chmod

change file or directory mode access permission


The mode of a new file is set based on the umask

chmod [Options]… symbolic-mode file … chmod [Options]… m m m file …

--reference=reffile use reffile's mode

`-R --recursive`
`-f --silent, --quiet`	suppress most error messages
`-v --verbose`	show files processed
`-c† --changes`	show files changed
`--help`
`--version`

Symbolic-Mode options:
[ugoa [+-=][rwx Xst]
ugoa specifies which users' access to the file will be changed:

who

user who owns it
group members
other users i.e. not the user who owns it and not users in the file's group
all ( i.e. ugo)

Default: all user's flags (which are not inhibited by umask).

how

+ adds to the existing modes
- removes modes
= sets modes

access

Read
Write
Xecute or special

rwxXst select the modes for the specified users:

read , write, execute
eXecute only if the file is a directory or already has execute permission for some user
set user or group ID on execution^†
t Save program text on swap device ( perhaps a performance enhancer )

For a directory mode means: read:list files, write:add, execute:access

Examples

chmod a-w file

chmod a+r file

chmod g+rw file

chmod =rx,g+s file

Numeric mode:

(1-4 digits)

first digit

special attributes

usually not used

SetUID	4000
SetGID	2000
save Text Image	1000

second digit

owner

read	400
write	200
execute	100

third digit

group

read	040
write	020
execute	010

fourth digit

other
users NOT in the file's group

read	004
write	002
execute	001

The mode is calculated by adding the values.
User (owner) (rwx) = 400+200+100= 700 ; Group(rx) = 40+10 = 50; Other (x) = 1 results in: mode = 751
Setting mode to 777 should be avoided as this permits anyone to modify the file.

Allow the user read+write+execute, group members read+execute, others no access
chmod 750 file ls -l file -rwxr-x--- 1 dgerman team2 978 22 May 19:10 file
user read,write,execute , group read+write , others no access
chmod 760 file ls -l file -rwxrw---- 1 dgerman team2 978 22 May 19:10 file

For symbolic links: the mode is not changed since they are not used. The mode of the target file is changed except during recursive directory traversals.

This page documents the GNU version of chmod.

see also:
ls -l lists current permissions for -- u (owner) rwx -- g (group) rwx -- O (Other) rwx --
chgrp - Change group ownership
chown - Change file owner and group
umask - sets "allowed" filter
Windows equivalent commands:
ATTRIB - Change file attributes
CACLS - Change AccessControlList settings
XCACLS - Change file permissions

and for us Mac ers

Fat file system only supports readonly, hidden, sys and archive. see ATTRIB.exe ATTRIB [ +| attribute ] [pathname] [/S [/D]] [/L] Display or change file attributes.

     +    : Turn an attribute ON
     -    : Clear an attribute OFF

pathname Drive and/or filename e.g. C:\*.txt

/S Search the pathname including all subfolders.

/D Process folders as well

/L Work on the attributes of the symbolic link versus the target of the Symbolic link.

attributes
        
        R Read-only (1)
        
A Archive (32)
        
S System (4)
        
H Hidden (2)

extended attributes

`B`	SMB Blob Attribute (Windows 10)
`E`	Encrypted
`C`	Compressed (128:read-only)
`I`	Not content-indexed
`N`	Normal (0: cannot be used for file selection)
`O`	Offline
`P`	Pinned Attribute (Windows 10) This refers to the "Always available on this device" setting for OneDrive files.
`U`	Unpinned Attribute (Windows 10)
`T`	Temporary
`X`	No scrub file attribute (Windows 8+)
`V`	Integrity attribute (Windows 8+)

The numeric values can be used when changing attributes with VBS/WSH If no attribute is specified attrib will return the current attribute settings. Used with just the /S option ATTRIB will quickly search for a particular filename. In older versions of Windows, Explorer would display 'p' to indicate a 'sparse' file.

Hidden and System attributes take priority. If a file has both the Hidden and System attributes set, you can clear both attributes only with a single ATTRIB command.

For example, to clear the Hidden and System attributes for the RECORD.TXT file, type: ATTRIB -S -H RECORD.TXT

If a file has the System or Hidden attribute set, you must clear that attribute before you can change any other attributes with ATTRIB. Wildcards You can use wildcards (? and *) with the pathname parameter to display or change the attributes for a group of files.

Directory Attributes You can display or change some attributes for a directory/folder.

The Read-only attribute (R) does not apply to a folder. This is because a unlike a file, a folder object does not contain any content that can be edited. The Name of a folder can be changed but that is a rename operation not an edit of the contents.

The Read-only attribute of a folder can be set or cleared in Windows Explorer as a fast method of setting/clearing the Read-only attribute of all files within the folder. It does not actually set the attribute on the folder itself.

To use ATTRIB with a directory, you must explicitly specify the directory name; you cannot use wildcards to work with directories. So the following command would affect only files, not directories: ATTRIB +H C:*.*

To hide the directory C:\SECRET: ATTRIB +H C:\SECRET

Detect whether a path points to a file or a directory by reading the Extended Attribute for 'Directory' (as listed below).

The System attribute is used by Windows to determine that a folder is a special folder, such as My Documents, Favorites, Fonts, etc.

Archive attribute The Archive attribute (A) is used to mark files that have changed since they were previously backed up. The (A) flag is automatically updated by Windows as the file is saved. If the (A) flag is present - the file is new or has been changed since the last backup. The MSBACKUP, RESTORE, and XCOPY commands use these Archive attributes, as do most 3rd party backup solutions.

Temporary attribute DFSR will not replicate files if they have the Temporary attribute set. The temporary attribute can be removed by using PowerShell to subtract 0x100: PS C:\> Get-childitem D:\Data -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}}

Extended Attributes are only available on NTFS volumes. File attributes can be read with FSUTIL usn readdata filename.ext Constants - the following attribute values are returned by the GetFileAttributes function:

Constant Dec Hex

`(R) Read-only file.`	Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories. FILE_ATTRIBUTE_READONLY 1 0x1
`(H) Hidden.`	The file or directory is hidden. It is not included in an ordinary directory listing. FILE_ATTRIBUTE_HIDDEN 2 0x2
`(S) System.`	A file or directory that the operating system uses a part of, or uses exclusively. FILE_ATTRIBUTE_SYSTEM 4 0x4
`Directory.`	The handle that identifies a directory. FILE_ATTRIBUTE_DIRECTORY 16 0x10
`(A) Archive.`	A file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal . FILE_ATTRIBUTE_ARCHIVE 32 0x20
`Device.`	This value is reserved for system use. FILE_ATTRIBUTE_DEVICE 64 0x40 Normal. A file that does not have other attributes set. This pseudo attribute is considered to be set if all other attributes (including the extended attributes) are reset. FILE_ATTRIBUTE_NORMAL 128 0x80
`(T) Temporary.`	A file that is being used for temporary storage. The OS will prefer cache memory for files marked as temporary. FILE_ATTRIBUTE_TEMPORARY 256 0x100 Sparse file. A file that is a sparse file. A sparse file has an attribute that causes the I/O subsystem to allocate only meaningful (nonzero) data. Nonzero data is allocated on disk, and non-meaningful data (large strings of data composed of zeros) is not. FILE_ATTRIBUTE_SPARSE_FILE 512 0x200
`Reparse point.`	A file or directory that has an associated reparse point, or a file that is a symbolic link. FILE_ATTRIBUTE_REPARSE_POINT 1024 0x400
`(C) Compressed`	file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories. FILE_ATTRIBUTE_COMPRESSED 2048 0x800
`(O) Offline.`	The data of a file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute. FILE_ATTRIBUTE_OFFLINE 4096 0x1000
`(I) Not Indexed.`	The file or directory is not to be indexed by the content indexing service. FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 8192 0x2000
`(E) Encrypted`	file or directory. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories. FILE_ATTRIBUTE_ENCRYPTED 16,384 0x4000 Integrity. The directory or user data stream is configured with 'integrity' (only supported on ReFS volumes) which gives ReFS the ability to reliably detect file corruption.. It is not included in an ordinary directory listing. FILE_ATTRIBUTE_INTEGRITY_STREAM 32,768 0x8000
`Virtual.`	This value is reserved for system use. FILE_ATTRIBUTE_VIRTUAL 65,536 0x10000
`(X) No Scrub.`	The user data stream not to be read by the background data integrity scanner (AKA scrubber) for proactive error correction. When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes. It is not included in an ordinary directory listing. FILE_ATTRIBUTE_NO_SCRUB_DATA 131,072 0x20000
`(U) UnPinned.`	FILE_ATTRIBUTE_UNPINNED 1,048,576 0x00100000
`(P) Pinned.`	This refers to the "Always available on this device" setting for OneDrive files. FILE_ATTRIBUTE_PINNED 524,288 0x00080000
`(M) Recall on Data Access.`	When this attribute is set, it means that the file or directory is not fully present locally. For a file that means that not all of its data is on local storage (e.g. it may be sparse with some data still in remote storage). For a directory it means that some of the directory contents are being virtualized from another location. Reading the file / enumerating the directory will be more expensive than normal, e.g. it will cause at least some of the file/directory content to be fetched from a remote store. Only kernel-mode callers can set this bit. FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 4,194,304 0x00400000 For example, a file attribute of 0x120 indicates the Temporary + Archive attributes are set (0x100 + 0x20 = 0x120.)

Related commands:

CACLS - Change file permissions.
An alternative way to display extended attributes is using FOR parameter attributes
FSUTIL - File and Volume utilities.
Show superhidden file extensions.
Q326549 - Read-only & System attributes for folders.
PowerShell equivalent:(Get-Item 'example.txt').Attributes / Get-ItemProperty / Set-ItemProperty - Example script
Equivalent bash command (Linux): chmod - Change access permissions.