File Permissions – Understanding Mode Ending in @ or +

filespermissions

I was changing file permissions and I noticed that some of the permissions
modes ended in @ as in -rw-r--r--@, or a + as in drwxr-x---+. I've looked
at the man pages for chmod and chown, and searched around different help
forums, but I can't find anything about what these symbols mean.

Best Answer

+ means that the file has additional ACLs set. You can set them with setfacl and query them with getfacl:

martin@martin ~ % touch file
martin@martin ~ % ll file 
-rw-rw-r-- 1 martin martin 0 Sep 23 21:59 file
martin@martin ~ % setfacl -m u:root:rw file 
martin@martin ~ % ll file 
-rw-rw-r--+ 1 martin martin 0 Sep 23 21:59 file
martin@martin ~ % getfacl file 
# file: file
# owner: martin
# group: martin
user::rw-
user:root:rw-
group::rw-
mask::rw-
other::r--

I haven't seen @ yet personally, but according to this thread it signifies extended attributes, at least on MacOS. Try xattr -l on such a file.

Related Solutions

Linux – Clarify File Permissions

You seem to understand the concept of permissions, but I think you're getting caught up on user/group/other and what those mean in various contexts.

Briefly,

A user is an individual POSIX account
A group is a logical grouping of multiple POSIX accounts

A file on disk has two owners. The user owner and the group owner. For any particular file, other is any user account that does not match the user nor is a member of the group. In other words, other is any user that is not the user owner and is not a member of the group owner.

Further, each process runs under a specific User ID (or UID), and is a member of one or more Group ID's (GID). Use the command ps -ef (on Linux and Solaris, or ps -ej on OS X or *BSD) to see the user executing each process. You'll see that apache and ws_ftp are also being executed by users.

When a process tries to access a file on disk the following happen:

If the UID of the process matches the user owner of the file then user permissions are enforced.
Else, if any GIDs of the process match the group owner of the file then group permissions are enforced.
Else other permissions are enforced.

To answer your questions specifically:

When I log in with WS_FTP, am I Owner?

Technically yes, because there is always an owner, but it depends on your definition of "I".

If you are logging in as a real POSIX user on the system then files you create/access will be as the user you logged in as. If you logged anonymously then the files you create/access will be that of the UID of WS FTP. This will likely be either ftp or nobody.

Is a web browser an Other?

The web browser is not anything because it's not being executed on the server. But the browser accesses a web server. The web server is running as some specific user (just like WS_FTP is). That user is likely www-data, apache or nobody.

Do the PHP scripts themselves fall into one of these classes?

PHP scripts are executed by the scripting engine module of the web server. They will be executed as the same user running the web server.

Is there a difference between read and execute on a .php file?

Yes. Read means that the user can read the contents of the file. Execute means that the contents can be run as a full fledged process.

Since PHP scripts execute inside the scripting engine of the web server (i.e., they are part of the memory space and execution thread of the server) they do not need to be set executable.

Since I have no idea who "inetuser" is, would I be correct in not giving Group any permissions? What if this was not the case (i.e., the site's username was also used for Group - which it is on my dev site on a different host)?

inetuser is a user account on the system, just like your account. It may also be a group. Hopefully you can answer this question yourself after reading through this.

What permissions does each kind of file/dir need under these circumstances?

Generally, you want data files to be owned by user accounts that are used by actual humans (i.e., you). In other words, your web content should not be owned by the apache user.

User permissions should almost always be rw- for data files or rwx for directories and programs.
Group permissions should usually be r-- for data files or r-x for directories and programs. If you want members of that group to be able to write to those files then it should be rw- and rwx.
Other permissions should almost always be r-- for data files and r-x for directories and programs or --- if you want to deny all access.

Chmod – Recursive Permission on Thousands of Files

chmod might or might not change the permissions of files that are already set to what you want, but if not, it would still need to check them to see what their current permissions are[0]. With hundreds of thousands of files, I don't think it would matter either way; the time is most likely being spent by the tools stating every file.

You can try using find to either check for files newer than the last run or files that need chmod to be run, but I don't think you'll get much speed improvement.

If possible for your script, you might be able to get the new files put into a separate directory first, as a "holding" area. Then you can chmod THAT directory (which only has new files), and mv them in with the rest. That should be substantially faster, but unfortunately won't work for every application.

[0] Even if it does try to set the permission of files that don't need any changes, the underlying filesystem probably won't do anything with the request, because it's unnecessary.

Best Answer

Related Solutions

Linux – Clarify File Permissions

Chmod – Recursive Permission on Thousands of Files

Related Question