To execute a shell script, you need r+x on the script file. To execute a binary, you just need x.
The "+" after the permissions indicates that the file has an ACL.
The numbers 1, 2 and 4 represent x, w and r respectively. OR (add) the numbers to create composite permissions. For example, 700 means 1+2+4 for owner and 0 for group/other.
Setuid/setgid change the permission x to s in the listing. Set these permissions by specifying a 4th digit. For example, 2700 or 4700 sets setgid or setuid respectively. "1" sets the sticky bit on the program.
The kernel will not execute a script with setuid/setgid on.
Execute permission on a directory indicates whether the user can cd into the directory and access the files that he has been permitted to. If a user has x but no r for a directory, he cannot display the directory content (i.e. the list of files in the directory) using the ls command.
Using ACLs has overhead, and ACLs should not be enabled on system directories and files. Not all file utilities preserve ACLs by default. The destination filesystem may or may not support ACLs. In addition, the filesystem must be mounted with ACL enabled (default no ACL).
ACLs grant access to other users or groups besides the owner's. Besides ugo, an ACL has a role called "mask" which specifies the effective (maximum) permission the ACL permits for the directory or file. Any ACL permission that exceeds the mask will not be effective (i.e. denied). The mask is usually set to the maximum permission allowed, and individual ACL rules are more restrictive than the mask.
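The mask rule above, as an added example (not part of the original notes): it parses ACL text in getfacl's format and computes what each entry is effectively granted. The sample ACL, the names alice and devs, and the function names are constructed for illustration. It follows the POSIX ACL rule that the mask caps named users, named groups and the owning group, but not the file owner or other.

```python
# Added example: effective POSIX ACL permissions under the mask.
# SAMPLE_ACL is constructed input in getfacl's text format.
SAMPLE_ACL = """\
user::rwx
user:alice:rwx
group::r-x
group:devs:rw-
mask::r--
other::---
"""

BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    """Convert an 'rwx'-style string to its numeric value."""
    return sum(BITS[c] for c in perm if c in BITS)

def to_str(bits):
    """Convert a numeric permission back to an 'rwx'-style string."""
    return "".join(c if bits & v else "-" for c, v in BITS.items())

def effective_acl(text):
    """Return {(tag, qualifier): effective 'rwx' string} for each entry."""
    entries, mask = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop getfacl comments
        if not line:
            continue
        tag, qualifier, perm = line.split(":")
        if tag == "mask":
            mask = to_bits(perm)
        else:
            entries.append((tag, qualifier, to_bits(perm)))
    result = {}
    for tag, qualifier, bits in entries:
        # The mask applies to the owning group and to every named entry;
        # the owner (user::) and other:: entries are never masked.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            bits &= mask
        result[(tag, qualifier)] = to_str(bits)
    return result

if __name__ == "__main__":
    for (tag, qualifier), perm in effective_acl(SAMPLE_ACL).items():
        print(f"{tag}:{qualifier}: {perm}")
```

Here alice is listed with rwx and devs with rw-, yet both end up with read only because the mask is r--.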