Can someone explain the meaning of these attributes: ---S--l---?
When and why does this attribute need to be set, and for what?
$ ls -ltr
---S--l--- 1 root root 0 Mar 10 04:25 /opt/sm/OP/Tor/kur/ll3/tur_lock
I trust that you’re familiar with the basic -rwxrwxrwx notation.
You probably know that set-user-ID gets you -rwsrwxrwx
and set-group-ID gets you -rwxrwsrwx.
But, without further clarification, these forms are ambiguous.
If you see -rws------, you might assume that the mode is 04700
(set-user-ID + user read + write + execute),
but how do you know that the execute bit is on when x isn’t displayed?
The answer is that mode 04600 (set-user-ID + user read + write, but without execute)
is shown as -rwS------. Similarly,
02060 (set-group-ID + group read + write, but without execute) is shown as ---rwS---.
Now, documentation on that l is proving to be hard to find.
Luckily, I’ve been around for a while, and I know where some of the bodies are buried.
I found this fcntl(2) page that says,
(Non-POSIX.) … record locks may be either advisory or mandatory, and are advisory by default. Advisory locks are not enforced and are useful only between cooperating processes.
Mandatory locks are enforced for all processes. If a process tries to perform an incompatible access (e.g., read(2) or write(2)) on a file region that has an incompatible mandatory lock, then the result depends upon whether the O_NONBLOCK flag is enabled for its open file description. If the O_NONBLOCK flag is not enabled, then system call is blocked until the lock is removed or converted to a mode that is compatible with the access. If the O_NONBLOCK flag is enabled, then the system call fails with the error EAGAIN.
To make use of mandatory locks, mandatory locking must be enabled both on the file system that contains the file to be locked, and on the file itself. Mandatory locking is enabled on a file system using the "-o mand" option to mount(8), or the MS_MANDLOCK flag for mount(2). Mandatory locking is enabled on a file by disabling group execute permission on the file and enabling the set-group-ID permission bit (see chmod(1) and chmod(2)).
The Linux implementation of mandatory locking is unreliable. See BUGS below.
On some (non-POSIX?) *nix systems,
turning on the set-group-ID mode bit while leaving off the group execute bit
enables mandatory locking on that file, if it is enabled in the filesystem.
And so the ls programs on some of these systems show an l (rather than S)
in the seventh position of the textual representation of the mode
to indicate that mandatory locking is enabled.
So, your tur_lock file has mode 06000.
S in the fourth position
indicates that the set-user-ID (04000) mode bit is set
but the user (owner) execute permission (00100) mode bit is off.
S or an l in the seventh position
indicates that the set-group-ID (02000) mode bit is set
but the group execute permission (00010) mode bit is off.
Whether ls displays an S or an l in the seventh position
(when the set-group-ID mode bit is set but the group execute permission mode bit is off)
is determined by rules that are not clearly documented;
but it looks like you get the l if your operating system and filesystem
support mandatory file locking.
The l then indicates that mandatory file locking is enabled for this file.
You can see the numeric modes (or, at least, the mode bits that are under user control) for all the files and whatnot in a directory tree with a command like
find directory -printf "%.5m %p\n"
find’s -printf accepts format %m to report the mode numerically (in octal).
(Use %M to report the mode symbolically, as ls does.)
Of course you can specify multiple directories to find,
or use options like -mindepth or -maxdepth,
or tests like -mtime, -name, -iname, and/or -size to narrow the search,
or modify the -printf format.
You can see the numeric modes for selected files with a command like
stat -c "%a %n" file …
stat’s report format (specified with -c or --format)
uses %a to report the mode (“access rights”) numerically (in octal).
(Use %A to report the mode symbolically, as ls does.)
Both of the above show only the mode bits that are under user control. To see all the mode bits (including the ones that specify file/inode type), use
stat -c "%f %n" file …
Unfortunately, this displays it in hex.
… is there any option to identify files with ‘S’ …?
You can find files that have an S in the fourth position with
find directory -perm -4000 ! -perm -100
which is about as close to English as find syntax gets:
find files where “permission” (mode) bit 04000 is set but mode bit 0100 is not set.
Similarly, you can find files that have an S or an l in the seventh position with
find directory -perm -2000 ! -perm -010
Finding files that meet either of the above conditions is a bit messier:
find directory "(" "(" -perm -4000 ! -perm -100 ")" -o "(" -perm -2000 ! -perm -010 ")" ")"
This can be set with command chattr in Linux.
chattr is the command in the Linux operating system that allows a user to set certain attributes on a file residing on a Linux file system.
It is also called the immutable bit.
There are many attributes that can be applied to files in Linux. In the above question, S and I are some attributes. Below is the description of attributes S and I.
S - the changes are written synchronously on the disk; this is equivalent to the `sync' mount option applied to a subset of the files.
I - is used by the htree code to indicate that a directory is being indexed using hashed trees.
To set immutable bit to any file, below is the syntax.
chattr +(attribute) (file name)
To remove immutable bit of any file, below is the syntax.
chattr -(attribute) (file name)
To check which file has attribute set, use lsattr command.
For more information, read the chattr man page. All the attributes and their characteristics are mentioned in the man page.
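The mode-bit rendering described in the first answer (s versus S, and S versus l), worked through in shell as an added example that is not part of either answer. The helper names tri, mode_string and flags_without_exec are hypothetical, and the optional "mand" argument is an assumption that models an ls which prints l when set-group-ID is on and group execute is off.

```shell
#!/bin/sh
# Added example: render octal mode bits the way ls does for a regular file.
# tri, mode_string and flags_without_exec are hypothetical helper names.

# tri BITS SPECIAL ON OFF: print one rwx triplet. SPECIAL is non-zero when the
# set-ID/sticky bit for this triplet is set; ON/OFF replace x/- in that case.
tri() {
    bits=$1 special=$2 on=$3 off=$4
    [ $((bits & 4)) -ne 0 ] && r=r || r=-
    [ $((bits & 2)) -ne 0 ] && w=w || w=-
    if [ "$special" -ne 0 ]; then
        [ $((bits & 1)) -ne 0 ] && x=$on || x=$off
    else
        [ $((bits & 1)) -ne 0 ] && x=x || x=-
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_string OCTAL [mand]: "mand" models an ls that prints l (not S) for
# set-group-ID without group execute, as in the listing from the question.
mode_string() {
    m=$((0$1))
    gid_off=S
    [ "${2:-}" = mand ] && gid_off=l
    printf '%s' '-'
    tri $(( (m >> 6) & 7 )) $(( m & 04000 )) s S
    tri $(( (m >> 3) & 7 )) $(( m & 02000 )) s "$gid_off"
    tri $(( m & 7 ))        $(( m & 01000 )) t T
    printf '\n'
}

# flags_without_exec OCTAL: the same test as the first answer's two find
# expressions; succeeds when a set-ID bit is on but its execute bit is off.
flags_without_exec() {
    m=$((0$1))
    { [ $((m & 04000)) -ne 0 ] && [ $((m & 0100)) -eq 0 ]; } ||
    { [ $((m & 02000)) -ne 0 ] && [ $((m & 0010)) -eq 0 ]; }
}

# Modes taken from the discussion: 04700, 04600 and the tur_lock mode 06000.
for mode in 4700 4600 6000; do
    printf '%s  %s\n' "$mode" "$(mode_string "$mode")"
done
printf '6000  %s  (ls that marks mandatory locking)\n' "$(mode_string 6000 mand)"
for mode in 4755 2755 6000; do
    if flags_without_exec "$mode"; then printf '%s  set-ID without execute\n' "$mode"; fi
done
```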