Understanding the ‘+’ Symbol in Linux File Permissions: ACLs Explained for Developers



When you run ls -l on a CentOS system and see a plus sign (+) at the end of file permissions like drwxrwxrwx+, this indicates the file has Access Control Lists (ACLs) applied. These extend beyond basic Unix permissions to provide more granular access control.

To verify if a file has ACLs, use:

getfacl filename
# Example output:
# file: docs
# owner: benson
# group: avahi-autoipd
# user::rwx
# group::rwx
# other::rwx
# additional entries may appear here

To set an ACL for a specific user:

setfacl -m u:username:rwx filename

To set default ACLs for new files in a directory:

setfacl -d -m u:username:rwx directory

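Imagine a web server where the apache user needs read access to some files, and you do not want to change their group ownership: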

# Grant apache read access without changing group ownership
setfacl -m u:apache:r /var/www/html/secure_files

# Verify with:
getfacl /var/www/html/secure_files | grep apache
# Should show: user:apache:r--

To completely remove all ACL entries:

setfacl -b filename

Remember that ACLs are filesystem-dependent - not all Unix filesystems support them. Common supported ones include ext3/4, xfs, and zfs.


When you run ls -l on a Linux system and see a plus sign (+) at the end of the permission string like drwxrwxrwx+, it indicates that the file or directory has extended Access Control Lists (ACLs) beyond the standard Unix permissions.

Traditional Unix permissions use three sets of rwx (read, write, execute) for owner, group, and others. The plus sign tells you there's more to the story:


# Standard permissions
-rw-r--r--  1 user group  1024 Jan 1 10:00 file.txt

# With extended ACLs
-rw-r--r--+ 1 user group  1024 Jan 1 10:00 special_file.txt

To see the complete ACL information, use the getfacl command:


getfacl docs/
# file: docs/
# owner: benson
# group: avahi-autoipd
user::rwx
group::rwx
other::rwx
# additional entries will appear here if ACLs exist
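
To make those additional entries concrete, the following added example (not part of the original article) reads getfacl output and prints, for each file, every named user or group entry with the rights it was granted and the rights that remain after the ACL mask is applied. The sample records, the developers group and the function names acl_report and acl_writers are constructed for illustration.

```sh
# Constructed sample in getfacl's output format (two records, as `getfacl -R docs/` prints them).
sample_acl() {
cat <<'EOF'
# file: docs/
# owner: benson
# group: avahi-autoipd
user::rwx
user:apache:r--
group::rwx
group:developers:rwx
mask::r-x
other::r-x

# file: docs/notes.txt
# owner: benson
# group: avahi-autoipd
user::rw-
user:apache:rw-
group::r--
mask::rw-
other::---
EOF
}

# acl_report: getfacl text on stdin -> "<file> <entry> <granted> <effective>" per named entry.
# Effective = granted AND mask; "default:" entries are skipped (they only seed new files).
acl_report() {
  awk -F: '
    function flush(   i, b, c, eff) {
      for (i = 1; i <= n; i++) {
        eff = ""
        for (b = 1; b <= 3; b++) {
          c = substr(perm[i], b, 1)
          if (mask != "" && substr(mask, b, 1) == "-") c = "-"
          eff = eff c
        }
        print file, tag[i], perm[i], eff
      }
      n = 0; mask = ""
    }
    /^# file: /    { flush(); file = substr($0, 9); next }
    /^#/ || NF < 3 { next }
    $1 == "mask"   { mask = substr($3, 1, 3); next }
    ($1 == "user" || $1 == "group") && $2 != "" { n++; tag[n] = $1 ":" $2; perm[n] = substr($3, 1, 3) }
    END { flush() }'
}
# acl_writers: keep only the named entries that can effectively write.
acl_writers() { acl_report | awk '$NF ~ /w/'; }
sample_acl | acl_writers
```

On a real system, pipe `getfacl -R docs/` into `acl_report` instead of the sample. In the first record the developers group was granted rwx, but the r-x mask leaves it without write access.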

Here are some practical examples of working with ACLs:


# Add read/write permissions for specific user
setfacl -m u:username:rw docs/

# Add execute permission for a group
setfacl -m g:developers:x script.sh

# Remove all extended ACLs
setfacl -b protected_file

Extended ACLs are useful when:

  • You need to grant permissions to specific users without changing file ownership
  • Multiple groups require different access levels to the same resource
  • You are implementing complex permission schemes in shared environments

While most modern Linux distributions support ACLs (ext2/ext3/ext4, XFS, Btrfs), some older or minimal installations might not have ACL support enabled. Check your filesystem mount options:


mount | grep acl
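# Shows 'acl' in the options list when the option was set explicitly.
# ext4 and XFS typically enable ACLs by default without listing the option,
# so an empty result does not by itself mean ACLs are unsupported.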