chmod(1)                         User Commands                        chmod(1)

NAME

       chmod - change the permissions mode of a file

SYNOPSIS

       chmod [-fR] absolute-mode file...

       chmod [-fR] symbolic-mode-list file...

       chmod [-fR] acl_operation file...

       chmod [-fR] [-@ named_attribute]... attribute_specification_list file...

DESCRIPTION

       The chmod utility changes or assigns the mode of a file.

       chmod can also be used to modify Access Control Lists (ACLs) on files
       and directories, and to modify boolean read-write system attributes on
       regular files, directories, and opaque extended attribute files.

   Absolute Mode
       An absolute mode command line has the following format:

         chmod [options] absolute-mode file . . .

       where absolute-mode is specified using octal numbers nnnn defined as
       follows:

       n    a number from 0 to 7. An absolute mode is constructed from the OR
            of any of the following modes:

            4000        Set user ID on execution.

            20#0        Set group ID on execution if # is 7, 5, 3, or 1.

                        Enable mandatory locking if # is 6, 4, 2, or 0.

                        For directories, files are created with BSD semantics
                        for propagation of the group ID. With this option,
                        files and subdirectories created in the directory
                        inherit the group ID of the directory, rather than of
                        the current process. For directories, the set-gid bit
                        can only be set or cleared by using symbolic mode.

            1000        Turn on sticky bit. See chmod(2).

            0400        Allow read by owner.

            0200        Allow write by owner.

            0100        Allow execute (search in directory) by owner.

            0700        Allow read, write, and execute (search) by owner.

            0040        Allow read by group.

            0020        Allow write by group.

            0010        Allow execute (search in directory) by group.

            0070        Allow read, write, and execute (search) by group.

            0004        Allow read by others.

            0002        Allow write by others.

            0001        Allow execute (search in directory) by others.

            0007        Allow read, write, and execute (search) by others.

       For directories, the setgid bit cannot be set (or cleared) in absolute
       mode; it must be set (or cleared) in symbolic mode using g+s (or g-s).

   Symbolic Mode
       A symbolic mode command line has the following format:

         chmod [options] symbolic-mode-list file . . .

       where symbolic-mode-list is a comma-separated list (with no intervening
       white space) of symbolic mode expressions of the form:

         [who] operator [permissions]

       Operations are performed in the order given. Multiple permission
       letters following a single operator cause the corresponding operations
       to be performed simultaneously.

       who           zero or more of the characters u, g, o, and a specifying
                     whose permissions are to be changed or assigned:

                     u    user's permissions

                     g    group's permissions

                     o    others' permissions

                     a    all permissions (user, group, and other)

                     If who is omitted, it defaults to a, but the setting of
                     the file mode creation mask (see umask in sh(1) or csh(1)
                     for more information) is taken into account. When who is
                     omitted, chmod does not override the restrictions of your
                     user mask.

       operator      either +, -, or =, signifying how permissions are to be
                     changed:

                     +       Add permissions.

                             If permissions are omitted, nothing is added.

                             If who is omitted, add the file mode bits
                             represented by permissions, except for those with
                             corresponding bits in the file mode creation
                             mask.

                             If who is present, add the file mode bits
                             represented by the permissions.

                     -       Take away permissions.

                             If permissions are omitted, do nothing.

                             If who is omitted, clear the file mode bits
                             represented by permissions, except for those with
                             corresponding bits in the file mode creation
                             mask.

                             If who is present, clear the file mode bits
                             represented by permissions.

                     =       Assign permissions absolutely.

                             If who is omitted, clear all file mode bits; if
                             who is present, clear the file mode bits
                             represented by who.

                             If permissions are omitted, do nothing else.

                             If who is omitted, add the file mode bits
                             represented by permissions, except for those with
                             corresponding bits in the file mode creation
                             mask.

                             If who is present, add the file mode bits
                             represented by permissions.

                     Unlike other symbolic operations, = has an absolute
                     effect in that it resets all other bits represented by
                     who. Omitting permissions is useful only with = to take
                     away all permissions.

       permissions   any compatible combination of the following letters:

                     l        mandatory locking

                     r        read permission

                     s        user or group set-ID

                     t        sticky bit

                     w        write permission

                     x        execute permission

                     X        execute permission if the file is a directory or
                              if there is execute permission for one of the
                              other user classes

                     u,g,o    indicate that permission is to be taken from the
                              current user, group or other mode respectively.

                     Permissions to a file can vary depending on your user
                     identification number (UID) or group identification
                     number (GID). Permissions are described in three
                     sequences each having three characters:

                     User                 Group                 Other
                     rwx                  rwx                   rwx

                     This example (user, group, and others all have permission
                     to read, write, and execute a given file) demonstrates
                     two categories for granting permissions: the access class
                     and the permissions themselves.

                     The letter s is only meaningful with u or g, and t only
                     works with u.

                     Mandatory file and record locking (l) refers to a file's
                     ability to have its reading or writing permissions locked
                     while a program is accessing that file.

                     In a directory which has the set-group-ID bit set
                     (reflected as either -----s--- or -----l--- in the output
                     of 'ls -ld'), files and subdirectories are created with
                     the group-ID of the parent directory, not that of the
                     current process.

                     It is not possible to permit group execution and enable a
                     file to be locked on execution at the same time. In
                     addition, it is not possible to turn on the set-group-ID
                     bit and enable a file to be locked on execution at the
                     same time. The following examples, therefore, are invalid
                     and elicit error messages:

                       chmod g+x,+l file
                       chmod g+s,+l file

                     Only the owner of a file or directory (or the super-user)
                     can change that file's or directory's mode. Only the
                     super-user can set the sticky bit on a non-directory
                     file. If you are not super-user, chmod masks the sticky
                     bit but does not return an error. In order to turn on a
                     file's set-group-ID bit, your own group ID must
                     correspond to the file's and group execution must be set.

   ACL Operation
       An ACL Operation command line has the following format:

         chmod [options] A[number]- file ...
         chmod [options] A-acl_specification file ...
         chmod [options] A[index]{+|=}acl_specification file ...

       where acl_specification is a comma-separated list (with no intervening
       white space) of ACL entries, and the ACL operation takes one of the
       following forms:

       A[index]+acl_specification    Prepends the access control entries (ACEs)
                                     specified in acl_specification to the
                                     beginning of the file's ACL. Depending on
                                     the file system, the ACL can be reordered
                                     when applied to the file. If the optional
                                     index is specified, the new ACEs are
                                     inserted before that index.

       A-                            Removes all ACEs for the current ACL on
                                     the file and replaces the current ACL with
                                     a new ACL that represents only the current
                                     mode of the file.

       Aindex-                       Removes the ACE specified by index number.

       A-acl_specification           Removes the ACEs specified by
                                     acl_specification, if they exist in the
                                     file's current ACL.

       A=acl_specification           Replaces a file's entire ACL with
                                     acl_specification.

       A[index]=acl_specification    Replaces ACEs starting at a specific
                                     index number in the current ACL on the
                                     file. If multiple ACEs are specified,
                                     then each subsequent ACE in
                                     acl_specification replaces the
                                     corresponding ACE in the current ACL.

       POSIX-draft ACL Specification (as supported by UFS)

       POSIX-draft ACLs (as supported by UFS) are specified as colon (:)
       separated fields of the following.

       user::perms

           File owner permissions.

       user:username:perms

           Permissions for a specific user.

       group::perms

           File group owner permissions.

       group:groupname:perms

           Permissions for a specific group.

       other::perms

           Permissions for users other than the file owner or members of the
           file group owner.

       mask:perms

           The ACL mask. The mask entry specifies the maximum permissions
           allowed for users other than the owner and for groups.

       default:user::perms

           Default file owner permissions.

       default:user:username:perms

           Default permissions for a specific user.

       default:group::perms

           Default file group owner permissions.

       default:group:groupname:perms

           Default permissions for a specific group.

       default:other:perms

           Default permissions for users other than the file owner or members
           of the file group owner.

       default:mask:perms

           Default ACL mask.

       The above specification allows for ACLs to be specified such as:

         user:tom:rw-,mask:rwx,group:staff:r-x

       NFSv4 ACL Specification (as supported by NFSv4 and ZFS)

       NFSv4 ACLs provide richer ACL semantics. They provide both allow and
       deny entries, finer grained permissions, and enhanced inheritance
       control.

       NFSv4 ACLs are specified as colon (:) separated fields of the
       following.

       owner@:<perms>[:inheritance flags]:<allow|deny>

           Permissions for file owner.

       group@:<perms>[:inheritance flags]:<allow|deny>

           Permissions for file group owner.

       everyone@:<perms>[:inheritance flags]:<allow|deny>

           Permissions for everyone, including file owner and group owner.

       user:<username>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific user.

       usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific user, but the user is specified by SID.

       group:<groupname>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific group.

       groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific group, but the group is specified by SID.

       sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific SID, whether it names a user or a group.

       Permissions can be specified in three different chmod ACL formats:
       verbose, compact, or positional. The verbose format uses words to
       indicate the permissions, separated with a forward slash (/) character.
       Compact format uses the permission letters, and positional format uses
       the permission letters or the hyphen (-) to identify no permission at
       that position.

       The permissions for verbose mode and their abbreviated form in
       parentheses for compact and positional mode are described as follows:

       read_data (r)           Permission to read the data of a file.

       list_directory (r)      Permission to list the contents of a directory.

       write_data (w)          Permission to modify a file's data anywhere in
                               the file's offset range.

       add_file (w)            Permission to add a new file to a directory.

       append_data (p)         The ability to modify a file's data, but only
                               starting at EOF.

                               Currently, this permission is not supported.

       add_subdirectory (p)    Permission to create a subdirectory in a
                               directory.

       read_xattr (R)          Ability to read the extended attributes of a
                               file.

       write_xattr (W)         Ability to create extended attributes or write
                               to the extended attribute directory.

       execute (x)             Permission to execute a file.

       read_attributes (a)     The ability to read basic attributes (non-ACLs)
                               of a file.

       write_attributes (A)    Permission to change the times associated with
                               a file or directory to an arbitrary value.

       delete (d)              Permission to delete a file.

       delete_child (D)        Permission to delete a file within a directory.

       read_acl (c)            Permission to read the ACL of a file.

       write_acl (C)           Permission to write the ACL of a file.

       write_owner (o)         Permission to change the owner of a file.

       synchronize (s)         Permission to access file locally at server
                               with synchronize reads and writes.

                               Currently, this permission is not supported.

       Using the compact ACL format, permissions are specified by using 14
       unique letters to indicate permissions.

       Using the positional ACL format, permissions are specified as
       positional arguments similar to the ls -V format. The hyphen (-), which
       indicates that no permission is granted at that position, can be
       omitted and only the required letters have to be specified.

       The letters above are listed in the order they would be specified in
       positional notation.

       Permissions can be specified with these letters in the following way:

         rwx--D--------

       The hyphens can be removed to compact the string as follows:

         rwxD

       Several special permission sets or aliases are also supported. The
       following permission sets are used the same way that verbose
       permissions are specified.

       full_set      All permissions.

       modify_set    All permissions except write_acl and write_owner.

       read_set      read_data, read_acl, read_attributes, and read_xattr.

       write_set     write_data, append_data, write_attributes, and
                     write_xattr.

       The optional inheritance flags can be specified in the three formats.
       The first format uses words to indicate the various inheritance flags
       separated with a forward slash (/) character.

       file_inherit (f)    Inherit to all newly created files.

       dir_inherit (d)     Inherit to all newly created directories.

       inherit_only (i)    When placed on a directory, do not apply to the
                           directory, only to newly created files and
                           directories. This flag requires that file_inherit
                           or dir_inherit (or both) is also specified.

       no_propagate (n)    Indicates that ACL entries should be inherited to
                           objects in a directory, but inheritance should stop
                           after descending one level. This flag is dependent
                           upon file_inherit or dir_inherit (or both) also
                           being specified.

       The inheritance flags listed can also be specified in the compact
       format or as positional arguments similar to the ls -V format. A hyphen
       character indicates that the inheritance flag at that position is not
       specified in the positional ACL format.

       The inheritance flags can be specified with these letters in any of the
       following equivalent ways.

         file_inherit/dir_inherit/no_propagate

         fd-n--

         fdn

       With this inheritance model, an ACL entry can be specified such as:

         user:tom:read_data/write_data/read_attributes:file_inherit:allow
         user:fred:read_data:file_inherit/dir_inherit:deny
         user:bob:read_data:allow

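An added example (not from the man page or from chmod) that parses NFSv4 ACL entries in the verbose, compact and positional formats described above, renders them the way ls -V prints them, and applies the A[index]{+|=}, A[index]- and A-acl_specification operations from the ACL Operation section to an in-memory entry list. parse_ace, to_positional and apply_acl_operation are this example's own names; the positional letter order rwxpdDaARWcCos is read off the page's ls -V listings, and the two flag columns beyond the four flags the page defines are assumed to stay '-'.

```python
"""NFSv4 ACL entries in chmod(1)'s verbose, compact and positional formats.

Added example, not code from the man page or chmod. Positional order
rwxpdDaARWcCos and the four inheritance flags come from the page; the two
extra flag columns that ls -V prints are assumed to be always '-'.
"""
from collections import namedtuple

PERM_ORDER = "rwxpdDaARWcCos"
PERM_NAMES = {
    "read_data": "r", "list_directory": "r", "write_data": "w", "add_file": "w",
    "execute": "x", "append_data": "p", "add_subdirectory": "p", "delete": "d",
    "delete_child": "D", "read_attributes": "a", "write_attributes": "A",
    "read_xattr": "R", "write_xattr": "W", "read_acl": "c", "write_acl": "C",
    "write_owner": "o", "synchronize": "s",
}
ALIASES = {"full_set": set(PERM_ORDER), "modify_set": set(PERM_ORDER) - {"C", "o"},
           "read_set": set("rcaR"), "write_set": set("wpAW")}
FLAG_ORDER = "fdin"
FLAG_NAMES = {"file_inherit": "f", "dir_inherit": "d",
              "inherit_only": "i", "no_propagate": "n"}
SPECIAL_TAGS = ("owner@", "group@", "everyone@")
PRINCIPAL_TAGS = ("user", "group", "usersid", "groupsid", "sid")

Ace = namedtuple("Ace", "tag principal perms flags kind")  # principal None for @ tags


def _letters(token, order, names, aliases=()):
    """Decode a verbose (a/b/c), compact (abc) or positional (a-c) field into letters."""
    if "/" in token or token in names or token in aliases:
        out = set()
        for word in token.split("/"):
            if word in aliases:
                out |= aliases[word]
            elif word in names:
                out.add(names[word])
            else:
                raise ValueError(f"unknown name {word!r}")
        return out
    if "-" in token:   # positional: every letter must sit in its own column
        for i, ch in enumerate(token):
            if ch != "-" and (i >= len(order) or order[i] != ch):
                raise ValueError(f"{ch!r} is not valid at column {i} of {token!r}")
    elif not set(token) <= set(order):   # compact: hyphens dropped, any subset
        raise ValueError(f"unknown letters in {token!r}")
    return set(token) - {"-"}


def parse_ace(spec):
    """Parse one entry, e.g. user:tom:read_data/write_data:file_inherit:allow."""
    fields = spec.split(":")
    if fields[0] in SPECIAL_TAGS:
        principal, rest = None, fields[1:]
    elif fields[0] in PRINCIPAL_TAGS and len(fields) >= 4:
        principal, rest = fields[1], fields[2:]
    else:
        raise ValueError(f"bad ACE tag in {spec!r}")
    if len(rest) == 2:                      # inheritance flags are optional
        rest = [rest[0], "", rest[1]]
    if len(rest) != 3 or rest[2] not in ("allow", "deny"):
        raise ValueError(f"expected perms[:flags]:allow|deny in {spec!r}")
    perms = _letters(rest[0], PERM_ORDER, PERM_NAMES, ALIASES)
    flags = _letters(rest[1], FLAG_ORDER, FLAG_NAMES)
    if flags & {"i", "n"} and not flags & {"f", "d"}:
        raise ValueError("inherit_only/no_propagate need file_inherit or dir_inherit")
    return Ace(fields[0], principal, perms, flags, rest[2])


def to_positional(ace):
    """Render an Ace the way ls -V prints it."""
    perms = "".join(c if c in ace.perms else "-" for c in PERM_ORDER)
    flags = "".join(c if c in ace.flags else "-" for c in FLAG_ORDER) + "--"
    head = ace.tag if ace.principal is None else f"{ace.tag}:{ace.principal}"
    return f"{head}:{perms}:{flags}:{ace.kind}"


def apply_acl_operation(acl, operation):
    """Apply one acl_operation to a list of ACE strings; returns positional strings."""
    i = 1
    while i < len(operation) and operation[i].isdigit():
        i += 1
    if not operation.startswith("A") or i >= len(operation) or operation[i] not in "+-=":
        raise ValueError(f"bad acl_operation {operation!r}")
    index = int(operation[1:i]) if i > 1 else None
    op, spec = operation[i], operation[i + 1:]
    current = [to_positional(parse_ace(a)) for a in acl]
    new = [to_positional(parse_ace(a)) for a in spec.split(",")] if spec else []
    if op == "+":                           # prepend, or insert before `index`
        at = index or 0
        return current[:at] + new + current[at:]
    if op == "=":                           # replace whole ACL, or from `index` on
        if index is None:
            return new
        current[index:index + len(new)] = new
        return current
    if index is not None:                   # Aindex-: drop one entry
        return current[:index] + current[index + 1:]
    if not new:                             # bare A- rebuilds from the mode bits
        raise ValueError("A- needs the file's mode; not modelled here")
    return [a for a in current if a not in new]
```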
   Attribute Operation
       An attribute operation command line has the following format:

         chmod [options] attribute_specification_list file ...

       where attribute_specification_list is the character S followed by a
       comma-separated list of one or more attribute_specifications. Each
       attribute_specification is of the form:

         [operator]attribute_specifier

       An operator is one of the following:

       +    Each attribute specified by the associated attribute_specifier is
            adjusted to match the value specified by the attribute_specifier.

       -    Each attribute specified by the associated attribute_specifier is
            adjusted to match the inverse of the value specified by the
            attribute_specifier.

       =    Each attribute specified by the associated attribute_specifier is
            adjusted to match the value specified by the attribute_specifier.
            Any boolean read-write extended system attributes associated with
            the current file that are not specified by attribute_specifier are
            cleared.

       If an operator is not specified in an attribute_specification, chmod
       behaves as if + had been specified.

       An attribute_specifier takes one of the following forms:

       a

           Set all boolean read-write extended system attributes associated
           with the current file.

       c[compact_attribute_list]
       c'{'compact_attribute_list'}'

           Set each boolean read-write extended system attribute identified by
           compact_attribute_list.

       v[verbose_attribute_setting]
       v['{'verbose_attribute_setting_list'}']

           Set each boolean read-write extended system attribute identified by
           verbose_attribute_setting.

       A compact_attribute_list is a list of zero or more adjacent attribute
       abbreviation characters from the list of Attribute Names and
       Abbreviation Characters later in this section. An arbitrary number of
       hyphen (-) characters can be included in a compact_attribute_list.
       These are ignored.

       A verbose_attribute_setting is an attribute name from the list of
       Attribute Names and Abbreviation Characters later in this section,
       optionally, immediately preceded by no. If the attribute name is used
       without no, the attribute is set; otherwise the attribute is cleared.

       A verbose_attribute_setting_list is zero or more comma-separated
       verbose_attribute_settings.

       Multiple operations specified for a file are accumulated and are all
       set for a file operand as a single attribute setting operation. If an
       attribute is specified more than once in an
       attribute_specification_list, the last specified operation is applied.

       The following is a list of Attribute Names and Abbreviation Characters:

       Attribute Name    Abbreviation Character

       hidden            H

       system            S

       readonly          R

       archive           A

       nounlink          u

       immutable         i

       appendonly        a

       nodump            d

       av_quarantined    q

       av_modified       m
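The attribute_specification_list grammar above, resolved to the final value of each attribute, as an added example that is not taken from the man page or from chmod; apply_attribute_list and its helpers are this example's own names, and the name and abbreviation table is the one listed above.

```python
"""Resolve a chmod(1) attribute_specification_list (the S... operand).

Added example, not code from the man page or chmod. It reduces the list
to the final value of each boolean read-write system attribute using the
page's rules: a missing operator means +, '-' applies the inverse, '='
clears every attribute the specifier does not name, and when an attribute
appears more than once the last operation wins.
"""

# Attribute Names and Abbreviation Characters, from the page.
ATTRIBUTES = {
    "hidden": "H", "system": "S", "readonly": "R", "archive": "A",
    "nounlink": "u", "immutable": "i", "appendonly": "a", "nodump": "d",
    "av_quarantined": "q", "av_modified": "m",
}
BY_ABBREV = {abbrev: name for name, abbrev in ATTRIBUTES.items()}


def _split_specs(body):
    """Split on commas outside {...}; v{nounlink,nodump} contains commas itself."""
    specs, depth, current = [], 0, ""
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            specs.append(current)
            current = ""
        else:
            current += ch
    specs.append(current)
    return specs


def _specifier(spec):
    """Return {attribute: wanted value} for one a / c... / v... specifier."""
    if not spec:
        raise ValueError("empty attribute_specifier")
    kind, arg = spec[0], spec[1:]
    if arg.startswith("{") and arg.endswith("}"):
        arg = arg[1:-1]
    if kind == "a":
        return dict.fromkeys(ATTRIBUTES, True)
    if kind == "c":                     # hyphens in a compact list are ignored
        letters = arg.replace("-", "")
        if not set(letters) <= set(BY_ABBREV):
            raise ValueError(f"unknown abbreviation in {spec!r}")
        return {BY_ABBREV[ch]: True for ch in letters}
    if kind == "v":
        wanted = {}
        for word in filter(None, arg.split(",")):
            # Check the full name first: nounlink and nodump start with "no"
            # but are attribute names, not negations.
            if word in ATTRIBUTES:
                wanted[word] = True
            elif word.startswith("no") and word[2:] in ATTRIBUTES:
                wanted[word[2:]] = False
            else:
                raise ValueError(f"unknown attribute {word!r}")
        return wanted
    raise ValueError(f"attribute_specifier must start with a, c or v: {spec!r}")


def apply_attribute_list(current, spec_list):
    """Return the attribute values after applying spec_list to `current`.

    `current` maps attribute name to bool (missing names are treated as
    unset); spec_list is the operand, e.g. 'Sc{HR},-vnodump'.
    """
    if not spec_list.startswith("S"):
        raise ValueError("attribute_specification_list must start with S")
    result = dict(current)
    for spec in _split_specs(spec_list[1:]):
        op, body = "+", spec            # no operator behaves like +
        if spec[:1] in ("+", "-", "="):
            op, body = spec[0], spec[1:]
        wanted = _specifier(body)
        if op == "=":                   # '=' clears everything not named
            result.update(dict.fromkeys(ATTRIBUTES, False))
        for name, value in wanted.items():
            result[name] = value if op != "-" else not value
    return result
```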

OPTIONS

       The following options are supported:

       -f                    Force. chmod does not complain if it fails to
                             change the mode of a file.

       -R                    Recursively descend through directory arguments,
                             setting the mode for each file. When symbolic
                             links are encountered, the mode of the target
                             file is changed, but no recursion takes place.

       -@ named_attribute    Perform the attribute operation on the named
                             extended attribute file of each file operand
                             instead of the file operand itself. If multiple
                             -@ operations are supplied, the attribute
                             specification mode is applied to each of the
                             named attribute files.

                             A named attribute of * carries meaning to chmod,
                             and is considered to mean all extended attribute
                             files associated with a file operand. This does
                             not refer to the special files . and ...

                             A named attribute of .. carries special meaning
                             to chmod, and is considered to mean the file
                             operand itself. This allows chmod, in a single
                             call, to apply the attribute specification mode
                             to the specified named attribute file of the file
                             operand and the file operand itself.

OPERANDS

       The following operands are supported:

       absolute-mode
       symbolic-mode-list

           Represents the change to be made to the file mode bits of each file
           named by one of the file operands. See Absolute Mode and Symbolic
           Mode in the DESCRIPTION section of this manual page for more
           information.

       acl_operation

           Represents the modification to be performed on the file's ACL. See
           ACL Operation in the DESCRIPTION section for more information.

           acl_operation is one of the following:

             A[number]-
             A-acl_specification
             A[index]{+|=}acl_specification

       attribute_specification_list

           Represents the modification to be performed on the file's
           attributes. See Attribute Operation in the DESCRIPTION section of
           this manual page for more information.

       file

           A path name of a file whose file mode bits are to be modified.

USAGE

       See largefile(5) for the description of the behavior of chmod when
       encountering files greater than or equal to 2 Gbyte (2^31 bytes).

EXAMPLES

       Example 1 Denying execute Permission

       The following example denies execute permission to everyone:

         % chmod a-x file

       Example 2 Allowing read-only Permission

       The following example allows only read permission to everyone:

         % chmod 444 file

       Example 3 Making a File readable and writable

       The following example makes a file readable and writable by the group
       and others:

         % chmod go+rw file
         % chmod 066 file

       Example 4 Locking a File From Access

       The following example locks a file from access:

         $ chmod +l file

       Example 5 Granting read, write, execute, and set group-ID Permission on
       a File

       The following example grants everyone read, write, and execute
       permissions on the file, and turns on the set group-ID:

         $ chmod a=rwx,g+s file
         $ chmod 2777 file

       Example 6 Prepending a New ACL Entry on a ZFS File

       The following example prepends a new ACL entry on a ZFS file.

       First, display the current ACL:

         $ ls -v file.3
         -rw-r--r--   1 marks    staff          0 Oct  9 15:49 file.3
               0:owner@:execute:deny
               1:owner@:read_data/write_data/append_data/write_xattr/
                  write_attributes/write_acl/write_owner:allow
               2:group@:write_data/append_data/execute:deny
               3:group@:read_data:allow
               4:everyone@:write_data/append_data/write_xattr/execute/
                 write_attributes/write_acl/write_owner:deny
               5:everyone@:read_data/read_xattr/read_attributes/read_acl/
                  synchronize:allow

       Issue the following command:

         $ chmod A+user:lp:read_data:deny file.3

       Display the new ACL:

         $ ls -v file.3
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3
               0:user:lp:read_data:deny
               1:owner@:execute:deny
               2:owner@:read_data/write_data/append_data/write_xattr/
                   write_attributes/write_acl/write_owner:allow
               3:group@:write_data/append_data/execute:deny
               4:group@:read_data:allow
               5:everyone@:write_data/append_data/write_xattr/execute/
                   write_attributes/write_acl/write_owner:deny
               6:everyone@:read_data/read_xattr/read_attributes/read_acl/
                   synchronize:allow

       Example 7 Prepending a New POSIX-draft ACL Entry on a UFS File

       The following example prepends a new POSIX-draft ACL entry on a UFS
       file.

       First, display the current ACL:

         $ ls -v file.2
         -rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2
               0:user::rw-
               1:group::r--           #effective:r--
               2:mask:r--
               3:other:r--

       Issue the following command:

         $ chmod A+user:lp:-wx file.2

       Display the new ACL:

         $ ls -v file.2
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2
               0:user::rw-
               1:user:lp:-wx          #effective:---
               2:group::r--           #effective:r--
               3:mask:r--
               4:other:r--

       Example 8 Inserting an ACL Entry in a Specific Position on a ZFS file

       The following example inserts an ACL entry in a specific position on a
       ZFS file system. It also illustrates the compact ACL format.

       First, display the ACL to pick a location to insert a new ACE.

         % ls -V file.1
         -rw-r--r--+  1 root     root           0 Oct  6 12:16 file.1
              user:lp:rw------------:------:allow
               owner@:--x-----------:------:deny
               owner@:rw-p---A-W-Co-:------:allow
               group@:-wxp----------:------:deny
               group@:r-------------:------:allow
            everyone@:-wxp---A-W-Co-:------:deny
            everyone@:r-----a-R-c--s:------:allow

       Next, insert a new entry in position 3. This causes the entries
       currently in positions 3 through 6 to be pushed down.

       Issue the following command:

         $ chmod A3+user:marks:r:deny file.1

       Display the new ACL:

         $ ls -V file.1
         -rw-r--r--+  1 root     staff          0 Feb  3 14:13 file.1
              user:lp:rw------------:------:allow
               owner@:--x-----------:------:deny
               owner@:rw-p---A-W-Co-:------:allow
           user:marks:r-------------:------:deny
               group@:-wxp----------:------:deny
               group@:r-------------:------:allow
            everyone@:-wxp---A-W-Co-:------:deny
            everyone@:r-----a-R-c--s:------:allow

       Example 9 Inserting a POSIX-draft ACL in a Specific Position on a UFS
       File

       The file system reorders ACLs when they are stored in the file system.
       The following example illustrates this behavior.

         $ ls -v file.1
         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
               0:user::rw-
               1:user:lp:rw-          #effective:r--
               2:group::r--           #effective:r--
1032               3:mask:r--
1033               4:other:r--
1034
1035
1036
1037
1038       Now, insert an entry at index position 3.  The command works,  but  the
1039       file system reorders the ACL.
1040
1041
1042         $ chmod A3+user:marks:rw- file.1
1043         $ ls -v file.1
1044         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
1045               0:user::rw-
1046               1:user:lp:rw-           #effective:r--
1047               2:user:marks:rw-        #effective:r--
1048               3:group::r--            #effective:r--
1049               4:mask:r--
1050               5:other:r--
1051
1052
1053
1054
1055       Rather  than  inserting  the  ACL  entry in position 3 as requested, it
1056       actually ends up in position 2.
1057
1058
1059       Example 10 Removing an ACL Entry on a ZFS File
1060
1061
1062       The following example removes the lp entry from an ACL:
1063
1064
1065         $ ls -v file.3
1066         -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3
1067               0:user:lp:read_data:deny
1068               1:owner@:execute:deny
1069               2:owner@:read_data/write_data/append_data/write_xattr/
1070                  write_attributes/write_acl/write_owner:allow
1071               3:group@:write_data/append_data/execute:deny
1072               4:group@:read_data:allow
1073               5:everyone@:write_data/append_data/write_xattr/execute/
1074                  write_attributes/write_acl/write_owner:deny
1075               6:everyone@:read_data/read_xattr/read_attributes/read_acl/
1076                  synchronize:allow
1077
1078
1079
1080         $ chmod A-user:lp:read_data:deny file.3
1081         $ ls -v file.3
1082         -rw-r--r--   1 marks    staff          0 Oct  9 15:49 file.3
1083               0:owner@:execute:deny
1084               1:owner@:read_data/write_data/append_data/write_xattr/
1085                  write_attributes/write_acl/write_owner:allow
1086               2:group@:write_data/append_data/execute:deny
1087               3:group@:read_data:allow
1088               4:everyone@:write_data/append_data/write_xattr/execute/
1089                  write_attributes/write_acl/write_owner:deny
1090               5:everyone@:read_data/read_xattr/read_attributes/read_acl/
1091                  synchronize:allow
1092
1093
1094
1095       Example 11 Removing a POSIX-draft ACL on a UFS File
1096
1097
1098       The following example removes the lp entry from an ACL:
1099
1100
1101         $ ls -v file.2
1102         -rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2
1103               0:user::rw-
1104               1:user:lp:-wx           #effective:---
1105               2:group::r--            #effective:r--
1106               3:mask:r--
1107               4:other:r--
1108
1109
1110
1111         $ chmod A-user:lp:-wx file.2
1112         $ ls -v file.2
1113         -rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2
1114               0:user::rw-
1115               1:group::r--            #effective:r--
1116               2:mask:r--
1117               3:other:r--
1118
1119
1120
1121       Example 12 Removing a Specific ACL Entry by Index Number on a ZFS File
1122
1123
1124       Consider the following ACL:
1125
1126
1127         $ ls -v file
1128             0:group:staff:read_data/write_data/execute/read_acl:allow
1129             1:user:bin:read_data:deny
1130             2:user:bin:read_data:allow
1131             3:owner@:write_data/append_data:deny
1132             4:owner@:read_data/write_xattr/execute/write_attributes/write_acl
1133                 /write_owner:allow
1134             5:group@:write_data/append_data:deny
1135             6:group@:read_data/execute:allow
1136             7:everyone@:write_data/append_data/write_xattr/write_attributes
1137                 /write_acl/write_owner:deny
1138             8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
1139                 /synchronize:allow
1140
1141
1142
1143
1144       Remove the second user entry for bin.
1145
1146
1147         $ chmod A2- file
1148         $ ls -v file
1149             0:group:staff:read_data/write_data/execute/read_acl:allow
1150             1:user:bin:read_data:deny
1151             2:owner@:write_data/append_data:deny
1152             3:owner@:read_data/write_xattr/execute/write_attributes/write_acl
1153                /write_owner:allow
1154             4:group@:write_data/append_data:deny
1155             5:group@:read_data/execute:allow
1156             6:everyone@:write_data/append_data/write_xattr/write_attributes
1157                /write_acl/write_owner:deny
1158             7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
1159                /synchronize:allow
1160
1161
1162
1163       Example 13 Removing a Specific POSIX-draft ACL Entry on a UFS File
1164
1165
1166       The following example removes the lp entry by  index  number  from  the
1167       following ACL:
1168
1169
1170         $ ls -v file.1
1171         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
1172               0:user::rw-
1173               1:user:lp:rw-              #effective:r--
1174               2:group::r--               #effective:r--
1175               3:mask:r--
1176               4:other:r--
1177
1178         $ chmod A1- file.1
1179         $ ls -v file.1
1180         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
1181               0:user::rw-
1182               1:group::r--               #effective:r--
1183               2:mask:r--
1184               3:other:r--
1185
1186
1187
1188       Example 14 Removing All ACLs From a File
1189
1190
1191       The following command works with either NFSv4/ZFS or POSIX-draft ACLs.
1192
1193
1194
1195       Consider the following ACL:
1196
1197
1198         $ ls -v file.3
1199         -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3
1200               0:user:lp:read_data/write_data:allow
1201               1:user:marks:read_acl:allow
1202               2:owner@:execute:deny
1203               3:owner@:read_data/write_data/append_data/write_xattr/
1204                  write_attributes/write_acl/write_owner:allow
1205               4:group@:write_data/append_data/execute:deny
1206               5:group@:read_data:allow
1207               6:everyone@:write_data/append_data/write_xattr/execute/
1208                  write_attributes/write_acl/write_owner:deny
1209               7:everyone@:read_data/read_xattr/read_attributes/read_acl/
1210                  synchronize:allow
1211
1212
1213
1214
1215       The  existing  ACL  is  effectively removed and is replaced with an ACL
1216       that represents the permission bits of the file.
1217
1218
1219         $ chmod A- file.3
1220         $ ls -v file.3
1221         -rw-r--r--  1 marks    staff          0 Oct  9 15:49 file.3
1222              0:owner@:execute:deny
1223              1:owner@:read_data/write_data/append_data/write_xattr/
1224                 write_attributes/write_acl/write_owner:allow
1225              2:group@:write_data/append_data/execute:deny
1226              3:group@:read_data:allow
1227              4:everyone@:write_data/append_data/write_xattr/execute/
1228                 write_attributes/write_acl/write_owner:deny
1229              5:everyone@:read_data/read_xattr/read_attributes/read_acl/
1230                synchronize:allow
1231
1232
1233
1234       Example 15 Replacing an Entire ACL Entry on a ZFS File
1235
1236
1237       Use the following chmod syntax if you want to replace  an  ACL  in  its
1238       entirety:
1239
1240
1241         $ chmod A=owner@:read_data/write_data:allow,group@:read_data/\
1242                        write_data:allow,user:lp:read_data:allow file.4
1243         $ ls -v file.4
1244         -rw-rw----+  1 marks    staff          0 Oct  9 16:12 file.4
1245                0:owner@:read_data/write_data:allow
1246                1:group@:read_data/write_data:allow
1247                2:user:lp:read_data:allow
1248
1249
1250
1251       Example 16 Replacing an Entire POSIX-draft ACL on a UFS File
1252
1253
1254       This operation is a little more complicated.  The replacement ACL needs
1255       the necessary entries to represent the file owner,  file  group  owner,
1256       other, mask and any additional entries you wish to set.
1257
1258
1259         $ chmod A=user::rw-,group::rw-,other::---,mask:r--,\
1260                       user:lp:r-- file.3
1261         $ ls -v file.3
1262         -rw-r-----+  1 root     root           0 Oct  9 16:14 file.3
1263                 0:user::rw-
1264                 1:user:lp:r--        #effective:r--
1265                 2:group::rw-         #effective:r--
1266                 3:mask:r--
1267                 4:other:---
1268
1269
1270
1271       Example 17 Replacing a Specific Entry on a ZFS File
1272
1273
1274       Consider the following ACL.
1275
1276
1277         $ ls -v file.5
1278         -rw-r--r--+  1 marks    staff          0 Oct  9 16:18 file.5
1279              0:user:marks:read_data:allow
1280              1:owner@:execute:deny
1281              2:owner@:read_data/write_data/append_data/write_xattr/
1282                 write_attributes/write_acl/write_owner:allow
1283              3:group@:write_data/append_data/execute:deny
1284              4:group@:read_data:allow
1285              5:everyone@:write_data/append_data/write_xattr/execute/
1286                 write_attributes/write_acl/write_owner:deny
1287              6:everyone@:read_data/read_xattr/read_attributes/read_acl/
1288                 synchronize:allow
1289
1290
1291
1292
1293       Now, change the allow access to a deny for user marks:
1294
1295
1296         $ chmod A0=user:marks:read_data:deny file.5
1297         $ ls -v file.5
1298         -rw-r--r--+  1 marks   staff          0 Aug 23 09:11 file.5
1299         0:user:marks:read_data:deny
1300         1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
1301              /write_acl/write_owner:allow
1302         2:group@:write_data/append_data/execute:deny
1303         3:group@:read_data:allow
1304         4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
1305              /write_acl/write_owner:deny
1306         5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
1307              :allow
1308
1309
1310
1311       Example 18 Replacing a Specific POSIX-draft ACL on a UFS File
1312
1313
1314       Consider the following ACL.
1315
1316
1317         $ ls -v file.4
1318         -rw-r--r--+  1 marks    staff          0 Oct  9 16:21 file.4
1319                 0:user::rw-
1320                 1:user:lp:rwx         #effective:r--
1321                 2:group::r--          #effective:r--
1322                 3:mask:r--
1323                 4:other:r--
1324
1325
1326
1327
1328       Now, change the permission on lp from rwx to r--:
1329
1330
1331         $ chmod A1=user:lp:r-- file.4
1332
1333         $ ls -v file.4
1334         -rw-r--r--+  1 marks    staff          0 Oct  9 16:21 file.4
1335                 0:user::rw-
1336                 1:user:lp:r--         #effective:r--
1337                 2:group::r--          #effective:r--
1338                 3:mask:r--
1339                 4:other:r--
1340
1341
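Added here as an example (not code from the man page): a Python model of the acl_operation forms used in Examples 6-18 above, with a first-match access check (standard NFSv4 evaluation, assumed rather than stated on this page) that shows why the insert position in Example 8 matters. The ls -v listing it parses is constructed from Example 8's ACL written in verbose form, and user marks is assumed to be a member of the file's group.

```python
# Added example, not part of the chmod(1) man page: a model of the acl_operation
# forms in Examples 6-18 (A+, A<n>+, A-, A<n>-, A=, A<n>=) so an index edit can be
# checked before it touches a real file. access_check() applies the usual NFSv4
# first-match evaluation, assumed here rather than taken from the page.
import re
from collections import namedtuple

# Compact one-letter permissions (ls -V); only the letters shown on the page.
COMPACT = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data"}
# who: owner@/group@/everyone@/user:NAME/group:NAME; perms, flags: frozensets;
# kind: "allow" or "deny"
Ace = namedtuple("Ace", "who perms flags kind")

def parse_ace(text: str) -> Ace:
    """Parse one entry as chmod accepts it: who:perms[:inherit_flags]:allow|deny."""
    parts = text.split(":")
    if parts[0].endswith("@"):
        who, rest = parts[0], parts[1:]
    else:
        who, rest = f"{parts[0]}:{parts[1]}", parts[2:]
    if len(rest) not in (2, 3) or rest[-1] not in ("allow", "deny"):
        raise ValueError(f"malformed ACE: {text}")
    if rest[0] and all(c in COMPACT for c in rest[0]):      # compact, e.g. "rw"
        perms = frozenset(COMPACT[c] for c in rest[0])
    else:                                                  # verbose, a/b/c
        perms = frozenset(rest[0].split("/")) - {""}
    flags = frozenset(rest[1].split("/")) - {""} if len(rest) == 3 else frozenset()
    return Ace(who, perms, flags, rest[-1])

def parse_listing(listing: str) -> list:
    """Read the numbered 'N:who:perms:type' lines that ls -v prints."""
    return [parse_ace(line.strip().split(":", 1)[1])
            for line in listing.splitlines() if re.match(r"\s*\d+:", line)]

def apply_op(acl: list, op: str) -> list:
    """Apply one acl_operation to a copy of acl and return the result."""
    m = re.fullmatch(r"A(\d*)([+\-=])(.*)", op)
    if not m:
        raise ValueError(f"not an ACL operation: {op}")
    idx, verb, spec = m.groups()
    entries = [parse_ace(e) for e in spec.split(",")] if spec else []
    new = list(acl)
    if verb == "+":                 # A+ prepends, A<n>+ inserts at index n
        pos = int(idx) if idx else 0
        new[pos:pos] = entries
    elif verb == "-" and idx:       # A<n>- removes entry n
        del new[int(idx)]
    elif verb == "-":               # A-entry removes each listed entry (A- not modelled)
        for e in entries:
            new.remove(e)
    elif idx:                       # A<n>= replaces entry n
        new[int(idx):int(idx) + 1] = entries
    else:                           # A= replaces the whole ACL
        new = entries
    return new

def access_check(acl: list, whos: set, perm: str) -> bool:
    """First match wins: the earliest ACE naming a caller identity and perm decides."""
    for ace in acl:
        if ace.who in whos and perm in ace.perms:
            return ace.kind == "allow"
    return False

# Constructed ls -v listing: the file.1 ACL of Example 8, written in verbose form.
FILE1 = """\
  0:user:lp:read_data/write_data:allow
  1:owner@:execute:deny
  2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
  3:group@:write_data/append_data/execute:deny
  4:group@:read_data:allow
  5:everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
  6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""
MARKS = {"user:marks", "group@", "everyone@"}   # identities of marks, a group member

def example_8() -> tuple:
    """Example 8: the deny at index 3 blocks marks; at index 7 it is never reached."""
    acl = parse_listing(FILE1)
    at3 = apply_op(acl, "A3+user:marks:r:deny")
    at7 = apply_op(acl, "A7+user:marks:r:deny")
    return tuple(access_check(a, MARKS, "read_data") for a in (acl, at3, at7))
```

example_8() returns (True, False, True): before the insert marks can read via group@, the deny at index 3 takes effect, and the same deny placed after everyone@'s allow changes nothing.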
1342
1343       Example 19 Setting ACL Inheritance Flags on a ZFS File
1344
1345
1346       You  can  only set inheritance flags on ZFS files. When setting ACLs on
1347       directories,  several inheritance flags can be optionally set.
1348
1349
1350
1351       Suppose you have an ACL entry for user lp that you want to  be   inher‐
1352       ited  to newly created files in a directory.  First, you need to create
1353       an inheritable ACL entry on the directory:
1354
1355
1356         $ chmod A+user:lp:read_data:file_inherit:allow test.dir
1357         $ ls -dv test.dir
1358         drwxr-xr-x+  2 marks   staff          2 Aug 23 09:08 test.dir/
1359         0:user:lp:read_data:file_inherit:allow
1360         1:owner@::deny
1361         2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
1362              /append_data/write_xattr/execute/write_attributes/write_acl
1363              /write_owner:allow
1364         3:group@:add_file/write_data/add_subdirectory/append_data:deny
1365         4:group@:list_directory/read_data/execute:allow
1366         5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
1367              /write_attributes/write_acl/write_owner:deny
1368         6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
1369              /read_acl/synchronize:allow
1370
1371
1372
1373
1374       The lp entry is inherited to  newly  created  files  in  the  directory
1375       test.dir.
1376
1377
1378         $ touch test.dir/file.test
1379         $ ls -v test.dir/file.test
1380         -rw-r--r--+  1 marks    staff          0 Oct  9 16:29 test.dir/file.test
1381              0:user:lp::deny
1382              1:user:lp:read_data:allow
1383              2:owner@:execute:deny
1384              3:owner@:read_data/write_data/append_data/write_xattr/
1385                  write_attributes/write_acl/write_owner:allow
1386              4:group@:write_data/append_data/execute:deny
1387              5:group@:read_data:allow
1388              6:everyone@:write_data/append_data/write_xattr/execute/
1389                  write_attributes/write_acl/write_owner:deny
1390              7:everyone@:read_data/read_xattr/read_attributes/read_acl/
1391                  synchronize:allow
1392
1393
1394
1395
1396       The user lp entry is inherited to the newly created file. Multiple com‐
1397       binations of the inheritance flags can be specified.  For  example,  if
1398       you  wanted the lp entry to also be inherited to  directories, then the
1399       following command can be used:
1400
1401
1402         $ chmod A+user:lp:read_data:file_inherit/\
1403               dir_inherit:allow test.dir
1404
1405
1406
1407       Example 20 Replacing System Attributes of a ZFS File
1408
1409
1410       The following examples replace system attributes of a ZFS file:
1411
1412
1413         $ chmod S=v{archive,hidden,readonly,system,appendonly,\
1414              nonodump,immutable,noav_modified,noav_quarantined,\
1415              nounlink} file1
1416
1417
1418
1419
1420       or
1421
1422
1423         $ chmod S=c{AHRSaiu} file1
1424
1425
1426
1427
1428       or
1429
1430
1431         $ chmod S=c{AHRSa-i--u} file1
1432
1433
1434
1435
1436       or
1437
1438
1439         $ chmod S=cAHRSaiu file1
1440
1441
1442
1443
1444       or
1445
1446
1447         $ chmod -@ '..' S=cAHRSaiu file1
1448
1449
1450
1451
1452       Assuming appropriate privileges, this results in the  following  system
1453       attributes  of  file1  being  set:  archive,  hidden, readonly, system,
1454       appendonly, immutable, and nounlink. Assuming  appropriate  privileges,
1455       the  following system attributes of file1 are cleared: nodump, av_modi‐
1456       fied, and av_quarantined.
1457
1458
1459       Example 21 Clearing All System Attributes of a ZFS File
1460
1461
1462       The following examples clear all system attributes of a ZFS file:
1463
1464
1465         $ chmod S-a file1
1466
1467
1468
1469
1470       or
1471
1472
1473         $ chmod -@ '..' S-a file1
1474
1475
1476
1477
1478       Assuming  appropriate  privileges,  all   boolean   read-write   system
1479       attributes are cleared on file1.
1480
1481
1482       Example  22  Setting  a System Attribute of a Named Attribute File of a
1483       ZFS File
1484
1485
1486       The following example sets a system attribute of a named attribute file
1487       of a ZFS file, but not of the file itself:
1488
1489
1490         $ chmod -@ myattr S+vhidden file1
1491
1492
1493
1494
1495       This  results  in  the  hidden system attribute being set for the named
1496       attribute file myattr of file1, but not the file itself.
1497
1498
1499       Example 23 Setting a System Attribute of All Named Attribute Files of a
1500       ZFS File
1501
1502
1503       The  following  example  sets a system attribute of all named attribute
1504       files of a ZFS file, but not of the file itself:
1505
1506
1507         $ chmod -@ '*' S+a file1
1508
1509
1510
1511       Example 24 Setting a System Attribute of All Named Attribute Files of a
1512       ZFS File
1513
1514
1515       The  following  example  sets a system attribute of all named attribute
1516       files of a ZFS file, as well as of the file itself:
1517
1518
1519         $ chmod -@ '..' -@ '*' S+vhidden file1
1520
1521
1522
1523
1524       This results in the hidden system attribute being  set  for  all  named
1525       attribute files of file1, as well as the file itself.
1526
1527
1528       Example 25 Recursively Descending Through a Directory Hierarchy
1529
1530
1531       The  following example recursively descends through a directory hierar‐
1532       chy, and sets all system attributes of all named attribute  files,  the
1533       ZFS file operands, as well as of the directory itself:
1534
1535
1536         $ chmod -R -@ '..' -@ '*' S+a directory1
1537
1538
1539
1540
1541       This results in all boolean read-write system attributes being  set  for
1542       all named attribute files of all regular files and directories within the
1543       directory hierarchy of directory1, as well as of directory1 itself.
1544
1545
1546       Example  26  Setting  the  hidden and system System Attributes of a ZFS
1547       File
1548
1549
1550       The following examples set the hidden and system system attributes of a
1551       ZFS file:
1552
1553
1554         $ chmod S+cHS file1
1555
1556
1557
1558
1559       or
1560
1561
1562         $ chmod S+vhidden,+vsystem file1
1563
1564
1565
1566
1567       or
1568
1569
1570         $ chmod S+v{hidden,system} file1
1571
1572
1573
1574
1575       or
1576
1577
1578         $ chmod S+c{-HS--------} file1
1579
1580
1581
1582
1583       or
1584
1585
1586         $ chmod S-v{nohidden,nosystem} file1
1587
1588
1589
1590
1591       or
1592
1593
1594         $ chmod S-v{hidden,system},+v{hidden,system} file1
1595
1596
1597
1598       Example 27 Clearing All System Attributes of a ZFS File
1599
1600
1601       The following example clears all system attributes of a ZFS file:
1602
1603
1604         $ chmod S-a file1
1605
1606
1607
1608
1609       or
1610
1611
1612         $ chmod S=v{} file1
1613
1614
1615
1616
1617       In  the  following two examples, the last attribute operation specified
1618       takes precedence.
1619
1620
1621
1622       In this example, the replacement attribute name list  ({})  clears  all
1623       system attributes for file1:
1624
1625
1626         $ chmod S+cHS,=v{} file1
1627
1628
1629
1630
1631       In  this example, the clear attributes operation (-a) clears all system
1632       attributes of file1:
1633
1634
1635         $ chmod S+vhidden,+vsystem,-a file1
1636
1637
1638
1639       Example  28  Setting  the  Values  of  All  Boolean  read-write  System
1640       Attributes of a File
1641
1642
1643       The  following example sets the values of all boolean read-write system
1644       attributes of a file to the  same  as  the  boolean  read-write  system
1645       attributes of another file:
1646
1647
1648         $ chmod S=v`ls -/v file1|sed -n '2s/.*{/{/p'` file2
1649
1650
1651
1652
1653       Assuming  appropriate privileges and that file1 and file2 have the same
1654       supported system attributes, all system attributes of  file1  that  are
1655       set  are  also  set  on  file2. All system attributes of file1 that are
1656       cleared are also cleared on file2.
1657
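Added here as an example (not code from the man page): a Python model of the attribute_specification_list grammar from Examples 20-28 that predicts which attributes a chain of S operations leaves set, including the last-operation-wins rule of Example 27, without needing the privileges the real command requires. The letter-to-name mapping covers only the seven compact letters Example 20 pairs with names, and the starting states in predict() are constructed.

```python
# Added example, not part of the chmod(1) man page: a model of the
# attribute_specification_list forms in Examples 20-28 (+, -, =, a, v{...},
# c{...}), so the outcome of a chain of operations can be predicted before it is
# run with the privileges those attributes require. Only the compact letters the
# page pairs with names in Example 20 are mapped; the real alphabet is longer.
LETTER = {"A": "archive", "H": "hidden", "R": "readonly", "S": "system",
          "a": "appendonly", "i": "immutable", "u": "nounlink"}
# Boolean read-write attributes named on the page. In verbose form "no<name>"
# denotes the cleared state of <name>: nonodump clears nodump, nounlink sets nounlink.
NAMES = ["archive", "hidden", "readonly", "system", "appendonly", "nodump",
         "immutable", "av_modified", "av_quarantined", "nounlink"]

def split_ops(spec: str) -> list:
    """Split an S operand on the commas between operations, not those inside {...}."""
    ops, cur, depth = [], "", 0
    for ch in spec:
        if ch == "," and depth == 0:
            ops.append(cur)
            cur = ""
        else:
            depth += (ch == "{") - (ch == "}")
            cur += ch
    return ops + [cur]

def parse_values(body: str) -> list:
    """Turn the text after +, - or = into [(name, value), ...]."""
    if body == "a":                                   # a = every attribute
        return [(n, True) for n in NAMES]
    form, inner = body[:1], body[1:].strip("{}")
    if form == "v":
        vals = []
        for tok in (t for t in inner.split(",") if t):
            if tok in NAMES:
                vals.append((tok, True))
            elif tok.startswith("no") and tok[2:] in NAMES:
                vals.append((tok[2:], False))
            else:
                raise ValueError(f"unknown attribute: {tok}")
        return vals
    if form == "c":
        return [(LETTER[c], True) for c in inner if c != "-"]   # '-' pads a position
    raise ValueError(f"bad attribute form: {body!r}")

def apply_attrs(state: dict, spec: str) -> dict:
    """Apply the operations of 'S<spec>' left to right to a copy of state, so a
    later operation overrides an earlier one (Example 27)."""
    new = dict(state)
    for op in split_ops(spec):
        verb, body = op[:1], op[1:]
        if verb not in ("+", "-", "=") or not body:
            raise ValueError(f"bad attribute operation: {op!r}")
        if verb == "=":                        # replacement list starts from all clear
            new = dict.fromkeys(NAMES, False)
        for name, value in parse_values(body):
            new[name] = value if verb != "-" else not value   # -v{nohidden} sets hidden
    return new

def predict(spec: str, start=()) -> set:
    """Names left set after running chmod S<spec> on a file whose set attributes
    are those in start (constructed starting state, default: none set)."""
    state = {n: n in start for n in NAMES}
    return {n for n, v in apply_attrs(state, spec).items() if v}
```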
1658

ENVIRONMENT VARIABLES

1660       See environ(5) for descriptions of the following environment  variables
1661       that  affect  the  execution  of chmod: LANG, LC_ALL, LC_CTYPE, LC_MES‐
1662       SAGES, and NLSPATH.
1663

EXIT STATUS

1665       The following exit values are returned:
1666
1667       0     Successful completion.
1668
1669
1670       >0    An error occurred.
1671
1672

ATTRIBUTES

1674       See attributes(5) for descriptions of the following attributes:
1675
1676
1677
1678
1679       ┌─────────────────────────────┬─────────────────────────────┐
1680       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
1681       ├─────────────────────────────┼─────────────────────────────┤
1682       │Availability                 │SUNWcsu                      │
1683       ├─────────────────────────────┼─────────────────────────────┤
1684       │CSI                          │Enabled                      │
1685       ├─────────────────────────────┼─────────────────────────────┤
1686       │Interface Stability          │Committed                    │
1687       └─────────────────────────────┴─────────────────────────────┘
1688

SEE ALSO

1690       getfacl(1),  ls(1),   setfacl(1),   chmod(2),   fgetattr(3C),   acl(5),
1691       attributes(5), environ(5), fsattr(5), largefile(5), standards(5)
1692

NOTES

1694       Absolute  changes  do not work for the set-group-ID bit of a directory.
1695       You must use g+s or g-s.
1696
1697
1698       chmod permits you to produce useless modes so  long  as  they  are  not
1699       illegal  (for  instance, making a text file executable). chmod does not
1700       check the file type to see if mandatory locking is meaningful.
1701
1702
1703       If the filesystem is mounted with the nosuid option,  setuid  execution
1704       is not allowed.
1705
1706
1707       If  you  use chmod to change the file group owner permissions on a file
1708       with ACL entries, both the file group owner  permissions  and  the  ACL
1709       mask are changed to the new permissions. Be aware that the new ACL mask
1710       permissions can change the effective permissions for  additional  users
1711       and  groups  who  have  ACL  entries on the file. Use the getfacl(1) or
1712       ls(1) command to make sure the appropriate permissions are set  for  all
1713       ACL entries.
1714
1715
1716
1717SunOS 5.11                        11 Dec 2008                         chmod(1)