2

If the ls -l command gives me a permission string like

rwsr-s--x

What does the 's' mean? The only sources I found mention that it can be present sometimes but do not elaborate.

What does a '+' instead of a '-' mean? I have found mentions of 'extended permission' but nothing clear.

Stephen Kitt
Ferduun

2 Answers

5

As explained by the very good and comprehensive Wikipedia page on the subject:

+ (plus) suffix indicates an access control list that can grant additional permissions. Details are available with man getfacl.

Furthermore, there are three permission triads:

  • First triad: what the owner can do
  • Second triad: what the group members can do
  • Third triad: what other users can do

As for the characters of the triad:

  • First character
    • r: readable
  • Second character
    • w: writable
  • Third character
    • x: executable
    • s or t: executable and setuid/setgid/sticky
    • S or T: setuid/setgid or sticky, but not executable

The setuid/setgid basically means that, if you have the permission to run the program, you will run it as if you were the owning user and/or of the owning group of that program. This is helpful when you need to run a program which needs root access but also needs to work for non-root users (to change your password, for example).

The sticky bit might have a different meaning depending on the system or flavor you are running and how old it is, but on Linux, the wiki page states that:

[...] the Linux kernel ignores the sticky bit on files. [...] When the sticky bit is set on a directory, files in that directory may only be unlinked or renamed by root or the directory owner or the file owner.

user43791
  • getfacl is a program that has never been standardized. It exists only in a standard proposal from around 1993 that has been withdrawn in 1997. – schily Dec 08 '19 at 10:45
4

See Understanding UNIX permissions and their attributes for an explanation of the s.

+ appears after the standard permissions, and is one of the possible characters used to indicate that the file has "alternate access methods". With GNU ls the character can be blank (the default), . to indicate a security context applies to the file, or + to indicate any other alternate access method, typically ACLs (which you can see using getfacl).

POSIX defines the position as being used for the alternate access method flag, but possible values are left to each implementation:

The optional alternate access method flag shall be the empty string if there is no alternate or additional access control method associated with the file; otherwise, it shall be a string containing a single printable character that is not a blank.

Stephen Kitt
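The two answers above, worked through as an added example (not code from either answer): a small Python decoder that turns an ls -l permission string into its numeric mode, reports the setuid/setgid/sticky bits signalled by s, S, t and T, and interprets the trailing flag the way GNU ls is described as using it. The function name parse_ls_mode and the sample strings other than the one from the question are assumptions made for illustration.

```python
import re
import stat

# Optional file-type column, three permission triads, optional trailing flag.
_MODE_RE = re.compile(
    r"^([-dlbcps])?"
    r"([r-][w-][xsS-])([r-][w-][xsS-])([r-][w-][xtT-])"
    r"(\S)?$"
)
# Special bit signalled in the third character of the owner/group/other triad.
_SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
# Trailing flag values as GNU ls uses them; POSIX leaves them to the implementation.
_FLAGS = {None: "none", ".": "security context", "+": "other method, typically an ACL"}


def parse_ls_mode(text):
    """Decode an ls -l permission string into its numeric mode and special bits."""
    m = _MODE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ls -l permission string: {text!r}")
    ftype, *triads, flag = m.groups()
    mode = 0
    for i, (r, w, x) in enumerate(triads):
        shift = 6 - 3 * i
        mode |= (4 if r == "r" else 0) << shift
        mode |= (2 if w == "w" else 0) << shift
        mode |= (1 if x in "xst" else 0) << shift   # lowercase s/t: execute bit also set
        if x in "sStT":                              # either case: special bit set
            mode |= _SPECIAL[i]
    return {
        "type": ftype,
        "mode": mode,
        "octal": format(mode, "04o"),
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
        # Uppercase S/T: special bit without the matching execute bit.
        "special_without_exec": any(t[2] in "ST" for t in triads),
        "alternate_access": _FLAGS.get(flag, f"implementation-defined ({flag})"),
    }


if __name__ == "__main__":
    # Constructed sample strings; the first is the one from the question.
    for sample in ("rwsr-s--x", "drwxrwxrwt", "-rwSr--r--", "-rw-r--r--+", "-rw-r--r--."):
        print(sample, parse_ls_mode(sample))
```

The string from the question decodes to mode 6751: setuid and setgid both set, with execute permission for owner, group and others.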