Wednesday, January 20, 2010

"+" in the output of "ls -l" stands for what?

Today when I logged into one of my test systems and did "ls -l /root", I found a "+" in the output against each file and directory, immediately after the permission bits. One example is given below.

-rw-r-xr--+ 1 root root 151 Jul 31 20:38

I had no idea what this "+" indicates about the file or directory. I searched Google to find out, without any luck. Every document that I referred to speaks about all the other fields displayed in the output, but kept silent about "+". "man ls" has nothing to say about it. But I was not ready to give up, and I found out myself what that field indicates. You may already know what is meant by this +, but this blog is intended to explain how I found it out myself, which may be useful for you too if you face a similar situation in the future. Below is the method that I followed.

I created a file in /tmp named file.txt. When I did "ls -l" on that file, I didn't see the "+" in the output. Now I have a file which has a + in the "ls -l" output and one which doesn't.

Now I did strace on "ls -l" while listing both the files. Strace was executed as below.

# strace -fvvv -s 1024 -o output-file ls -l file-name

I analyzed both straces and compared them. This comparison helped me to see what is different between these two files.

For the file which has + in its output, I found the below system call in strace.

29608 getxattr("/root/", "system.posix_acl_access", 0x0, 0) = 44

For the file which doesn't have + in the output, I found the same system call as below.

29616 getxattr("/tmp/file.txt", "system.posix_acl_access", 0x0, 0) = -1 ENODATA (No data available)
29616 getxattr("/tmp/file.txt", "system.posix_acl_default", 0x0, 0) = -1 ENODATA (No data available)

The difference in the output of getxattr() told me that the file which has a "+" in the output has a filesystem ACL on it, whereas the file which doesn't have a "+" in the output has no ACLs set on it (this is indicated by the "-1 ENODATA (No data available)").

I verified this by running "getfacl" on both files. Then I did "man acl", started reading it, and found the below details.

"For files that have a default ACL or an access ACL that contains more than the three required ACL entries, the ls(1) utility in the long form produced by ls -l displays a plus sign (+) after the permission string."

Is "man acl" the right place to have this info?
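
As an added example (not part of the original post), the Python below reads the same "system.posix_acl_access" attribute that appears in the strace and decodes its entries, which is useful when auditing access that the mode bits alone do not show. It assumes the Linux xattr layout for POSIX ACLs (a 4-byte version header followed by 8-byte entries), under which a 44-byte value like the one returned above holds five entries; SAMPLE is a constructed value and the function names are illustrative.

```python
import errno
import os
import struct

ACL_XATTR = "system.posix_acl_access"   # attribute name seen in the strace output
TAGS = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
        0x08: "group", 0x10: "mask", 0x20: "other"}


def parse_posix_acl(blob):
    """Decode the ACL xattr: le32 version, then (le16 tag, le16 perm, le32 id) entries."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("unexpected ACL xattr length: %d" % len(blob))
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 2:
        raise ValueError("unsupported ACL xattr version: %d" % version)
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, qualifier = struct.unpack_from("<HHI", blob, off)
        rwx = "".join(c if perm & bit else "-" for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        # Only named user/group entries carry a meaningful uid/gid.
        named = qualifier if tag in (0x02, 0x08) else None
        entries.append((TAGS.get(tag, hex(tag)), named, rwx))
    return entries


def read_access_acl(path):
    """Return the raw access ACL xattr, or None when there is none (the ENODATA case)."""
    try:
        return os.getxattr(path, ACL_XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


# Constructed sample (44 bytes): user::rw-, user:1000:r-x, group::r--, mask::r-x, other::r--
SAMPLE = struct.pack("<I", 2) + b"".join(
    struct.pack("<HHI", t, p, q) for t, p, q in [
        (0x01, 6, 0xFFFFFFFF), (0x02, 5, 1000), (0x04, 4, 0xFFFFFFFF),
        (0x10, 5, 0xFFFFFFFF), (0x20, 4, 0xFFFFFFFF)])

if __name__ == "__main__":
    for tag, qualifier, rwx in parse_posix_acl(SAMPLE):
        print(tag, "" if qualifier is None else qualifier, rwx)
```

With an ACL present, the middle triplet that "ls -l" prints is the mask entry rather than the owning group's permissions, so a listing like the one above can hide a named user or group entry that only getfacl or a decoder like this reveals.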
