Mac OS X
linux chmod
chmod -- change file modes or Access Control Lists (ACL)
chmod [-fv ] [-R [-H | -L | -P] mode file …
chmod [-fv ] [-R [-H | -L | -P] [-a | +a | =a] ACE file …
chmod [-fhv] [-R [-H | -L | -P] [-E] file …
chmod [-fhv] [-R [-H | -L | -P] [-C] file …
chmod [-fhv] [-R [-H | -L | -P] [-N] file …
Modifies the file mode bits and Access Control Lists (ACLs)
-f | Do not display a message if modify fails for file.
| -R Change the modes of the file hierarchies rooted in the files instead of just the files the
-H, -L and -P are ignored without -R , override each other and the results are the last specified.
•Symbolic link behavor ( with -R)
| -H symbolic links on the command line are followed.
Symbolic links encountered in the tree traversal are not followed by default.
| -L | followed.
| -P | NOT followed.Default.
| | | |
| -h | change the mode of the link itself rather than the target
| -v verbose, showing filenames as the mode is modified.
Specified more than once, the old and new modes of the file will also be displayed,
in both octal and symbolic notation.
| | | | |
Only the owner of a file or the super-user is permitted to change the mode of a file.
DIAGNOSTICS
The chmod utility exits 0 on success, and >0 if an error occurs.
MODES
Modes may be absolute or symbolic. An absolute mode is an octal number constructed from the sum of one
or more of the following values:
4000| (the set-user-ID-on-execution bit) Executable files with this bit set will run with
effective uid set to the uid of the file owner. Directories with the set-user-id bit set
will force all files and sub-directories created in them to be owned by the directory
owner and not by the uid of the creating process, if the underlying file system supports
this feature: see chmod(2) and the suiddir option to mount(8).
| 2000| (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid set to the gid of the file owner.
| 1000| (the sticky bit) See chmod(2) and sticky(8).
| 0400| Allow read by owner.
| 0200| Allow write by owner.
| 0100| For files, allow execution by owner. For directories, allow the owner to search in the directory.
| 0040| Allow read by group members.
| 0020| Allow write by group members.
| 0010| For files, allow execution by group members. For directories, allow group members to search in the directory.
| 0004 | Allow read by others.
| 0002 | Allow write by others.
| 0001 | For files, allow execution by others. For directories allow others to search in the
directory.
| | | | | | | | | | | | |
For example, the absolute mode that permits read, write and execute by the owner, read and execute by
group members, read and execute by others, and no set-uid or set-gid behaviour is 755
(400+200+100+040+010+004+001).
The symbolic mode is described by the following grammar:
mode ::= clause [, clause ...]
clause ::= [who ...] [action ...] action
action ::= op [perm ...]
who ::= a | u | g | o
op ::= + | - | =
perm ::= r | s | t | w | x | X | u | g | o
The who symbols u, g, and o specify the user, group, and other mode bits,
a all is equivalent to ugo.
The perm symbols represent the portions of the mode (permission) bits:
r read bits.
w write bits.
x execute/search bits.
s set-user-ID-on-execution and set-group-ID-on-execution bits.
t sticky bit.
X execute/search bits if the file is a directory or any of the execute/search bits are
set in the original (unmodified) mode. Operations with the perm symbol X are only
meaningful in conjunction with the op symbol +, and are ignored in all other cases.
u user permission bits
g group permission bits
o other permission bits
ls -l
-rw------- 1 5595 Feb 22 12:31 .bash_history
-rwxr----- 1 27 Dec 15 16:31 .profile
The op symbols represent the operation performed:
+ If no value is supplied for perm, + has no effect.
If no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is clear, is set.
Otherwise, the mode bits represented by the specified who and perm values are set.
- If no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is clear, is cleared.
Otherwise, the mode bits represented by the specified who and perm values are cleared.
= The mode bits specified by the who value are cleared, or, if no who value is specified, the
owner, group and other mode bits are cleared.
if no value is supplied for who, each permission bit specified in perm, for which the corresponding bit in the file mode creation mask is
clear, is set.
Otherwise, the mode bits represented by the specified who and perm values are set.
Each clause specifies one or more operations to be performed on the mode bits, and each operation is
applied to the mode bits in the order specified.
Operations upon the other permissions only (specified by the symbol o by itself), in combination
with the perm symbols s or t, are ignored.
EXAMPLES OF VALID MODES
644 | make a file readable by anyone and writable by the owner only.
| go-w | deny write permission to group and others.
| =rw,+X| set the read and write permissions to the usual defaults, but retain any execute permissions that are currently set.
| +X | make a directory or file searchable/executable by everyone if it is already searchable/executable by anyone.
| 755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone and writable by the owner only.
| go= | clear all mode bits for group and others.
| g=u-w | set the group bits equal to the user bits, but clear the group write bit.
| | | | | | | | |
ACL MANIPULATION OPTIONS
Using extensions to the symbolic mode grammar.
Each file has one ACL, containing an ordered list of entries.
ls -l displays + when ACL entries are present
ls -le displays the ACL entries
drwx------+ 108 dgerman staff 3672 Feb 9 20:09 Documents
0: group:everyone deny delete
Each entry refers to a user or group, and grants or denies a set of permissions.
If a user and a group have the same name (exmple mail) , the user/group name prefix with "user:" or "group:" in order to specify the type .
Applicable to all filesystem objects:
delete | Deletion may be granted by either this permission on an object or the
delete_child right on the containing directory.
| readattr| implicitly granted if the object can be looked up and not explicitly denied.
| readextattr|
| writeattr|
| writeextattr|
| readsecurity|
| writesecurity|
| chown | Change an object's ownership.
| | | | | | | | |
Applicable to directories:
list |
| search | Look up files by name.
| add_fil|
| add_subdirectory |
| delete_child | Delete a contained object. See the file delete permission above.
| | | | | |
Applicable to non-directory filesystem objects:
read | Open for reading.
| write | Open for writing.
| append | Open for writing, but only allow writes into areas of the file not
previously written
| execute
| Execute the file as a script or pro
| | | | |
ACL inheritance is controlled with the following permissions words,
which may only be applied to directories:
file_inherit | Inherit to files.
| directory_inherit | Inherit to directories.
| limit_inherit only relevant to entries inherited by subdirectories; it causes the directory_inherit flag to be cleared in the entry that is inherited,
preventing further nested
subdirectories from also inheriting the entry.
| only_inherit
| The entry is inherited by created items but not considered when processing the ACL.
| | | | |
+a inserts into the canonical location.
If the supplied entry refers to an identity already listed, the two entries are combined.
Examples
ls -dle Documents
drwx------+ 108 3672 Feb 9 20:09 Documents
0: group:everyone deny delete
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write
# chmod +a "guest deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a "admin allow delete" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
+a maintains correct canonical form .
local deny, local allow, inherited deny, inherited allow
By default, chmod adds entries to the top of the local deny and local allow .
Inherited entries are added by using the +ai mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
| +a# | insert entry at a specific location
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 "others deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: others deny read
3: admin allow write
+ai# inserts inherited entries at a specific location. These
modes allow non-canonical ACL ordering to be constructed.!
| -a deletes matching ACL entries.
If the entry lists a subset of rights granted by an entry, only the rights listed are removed.
Entries may also be deleted by index using -a# .
Inheritance is not considered .
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,delete
# chmod -a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
| =a# rewritten Individual entries , but may not add new entries.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
# chmod =a# 1 "admin allow write,chown"
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,chown
| -E | Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If
the information parses correctly, the existing information is replaced.
| -C | Returns false if any of the named files have ACLs in non-canonical order.
| -i | Removes the 'inherited' bit from all entries in the named file(s) ACLs.
| -I | Removes all inherited entries from the named file(s) ACL(s).
| -N | Removes the ACL from the named file(s).
| | | | | | | | | |
|
COMPATIBILITY
The -v option is non-standard and its use in scripts is not recommended.
SEE ALSO
chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), symlink(7),
chown(8), mount(8), sticky(8)
STANDARDS
The chmod utility is expected to be IEEE Std 1003.2 (POSIX.2) compatible with the exception of the
perm symbol t which is not included in that standard.