Understanding the “+” Symbol in Linux File Permissions: ACLs vs Traditional drwxrwsr-x+



When examining file permissions in Linux using ls -l, you might encounter permission strings ending with a "+" sign, like drwxrwsr-x+. This isn't part of the standard Unix permission notation and indicates something special about the file's access controls.

A standard Unix permission string is a file-type character followed by three rwx triplets, for the owner, the group, and others:

-rwxr-xr-x   # Standard permission string
drwxrwsr-x   # Directory with setgid bit
drwxrwsr-x+  # With additional ACL entries

The "+" symbol appears when the file has Access Control Lists (ACLs) applied, which provide more granular permission control beyond the standard user/group/others model.

To verify if a file has ACL entries:

getfacl shared
# Output might show:
# file: shared
# owner: deploy
# group: www-data
# user::rwx
# group::r-x
# group:developers:rwx
# mask::rwx
# other::r-x

In deployment scenarios (like Capistrano), ACL issues often manifest when:

  • The deployment user lacks proper ACL entries
  • Directory inheritance isn't properly configured
  • Group write permissions conflict with ACL settings

To ensure smooth deployments with ACLs:

# Set default ACLs for the directory (inherited by new files and subdirectories)
setfacl -d -m u:deploy:rwx shared/
setfacl -d -m g:www-data:rwx shared/
# Set access ACLs on the directory itself
setfacl -m u:deploy:rwx shared/
setfacl -m g:www-data:rwx shared/

If you prefer traditional permissions:

# Remove all ACL entries
setfacl -b shared/
# Then set standard permissions
chmod 775 shared/
chown deploy:www-data shared/
chmod g+s shared/  # Set setgid bit

Feature               Standard Permissions   ACL-Enabled
Permission string     drwxrwsr-x             drwxrwsr-x+
Multiple groups       No                     Yes
Fine-grained control  Limited                Detailed
Inheritance           Basic                  Configurable

When facing deployment failures:

  1. Check effective permissions with getfacl
  2. Verify the deployment user is in all necessary groups
  3. Test creating files manually as the deploy user
  4. Look for SELinux context issues if on CentOS/RHEL

When working with Linux file permissions, you might encounter permission strings ending with a plus sign (+), like drwxrwsr-x+. This isn't standard Unix permission notation but indicates the presence of Access Control Lists (ACLs) on the file or directory.

Traditional Unix permissions follow the drwxrwxrwx format:

drwxrwsr-x   # Standard permissions
drwxrwsr-x+  # With ACLs enabled

The plus sign specifically tells you there are additional permissions beyond the standard owner/group/others model.

To view the complete ACL entries, use:

getfacl /path/to/directory

Sample output might look like:

# file: shared/
# owner: deploy
# group: www-data
user::rwx
user:jenkins:r-x
group::r-x
group:deployers:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
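
How the mask entry in output like this caps named users and groups, as an added example that is not part of the original page: it parses getfacl text and reports each access entry's effective rights. The sample is this page's output with the mask changed to r-x (an assumption made to show the effect), and the function names are this example's own.

```python
import re

# Constructed sample: this page's getfacl output with the mask tightened to r-x.
SAMPLE = """\
# file: shared/
# owner: deploy
# group: www-data
user::rwx
user:jenkins:r-x
group::r-x
group:deployers:rwx
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])")

def parse_acl(text):
    """Split getfacl output into access and default entries: {(tag, name): perms}."""
    access, default = {}, {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header lines ("# file: ...") and blanks do not match
            is_default, tag, name, perms = m.groups()
            (default if is_default else access)[(tag, name)] = perms
    return access, default

def apply_mask(perms, mask):
    """Keep a permission bit only if the mask also grants it."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective_access(text):
    """Effective rights per access entry; the mask caps named users and all groups."""
    access, _ = parse_acl(text)
    mask = access.pop(("mask", ""), None)
    result = {}
    for (tag, name), perms in access.items():
        capped = mask and (tag == "group" or (tag == "user" and name))
        result[f"{tag}:{name}"] = apply_mask(perms, mask) if capped else perms
    return result

def reduced_by_mask(text):
    """Entries that grant more than the mask lets through."""
    access, _ = parse_acl(text)
    return sorted(k for k, v in effective_access(text).items()
                  if v != access[tuple(k.split(":", 1))])
```

With the constructed mask of r-x, group:deployers is listed as rwx but cannot write, which is the kind of mismatch that shows up as a failed deployment write.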

In web deployment scenarios (like your Capistrano case), ACL issues often manifest when:

  • Multiple users need write access to a directory
  • System services (like Apache) need specific permissions
  • CI/CD systems interact with deployment directories

For your Capistrano deployment, try these steps:

# 1. Check current ACLs
getfacl /path/to/shared

# 2. Set appropriate ACLs (example)
setfacl -R -m u:deploy:rwx,u:www-data:rx,g:deploy:rwx /path/to/shared
setfacl -R -d -m u:deploy:rwx,u:www-data:rx,g:deploy:rwx /path/to/shared

# 3. Verify changes
getfacl /path/to/shared | grep -E 'user:(deploy|www-data)|group:deploy'

When working with ACLs:

  • Always use getfacl before modifying permissions
  • Consider using default ACLs (-d flag) for directories
  • Document ACL changes as they're not visible in standard listings
  • Test deployment with capistrano -T to verify permissions