+ or @ mark after running ‘ls -al’

by

In Mac OS X, run ‘ls -al’ gives me something like this.

drwxrwxrwx+  4 smcho  staff     136 May  5 09:18 Public
drwxr-xr-x+  6 smcho  staff     204 Feb  1  2010 Sites
drwxrwxrwx   9 smcho  staff     306 Feb  2  2010 backup
[email protected] 36 smcho  staff    1224 Sep  4 22:51 bin
  • What’s the + or @ at the end of the first column means?
  • Is this unique to Mac, or common in UNIX?
Contents hide
ADDED
Answers:
Method 1

ADDED

After Michael Mrozek’s answer, I ran ‘ls -ale’ to get the following.

drwx------+ 66 smcho  staff    2244 Aug 30 13:40 Library
 0: group:com.apple.sharepoint.group.3 allow search
 1: group:everyone deny delete
drwxr-xr-x   3 smcho  staff     102 Sep  4 15:01 Mail
drwx------+ 13 smcho  staff     442 Aug 28 17:55 Movies
 0: group:everyone deny delete
drwx------+  6 smcho  staff     204 Jul  9 09:37 Music
 0: group:everyone deny delete
drwx------+ 11 smcho  staff     374 Aug 28 16:55 Pictures
 0: group:everyone deny delete
drwxr-xr-x   3 smcho  staff     102 Mar 18 15:43 Projects
drwxrwxrwx+  4 smcho  staff     136 May  5 09:18 Public
 0: group:everyone deny delete
drwxr-xr-x+  6 smcho  staff     204 Feb  1  2010 Sites
 0: group:everyone deny delete

What those appended messages mean? Why do I have them for some of the files? I don’t remember doing anything particular for them.

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

The @ suffix is unique to Mac OS and is covered by this question, so I copied this part of my answer from there; it means the file has extended attributes. You can use the xattr command-line utility to view and modify them:

xattr --list filename
xattr --set propname propvalue filename
xattr --delete propname filename

The + suffix means the file has an access control list, and is common in any *nix that supports ACLs. Giving ls the -e flag will make it show the associated ACLs after the file, and chmod can be used to modify then. Most of this is from the chmod man page:

You add an ACL with chmod +a "type:name flag permission,...", and remove it with chmod -a. The argument to chmod is fairly complicated:

  • type is either user or group, to clarify if name is referring to a username or a group name. If name is unambiguous, you can omit the type
  • name is the username or group the ACL applies to
  • flag is allow if this ACL entry is granting a permission, or deny if it’s denying a permission
  • permission is the actual permission being modified; you can list as many as you like, comma-separated
    • delete — Allow the file/directory to be deleted
    • readattr — Read basic attributes
    • writeattr — Write basic attributes
    • readextattr — Read extended attributes (using xattr, from above)
    • writeextattr — Write extended attributes
    • readsecurity — Read ACL info
    • writesecurity — Write ACL info
    • chown — Change owner
    • Directory-specific permissions
      • list — Show the files/folders in the directory
      • search — Find a file/folder in the directory by name
      • add_file — Create a new file in the directory
      • add_subdirectory — Create a new directory in the directory
      • delete_child — Remove a file/directory in the directory
      • Inheritance-control
        • file_inherit — ACLs on the directory are inherited by files
        • directory_inherit — ACLs on the directory are inherited by subdirectories
        • limit_inherit — Stops ACLs inherited by this directory from being inherited by subdirectories
        • only_inherit — Inherited by all newly created items but ignored
    • File-specific permissions
      • read — Open the file for reading
      • write — Open the file for writing
      • append — Open the file for appending
      • execute — Run the file

In your particular example, most of the ACL entries are group:everyone deny delete. That is, all users in the everyone group (which is naturally everyone) are denied the permission to delete the folder. I believe, although I can’t find any documentation about it, that these are default ACLs to stop you from removing essential root folders — somebody correct this if that’s not the case. The only other entry is group:com.apple.sharepoint.group.3 allow search, which allows Directory Services to search for files by name in the /Library folder


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x