chmod(1)                         User Commands                         chmod(1)

NAME
chmod - change the permissions mode of a file

SYNOPSIS
chmod [-fR] absolute-mode file...

chmod [-fR] symbolic-mode-list file...

chmod [-fR] acl_operation file...

chmod [-fR] [-@ named_attribute]...attribute_specification_list file...

DESCRIPTION
The chmod utility changes or assigns the mode of a file.

chmod can also be used to modify Access Control Lists (ACLs) on files
and directories, and to modify boolean read-write system attributes on
regular files, directories, and opaque extended attribute files.

Absolute Mode
An absolute mode command line has the following format:

    chmod [options] absolute-mode file . . .

where absolute-mode is specified using octal numbers nnnn defined as
follows:

n       a number from 0 to 7. An absolute mode is constructed from the OR
        of any of the following modes:

        4000    Set user ID on execution.

        20#0    Set group ID on execution if # is 7, 5, 3, or 1.

                Enable mandatory locking if # is 6, 4, 2, or 0.

                For directories, files are created with BSD semantics
                for propagation of the group ID. With this option,
                files and subdirectories created in the directory
                inherit the group ID of the directory, rather than of
                the current process. For directories, the set-gid bit
                can only be set or cleared by using symbolic mode.

        1000    Turn on sticky bit. See chmod(2).

        0400    Allow read by owner.

        0200    Allow write by owner.

        0100    Allow execute (search in directory) by owner.

        0700    Allow read, write, and execute (search) by owner.

        0040    Allow read by group.

        0020    Allow write by group.

        0010    Allow execute (search in directory) by group.

        0070    Allow read, write, and execute (search) by group.

        0004    Allow read by others.

        0002    Allow write by others.

        0001    Allow execute (search in directory) by others.

        0007    Allow read, write, and execute (search) by others.

For directories, the setgid bit cannot be set (or cleared) in absolute
mode; it must be set (or cleared) in symbolic mode using g+s (or g-s).

Symbolic Mode
A symbolic mode command line has the following format:

    chmod [options] symbolic-mode-list file . . .

where symbolic-mode-list is a comma-separated list (with no intervening
white space) of symbolic mode expressions of the form:

    [who] operator [permissions]

Operations are performed in the order given. Multiple permissions letters
following a single operator cause the corresponding operations to be
performed simultaneously.

who         zero or more of the characters u, g, o, and a specifying
            whose permissions are to be changed or assigned:

            u    user's permissions

            g    group's permissions

            o    others' permissions

            a    all permissions (user, group, and other)

            If who is omitted, it defaults to a, but the setting of
            the file mode creation mask (see umask in sh(1) or csh(1)
            for more information) is taken into account. When who is
            omitted, chmod does not override the restrictions of your
            user mask.

operator    either +, -, or =, signifying how permissions are to be
            changed:

            +    Add permissions.

                 If permissions are omitted, nothing is added.

                 If who is omitted, add the file mode bits represented
                 by permissions, except for those with corresponding
                 bits in the file mode creation mask.

                 If who is present, add the file mode bits represented
                 by the permissions.

            -    Take away permissions.

                 If permissions are omitted, do nothing.

                 If who is omitted, clear the file mode bits
                 represented by permissions, except for those with
                 corresponding bits in the file mode creation mask.

                 If who is present, clear the file mode bits
                 represented by permissions.

            =    Assign permissions absolutely.

                 If who is omitted, clear all file mode bits; if who is
                 present, clear the file mode bits represented by who.

                 If permissions are omitted, do nothing else.

                 If who is omitted, add the file mode bits represented
                 by permissions, except for those with corresponding
                 bits in the file mode creation mask.

                 If who is present, add the file mode bits represented
                 by permissions.

            Unlike other symbolic operations, = has an absolute
            effect in that it resets all other bits represented by
            who. Omitting permissions is useful only with = to take
            away all permissions.

permission  any compatible combination of the following letters:

            l        mandatory locking

            r        read permission

            s        user or group set-ID

            t        sticky bit

            w        write permission

            x        execute permission

            X        execute permission if the file is a directory or
                     if there is execute permission for one of the
                     other user classes

            u,g,o    indicate that permission is to be taken from the
                     current user, group or other mode respectively.

            Permissions to a file can vary depending on your user
            identification number (UID) or group identification number
            (GID). Permissions are described in three sequences each
            having three characters:

                User    Group    Other
                rwx     rwx      rwx

            This example (user, group, and others all have permission
            to read, write, and execute a given file) demonstrates
            two categories for granting permissions: the access class
            and the permissions themselves.

            The letter s is only meaningful with u or g, and t only
            works with u.

            Mandatory file and record locking (l) refers to a file's
            ability to have its reading or writing permissions locked
            while a program is accessing that file.

            In a directory which has the set-group-ID bit set
            (reflected as either -----s--- or -----l--- in the output
            of 'ls -ld'), files and subdirectories are created with
            the group-ID of the parent directory, not that of the
            current process.

            It is not possible to permit group execution and enable a
            file to be locked on execution at the same time. In
            addition, it is not possible to turn on the set-group-ID bit
            and enable a file to be locked on execution at the same
            time. The following examples, therefore, are invalid and
            elicit error messages:

                chmod g+x,+l file
                chmod g+s,+l file

            Only the owner of a file or directory (or the super-user)
            can change that file's or directory's mode. Only the
            super-user can set the sticky bit on a non-directory
            file. If you are not super-user, chmod masks the sticky
            bit but does not return an error. In order to turn on a
            file's set-group-ID bit, your own group ID must correspond
            to the file's and group execution must be set.

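
The who-omitted rules above have a consequence that is easy to miss: with a umask of 022, chmod -w leaves the group and other write bits in place, while chmod a-w clears them. The following is an added example (not code from chmod or from this manual page) that evaluates a symbolic-mode-list by the rules in this section; apply_symbolic and perm_bits are hypothetical names, and the t and l letters are left out.

```python
import re

SHIFT = {"u": 6, "g": 3, "o": 0}            # position of each class's rwx triplet
SETID = {"u": 0o4000, "g": 0o2000, "o": 0}  # set-ID bit that belongs to each class
RWX = {"r": 4, "w": 2, "x": 1}
CLAUSE = re.compile(r"([ugoa]*)((?:[+=-][rwxXsugo]*)+)")
ACTION = re.compile(r"([+=-])([rwxXsugo]*)")


def perm_bits(perms, classes, mode, is_dir):
    """Translate permission letters into mode bits for the given classes."""
    bits = 0
    for cls in classes:
        for p in perms:
            if p in RWX:
                bits |= RWX[p] << SHIFT[cls]
            elif p == "X":
                # x only for directories or files that already have an x bit
                if is_dir or mode & 0o111:
                    bits |= 1 << SHIFT[cls]
            elif p == "s":
                bits |= SETID[cls]
            else:
                # u, g or o: copy that class's current rwx triplet
                bits |= ((mode >> SHIFT[p]) & 7) << SHIFT[cls]
    return bits


def apply_symbolic(mode, mode_list, umask=0o022, is_dir=False):
    """Return the mode that results from applying a symbolic-mode-list."""
    for clause in mode_list.split(","):
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported symbolic mode: {clause!r}")
        who, actions = m.groups()
        classes = "ugo" if who == "" or "a" in who else "".join(sorted(set(who)))
        # who omitted: bits set in the umask are never added or cleared
        allowed = (~umask & 0o7777) if who == "" else 0o7777
        for op, perms in ACTION.findall(actions):
            bits = perm_bits(perms, classes, mode, is_dir) & allowed
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:
                # '=' first clears everything represented by who
                if who == "":
                    cleared = 0o7777
                else:
                    cleared = sum((7 << SHIFT[c]) | SETID[c] for c in classes)
                mode = (mode & ~cleared) | bits
    return mode


if __name__ == "__main__":
    # Constructed inputs: a world-writable file and a umask of 022
    for spec in ("-w", "a-w", "go-w"):
        print(f"chmod {spec:5} 0666 -> {apply_symbolic(0o666, spec, umask=0o022):04o}")
```
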
ACL Operation
An ACL Operation command line has the following format:

    chmod [options] A[number]- file ...
    chmod [options] A-acl_specification file ...
    chmod [options] A[index]{+|=}acl_specification file ...

Where acl_specification is a comma-separated list (with no intervening
white space) of an ACL specification of the form:

A[index]+acl_specification    Prepends the access control entries (ACE)
                              specified in acl_specification to the
                              beginning of the file's ACL. Depending on
                              the file system, the ACL can be reordered
                              when applied to the file. If the optional
                              index number is specified, the new ACEs
                              are inserted before the specified number.

A-                            Removes all ACEs for the current ACL on
                              file and replaces the current ACL with a
                              new ACL that represents only the current
                              mode of the file.

Aindex-                       Removes the ACE specified by index number.

A-acl_specification           Removes the ACEs specified by
                              acl_specification, if they exist in the
                              current file's ACL.

A=acl_specification           Replaces a file's entire ACL with
                              acl_specification.

A[index]=acl_specification    Replaces ACEs starting at a specific
                              index number in the current ACL on the
                              file. If multiple ACEs are specified,
                              then each subsequent ACE in
                              acl_specification replaces the
                              corresponding ACE in the current ACL.

POSIX-draft ACL Specification (as supported by UFS)

POSIX-draft ACLs (as supported by UFS) are specified as colon (:)
separated fields of the following.

user::perms
    File owner permissions.

user:username:perms
    Permissions for a specific user.

group::perms
    File group owner permissions.

group:groupname:perms
    Permissions for a specific group.

other::perms
    Permissions for users other than the file owner or members of the
    file group owner.

mask:perms
    The ACL mask. The mask entry specifies the maximum permissions
    allowed for users (other than the owner) and for groups.

default:user::perms
    Default file owner permissions.

default:user:username:perms
    Default permissions for a specific user.

default:group::perms
    Default file group owner permissions.

default:group:groupname:perms
    Default permissions for a specific group.

default:other:perms
    Default permissions for users other than the file owner or members
    of the file group owner.

default:mask:perms
    Default ACL mask.

The above specification allows for ACLs to be specified such as:

    user:tom:rw-,mask:rwx,group:staff:r-x

NFSv4 ACL Specification (as supported by NFSv4 and ZFS)

NFSv4 ACLs provide richer ACL semantics. They provide both allow and
deny entries, finer grained permissions, and enhanced inheritance
control.

NFSv4 ACLs are specified as colon (:) separated fields of the following.

owner@:<perms>[:inheritance flags]:<allow|deny>
    Permissions for file owner.

group@:<perms>[:inheritance flags]:<allow|deny>
    Permissions for file group owner.

everyone@:<perms>[:inheritance flags]:<allow|deny>
    Permissions for everyone, including file owner and group owner.

user:<username>:<perms>[:inheritance flags]:<allow|deny>
    Permissions for a specific user.

usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
    Permissions for a specific user, but user is specified by SID.

group:<groupname>:<perms>[:inheritance flags]:<allow|deny>
    Permissions for a specific group.

groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
    Permissions for a specific group, but group is specified by SID.

sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
    Permissions for a specific SID, but it doesn't matter if it is a
    user or a group.

Permissions can be specified in three different chmod ACL formats:
verbose, compact, or positional. The verbose format uses words to
indicate the permissions, separated with a forward slash (/) character.
Compact format uses the permission letters and positional format uses
the permission letters or the hyphen (-) to identify no permissions.

The permissions for verbose mode and their abbreviated form in
parentheses for compact and positional mode are described as follows:

read_data (r)           Permission to read the data of a file.

list_directory (r)      Permission to list the contents of a directory.

write_data (w)          Permission to modify a file's data anywhere in
                        the file's offset range.

add_file (w)            Permission to add a new file to a directory.

append_data (p)         The ability to modify a file's data, but only
                        starting at EOF.

                        Currently, this permission is not supported.

add_subdirectory (p)    Permission to create a subdirectory to a
                        directory.

read_xattr (R)          Ability to read the extended attributes of a
                        file.

write_xattr (W)         Ability to create extended attributes or write
                        to the extended attribute directory.

execute (x)             Permission to execute a file.

read_attributes (a)     The ability to read basic attributes (non-ACLs)
                        of a file.

write_attributes (A)    Permission to change the times associated with
                        a file or directory to an arbitrary value.

delete (d)              Permission to delete a file.

delete_child (D)        Permission to delete a file within a directory.

read_acl (c)            Permission to read the ACL of a file.

write_acl (C)           Permission to write the ACL of a file.

write_owner (o)         Permission to change the owner of a file.

synchronize (s)         Permission to access file locally at server
                        with synchronize reads and writes.

                        Currently, this permission is not supported.

Using the compact ACL format, permissions are specified by using 14
unique letters to indicate permissions.

Using the positional ACL format, permissions are specified as
positional arguments similar to the ls -V format. The hyphen (-), which
indicates that no permission is granted at that position, can be
omitted and only the required letters have to be specified.

The letters above are listed in the order they would be specified in
positional notation.

Permissions can be specified with these letters in the following way:

    rwx--D--------

The hyphens can be removed to compact the string as follows:

    rwxD

Several special permission sets or aliases are also supported. The
following permission sets are used the same way that verbose permissions
are specified.

full_set      All permissions.

modify_set    All permissions except write_acl and write_owner.

read_set      read_data, read_acl, read_attributes, and read_xattr.

write_set     write_data, append_data, write_attributes, and
              write_xattr

The optional inheritance flags can be specified in the three formats.
The first format uses words to indicate the various inheritance flags
separated with a forward slash (/) character.

file_inherit (f)    Inherit to all newly created files.

dir_inherit (d)     Inherit to all newly created directories.

inherit_only (i)    When placed on a directory, do not apply to the
                    directory, only to newly created files and
                    directories. This flag requires that file_inherit
                    and/or dir_inherit is also specified.

no_propagate (n)    Indicates that ACL entries should be inherited to
                    objects in a directory, but inheritance should stop
                    after descending one level. This flag is dependent
                    upon file_inherit and/or dir_inherit also being
                    specified.

The inheritance flags listed can also be specified in the compact
format or as positional arguments similar to the ls -V format. A hyphen
character indicates that the inheritance flag at that position is not
specified in the positional ACL format.

The inheritance flags can be specified with these letters in any of the
following equivalent ways.

    file_inherit/dir_inherit/no_propagate

    fd-n--

    fdn

With this inheritance model, an ACL entry can be specified such as:

    user:tom:read_data/write_data/read_attributes:file_inherit:allow
    user:fred:read_data:file_inherit/dir_inherit:deny
    user:bob:read_data:allow

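
An added example, not part of this manual page or of chmod itself: a parser that accepts the verbose, compact and positional ACE forms described above, renders an entry in the ls -V positional layout, and lists non-owner allow entries that carry write_acl or write_owner. The function names are hypothetical, and the positional letter order is an assumption read off the ls -V listings in this page's examples.

```python
# Positional order of the 14 permission letters, read off the ls -V listings
# in this page's examples (for instance rw-p---A-W-Co-).
PERM_ORDER = "rwxpdDaARWcCos"
# Four flags are named on the page; its positional form (fd-n--) has six slots.
INHERIT_ORDER = "fdin"
INHERIT_SLOTS = 6

VERBOSE_PERMS = {
    "read_data": "r", "list_directory": "r",
    "write_data": "w", "add_file": "w",
    "execute": "x",
    "append_data": "p", "add_subdirectory": "p",
    "delete": "d", "delete_child": "D",
    "read_attributes": "a", "write_attributes": "A",
    "read_xattr": "R", "write_xattr": "W",
    "read_acl": "c", "write_acl": "C",
    "write_owner": "o", "synchronize": "s",
}
PERM_SETS = {
    "full_set": PERM_ORDER,
    "modify_set": "rwxpdDaARWcs",   # everything except write_acl, write_owner
    "read_set": "rcaR",
    "write_set": "wpAW",
}
VERBOSE_INHERIT = {"file_inherit": "f", "dir_inherit": "d",
                   "inherit_only": "i", "no_propagate": "n"}


def _letters(spec, names, sets, order):
    """Accept verbose (a/b/c), compact (rwxD) or positional (rwx--D---) text."""
    found = set()
    for word in spec.split("/"):
        if word in sets:
            found |= set(sets[word])
        elif word in names:
            found.add(names[word])
        else:
            for ch in word:
                if ch == "-":
                    continue
                if ch not in order:
                    raise ValueError(f"unknown letter or name: {word!r}")
                found.add(ch)
    return found


def parse_ace(text):
    """Split one NFSv4 ACE into who, permission letters, flags and type."""
    fields = text.split(":")
    if fields[0] in ("owner@", "group@", "everyone@"):
        who, rest = fields[0], fields[1:]
    elif fields[0] in ("user", "group", "usersid", "groupsid", "sid"):
        who, rest = ":".join(fields[:2]), fields[2:]
    else:
        raise ValueError(f"unknown ACE subject: {text!r}")
    if len(rest) == 2:
        perms, inherit, ace_type = rest[0], "", rest[1]
    elif len(rest) == 3:
        perms, inherit, ace_type = rest
    else:
        raise ValueError(f"wrong number of fields: {text!r}")
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"type must be allow or deny: {text!r}")
    return {
        "who": who,
        "perms": _letters(perms, VERBOSE_PERMS, PERM_SETS, PERM_ORDER),
        "inherit": _letters(inherit, VERBOSE_INHERIT, {}, INHERIT_ORDER),
        "type": ace_type,
    }


def to_positional(ace):
    """Render a parsed ACE in the positional layout that ls -V prints."""
    perms = "".join(c if c in ace["perms"] else "-" for c in PERM_ORDER)
    flags = "".join(c if c in ace["inherit"] else "-" for c in INHERIT_ORDER)
    return f'{ace["who"]}:{perms}:{flags.ljust(INHERIT_SLOTS, "-")}:{ace["type"]}'


def risky_grants(acl_specification):
    """List non-owner allow entries that grant write_acl (C) or write_owner (o)."""
    flagged = []
    for entry in acl_specification.split(","):
        ace = parse_ace(entry)
        if (ace["type"] == "allow" and ace["who"] != "owner@"
                and ace["perms"] & {"C", "o"}):
            flagged.append(ace["who"])
    return flagged
```

Reviewing an acl_specification with risky_grants before passing it to chmod A= shows which entries would let someone other than the owner rewrite the ACL or change ownership; full_set carries both permissions, modify_set carries neither.
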
Attribute Operation
An attribute operation command line has the following format:

    chmod [options] attribute_specification_list file ...

where attribute_specification_list is the character S followed by a
comma-separated list of one or more attribute_specifications. Each
attribute_specification is of the form:

    [operator]attribute_specifier

An operator is one of the following:

+    Each attribute specified by the associated attribute_specifier is
     adjusted to match the value specified by the attribute_specifier.

-    Each attribute specified by the associated attribute_specifier is
     adjusted to match the inverse of the value specified by the
     attribute_specifier.

=    Each attribute specified by the associated attribute_specifier is
     adjusted to match the value specified by the attribute_specifier.
     Any boolean read-write extended system attributes associated with
     the current file that are not specified by attribute_specifier are
     cleared.

If an operator is not specified in an attribute_specification, chmod
behaves as if + had been specified.

An attribute_specifier takes one of the following forms:

a
    Set all boolean read-write extended system attributes associated
    with the current file.

c[compact_attribute_list]
c'{'compact_attribute_list'}'
    Set each boolean read-write extended system attribute identified by
    compact_attribute_list.

v[verbose_attribute_setting]
v['{'verbose_attribute_setting_list'}']
    Set each boolean read-write extended system attribute identified by
    verbose_attribute_setting.

A compact_attribute_list is a list of zero or more adjacent attribute
abbreviation characters from the list of Attribute Names and
Abbreviation Characters later in this section. An arbitrary number of
hyphen (-) characters can be included in a compact_attribute_list. These
are ignored.

A verbose_attribute_setting is an attribute name from the list of
Attribute Names and Abbreviation Characters later in this section,
optionally, immediately preceded by no. If the attribute name is used
without no, the attribute is set; otherwise the attribute is cleared.

A verbose_attribute_setting_list is zero or more comma-separated
verbose_attribute_settings.

Multiple operations specified for a file are accumulated and are all
set for a file operand as a single attribute setting operation. If an
attribute is specified more than once in an
attribute_specification_list, the last specified operation is applied.

The following is a list of Attribute Names and Abbreviation Characters:

    Attribute Name    Abbreviation Character
    hidden            H
    system            S
    readonly          R
    archive           A
    nounlink          u
    immutable         i
    appendonly        a
    nodump            d
    av_quarantined    q
    av_modified       m

OPTIONS
The following options are supported:

-f                    Force. chmod does not complain if it fails to
                      change the mode of a file.

-R                    Recursively descend through directory arguments,
                      setting the mode for each file. When symbolic
                      links are encountered, the mode of the target
                      file is changed, but no recursion takes place.

-@ named_attribute    Perform the attribute operation on the named
                      extended attribute file of each file operand
                      instead of the file operand itself. If multiple
                      -@ operations are supplied, the attribute
                      specification mode is applied to each of the
                      named attribute files.

                      A named attribute of * carries meaning to chmod,
                      and is considered to mean all extended attribute
                      files associated with a file operand. This does
                      not refer to the special files . and ...

                      A named attribute of .. carries special meaning
                      to chmod, and is considered to mean the file
                      operand itself. This allows chmod, in a single
                      call, to apply the attribute specification mode
                      to the specified named attribute file of the file
                      operand and the file operand itself.

OPERANDS
The following operands are supported:

absolute-mode
symbolic-mode-list
    Represents the change to be made to the file mode bits of each file
    named by one of the file operands. See Absolute Mode and Symbolic
    Mode in the DESCRIPTION section of this manual page for more
    information.

acl_operation
    Represents the modification to be performed on the file's ACL. See
    ACL Operation in the DESCRIPTION section for more information.

    acl_operation is one of the following:

        A[number] -
        A-acl_specification
        A[index]{+|=}acl_specification

attribute_specification_list
    Represents the modification to be performed on the file's
    attributes. See Attribute Operation in the DESCRIPTION section of
    this manual page for more information.

file
    A path name of a file whose file mode bits are to be modified.

USAGE
See largefile(5) for the description of the behavior of chmod when
encountering files greater than or equal to 2 Gbyte (2^31 bytes).

EXAMPLES
Example 1 Denying execute Permission

The following example denies execute permission to everyone:

    % chmod a-x file

Example 2 Allowing read-only Permission

The following example allows only read permission to everyone:

    % chmod 444 file

Example 3 Making a File readable and writable

The following example makes a file readable and writable by the group
and others:

    % chmod go+rw file
    % chmod 066 file

Example 4 Locking a File From Access

The following example locks a file from access:

    $ chmod +l file

Example 5 Granting read, write, execute, and set group-ID Permission on
a File

The following example grants everyone read, write, and execute
permissions on the file, and turns on the set group-ID:

    $ chmod a=rwx,g+s file
    $ chmod 2777 file

Example 6 Prepending a New ACL Entry on a ZFS File

The following example prepends a new ACL entry on a ZFS file.

First, display the current ACL:

    $ ls -v file.3
    -rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
         0:owner@:execute:deny
         1:owner@:read_data/write_data/append_data/write_xattr/
             write_attributes/write_acl/write_owner:allow
         2:group@:write_data/append_data/execute:deny
         3:group@:read_data:allow
         4:everyone@:write_data/append_data/write_xattr/execute/
             write_attributes/write_acl/write_owner:deny
         5:everyone@:read_data/read_xattr/read_attributes/read_acl/
             synchronize:allow

Issue the following command:

    $ chmod A+user:lp:read_data:deny file.3

Display the new ACL:

    $ ls -v file.3
    -rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
         0:user:lp:read_data:deny
         1:owner@:execute:deny
         2:owner@:read_data/write_data/append_data/write_xattr/
             write_attributes/write_acl/write_owner:allow
         3:group@:write_data/append_data/execute:deny
         4:group@:read_data:allow
         5:everyone@:write_data/append_data/write_xattr/execute/
             write_attributes/write_acl/write_owner:deny
         6:everyone@:read_data/read_xattr/read_attributes/read_acl/
             synchronize:allow

Example 7 Prepending a New POSIX-draft ACL Entry on a UFS File

The following example prepends a new POSIX-draft ACL entry on a UFS
file.

First, display the current ACL:

    $ ls -v file.2
    -rw-r--r-- 1 marks staff 0 Oct 9 15:52 file.2
         0:user::rw-
         1:group::r-- #effective:r--
         2:mask:r--
         3:other:r--

Issue the following command:

    $ chmod A+user:lp:-wx file.2

Display the new ACL:

    $ ls -v file.2
    -rw-r--r--+ 1 marks staff 0 Oct 9 15:52 file.2
         0:user::rw-
         1:user:lp:-wx #effective:---
         2:group::r-- #effective:r--
         3:mask:r--
         4:other:r--

Example 8 Inserting an ACL Entry in a Specific Position on a ZFS file

The following example inserts an ACL entry in a specific position on a
ZFS file system. It also illustrates the compact ACL format.

First, display the ACL to pick a location to insert a new ACE.

    % ls -V file.1
    -rw-r--r--+ 1 root root 0 Oct 6 12:16 file.1
         user:lp:rw------------:------:allow
         owner@:--x-----------:------:deny
         owner@:rw-p---A-W-Co-:------:allow
         group@:-wxp----------:------:deny
         group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow

Next, insert a new entry in location 3. This causes the entries
that are currently in position 3 - 6 to be pushed down.

Issue the following command:

    $ chmod A3+user:marks:r:deny file.1

Display the new ACL:

    $ ls -V file.1
    -rw-r--r--+ 1 root staff 0 Feb 3 14:13 file.1
         user:lp:rw------------:------:allow
         owner@:--x-----------:------:deny
         owner@:rw-p---A-W-Co-:------:allow
         user:marks:r-------------:------:deny
         group@:-wxp----------:------:deny
         group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow

Example 9 Inserting a POSIX-draft ACL in a Specific Position on a UFS
File

The file system reorders ACLs when they are stored in the file system.
The following example illustrates this behavior.

    $ ls -v file.1
    -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
         0:user::rw-
         1:user:lp:rw- #effective:r--
         2:group::r-- #effective:r--
         3:mask:r--
         4:other:r--

Now, insert an entry at index position 3. The command works, but the
file system reorders the ACL.

    $ chmod A3+user:marks:rw- file.1
    $ ls -v file.1
    -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
         0:user::rw-
         1:user:lp:rw- #effective:r--
         2:user:marks:rw- #effective:r--
         3:group::r-- #effective:r--
         4:mask:r--
         5:other:r--

Rather than inserting the ACL entry in position 3 as requested, it
actually ends up in position 2.

Example 10 Removing an ACL Entry on a ZFS File

The following example removes the lp entry from an ACL:

    $ ls -v file.3
    -rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
         0:user:lp:read_data:deny
         1:owner@:execute:deny
         2:owner@:read_data/write_data/append_data/write_xattr/
             write_attributes/write_acl/write_owner:allow
         3:group@:write_data/append_data/execute:deny
         4:group@:read_data:allow
         5:everyone@:write_data/append_data/write_xattr/execute/
             write_attributes/write_acl/write_owner:deny
         6:everyone@:read_data/read_xattr/read_attributes/read_acl/
             synchronize:allow

    $ chmod A-user:lp:read_data:deny file.3
    $ ls -v file.3
    -rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
         0:owner@:execute:deny
         1:owner@:read_data/write_data/append_data/write_xattr/
             write_attributes/write_acl/write_owner:allow
         2:group@:write_data/append_data/execute:deny
         3:group@:read_data:allow
         4:everyone@:write_data/append_data/write_xattr/execute/
             write_attributes/write_acl/write_owner:deny
         5:everyone@:read_data/read_xattr/read_attributes/read_acl/
             synchronize:allow

Example 11 Removing a POSIX-draft ACL on a UFS File

The following example removes the lp entry from an ACL:

    $ ls -v file.2
    -rw-r--r--+ 1 marks staff 0 Oct 9 15:52 file.2
         0:user::rw-
         1:user:lp:-wx #effective:---
         2:group::r-- #effective:r--
         3:mask:r--
         4:other:r--

    $ chmod A-user:lp:-wx file.2
    $ ls -v file.2
    -rw-r--r-- 1 marks staff 0 Oct 9 15:52 file.2
         0:user::rw-
         1:group::r-- #effective:r--
         2:mask:r--
         3:other:r--

Example 12 Removing a Specific ACL Entry by Index Number on a ZFS File

Consider the following ACL:

    $ ls -v file
         0:group:staff:read_data/write_data/execute/read_acl:allow
         1:user:bin:read_data:deny
         2:user:bin:read_data:allow
         3:owner@:write_data/append_data:deny
         4:owner@:read_data/write_xattr/execute/write_attributes/write_acl
             /write_owner:allow
         5:group@:write_data/append_data:deny
         6:group@:read_data/execute:allow
         7:everyone@:write_data/append_data/write_xattr/write_attributes
             /write_acl/write_owner:deny
         8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
             /synchronize:allow

Remove the second user entry for bin.

    $ chmod A2- file
    $ ls -v file
         0:group:staff:read_data/write_data/execute/read_acl:allow
         1:user:bin:read_data:deny
         2:owner@:write_data/append_data:deny
         3:owner@:read_data/write_xattr/execute/write_attributes/write_acl
             /write_owner:allow
         4:group@:write_data/append_data:deny
         5:group@:read_data/execute:allow
         6:everyone@:write_data/append_data/write_xattr/write_attributes
             /write_acl/write_owner:deny
         7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
             /synchronize:allow

Example 13 Removing a Specific POSIX-draft ACL Entry on a UFS File

The following example removes the lp entry by index number from the
following ACL:

    $ ls -v file.1
    -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
         0:user::rw-
         1:user:lp:rw- #effective:r--
         2:group::r-- #effective:r--
         3:mask:r--
         4:other:r--

    $ chmod A1- file.1
    $ ls -v
    -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
         0:user::rw-
         1:group::r-- #effective:r--
         2:mask:r--
         3:other:r--

1188 Example 14 Removing All ACLs From a File
1189
1190
1191 The following command works with either NFSv4/ZFS or POSIX-draft ACLs.
1192
1193
1194
1195 Consider the following ACL:
1196
1197
1198 $ ls -v file.3
1199 -rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
1200 0:user:lp:read_data/write_data:allow
1201 1:user:marks:read_acl:allow
1202 2:owner@:execute:deny
1203 3:owner@:read_data/write_data/append_data/write_xattr/
1204 write_attributes/write_acl/write_owner:allow
1205 4:group@:write_data/append_data/execute:deny
1206 5:group@:read_data:allow
1207 6:everyone@:write_data/append_data/write_xattr/execute/
1208 write_attributes/write_acl/write_owner:deny
1209 7:everyone@:read_data/read_xattr/read_attributes/read_acl/
1210 synchronize:allow
1211
1212
1213
1214
1215 The existing ACL is effectively removed and is replaced with an ACL
1216 that represents the permission bits of the file.
1217
1218
1219 $ chmod A- file.3
1220 $ ls -v file.3
1221 -rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
1222 0:owner@:execute:deny
1223 1:owner@:read_data/write_data/append_data/write_xattr/
1224 write_attributes/write_acl/write_owner:allow
1225 2:group@:write_data/append_data/execute:deny
1226 3:group@:read_data:allow
1227 4:everyone@:write_data/append_data/write_xattr/execute/
1228 write_attributes/write_acl/write_owner:deny
1229 5:everyone@:read_data/read_xattr/read_attributes/read_acl/
1230 synchronize:allow

Example 15 Replacing an Entire ACL Entry on a ZFS File

Use the following chmod syntax if you want to replace an ACL in its
entirety:

    $ chmod A=owner@:read_data/write_data:allow,group@:read_data/write_data:allow,user:lp:read_data:allow file.4
    $ ls -v file.4
    -rw-rw----+ 1 marks staff 0 Oct 9 16:12 file.4
         0:owner@:read_data/write_data:allow
         1:group@:read_data/write_data:allow
         2:user:lp:read_data:allow

Example 16 Replacing an Entire POSIX-draft ACL on a UFS File

This operation is a little more complicated. The replacement ACL needs
the necessary entries to represent the file owner, file group owner,
other, mask and any additional entries you wish to set.

    $ chmod A=user::rw-,group::rw-,other::---,mask:r--,user:lp:r-- file.3
    $ ls -v file.3
    -rw-r-----+ 1 root root 0 Oct 9 16:14 file.3
         0:user::rw-
         1:user:lp:r-- #effective:r--
         2:group::rw- #effective:r--
         3:mask:r--
         4:other:---

Example 17 Replacing a Specific Entry on a ZFS File

Consider the following ACL.

    $ ls -v file.5
    -rw-r--r--+ 1 marks staff 0 Oct 9 16:18 file.5
         0:user:marks:read_data:allow
         1:owner@:execute:deny
         2:owner@:read_data/write_data/append_data/write_xattr/
             write_attributes/write_acl/write_owner:allow
         3:group@:write_data/append_data/execute:deny
         4:group@:read_data:allow
         5:everyone@:write_data/append_data/write_xattr/execute/
             write_attributes/write_acl/write_owner:deny
         6:everyone@:read_data/read_xattr/read_attributes/read_acl/
             synchronize:allow

Now, change the allow access to a deny for user marks:

    $ chmod A0=user:marks:read_data:deny file.5
    $ ls -v file.5
    -rw-r--r--+ 1 marks staff 0 Aug 23 09:11 file.5
         0:user:marks:read_data:deny
         1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
             /write_acl/write_owner:allow
         2:group@:write_data/append_data/execute:deny
         3:group@:read_data:allow
         4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
             /write_acl/write_owner:deny
         5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
             :allow
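
NFSv4/ZFS ACL entries are evaluated in index order, and the first entry that matches the requester and names the requested permission decides it, which is why the position of the deny written in Example 17 matters. The following is an added example, not part of the man page: a simplified POSIX sh model over a constructed copy of the file.5 listing. The function names are hypothetical, one permission is checked per call, and group:NAME entries, inheritance flags and privilege overrides are not modelled.

```shell
# Constructed sample: the ACL of file.5 after "chmod A0=user:marks:read_data:deny"
# (Example 17), one entry per line with the ls -v indexes and line wraps removed.
ACL_FILE5='user:marks:read_data:deny
owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
group@:write_data/append_data/execute:deny
group@:read_data:allow
everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow'

# who_matches WHO USER OWNER IN_GROUP -> status 0 when the entry applies to USER
who_matches() {
    case "$1" in
        everyone@) return 0 ;;
        owner@)    [ "$2" = "$3" ] ;;
        group@)    [ "$4" = yes ] ;;
        user:*)    [ "${1#user:}" = "$2" ] ;;
        *)         return 1 ;;      # group:NAME entries are not modelled here
    esac
}

# acl_first_match ACL USER OWNER IN_GROUP PERMISSION
# Prints the type (allow|deny) of the first applicable entry naming PERMISSION.
acl_first_match() {
    printf '%s\n' "$1" | while IFS= read -r _e; do
        _type=${_e##*:}; _rest=${_e%:*}          # type, then "who:perms"
        _perms=${_rest##*:}; _who=${_rest%:*}
        who_matches "$_who" "$2" "$3" "$4" || continue
        case "/$_perms/" in
            *"/$5/"*) printf '%s\n' "$_type"; break ;;   # first match decides
        esac
    done
}

# acl_decide ACL USER OWNER IN_GROUP PERMISSION -> prints "allow" or "deny"
acl_decide() {
    _v=$(acl_first_match "$@")
    printf '%s\n' "${_v:-deny}"      # no entry names the permission: not granted
}

echo "marks read_data:  $(acl_decide "$ACL_FILE5" marks marks yes read_data)"
echo "marks write_data: $(acl_decide "$ACL_FILE5" marks marks yes write_data)"
echo "lp read_data:     $(acl_decide "$ACL_FILE5" lp marks no read_data)"
```

In this model the file owner marks loses read_data to the entry at index 0 while lp still reads through everyone@, so the index chosen for a deny entry should be reviewed as carefully as its contents.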

Example 18 Replacing a Specific POSIX-draft ACL on a UFS File

Consider the following ACL.

    $ ls -v file.4
    -rw-r--r--+ 1 marks staff 0 Oct 9 16:21 file.4
         0:user::rw-
         1:user:lp:rwx #effective:r--
         2:group::r-- #effective:r--
         3:mask:r--
         4:other:r--

Now, change the permission on lp from rwx to r--:

    $ chmod A1=user:lp:r-- file.4

    $ ls -v file.4
    -rw-r--r--+ 1 marks staff 0 Oct 9 16:21 file.4
         0:user::rw-
         1:user:lp:r-- #effective:r--
         2:group::r-- #effective:r--
         3:mask:r--
         4:other:r--

Example 19 Setting ACL Inheritance Flags on a ZFS File

You can only set inheritance flags on ZFS files. When setting ACLs on
directories, several inheritance flags can be optionally set.

Suppose you have an ACL entry for user lp that you want to be inherited
to newly created files in a directory. First, you need to create
an inheritable ACL entry on the directory:

    $ chmod A+user:lp:read_data:file_inherit:allow test.dir
    $ ls -dv test.dir
    drwxr-xr-x+ 2 marks staff 2 Aug 23 09:08 test.dir/
         0:user:lp:read_data:file_inherit:allow
         1:owner@::deny
         2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
             /append_data/write_xattr/execute/write_attributes/write_acl
             /write_owner:allow
         3:group@:add_file/write_data/add_subdirectory/append_data:deny
         4:group@:list_directory/read_data/execute:allow
         5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
             /write_attributes/write_acl/write_owner:deny
         6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
             /read_acl/synchronize:allow

The lp entry is inherited to newly created files in the directory
test.dir.

    $ touch test.dir/file.test
    $ ls -v test.dir/file.test
    -rw-r--r--+ 1 marks staff 0 Oct 9 16:29 test.dir/file.test
         0:user:lp::deny
         1:user:lp:read_data:allow
         2:owner@:execute:deny
         3:owner@:read_data/write_data/append_data/write_xattr/
             write_attributes/write_acl/write_owner:allow
         4:group@:write_data/append_data/execute:deny
         5:group@:read_data:allow
         6:everyone@:write_data/append_data/write_xattr/execute/
             write_attributes/write_acl/write_owner:deny
         7:everyone@:read_data/read_xattr/read_attributes/read_acl/
             synchronize:allow

The user lp entry is inherited to the newly created file. Multiple
combinations of the inheritance flags can be specified. For example, if
you wanted the lp entry to also be inherited to directories, then the
following command can be used:

    $ chmod A+user:lp:read_data:file_inherit/dir_inherit:allow test.dir

Example 20 Replacing System Attributes of a ZFS File

The following examples replace system attributes of a ZFS file:

    $ chmod S=v{archive,hidden,readonly,system,appendonly,nonodump,immutable,noav_modified,noav_quarantined,nounlink} file1

or

    $ chmod S=c{AHRSaiu} file1

or

    $ chmod S=c{AHRSa-i--u} file1

or

    $ chmod S=cAHRSaiu file1

or

    $ chmod -@ '..' S=cAHRSaiu file1

Assuming appropriate privileges, this results in the following system
attributes of file1 being set: archive, hidden, readonly, system,
appendonly, immutable, and nounlink. Assuming appropriate privileges,
the following system attributes of file1 are cleared: nodump,
av_modified, and av_quarantined.

Example 21 Clearing All System Attributes of a ZFS File

The following examples clear all system attributes of a ZFS file:

    $ chmod S-a file1

or

    $ chmod -@ '..' S-a file1

Assuming appropriate privileges, all boolean read-write system
attributes are cleared on file1.

Example 22 Setting a System Attribute of a Named Attribute File of a
ZFS File

The following example sets a system attribute of a named attribute file
of a ZFS file, but not of the file itself:

    $ chmod -@ myattr S+vhidden file1

This results in the hidden system attribute being set for the named
attribute file myattr of file1, but not the file itself.

Example 23 Setting a System Attribute of All Named Attribute Files of a
ZFS File

The following example sets a system attribute of all named attribute
files of a ZFS file, but not of the file itself:

    $ chmod -@ '*' S+a file1

Example 24 Setting a System Attribute of All Named Attribute Files of a
ZFS File

The following example sets a system attribute of all named attribute
files of a ZFS file, as well as of the file itself:

    $ chmod -@ '..' -@ '*' S+vhidden file1

This results in the hidden system attribute being set for all named
attribute files of file1, as well as the file itself.

Example 25 Recursively Descending Through a Directory Hierarchy

The following example recursively descends through a directory
hierarchy, and sets all system attributes of all named attribute files, the
ZFS file operands, as well as of the directory itself:

    $ chmod -R -@ '..' -@ '*' S+a directory1

This results in all system attributes being set for all named
attribute files of all regular files and directories within the
directory hierarchy of directory1, as well as of directory1 itself.

Example 26 Setting the hidden and system System Attributes of a ZFS
File

The following examples set the hidden and system system attributes of a
ZFS file:

    $ chmod S+cHS file1

or

    $ chmod S+vhidden,+vsystem file1

or

    $ chmod S+v{hidden,system} file1

or

    $ chmod S+c{-HS--------} file1

or

    $ chmod S-v{nohidden,nosystem} file1

or

    $ chmod S-v{hidden,system},+v{hidden,system} file1

Example 27 Clearing All System Attributes of a ZFS File

The following example clears all system attributes of a ZFS file:

    $ chmod S-a file1

or

    $ chmod S=v{} file1

In the following two examples, the last attribute operation specified
takes precedence.

In this example, the replacement attribute name list ({}) clears all
system attributes for file1:

    $ chmod S+cHS,=v{} file1

In this example, the clear attributes operation (-a) clears all system
attributes of file1:

    $ chmod S+vhidden,+vsystem,-a file1

Example 28 Setting the Values of All Boolean read-write System
Attributes of a File

The following example sets the values of all boolean read-write system
attributes of a file to the same as the boolean read-write system
attributes of another file:

    $ chmod S=v`ls -/v file1|sed -n '2s/.*{/{/p'` file2

Assuming appropriate privileges and that file1 and file2 have the same
supported system attributes, all system attributes of file1 that are
set are also set on file2. All system attributes of file1 that are
cleared are also cleared on file2.

ENVIRONMENT VARIABLES

See environ(5) for descriptions of the following environment variables
that affect the execution of chmod: LANG, LC_ALL, LC_CTYPE,
LC_MESSAGES, and NLSPATH.

EXIT STATUS

The following exit values are returned:

    0     Successful completion.

    >0    An error occurred.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
├─────────────────────────────┼─────────────────────────────┤
│Availability                 │SUNWcsu                      │
├─────────────────────────────┼─────────────────────────────┤
│CSI                          │Enabled                      │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability          │Committed                    │
└─────────────────────────────┴─────────────────────────────┘

SEE ALSO

getfacl(1), ls(1), setfacl(1), chmod(2), fgetattr(3C), acl(5),
attributes(5), environ(5), fsattr(5), largefile(5), standards(5)

NOTES

Absolute changes do not work for the set-group-ID bit of a directory.
You must use g+s or g-s.

chmod permits you to produce useless modes so long as they are not
illegal (for instance, making a text file executable). chmod does not
check the file type to see if mandatory locking is meaningful.

If the filesystem is mounted with the nosuid option, setuid execution
is not allowed.

If you use chmod to change the file group owner permissions on a file
with ACL entries, both the file group owner permissions and the ACL
mask are changed to the new permissions. Be aware that the new ACL mask
permissions can change the effective permissions for additional users
and groups who have ACL entries on the file. Use the getfacl(1) or
ls(1) command to make sure the appropriate permissions are set for all
ACL entries.
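
The mask interaction described in the last note, worked through as an added example that is not part of the man page: a POSIX sh model that recomputes the #effective column for a constructed copy of the file.4 ACL from Example 18 before and after a group permission change. The function names are hypothetical, and the script only models the rule stated in the note; it does not call chmod.

```shell
# Constructed sample: the POSIX-draft ACL of file.4 as listed at the start of
# Example 18 (ls -v indexes and "#effective" comments removed).
ACL_FILE4='user::rw-
user:lp:rwx
group::r--
mask:r--
other:r--'

# and_perms GRANTED MASK -> rights present in both rwx triplets
and_perms() {
    _out=
    for _bit in r w x; do
        case "$1" in *"$_bit"*) _g=1 ;; *) _g=0 ;; esac
        case "$2" in *"$_bit"*) _m=1 ;; *) _m=0 ;; esac
        if [ "$_g$_m" = 11 ]; then _out="$_out$_bit"; else _out="$_out-"; fi
    done
    printf '%s\n' "$_out"
}

# chmod_group ACL PERMS -> ACL after "chmod g=PERMS": per the note above, the
# file group owner entry and the mask both become PERMS.
chmod_group() {
    printf '%s\n' "$1" | sed -e "s/^group::.*/group::$2/" -e "s/^mask:.*/mask:$2/"
}

# effective_acl ACL -> every masked entry followed by its effective rights
effective_acl() {
    _mask=$(printf '%s\n' "$1" | sed -n 's/^mask://p')
    printf '%s\n' "$1" | while IFS= read -r _line; do
        case "$_line" in
            user::*|other:*|mask:*) continue ;;   # owner and other are not masked
        esac
        printf '%s #effective:%s\n' "$_line" "$(and_perms "${_line##*:}" "$_mask")"
    done
}

echo "before:";            effective_acl "$ACL_FILE4"
echo "after chmod g=rw-:"; effective_acl "$(chmod_group "$ACL_FILE4" rw-)"
```

Granting the group write access also raises the mask, so the user:lp:rwx entry goes from effective r-- to rw- without anyone touching that entry.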

SunOS 5.11    11 Dec 2008    chmod(1)