Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
CHMOD(1)		Darwin General Commands	Manual		      CHMOD(1)

NAME
     chmod -- change file modes	or Access Control Lists

SYNOPSIS
     chmod [-fv] [-R [-H | -L |	-P]] mode file ...
     chmod [-fv] [-R [-H | -L |	-P]] [-a | +a |	=a] ACE	file ...
     chmod [-fv] [-R [-H | -L |	-P]] [-E] file ...
     chmod [-fv] [-R [-H | -L |	-P]] [-C] file ...

DESCRIPTION
     The chmod utility modifies	the file mode bits of the listed files as
     specified by the mode operand. It may also	be used	to modify the Access
     Control Lists (ACLs) associated with the listed files.

     The generic options are as	follows:

     -H	     If	the -R option is specified, symbolic links on the command line
	     are followed.  (Symbolic links encountered	in the tree traversal
	     are not followed by default.)

     -L	     If	the -R option is specified, all	symbolic links are followed.

     -P	     If	the -R option is specified, no symbolic	links are followed.
	     This is the default.

     -R	     Change the	modes of the file hierarchies rooted in	the files
	     instead of	just the files themselves.

     -f	     Do	not display a diagnostic message if chmod could	not modify the
	     mode for file.

     -v	     Cause chmod to be verbose,	showing	filenames as the mode is modi-
	     fied.  If the -v flag is specified	more than once,	the old	and
	     new modes of the file will	also be	printed, in both octal and
	     symbolic notation.

     The -H, -L	and -P options are ignored unless the -R option	is specified.
     In	addition, these	options	override each other and	the command's actions
     are determined by the last	one specified.

     Only the owner of a file or the super-user	is permitted to	change the
     mode of a file.

DIAGNOSTICS
     The chmod utility exits 0 on success, and >0 if an	error occurs.

MODES
     Modes may be absolute or symbolic.	 An absolute mode is an	octal number
     constructed from the sum of one or	more of	the following values:

	   4000	   (the	set-user-ID-on-execution bit) Executable files with
		   this	bit set	will run with effective	uid set	to the uid of
		   the file owner.  Directories	with the set-user-id bit set
		   will	force all files	and sub-directories created in them to
		   be owned by the directory owner and not by the uid of the
		   creating process, if	the underlying file system supports
		   this	feature: see chmod(2) and the suiddir option to
		   mount(8).
	   2000	   (the	set-group-ID-on-execution bit) Executable files	with
		   this	bit set	will run with effective	gid set	to the gid of
		   the file owner.
	   1000	   (the	sticky bit) See	chmod(2) and sticky(8).
	   0400	   Allow read by owner.
	   0200	   Allow write by owner.
	   0100	   For files, allow execution by owner.	 For directories,
		   allow the owner to search in	the directory.
	   0040	   Allow read by group members.
	   0020	   Allow write by group	members.
	   0010	   For files, allow execution by group members.	 For directo-
		   ries, allow group members to	search in the directory.
	   0004	   Allow read by others.
	   0002	   Allow write by others.
	   0001	   For files, allow execution by others.  For directories
		   allow others	to search in the directory.

     For example, the absolute mode that permits read, write and execute by
     the owner,	read and execute by group members, read	and execute by others,
     and no set-uid or set-gid behaviour is 755	(400+200+100+040+010+004+001).

     The symbolic mode is described by the following grammar:

	   mode		::= clause [, clause ...]
	   clause	::= [who ...] [action ...] action
	   action	::= op [perm ...]
	   who		::= a |	u | g |	o
	   op		::= + |	- | =
	   perm		::= r |	s | t |	w | x |	X | u |	g | o

     The who symbols ``u'', ``g'', and ``o'' specify the user, group, and
     other parts of the	mode bits, respectively.  The who symbol ``a'' is
     equivalent	to ``ugo''.

     The perm symbols represent	the portions of	the mode bits as follows:

	   r	   The read bits.
	   s	   The set-user-ID-on-execution	and set-group-ID-on-execution
		   bits.
	   t	   The sticky bit.
	   w	   The write bits.
	   x	   The execute/search bits.
	   X	   The execute/search bits if the file is a directory or any
		   of the execute/search bits are set in the original (unmodi-
		   fied) mode.	Operations with	the perm symbol	``X'' are only
		   meaningful in conjunction with the op symbol	``+'', and are
		   ignored in all other	cases.
	   u	   The user permission bits in the original mode of the	file.
	   g	   The group permission	bits in	the original mode of the file.
	   o	   The other permission	bits in	the original mode of the file.

     The op symbols represent the operation performed, as follows:

     +	   If no value is supplied for perm, the ``+'' operation has no
	   effect.  If no value	is supplied for	who, each permission bit spec-
	   ified in perm, for which the	corresponding bit in the file mode
	   creation mask is clear, is set.  Otherwise, the mode	bits repre-
	   sented by the specified who and perm	values are set.

     -	   If no value is supplied for perm, the ``-'' operation has no
	   effect.  If no value	is supplied for	who, each permission bit spec-
	   ified in perm, for which the	corresponding bit in the file mode
	   creation mask is clear, is cleared.	Otherwise, the mode bits rep-
	   resented by the specified who and perm values are cleared.

     =	   The mode bits specified by the who value are	cleared, or, if	no who
	   value is specified, the owner, group	and other mode bits are
	   cleared.  Then, if no value is supplied for who, each permission
	   bit specified in perm, for which the	corresponding bit in the file
	   mode	creation mask is clear,	is set.	 Otherwise, the	mode bits rep-
	   resented by the specified who and perm values are set.

     Each clause specifies one or more operations to be	performed on the mode
     bits, and each operation is applied to the	mode bits in the order speci-
     fied.

     Operations	upon the other permissions only	(specified by the symbol ``o''
     by	itself), in combination	with the perm symbols ``s'' or ``t'', are
     ignored.

EXAMPLES OF VALID MODES
     644	   make	a file readable	by anyone and writable by the owner
		   only.

     go-w	   deny	write permission to group and others.

     =rw,+X	   set the read	and write permissions to the usual defaults,
		   but retain any execute permissions that are currently set.

     +X		   make	a directory or file searchable/executable by everyone
		   if it is already searchable/executable by anyone.

     755
     u=rwx,go=rx
     u=rwx,go=u-w  make	a file readable/executable by everyone and writable by
		   the owner only.

     go=	   clear all mode bits for group and others.

     g=u-w	   set the group bits equal to the user	bits, but clear	the
		   group write bit.

ACL MANIPULATION OPTIONS
     ACLs are manipulated using	extensions to the symbolic mode	grammar.  Each
     file has one ACL, containing an ordered list of entries.  Each entry
     refers to a user or group,	and grants or denies a set of permissions.

     The following permissions are applicable to all filesystem	objects:
	   delete  Delete the item.  Deletion may be granted by	either this
		   permission on an object or the delete_child right on	the
		   containing directory.
	   readattr
		   Read	an objects basic attributes.  This is implicitly
		   granted if the object can be	looked up and not explicitly
		   denied.
	   writeattr
		   Write an object's basic attributes.
	   readextattr
		   Read	extended attributes.
	   writeextattr
		   Write extended attributes.
	   readsecurity
		   Read	an object's extended security information (ACL).
	   writesecurity
		   Write an object's security information (ownership, mode,
		   ACL).
	   chown   Change an object's ownership.

     The following permissions are applicable to directories:
	   list	   List	entries.
	   search  Look	up files by name.
	   add_file
		   Add a file.
	   add_subdirectory
		   Add a subdirectory.
	   delete_child
		   Delete a contained object.  See the file delete permission
		   above.

     The following permissions are applicable to non-directory filesystem
     objects:
	   read	   Open	for reading.
	   write   Open	for writing.
	   append  Open	for writing, but in a fashion that only	allows writes
		   into	areas of the file not previously written.
	   execute
		   Execute the file as a script	or program.

     ACL inheritance is	controlled with	the following permissions words, which
     may only be applied to directories:
	   file_inherit
		   Inherit to files.
	   directory_inherit
		   Inherit to directories.
	   limit_inherit
		   This	flag is	only relevant to entries inherited by subdi-
		   rectories; it causes	the directory_inherit flag to be
		   cleared in the entry	that is	inherited, preventing further
		   nested subdirectories from also inheriting the entry.
	   only_inherit
		   The entry is	inherited by created items but not considered
		   when	processing the ACL.

     The ACL manipulation options are as follows:

     +a	     The +a mode parses	a new ACL entry	from the next argument on the
	     commandline and inserts it	into the canonical location in the
	     ACL. If the supplied entry	refers to an identity already listed,
	     the two entries are combined.

	     Examples
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
	      #	chmod +a "admin	allow write" file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: admin allow write
	      #	chmod +a "guest	deny read" file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write
	      #	chmod +a "admin	allow delete" file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete

	     The +a mode strives to maintain correct canonical form for	the
	     ACL.
			      local deny
			      local allow
			      inherited	deny
			      inherited	allow

	     By	default, chmod adds entries to the top of the local deny and
	     local allow lists.	Inherited entries are added by using the +ai
	     mode.

	     Examples
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete
		3: juser inherited deny	delete
		4: admin inherited allow delete
		5: backup inherited deny read
		6: admin inherited allow write-security
	      #	chmod +ai "others allow	write" file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete
		3: juser inherited deny	delete
		4: others inherited allow read
		5: admin inherited allow delete
		6: backup inherited deny read
		7: admin inherited allow write-security

     +a#     When a specific ordering is required, the exact location at which
	     an	entry will be inserted is specified with the +a# mode.

	     Examples
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write
	      #	chmod +a# 2 "others deny read" file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: others deny read
		3: admin allow write

	     The +ai# mode may be used to insert inherited entries at a	spe-
	     cific location. Note that these modes allow non-canonical ACL
	     ordering to be constructed.

     -a	     The -a mode is used to delete ACL entries.	All entries exactly
	     matching the supplied entry will be deleted. If the entry lists a
	     subset of rights granted by an entry, only	the rights listed are
	     removed. Entries may also be deleted by index using the -a# mode.

	     Examples
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete
	      #	chmod -a# 1 file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: admin allow write,delete
	      #	chmod -a "admin	allow write" file1
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: admin allow delete

	     Inheritance is not	considered when	processing the -a mode;	rights
	     and entries will be removed regardless of their inherited state.

     =a#     Individual	entries	are rewritten using the	=a# mode.

	     Examples
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: admin allow delete
	      #	chmod =a# 1 "admin allow write,chown"
	      #	ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr	28 14:06 file1
		owner: juser
		1: admin allow write,chown

	     This mode may not be used to add new entries.

     -E	     Reads the ACL information from stdin, as a	sequential list	of
	     ACEs, separated by	newlines.  If the information parses cor-
	     rectly, the existing information is replaced.

     -C	     Returns false if any of the named files have ACLs in non-canoni-
	     cal order.

     -i	     Removes the 'inherited' bit from all entries in the named file(s)
	     ACLs.

     -I	     Removes all inherited entries from	the named file(s) ACL(s).

COMPATIBILITY
     The -v option is non-standard and its use in scripts is not recommended.

SEE ALSO
     chflags(1), install(1), chmod(2), stat(2),	umask(2), fts(3), setmode(3),
     symlink(7), chown(8), mount(8), sticky(8)

STANDARDS
     The chmod utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compat-
     ible with the exception of	the perm symbol	``t'' which is not included in
     that standard.

HISTORY
     A chmod command appeared in Version 1 AT&T	UNIX.

Darwin 8.0.1			 July 08, 2004			  Darwin 8.0.1

NAME | SYNOPSIS | DESCRIPTION | DIAGNOSTICS | MODES | EXAMPLES OF VALID MODES | ACL MANIPULATION OPTIONS | COMPATIBILITY | SEE ALSO | STANDARDS | HISTORY

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=chmod&manpath=Darwin+8.0.1%2fppc>

home | help