CHMOD(1) | General Commands Manual | CHMOD(1) |
chmod
— change
file modes or Access Control Lists
chmod |
[-fhv ] [-R
[-H | -L |
-P ]] mode
file ... |
chmod |
[-fhv ] [-R
[-H | -L |
-P ]] [-a | +a | =a] ACE
file ... |
chmod |
[-fhv ] [-R
[-H | -L |
-P ]] [-E ]
file ... |
chmod |
[-fhv ] [-R
[-H | -L |
-P ]] [-C ]
file ... |
chmod |
[-fhv ] [-R
[-H | -L |
-P ]] [-N ]
file ... |
The chmod
utility modifies the file mode
bits of the listed files as specified by the mode
operand. It may also be used to modify the Access Control Lists (ACLs)
associated with the listed files.
The generic options are as follows:
-f
chmod
could
not modify the mode for file, nor modify the exit
status to reflect such failures.-H
-R
option is specified, symbolic links on
the command line are followed and hence unaffected by the command.
(Symbolic links encountered during tree traversal are not followed.)-h
-L
-R
option is specified, all symbolic links
are followed.-P
-R
option is specified, no symbolic links
are followed. This is the default.-R
.*
”.-v
chmod
to be verbose, showing filenames as
the mode is modified. If the -v
flag is specified
more than once, the old and new modes of the file will also be printed, in
both octal and symbolic notation.The -H
, -L
and
-P
options are ignored unless the
-R
option is specified. In addition, these options
override each other and the command's actions are determined by the last one
specified.
If chmod
receives a
SIGINFO
signal (see the
status
argument for stty(1)), then
the current filename as well as the old and new modes are displayed.
Only the owner of a file or the super-user is permitted to change the mode of a file.
The chmod
utility exits 0 on
success, and >0 if an error occurs.
Modes may be absolute or symbolic. An absolute mode is an octal number constructed from the sum of one or more of the following values:
4000
suiddir
option
to mount(8).2000
1000
0400
0200
0100
0040
0020
0010
0004
0002
0001
For example, the absolute mode that permits read, write and execute by the owner, read and execute by group members, read and execute by others, and no set-uid or set-gid behaviour is 755 (400+200+100+040+010+004+001).
The symbolic mode is described by the following grammar:
mode ::= clause [, clause ...] clause ::= [who ...] [action ...] action action ::= op [perm ...] who ::= a | u | g | o op ::= + | - | = perm ::= r | s | t | w | x | X | u | g | o
The who symbols ``u'', ``g'', and ``o'' specify the user, group, and other parts of the mode bits, respectively. The who symbol ``a'' is equivalent to ``ugo''.
The perm symbols represent the portions of the mode bits as follows:
The op symbols represent the operation performed, as follows:
Each clause specifies one or more operations to be performed on the mode bits, and each operation is applied to the mode bits in the order specified.
Operations upon the other permissions only (specified by the symbol ``o'' by itself), in combination with the perm symbols ``s'' or ``t'', are ignored.
The ``w'' permission on directories will permit file creation, relocation, and copy into that directory. Files created within the directory itself will inherit its group ID.
644
go-w
=rw,+X
+X
755
u=rwx,go=rx
u=rwx,go=u-w
go=
g=u-w
ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions. In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specify the type of name.
If the user or group name contains spaces you can use ':' as the delimiter between name and permission.
The following permissions are applicable to all filesystem objects:
The following permissions are applicable to directories:
The following permissions are applicable to non-directory filesystem objects:
ACL inheritance is controlled with the following permissions words, which may only be applied to directories:
The ACL manipulation options are as follows:
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write
# chmod +a "guest deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a "admin allow delete" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
.
# chmod +a "User 1:allow:read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: User 1 allow read
3: admin allow write,delete
The +a mode strives to maintain correct canonical form for the
ACL.
local deny
local allow
inherited deny
inherited allow
By default, chmod adds entries to the top of the local deny and local allow lists. Inherited entries are added by using the +ai mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 "others deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: others deny read
3: admin allow write
The +ai# mode may be used to insert inherited entries at a specific location. Note that these modes allow non-canonical ACL ordering to be constructed.
-a
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,delete
# chmod -a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
Inheritance is not considered when processing the -a mode; rights and entries will be removed regardless of their inherited state.
If the user or group name contains spaces you can use ':' as the delimiter
Example
# chmod +a "User 1:allow:read" file1
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
# chmod =a# 1 "admin allow write,chown" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,chown
This mode may not be used to add new entries.
-E
-C
-i
-I
-N
The -v
option is non-standard and its use
in scripts is not recommended.
chflags(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), sticky(7), symlink(7), chown(8), mount(8)
The chmod
utility is expected to be
IEEE Std 1003.2 (“POSIX.2”) compatible
with the exception of the perm symbol
“t” which is not included in that standard.
A chmod
command appeared in
Version 1 AT&T UNIX.
January 7, 2017 | Mac OS X 12 |