change file modes or Access Control Lists (ACL)
chmod [-fv ] [-R [-H | -L | -P] mode file …
chmod [-fv ] [-R [-H | -L | -P] [-a | +a | =a] ACL file …
chmod [-fhv] [-R [-H | -L | -P] [-E] file …
chmod [-fhv] [-R [-H | -L | -P] [-C] file …
chmod [-fhv] [-R [-H | -L | -P] [-N] file …
Modifies the file mode bits and Access Control Lists (ACLs)
-f force (?)Do not display a message if modify fails for file.
| -R Recursively change the modes of the file hierarchies rooted in file s .
-H, -L and -P are ignored without -R , override each other and the results are the last specified.
•Symbolic link behavor ( with -R )
| -H symbolic links on the command line are followed.
Symbolic links encountered in the tree traversal are not followed by default.
| -L followed.
| -P NOT followed.Default.
| | | |
| -h change the mode of the link itself rather than the target .
| -v
-v -v verbose showing filenames as the mode is modified.
Specified more than once, the old and new modes of the file will also be displayed,
in both octal and symbolic notation.
chmod -v -v a+r shop.txt
shop.txt: 0100700 [-rwx------ ] -> 0100744 [-rwxr--r-- ]
| | | | |
Only the owner of a file or the super-user is permitted to change the mode of a file.
DIAGNOSTICS
Exits 0 on success ; 1 if cannot access target or syntax is incorrect.
Modes
Absolute which is the octal sum of:
4000 set-user-ID-on-execution.
Executable with this bit set will run with
effective uid set to the uid of the file owner.
Directories with the set-user-id bit set
will force all files and sub-directories created in them to be owned by the directory
owner and not by the uid of the creating process, if the underlying file system supports
this feature: see chmod(2) and the suiddir option to mount(8).
| 2000 set-group-ID-on-execution.
Executable with this bit set will run with effective gid set to the gid of the file owner.
| 1000 sticky bit See chmod(2) and sticky(8).
| 0400 read by owner.
| 0200 write by owner.
| 0100 execution by owner, for files.
allow search by owner , for directories.
| 0040 read by group members.
| 0020 write by group members.
| 0010 execution by group members.
Search group members in the directory.
| 0004 read by others.
| 0002 write by others.
| 0001 execution by others.
others search in the directory.
| | | | | | | | | | | | |
For example, the absolute mode that permits read, write and execute by the owner, read and execute by
group members, read and execute by others, and no set-uid or set-gid behaviour is 755
(400+200+100+040+010+004+001).
Symbolic
mode ::= clause [, clause …]
clause ::= [who …] [action …]
who ::= a | u | g | o |␀
action ::= op [permission …]
op ::= + | - | =
permission ::= r | w | x | X | s | t
Where who
is u
ser, g
roup, o
ther (not owner) and
a
ll (equivalent to ugo
).
The permission
flags:
r read
| w write
| x executable for file ; searchable for directory
| X eXecute/search if the file is a directory or any of the execute/search flags are
set in the original (unmodified) mode. X is only meaningful with +
| u user
| g group
| o others not owner!
| ␀ all who not prohibited by umask
|
s set-user-ID-on-execution and set-group-ID-on-execution bits.
| t sticky bit.
| | | | | | | | | | |
ls -l
-rw------- 1 5595 Feb 22 12:31 .bash_history
-rwxr----- 1 27 Dec 15 16:31 .profile
+ If no value is supplied for who, permission is set.
If no value is supplied for permission, +
has no effect.
Otherwise, mode for who and permision values are set.
- If no value is supplied for who,
Otherwise, the mode specified who and perm values are cleared.
= The mode bits specified by the who value are cleared, or, if no who value is specified, the
user, group and other mode bits are cleared.
if no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is
clear, is set.
Otherwise, the mode bits represented by the specified who and perm values are set.
Each clause specifies one or more operations to be performed on the mode bits, and each operation is
applied to the mode bits in the order specified.
Operations of other only with s
or t
, are ignored.
Examples of Valid Modes
644 make a file readable by anyone and writable by the user(owner) only.
| go-w deny write permission to group and others.
| =rw,+X set the read and write permissions to the usual defaults, but retain any execute permissions that are currently set.
| +X make a directory or file searchable/executable by everyone if it is already searchable/executable by anyone.
| 755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone and writable by the user only.
| go= clear all mode bits for group and others.
| g=u-w set the group bits equal to the user bits, but clear the group write bit.
| | | | | | |
| |
Errors
chmod: Unable to change file mode on com.teamviewer.teamviewer.plist: Operation not permitted
File may be owned by root
and System Integrity Protection is enabled.
Access Control List
The Access Control List is an extension to symbolic mode.
A file or directory may have an ACL, containing an ordered list of entries.
Each entry refers to a user or group, and allows or denies a set of actions.
ACL ::= group|user allow|deny action
Actions
For all filesystem objects:
|
delete Deletion may be allowed/denied by either this permission on an object or the
delete_child right on the containing directory.
| readattr implicitly allowed if the object can be looked up and not explicitly denied.
| readextattr
| writeattr
| writeextattr
| readsecurity
| writesecurity
| chown Change ownership (root only)
| Operations applicable to directories:
| list
| search Look up files by name.
| add_file
| add_subdirectory
| delete_child Delete a contained object. See the file delete permission .
| for non-directory objects:
| read
| write
| append
| execute
| Inheritance is controlled on directories with
| file_inherit Inherit to files.
| directory_inherit Inherit to directories.
| limit_inherit
Clears directory_inherit in the entry that is inherited, preventing further nested subdirectories from also inheriting the entry. only relevant to entries inherited by subdirectories
| only_inherit The entry is inherited by created items but not considered when processing the ACL.
| | | | | | | | | | | | | | | | | | | | | |
If the user and group are the same (example mail mail
) , prefix the user/group with "user:" or "group:"
+a ACL Adds into the canonical location.
local deny, local allow, inherited deny, inherited allow
By default, chmod adds entries to the top of the local deny and local allow .
Entries refering to an existing user/group are combined.
Examples
> /bin/chmod +a "everyone deny delete" sacredFile # ( root can still delete!)
ls -l displays + when ACL entries are present
ls -le displays the ACL entries
drwx------+ 108 dgerman staff 3672 Feb 9 20:09 Documents
0: group:everyone deny delete
ls -dle Documents # Can not click on finder
drwxr-xr-x+ 31 dgerman staff 992 Jun 23 14:14 Documents/
0: group:admin allow list,search,readattr,readextattr,readsecurity
> ls -dle Documents #list the directory, long format, including ACL
drwx------+ 108 3672 Feb 9 20:09 Documents
0: group:everyone deny delete
> ls -le # file1 initially has no ACL
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
> chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write
> chmod +a "guest deny read" file1 # Add in the proper order
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
> chmod +a "admin allow delete" file1 # Add DELETE to existing write entry
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
| Specific entries are references by index
+a# i Adds entry at a specific location
Examples
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
> chmod +a# 2 "others deny read" file1
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: others deny read
3: admin allow write
| +ai user permission access Adds Inherited entries
Examples
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
> chmod +ai "others allow read" file1
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
| +ai# i | Add inherited entries at a specific location.
These modes allow non-canonical ACL ordering to be constructed.
| -a# i user premission action REMOVES matching entries.
If the entry lists a subset of rights allowed by an entry, only the rights listed are removed.
Inheritance is not considered .
Examples > ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
> chmod -a# 1 file1 # remove entry 1 ,i.e guest deny read
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,delete
> chmod -a "admin allow write" file1
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
| =a# i rewrite Individual entries , but don't add entries.
Examples
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
> chmod =a# 1 "admin allow write,chown"
> ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,chown
| -E Existing information is replaced with lines of ACL information from stdin.
| -i file [… Removes inherited entries
| -I file [… Removes inherited entries
| -N file [… Removes the ACL
| -C file [… Checks if any of files have ACLs in non-canonical order.Returns false
| | | | | | | | | | | |
compatibility
-v
is non-standard
t
is not included in IEEE Std 1003.2 (POSIX.2
)
SEE ALSO
chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), symlink(7),
chown(8), mount(8), sticky(8)