36

In Mac OS X, running 'ls -al' gives me something like this.

drwxrwxrwx+  4 smcho  staff     136 May  5 09:18 Public
drwxr-xr-x+  6 smcho  staff     204 Feb  1  2010 Sites
drwxrwxrwx   9 smcho  staff     306 Feb  2  2010 backup
drwxr-xr-x@ 36 smcho  staff    1224 Sep  4 22:51 bin
  • What does the + or @ at the end of the first column mean?
  • Is this unique to Mac, or common in UNIX?

ADDED

After Michael Mrozek's answer, I ran 'ls -ale' to get the following.

drwx------+ 66 smcho  staff    2244 Aug 30 13:40 Library
 0: group:com.apple.sharepoint.group.3 allow search
 1: group:everyone deny delete
drwxr-xr-x   3 smcho  staff     102 Sep  4 15:01 Mail
drwx------+ 13 smcho  staff     442 Aug 28 17:55 Movies
 0: group:everyone deny delete
drwx------+  6 smcho  staff     204 Jul  9 09:37 Music
 0: group:everyone deny delete
drwx------+ 11 smcho  staff     374 Aug 28 16:55 Pictures
 0: group:everyone deny delete
drwxr-xr-x   3 smcho  staff     102 Mar 18 15:43 Projects
drwxrwxrwx+  4 smcho  staff     136 May  5 09:18 Public
 0: group:everyone deny delete
drwxr-xr-x+  6 smcho  staff     204 Feb  1  2010 Sites
 0: group:everyone deny delete

What do those appended messages mean? Why do I have them for some of the files? I don't remember doing anything particular for them.

prosseek
  • 8,558

1 Answer

46

The @ suffix is unique to Mac OS and is covered by this question, so I copied this part of my answer from there; it means the file has extended attributes. You can use the xattr command-line utility to view and modify them:

xattr --list filename
xattr --set propname propvalue filename
xattr --delete propname filename

The + suffix means the file has an access control list, and is common in any *nix that supports ACLs. Giving ls the -e flag will make it show the associated ACLs after the file, and chmod can be used to modify them. Most of this is from the chmod man page:

You add an ACL with chmod +a "type:name flag permission,...", and remove it with chmod -a. The argument to chmod is fairly complicated:

  • type is either user or group, to clarify if name is referring to a username or a group name. If name is unambiguous, you can omit the type
  • name is the username or group the ACL applies to
  • flag is allow if this ACL entry is granting a permission, or deny if it's denying a permission
  • permission is the actual permission being modified; you can list as many as you like, comma-separated
    • delete -- Allow the file/directory to be deleted
    • readattr -- Read basic attributes
    • writeattr -- Write basic attributes
    • readextattr -- Read extended attributes (using xattr, from above)
    • writeextattr -- Write extended attributes
    • readsecurity -- Read ACL info
    • writesecurity -- Write ACL info
    • chown -- Change owner
    • Directory-specific permissions
      • list -- Show the files/folders in the directory
      • search -- Find a file/folder in the directory by name
      • add_file -- Create a new file in the directory
      • add_subdirectory -- Create a new directory in the directory
      • delete_child -- Remove a file/directory in the directory
      • Inheritance-control
        • file_inherit -- ACLs on the directory are inherited by files
        • directory_inherit -- ACLs on the directory are inherited by subdirectories
        • limit_inherit -- Stops ACLs inherited by this directory from being inherited by subdirectories
        • only_inherit -- Inherited by all newly created items but ignored
    • File-specific permissions
      • read -- Open the file for reading
      • write -- Open the file for writing
      • append -- Open the file for appending
      • execute -- Run the file

In your particular example, most of the ACL entries are group:everyone deny delete. That is, all users in the everyone group (which is naturally everyone) are denied the permission to delete the folder. I believe, although I can't find any documentation about it, that these are default ACLs to stop you from removing essential root folders -- somebody correct this if that's not the case. The only other entry is group:com.apple.sharepoint.group.3 allow search, which allows Directory Services to search for files by name in the /Library folder.

Michael Mrozek
  • 93,103
  • 40
  • 240
  • 233
  • 1
    Showing + to indicate an ACL that goes beyond the traditional unix bits is common (at least FreeBSD, Linux and Solaris also do it; I don't know who did it first). – Gilles 'SO- stop being evil' Sep 06 '10 at 20:37
  • Mac OS also puts ACLs on key directories in the home directory. For example, Pictures has group:everyone deny delete. This actually makes it very difficult for the user to delete these directories, even if he doesn't want them. – Neil Mayhew Sep 10 '10 at 21:33
  • The args must have changed over the years. I found working answers/fixes at http://backdrift.org/fixing-mac-osx-file-permissions-and-acls-from-the-command-line – Mark Hudson Dec 11 '14 at 04:20
  • 1
    Thanks for the xattr command. I use xattr -c filename to clear all attrs so that the file can be accessed now. – xi.lin Apr 24 '15 at 07:05
  • Now for the Mac xattr does not support double minus arguments. Use xattr -h for more info. – Robotbugs Apr 09 '18 at 00:30
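
An added example, not part of the original question, answer or comments: a Python parser for 'ls -le' output in the form shown in the question, which attaches each numbered ACL entry to the file listed above it and reports world-writable entries that have no "group:everyone deny" entry for a given permission. The function names parse_ls_e and world_writable_without_deny are hypothetical, the sample is built from the question's own listings, and only the ACL line form that appears on this page is handled.

```python
import re

# Constructed sample: lines copied from the two listings in the question above.
SAMPLE = """\
drwx------+ 66 smcho  staff    2244 Aug 30 13:40 Library
 0: group:com.apple.sharepoint.group.3 allow search
 1: group:everyone deny delete
drwxrwxrwx+  4 smcho  staff     136 May  5 09:18 Public
 0: group:everyone deny delete
drwxrwxrwx   9 smcho  staff     306 Feb  2  2010 backup
drwxr-xr-x@ 36 smcho  staff    1224 Sep  4 22:51 bin
"""

# mode, optional +/@ marker, links, owner, group, size, three date fields, name.
# macOS ls prints @ in preference to +, so ACLs are read from the entry lines.
ENTRY = re.compile(
    r"^([bcdlps-][rwxsStT-]{9})([+@]?)\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$")
# ACL entry as printed on the page: " <index>: <principal> <allow|deny> <perms>"
ACE = re.compile(r"^\s+(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)$")


def parse_ls_e(text):
    """Return one dict per file, with its ACL entries attached in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            mode, marker, owner, group, name = m.groups()
            entries.append({"name": name, "mode": mode, "owner": owner,
                            "group": group, "marker": marker, "acl": []})
            continue
        a = ACE.match(line)
        if a and entries:  # ACL lines belong to the file listed just above
            index, principal, kind, perms = a.groups()
            entries[-1]["acl"].append({"index": int(index), "principal": principal,
                                       "kind": kind, "perms": perms.split(",")})
    return entries


def world_writable_without_deny(entries, perm="delete"):
    """Names that are world-writable and lack an 'everyone deny <perm>' entry."""
    def denied(e):
        return any(a["kind"] == "deny" and a["principal"] == "group:everyone"
                   and perm in a["perms"] for a in e["acl"])
    return [e["name"] for e in entries if e["mode"][8] == "w" and not denied(e)]


if __name__ == "__main__":
    print(world_writable_without_deny(parse_ls_e(SAMPLE)))
```

On the sample, Public is world-writable but carries the deny delete entry, while backup has the same mode bits and no ACL at all, so only backup is reported.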