File Permissions – Understanding Mode Ending in @ or +

I was changing file permissions and I noticed that some of the permission modes ended in @, as in -rw-r--r--@, or a +, as in drwxr-x---+. I've looked at the man pages for chmod and chown, and searched around different help forums, but I can't find anything about what these symbols mean.

Tags: files, permissions

Related Solutions
You seem to understand the concept of permissions, but I think you're getting caught up on user/group/other and what those mean in various contexts.

Briefly,
- A user is an individual POSIX account
- A group is a logical grouping of multiple POSIX accounts

A file on disk has two owners: the user owner and the group owner. For any particular file, other is any user account that does not match the user nor is a member of the group. In other words, other is any user that is not the user owner and is not a member of the group owner.

Further, each process runs under a specific User ID (or UID), and is a member of one or more Group IDs (GIDs). Use the command ps -ef (on Linux and Solaris, or ps -ej on OS X or *BSD) to see the user executing each process. You'll see that apache and ws_ftp are also being executed by users.
When a process tries to access a file on disk the following happens:
- If the UID of the process matches the user owner of the file then user permissions are enforced.
- Else, if any GIDs of the process match the group owner of the file then group permissions are enforced.
- Else other permissions are enforced.
To answer your questions specifically:

When I log in with WS_FTP, am I Owner?

Technically yes, because there is always an owner, but it depends on your definition of "I". If you are logging in as a real POSIX user on the system then files you create/access will be as the user you logged in as. If you logged in anonymously then the files you create/access will be that of the UID of WS_FTP. This will likely be either ftp or nobody.

Is a web browser an Other?

The web browser is not anything because it's not being executed on the server. But the browser accesses a web server. The web server is running as some specific user (just like WS_FTP is). That user is likely www-data, apache or nobody.
Do the PHP scripts themselves fall into one of these classes?

PHP scripts are executed by the scripting engine module of the web server. They will be executed as the same user running the web server.

Is there a difference between read and execute on a .php file?

Yes. Read means that the user can read the contents of the file. Execute means that the contents can be run as a full-fledged process. Since PHP scripts execute inside the scripting engine of the web server (i.e., they are part of the memory space and execution thread of the server) they do not need to be set executable.

Since I have no idea who "inetuser" is, would I be correct in not giving Group any permissions? What if this was not the case (i.e., the site's username was also used for Group - which it is on my dev site on a different host)?

inetuser is a user account on the system, just like your account. It may also be a group. Hopefully you can answer this question yourself after reading through this.
What permissions does each kind of file/dir need under these circumstances?
Generally, you want data files to be owned by user accounts that are used by actual humans (i.e., you). In other words, your web content should not be owned by the apache user.
- User permissions should almost always be rw- for data files or rwx for directories and programs.
- Group permissions should usually be r-- for data files or r-x for directories and programs. If you want members of that group to be able to write to those files then it should be rw- and rwx.
- Other permissions should almost always be r-- for data files and r-x for directories and programs or --- if you want to deny all access.
chmod might or might not change the permissions of files that are already set to what you want, but if not, it would still need to check them to see what their current permissions are[0]. With hundreds of thousands of files, I don't think it would matter either way; the time is most likely being spent by the tools stat-ing every file.

You can try using find to either check for files newer than the last run or files that need chmod to be run, but I don't think you'll get much speed improvement.

If possible for your script, you might be able to get the new files put into a separate directory first, as a "holding" area. Then you can chmod THAT directory (which only has new files), and mv them in with the rest. That should be substantially faster, but unfortunately won't work for every application.

[0] Even if it does try to set the permission of files that don't need any changes, the underlying filesystem probably won't do anything with the request, because it's unnecessary.
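The two ideas in the answer above (only touch files newer than the last run, only touch files whose bits differ) can be combined in one sweep. The following Python is an added example and not part of the original answer: it walks a tree, calls chmod() only on entries whose permission bits differ from the target, and optionally restricts itself to entries modified after a timestamp, the equivalent of find -newer stampfile. It deliberately skips symbolic links, because chmod() follows them and would change the mode of a target outside the tree. The demo tree, its file names and the 0644/0755 targets are constructed for illustration.

```python
import os
import stat
import tempfile
import time


def normalize_modes(root, file_mode=0o644, dir_mode=0o755, since=None):
    """Set every regular file under `root` to `file_mode` and every directory
    to `dir_mode`, calling chmod() only where the bits actually differ.
    If `since` (a POSIX timestamp) is given, only entries modified after it
    are examined, like `find -newer stampfile`. Returns (examined, changed)."""
    examined = changed = 0
    for dirpath, dirnames, filenames in os.walk(root):   # does not descend into symlinked dirs
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                          # lstat: look at the link itself
            if stat.S_ISLNK(st.st_mode):
                # chmod() follows symlinks and would change the *target*, which
                # may be a file outside this tree (e.g. /etc/passwd); skip links.
                continue
            if since is not None and st.st_mtime <= since:
                continue
            examined += 1
            want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
            if stat.S_IMODE(st.st_mode) != want:
                os.chmod(path, want)
                changed += 1
    return examined, changed


def demo():
    """Build a small constructed tree in a temp dir and run three passes:
    a full sweep, an idempotent re-run, and an incremental run using `since`."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    for rel, mode in (("a.php", 0o600), ("sub/b.php", 0o644), ("sub/c.txt", 0o777)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php echo 'constructed sample';\n")
        os.chmod(path, mode)
    os.chmod(sub, 0o700)
    # A link pointing outside the tree: must be left alone, not chmod'ed through.
    os.symlink("/etc/passwd", os.path.join(root, "outside"))
    # Backdate the real entries so an incremental run can tell old from new.
    old = time.time() - 3600
    for rel in ("a.php", "sub", "sub/b.php", "sub/c.txt"):
        os.utime(os.path.join(root, rel), (old, old))

    full = normalize_modes(root)           # a.php, sub and c.txt fixed; b.php already right
    again = normalize_modes(root)          # nothing left to change
    stamp = time.time() - 1800             # "last run" marker between old and new entries
    new = os.path.join(root, "d.php")
    with open(new, "w") as fh:
        fh.write("<?php\n")
    os.chmod(new, 0o600)
    incremental = normalize_modes(root, since=stamp)   # only d.php is newer than the stamp
    return full, again, incremental


if __name__ == "__main__":
    print(demo())
```

The symlink check matters in a web root: a link such as current -> /srv/releases/42 is common, and a naive chmod -R 644 over the tree would follow it and rewrite the mode of whatever it points at, so inspect with lstat and decide per entry.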
Best Answer
+ means that the file has additional ACLs set. You can set them with setfacl and query them with getfacl.

I haven't seen @ yet personally, but according to this thread it signifies extended attributes, at least on MacOS. Try xattr -l on such a file.
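Putting the best answer and the user/group/other answer together: the nine permission characters that chmod controls are only part of what ls -l prints, and the trailing @ or + says that something outside those nine bits also affects the file. The Python below is an added example, not code from either answer. It parses the first column of ls -l (including the setuid/setgid/sticky letters and the trailing @, + or . that macOS and GNU ls append), and then applies the first-match rule from the related answer: the process is judged by exactly one of the user, group or other triplets. When a + is present the function declines to answer, because with an extended ACL the mode bits alone no longer determine access (on Linux the group triplet shown by ls is then the ACL mask; on macOS the ACL entries are evaluated alongside the bits), so the real answer has to come from getfacl or ls -le. The scenario (alice as uid 1000, www-data as gid/uid 33, the file names) is constructed for illustration, and root's ability to bypass mode bits is not modelled.

```python
import re

R, W, X = 4, 2, 1          # permission bits within one rwx triplet

# Trailing character that ls -l appends after the nine permission bits:
# '@' (macOS ls) = extended attributes, '+' (macOS and GNU ls) = extended ACL,
# '.' (GNU ls) = SELinux security context.
_SUFFIX = {"": None, "@": "xattr", "+": "acl", ".": "selinux"}


def parse_ls_mode(field):
    """Turn the first column of `ls -l`, e.g. '-rw-r--r--@' or 'drwxr-x---+',
    into (file_type, numeric_mode, suffix_meaning)."""
    m = re.fullmatch(r"([-dlcbps])([rwxsStT-]{9})([@+.]?)", field)
    if not m:
        raise ValueError(f"not an ls -l mode string: {field!r}")
    ftype, perms, suffix = m.groups()
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)                    # 0o400 for position 0 ... 0o001 for position 8
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:                # r, w or x in its own slot
            mode |= bit
        elif ch in "sS" and i in (2, 5):      # setuid (user x slot) / setgid (group x slot);
            mode |= (0o4000 if i == 2 else 0o2000) | (bit if ch == "s" else 0)  # lowercase = x also set
        elif ch in "tT" and i == 8:           # sticky bit in the other x slot
            mode |= 0o1000 | (bit if ch == "t" else 0)
        else:
            raise ValueError(f"{ch!r} is not valid at position {i} in {field!r}")
    return ftype, mode, _SUFFIX[suffix]


def permission_class(file_uid, file_gid, proc_uid, proc_gids):
    """Which triplet applies to this process: the first match wins, exactly as
    the kernel decides it, so an owner is never judged by the group bits."""
    if proc_uid == file_uid:
        return "user"
    if file_gid in proc_gids:
        return "group"
    return "other"


def may_access(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """Plain mode-bit check for the bits in `want` (a combination of R, W, X).
    Does not model root / CAP_DAC_OVERRIDE, and knows nothing about ACLs."""
    cls = permission_class(file_uid, file_gid, proc_uid, proc_gids)
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    return ((mode >> shift) & want) == want


def decide_from_ls(field, file_uid, file_gid, proc_uid, proc_gids, want):
    """Decide from an ls -l mode column. Returns True/False, or None when a '+'
    is present: an extended ACL means the nine bits alone cannot answer."""
    _, mode, extra = parse_ls_mode(field)
    if extra == "acl":
        return None
    return may_access(mode, file_uid, file_gid, proc_uid, proc_gids, want)


# Constructed scenario (assumed, not from the page): index.php is owned by
# alice (uid 1000) with group www-data (gid 33); the web server runs as uid 33.
ALICE, WWW_DATA = 1000, 33


def demo():
    server = dict(proc_uid=WWW_DATA, proc_gids={WWW_DATA})
    return {
        # The server reads the script through the group triplet; no x bit is needed.
        "server_reads_php": decide_from_ls("-rw-r-----", ALICE, WWW_DATA, want=R, **server),
        "server_writes_php": decide_from_ls("-rw-r-----", ALICE, WWW_DATA, want=W, **server),
        # The owner is judged by the user triplet only, even though she is in the group.
        "owner_locked_out": may_access(0o044, ALICE, WWW_DATA, ALICE, {ALICE, WWW_DATA}, R),
        # A '+' directory: the bits say r-x for the group, but an ACL may say otherwise.
        "acl_undecidable": decide_from_ls("drwxr-x---+", ALICE, WWW_DATA, want=R, **server),
    }


if __name__ == "__main__":
    print(parse_ls_mode("-rw-r--r--@"), parse_ls_mode("drwxr-x---+"))
    print(demo())
```

The "owner_locked_out" case is the one that surprises people: a file with mode ----r--r-- is unreadable by its owner even though everyone else can read it, because the kernel picks the user triplet and stops. The "acl_undecidable" case is why a + in the listing deserves a getfacl before you trust what the nine characters seem to say.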