also have other named forks, which are implemented as extended attributes; a resource fork becomes resource metadata in a xattr of type
com.apple.ResourceFork. Although sometimes claimed to be a quirk of Macs, extended attributes are now quite widely used in other file systems, in Linux and BSD, for example.
macOS and applications use xattrs for various purposes. One of the most prominent is implementing the quarantine flag which indicates that a file has been downloaded from the internet and requires full security checks. Other xattrs might attach details of the website from which a file was downloaded, copyright information, and more. They’re not normally used to store content-specific metadata such as EXIF for images, or those associated with other media files, which are normally incorporated within the file data to ensure their preservation on all file systems.
In Mac native file systems such as APFS, extended attributes aren’t stored with the main data for files, but in the Attributes area of the volume metadata. As such they’re out of reach of normal file tools, and can only be accessed using those specifically intended to work with xattrs. Each file and folder can have an effectively unlimited number of xattrs, each of which can be more than 100 KB.
Because they’re part of the volume metadata, some versions of macOS may not include the space occupied by them when calculating free and used disk space. It’s possible to fill a volume with extended attributes and run it out of free space, and that space may also be ignored by services which manage storage use, for example space allocations for clients in a server system. These should be pathological problems, but could also result from malicious activity.
Most file systems to which macOS can write either handle xattrs natively (HFS+, APFS), or macOS uses a scheme to preserve them. NFS is an important exception, and files copied to NFS will have all their xattrs stripped. Other file systems, including those popular with Linux, may impose stricter limits than APFS on the number and size of xattrs.
Xattrs are almost universally named using a type signature similar to an app ID, which reads like a URL backwards, although that isn’t required and you may still encounter older names such as
The following types are examples of those most commonly encountered:
com.apple.FinderInfois found very widely, and contains (a little) Finder information, sometimes including the old file type and creator strings.
com.apple.ResourceForkis a resource fork.
com.apple.rootlessmarks items which are protected by SIP.
com.apple.quarantinemarks files which have been downloaded from the internet, and contains their Gatekeeper status, indicating whether they still require full checking, have passed a full check, and have been run on that Mac.
com.apple.metadatais for metadata generally, and is usually qualified by a subtype, such as those below.
Metadata subtypes (confusingly termed attributes by Apple) commonly encountered include:
- _kMDItemUserTags contains Finder tag information
- kMDLabel_ is normally serialised with a string of apparently random letters
- kMDItemDownloadedDate gives the datestamp for when a downloaded item was obtained
- kMDItemWhereFroms gives the URL from which a downloaded item was obtained
- kMDItemIsScreenCapture, kMDItemScreenCaptureGlobalRect, and kMDItemScreenCaptureType for screenshots.
Examples of compound types include
com.apple.metadata:kMDLabel_jwzqfxqstyro4udfe2psoz7kyi, which has a serialised subtype.
Metadata stored in xattrs is usually hidden from the user, although Finder’s Get Info may show the content of some xattrs such as
kMDItemWhereFroms. Some third-party apps may expose relevant metadata. For example, better text editors show and allow the setting of the information stored in
com.apple.TextEncoding, which records the encoding scheme used by many text files.
In Terminal, the most reliable way of discovering whether one or more xattrs are associated with a file or folder is using the command
ls -la. Resulting listings append the at sign @ at the end of the permissions flags to indicate that item has associated xattrs:
drwxr-xr-x@ 254 hoakley staff 8636 24 Jul 18:39 miscDocs
The standard command tool for working with xattrs is the command
xattr. xattrs are listed with
xattr -l itempath
itempath is the path to the file or folder to be examined.
Copying xattrs using this command is complex, and requires writing the xattr which is printed in hex form, e.g.
xattr -wx com.apple.FinderInfo "`xattr -px com.apple.FinderInfo thisitem`" thatitem
com.apple.FinderInfo xattr from
If you’d prefer to use GUI apps to work with xattrs, I have a collection here, including:
- xattred, a full-featured xattr editor which can do almost anything you want with xattrs, and can also attach quarantine flags if you wish to test that apps can clear Gatekeeper’s checks;
- Metamer, a simple editor for text-based xattrs, including 16 standard types which are indexed by Spotlight;
- Pratique, to mark document quarantine flags as clear;
- Sandstrip, to remove spurious quarantine flags;
- SearchKey and SearchKeyLite, which edit five major xattr types generally useful in document metadata;
- Precize from this page gives detailed size information and a listing of xattrs for individual files;
cmpxat, a command tool to compare the xattrs of two files and report all differences between them.
Xattred is a highly capable xattr editor.
Metamer is a lightweight editor for text-based xattrs which can be used in Spotlight searches.
Problems with xattrs have been relatively uncommon, but are usually difficult to identify and diagnose because of their poor visibility. Perhaps their most common problem is that most measures of a file’s size forget to include the size of any xattrs. Although usually small in comparison to the size of file data, increasing use of xattrs can result in some puzzling discrepancies. To investigate xattr size more accurately, use Precize.
Over the last few years, Apple has increasingly used xattrs, both the quarantine flag
com.apple.quarantine and a xattr new with Catalina,
com.apple.macl, for security and privacy protection. These can lead to strange and apparently intractable problems; as they’re essentially undocumented by Apple, even discovering their cause can be difficult.
Other problems arise when xattrs whose contents are important are inadvertently stripped when a file is moved to a different volume or file system, such as iCloud. The latter now preserves more xattrs than it has in the past, but some may still need special protection. Xattrs have a longstanding system for specifying when they should be preserved, but this was only documented in obscure source code. It also appends flags to the end of the xattr type name, which isn’t generally respected and can cause problems of its own.
In the command line and shell scripts, xattrs can behave unexpectedly. Some old commands, including
cpio, zip, and
pax, may omit xattrs unless they’re specifically included using an option: if xattrs are to be preserved when using such commands, you should check with the man page and preferably perform a small-scale test before proceeding.
Occasionally, bugs in specific apps can attach incorrect or very large xattrs to files quite inappropriately. These can in turn cause some services to fail, most commonly the
mdworker daemon responsible for indexing metadata for Spotlight. These usually present with bizarre symptoms, and until they are recognised as being caused by xattrs, they remain baffling.
Forthcoming articles will look in more detail at these different topics.
One of the few lists of xattrs is given for
com.apple.metadata subtypes in Apple’s File Metadata Attributes Reference (last substantially updated in 2011).
There are many other articles on this blog, in the Category xattr, with its contents page (also listed to the right, at the top of the widgets there).