A.10 Extended Attributes (XAttr) Commands

The Extended Attributes (XAttr) extension for NSS provides access to many extended attributes for NSS on Linux. It allows you to read, back up, and restore extended attributes of files on NSS. This section describes the options that determine how extended attributes are handled for NSS on Linux.

A.10.1 CtimeIsMetadataModTime Option

By default, the Linux ctime is mapped to NSS create time (CreateTime). We prefer that ctime be based on the NSS metadata modified time (MetadataModifiedTime) instead of the NSS create time, but modifying the Linux ctime function might cause unknown complications. Thus, NSS provides the CtimeIsMetadataModTime option, which allows an administrator to map the metadata modified time, rather than the NSS create time, to the Linux ctime value when the different time stamp matters for your deployment.

The CtimeIsMetadataModTime option can be set persistently in the /etc/opt/novell/nss/nssstart.cfg file, or it can be set from nsscon by a user with root access.

nss /CtimeIsMetadataModTime

Maps the NSS metadata modified time to Linux ctime. This is the default behavior in OES 2 Linux and later.

nss /noCtimeIsMetadataModTime

Maps the NSS create time to Linux ctime.

A.10.2 ListXattrNWmetadata Option

In OES 1 SP2 and later, the NetWare metadata (netware.metadata) extended attribute was added for files and directories. The ListXattrNWmetadata option for NSS allows a user or application with root access to select whether the netware.metadata extended attribute is returned for a file or directory at listxattr(2) time. The ListXattrNWmetadata option is disabled (OFF) by default. This option is intended for use by indexing or backup programs.

For users or applications without root access (without the CAP_SYS_ADMIN capability), the listxattr(2) command never lists the netware.metadata extended attribute, regardless of the ListXattrNWmetadata setting.

The ListXattrNWmetadata option can be set persistently in the /etc/opt/novell/nss/nssstart.cfg file, or it can be set from nsscon by a user with root access as follows:

nss /(No)ListXattrNWmetadata

Enables or disables the ability to return the netware.metadata extended attribute for a file or directory at listxattr(2) time.

The option is disabled by default in all OES versions. Enable the option if there is a need to use the Linux xattr functions to access or change NetWare metadata fields by name.

  • Off: listxattr() does not return netware.metadata as an extended attribute for NSS files and directories. It is still possible to get extended attributes (getxattr()) and set extended attributes (setxattr()) by using the specific xattr name:

    "netware.metadata"
    
  • On: listxattr() returns netware.metadata as an extended attribute for NSS files and directories.

Examples

To enable the return of netware.metadata information, enter the following in the NSS Console:

nss /ListXattrNWmetadata

To disable the return of netware.metadata information, enter the following in the NSS Console:

nss /NoListXattrNWmetadata

Security Issues for ListXattrNWmetadata

The ListXattrNWmetadata option is available only to the user or application with root access (the CAP_SYS_ADMIN capability). It is disabled (off) by default.

When this feature is enabled (on) (such as by the backup user or by third-party backup software), and if the user or application has root user access, the following occurs:

  • When copying NSS files or directories with the Linux cp utility from NSS volumes to NSS volumes, the cp utility copies the trustees assigned to a file or directory to the destination file or directory. This means that the old trustees of the file or directory now have visibility into the destination directory. In addition, the old trustees inherit trustee rights from the destination directory for other files in that directory.

    NOTE: For users or applications without root access (without the CAP_SYS_ADMIN capability), the trustee information is not copied to the destination directory.

  • When copying NSS files with the cp utility from NSS volumes to non-NSS volumes, the cp utility issues a warning message advising that it could not apply the netware.metadata extended attribute.

    NOTE: For users or applications without root access (without the CAP_SYS_ADMIN capability), the cp utility does not attempt to apply the netware.metadata extended attribute.

There is no work-around for these two copy-related issues for the user or application with root access. This is how the Linux cp utility works.
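An added example (not part of the Novell documentation or tooling): a pre-copy audit in Python that classifies each entry under a source tree by whether netware.metadata is returned by listxattr(2), is readable only by its specific name, or is absent. The function names and the injectable listx/getx parameters are assumptions of this example.

```python
import errno
import os

XATTR_NAME = "netware.metadata"  # attribute name as given on this page

def metadata_visibility(path, listx=None, getx=None):
    """Classify one path as 'listed', 'by-name-only' or 'absent'.

    listx/getx are injectable (hypothetical parameters of this example) so the
    logic can be exercised without an NSS volume; they default to the os calls.
    """
    listx, getx = listx or os.listxattr, getx or os.getxattr
    try:
        if XATTR_NAME in listx(path):
            return "listed"            # listxattr(2) returned it: option is On
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:  # filesystem without xattr support
            return "absent"
        raise
    try:
        getx(path, XATTR_NAME)
        return "by-name-only"          # hidden from listing, readable by name
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "absent"            # no such attribute on this object
        raise

def audit_tree(root, **calls):
    """Map root and every entry below it to its visibility state."""
    report = {root: metadata_visibility(root, **calls)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):   # skip symlinks; targets are audited in place
                report[full] = metadata_visibility(full, **calls)
    return report

def copy_would_carry_trustees(report):
    """True if an xattr-preserving copy run as root would pick up netware.metadata."""
    return any(state == "listed" for state in report.values())

if __name__ == "__main__":
    import sys
    rep = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, state in sorted(rep.items()):
        print(f"{state:13} {path}")
    print("xattr-preserving copy as root carries trustees:", copy_would_carry_trustees(rep))
```

Run it as the same user that will perform the copy, because what listxattr(2) returns depends on root access as well as on the ListXattrNWmetadata setting.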

Using the Linux cp Command to Copy Files with Extended Attributes

The Linux cp command has changed for OES 2. In OES 1, when listxattr is enabled, the extended attributes are also copied when you use the cp command as the root user to copy files. However, in OES 2, in order to copy the extended attributes, you must use the --preserve option.

The man page of cp on OES 2 provides the following description of the --preserve option:

  • --preserve[=ATTR_LIST]

    Preserve the specified attributes (default: mode,ownership,timestamps), if possible additional attributes: links, xattrs, all.

For example, after you enable listxattr, you can copy a file and its netware.metadata by logging in as the root user, then entering the following at a terminal console prompt:

cp --preserve=all /path/file1 /newpath/file1

Using the Linux rsync Command to Copy Files with Extended Attributes

When using the Linux rsync command to copy files with extended attributes, use the rsync -A and -X options. For example:

rsync -A -X -av test/ test2/

| Options | Description |
|---|---|
| -A, --acls | preserve ACLs (implies -p) |
| -X, --xattrs | preserve extended attributes |
| -p, --perms | preserve permissions |

A.10.3 Additional Information

For information about how to use the XAttr Extension for NSS, see the NDK: XAttr Extension for NSS.

For the latest patches for the km_nss module, visit the Novell Support SUSE Patch Support Database (by date listing).

For information about how to use the Linux listxattr(2) command, see the man page (enter man 2 listxattr at a terminal console prompt).

Novell Cool Solutions has a listxattrs tool you can use to check whether you get the extended attributes after enabling /ListXattrNWmetadata. The listxattrs tool can be downloaded from Cool Solutions > Cool Tools > List Extended Attributes with xattr APIs.