👤
Home Man
Search
Today's Posts
Register

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:
Select Section of Man Page:
Select Man Page Repository:

OpenSolaris 2009.06 - man page for chmod (opensolaris section 1)

chmod(1)				  User Commands 				 chmod(1)

NAME
       chmod - change the permissions mode of a file

SYNOPSIS
       chmod [-fR] absolute-mode file...

       chmod [-fR] symbolic-mode-list file...

       chmod [-fR] acl_operation file...

       chmod [-fR] [-@ named_attribute]...attribute_specification_list file...

DESCRIPTION
       The chmod utility changes or assigns the mode of a file.

       chmod can also be used to modify Access Control Lists (ACLs) on files and directories, and
       to modify boolean read-write system attributes on regular files, directories,  and  opaque
       extended attribute files.

   Absolute Mode
       An absolute mode command line has the following format:

       chmod [options] absolute-mode file . . .

       where absolute-mode is specified using octal numbers nnnn defined as follows:

       n    a  number from 0 to 7. An absolute mode is constructed from the OR of any of the fol-
	    lowing modes:

	    4000	Set user ID on execution.

	    20#0	Set group ID on execution if # is 7, 5, 3, or 1.

			Enable mandatory locking if # is 6, 4, 2, or 0.

			For directories, files are created with BSD semantics for propagation  of
			the  group  ID. With this option, files and subdirectories created in the
			directory inherit the group ID of the directory, rather than of the  cur-
			rent process. For directories, the set-gid bit can only be set or cleared
			by using symbolic mode.

	    1000	Turn on sticky bit. See chmod(2).

	    0400	Allow read by owner.

	    0200	Allow write by owner.

	    0100	Allow execute (search in directory) by owner.

	    0700	Allow read, write, and execute (search) by owner.

	    0040	Allow read by group.

	    0020	Allow write by group.

	    0010	Allow execute (search in directory) by group.

	    0070	Allow read, write, and execute (search) by group.

	    0004	Allow read by others.

	    0002	Allow write by others.

	    0001	Allow execute (search in directory) by others.

	    0007	Allow read, write, and execute (search) by others.

       For directories, the setgid bit cannot be set (or cleared) in absolute mode;  it  must  be
       set (or cleared) in symbolic mode using g+s (or g-s).

   Symbolic Mode
       A symbolic mode command line has the following format:

       chmod [options] symbolic-mode-list file . . .

       where  symbolic-mode-list  is  a comma-separated list (with no intervening white space) of
       symbolic mode expressions of the form:

       [who] operator [permissions]

       Operations are performed in the order given. Multiple permissions letters following a sin-
       gle operator cause the corresponding operations to be performed simultaneously.

       who	     zero  or  more of the characters u, g, o, and a specifying whose permissions
		     are to be changed or assigned:

		     u	  user's permissions

		     g	  group's permissions

		     o	  others' permissions

		     a	  all permissions (user, group, and other)

		     If who is omitted, it defaults to a, but the setting of the file  mode  cre-
		     ation mask (see umask in sh(1) or csh(1) for more information) is taken into
		     account. When who is omitted, chmod does not override  the  restrictions  of
		     your user mask.

       operator      either +, -, or =, signifying how permissions are to be changed:

		     +	     Add permissions.

			     If permissions are omitted, nothing is added.

			     If  who  is  omitted,  add the file mode bits represented by permis-
			     sions, except for the those with corresponding bits in the file mode
			     creation mask.

			     If who is present, add the file mode bits represented by the permis-
			     sions.

		     -	     Take away permissions.

			     If permissions are omitted, do nothing.

			     If who is omitted, clear the file mode bits represented  by  permis-
			     sions,  except  for  those  with corresponding bits in the file mode
			     creation mask.

			     If who is present, clear the file mode bits represented  by  permis-
			     sions.

		     =	     Assign permissions absolutely.

			     If  who  is  omitted,  clear  all file mode bits; if who is present,
			     clear the file mode bits represented by who.

			     If permissions are omitted, do nothing else.

			     If who is omitted, add the file mode  bits  represented  by  permis-
			     sions, except for the those with corresponding bits in the file mode
			     creation mask.

			     If who is present, add the file mode  bits  represented  by  permis-
			     sions.

		     Unlike other symbolic operations, = has an absolute effect in that it resets
		     all other bits represented by who. Omitting permissions is useful only  with
		     = to take away all permissions.

       permission    any compatible combination of the following letters:

		     l	      mandatory locking

		     r	      read permission

		     s	      user or group set-ID

		     t	      sticky bit

		     w	      write permission

		     x	      execute permission

		     X	      execute  permission  if the file is a directory or if there is exe-
			      cute permission for one of the other user classes

		     u,g,o    indicate that permission is to be  taken	from  the  current  user,
			      group or other mode respectively.

		     Permissions  to a file can vary depending on your user identification number
		     (UID) or group identification number (GID).  Permissions  are  described  in
		     three sequences each having three characters:

		     User		  Group 		Other
		     rwx		  rwx			rwx

		     This  example  (user,  group, and others all have permission to read, write,
		     and execute a given file) demonstrates two categories for	granting  permis-
		     sions: the access class and the permissions themselves.

		     The letter s is only meaningful with u or g, and t only works with u.

		     Mandatory file and record locking (l) refers to a file's ability to have its
		     reading or writing permissions locked while  a  program  is  accessing  that
		     file.

		     In  a  directory  which  has  the	set-group-ID bit set (reflected as either
		     -----s--- or -----l--- in the output of 'ls -ld'), files and  subdirectories
		     are  created  with the group-ID of the parent directory--not that of current
		     process.

		     It is not possible to permit group execution and enable a file to be  locked
		     on  execution  at	the same time. In addition, it is not possible to turn on
		     the set-group-ID bit and enable a file to be locked on execution at the same
		     time.  The  following examples, therefore, are invalid and elicit error mes-
		     sages:

		       chmod g+x,+l file
		       chmod g+s,+l file

		     Only the owner of a file or directory (or the super-user)	can  change  that
		     file's  or directory's mode. Only the super-user can set the sticky bit on a
		     non-directory file. If you are not super-user, chmod  masks  the  sticky-bit
		     but does not return an error. In order to turn on a file's set-group-ID bit,
		     your own group ID must correspond to the file's and group execution must  be
		     set.

   ACL Operation
       An ACL Operation command line has the following format:

	 chmod [options] A[number]- file ...
	 chmod [options] A-acl_specification file ...
	 chmod [options] A[index]{+|=}acl_specification file ...

       Where  acl_specification is a comma-separated list (with no intervening white space) of an
       ACL specification of the form:

       A[index]+acl_specification    Prepends the  access  control  entries  (ACE)  specified  in
				     acl_specification	to  the  beginning  of	the  file's  ACL.
				     Depending on the file system, the ACL can be reordered  when
				     applied  to the file. If "optional" number is specified then
				     new ACEs are inserted before specified number.

       A-			     Removes all ACEs for current ACL on file and  replaces  cur-
				     rent  ACL with new ACL that represents only the current mode
				     of the file.

       Aindex-			     Removes ACE specified by index number.

       A-acl_specification	     Removes ACEs specified by acl_specification, if  they  exist
				     in current file's ACL.

       A=acl_specification	     Replaces a files entire ACL with acl_specification.

       A[index]=acl_specification    Replaces  ACEs  starting  at  a specific index number in the
				     current ACL on the file. If  multiple  ACEs  are  specified,
				     then  each  subsequent ACE in acl_specification replaces the
				     corresponding ACE in the current ACL.

       POSIX-draft ACL Specification (as supported by UFS)

       POSIX-draft ACLs (as supported by UFS) are specified as colon (:) separated fields of  the
       following.

       user::perms

	   File owner permissions.

       user:username:perms

	   Permissions for a specific user.

       group::perms

	   File group owner permissions.

       group:groupname:perms

	   Permissions for a specific group.

       other::perms

	   Permissions for user other than the file owner or members of file group owner.

       mask:perms

	   The ACL mask. The mask entry specifies the maximum permissions allowed for user (other
	   than that the owner) and for groups.

       default:user::perms

	   Default file owner permissions.

       default:user:username:perms

	   Default permissions for a specific user.

       default:group::perms

	   Default file group owner permissions.

       default:group:groupname:perms

	   Default permissions for a specific group.

       default:other:perms

	   Default permissions for user other than the file owner or members of  the  file  group
	   owner.

       default:mask:perms

	   Default ACL mask.

       The above specification allows for ACLs to be specified such as:

	 user:tom:rw-,mask:rwx,group:staff:r-x

       NFSv4 ACL Specification (as supported by NFSv4 and ZFS)

       NFSv4  ACLs  provide richer ACL semantics. They provide both allow and deny entries, finer
       grained permissions, and enhanced inheritance control.

       NFSv4 ACLs are specified as colon (:) separated fields of the following.

       owner@:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for file owner.

       group@:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for file group owner.

       everyone@:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for everyone, including file owner and group owner.

       user:<username>:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for a specific user.

       usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for a specific user, but user is specified by SID.

       group:<groupname>:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for a specific group.

       groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for a specific group, but group is specified by SID.

       sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

	   Permissions for a specific SID, but it doesn't matter if it is a user or a group.

       Permissions can be specified in three different chmod ACL formats:  verbose,  compact,  or
       positional.  The  verbose format uses words to indicate that the permissions are separated
       with a forward slash (/) character. Compact format uses the permission letters  and  posi-
       tional format uses the permission letters or the hyphen (-) to identify no permissions.

       The permissions for verbose mode and their abbreviated form in parentheses for compact and
       positional mode are described as follows:

       read_data (r)	       Permission to read the data of a file.

       list_directory (r)      Permission to list the contents of a directory.

       write_data (w)	       Permission to modify a file's data. anywhere in the file's  offset
			       range.

       add_file (w)	       Permission to add a new file to a directory.

       append_data (p)	       The ability to modify a file's data, but only starting at EOF.

			       Currently, this permission is not supported.

       add_subdirectory (p)    Permission to create a subdirectory to a directory.

       read_xattr (R)	       Ability to read the extended attributes of a file.

       write_xattr (W)	       Ability	to  create  extended  attributes or write to the extended
			       attribute directory.

       execute (x)	       Permission to execute a file.

       read_attributes (a)     The ability to read basic attributes (non-ACLs) of a file.

       write_attributes (A)    Permission to change the times associated with a file or directory
			       to an arbitrary value.

       delete (d)	       Permission to delete a file.

       delete_child (D)        Permission to delete a file within a directory.

       read_acl (c)	       Permission to read the ACL of a file.

       write_acl (C)	       Permission to write the ACL of a file.

       write_owner (o)	       Permission to change the owner of a file.

       synchronize (s)	       Permission to access file locally at server with synchronize reads
			       and writes.

			       Currently, this permission is not supported.

       Using the compact ACL format, permissions are specified by  using  14  unique  letters  to
       indicate permissions.

       Using the positional ACL format, permissions are specified as positional arguments similar
       to the ls -V format. The hyphen (-), which indicates that no permission is granted at that
       position, can be omitted and only the required letters have to be specified.

       The letters above are listed in the order they would be specified in positional notation.

       Permissions can be specified with these letters in the following way:

	 rwx--D--------

       The hyphens can be removed to compact the string as follows:

	 rwxD

       Several	special  permission  sets or aliases are also supported. The following permission
       sets are used the same way that verbose permissions are specified.

       full_set      All permissions.

       modify_set    All permissions except write_acl and write_owner.

       read_set      read_data, read_acl, read_attributes, and read_xattr.

       write_set     write_data, append_data, write_attributes, and write_xattr

       The optional inheritance flags can be specified in the three  formats.  The  first  format
       uses  words  to	indicate the various inheritance flags separated with a forward slash (/)
       character.

       file_inherit (f)    Inherit to all newly created files.

       dir_inherit (d)	   Inherit to all newly created directories.

       inherit_only (i)    When placed on a directory, do not apply to	the  directory,  only  to
			   newly  created  files  and directories. This flag requires that either
			   file_inherit and or dir_inherit is also specified.

       no_propagate (n)    Indicates that ACL entries should be inherited to objects in a  direc-
			   tory,  but  inheritance  should  stop after descending one level. This
			   flag is dependent upon either file_inherit  and  or	dir_inherit  also
			   being specified.

       The  inheritance flags listed can also be specified in the compact format or as positional
       arguments similar to the ls -V format. A hyphen character indicates that  the  inheritance
       flag at that position is not specified in the positional ACL format.

       The  inheritance flags can be specified with these letters in any of the following equiva-
       lent ways.

	 file_inherit/dir_inherit/no_propagate

	 fd-n--

	 fdn

       With this inheritance model, an ACL entry can be specified such as:

	 user:tom:read_data/write_data/read_attributes:file_inherit:allow
	 user:fred:read_data:file_inherit/dir_inherit:deny
	 user:bob:read_data:allow

   Attribute Operation
       An attribute operation command line has the following format:

	 chmod [options] attribute_specification_list file ...

       where attribute_specification_list is the character S followed by a  comma-separated  list
       of one or more attribute_specifications. Each attribute_specification is of the form:

	 [operator]attribute_specifier

       An operator is one of the following:

       +    Each  attribute  specified by the associated attribute_specifier is adjusted to match
	    the value specified by the attribute_specifier.

       -    Each attribute specified by the associated attribute_specifier is adjusted	to  match
	    the inverse of the value specified by the attribute_specifier.

       =    Each  attribute  specified by the associated attribute_specifier is adjusted to match
	    the value specified by the attribute_specifier. Any boolean read-write extended  sys-
	    tem   attributes  associated  with	the  current  file  that  are  not  specified  by
	    attribute_specifier is cleared.

       If an operator is not specified in an attribute_specification, chmod behaves as if  +  had
       been specified.

       An attribute_specifier takes one of the following forms:

       a

	   Set	all  boolean  read-write  extended  system attributes associated with the current
	   file.

       c[compact_attribute_list]
       c'{'compact_attribute_list'}'

	   Set	each  boolean  read-write  extended   system   attribute   identified	by   com-
	   pact_attribute_list.

       v[verbose_attribute_setting]
       v['{'verbose_attribute_setting_list'}']

	   Set	 each	boolean   read-write   extended   system  attribute  identified  by  ver-
	   bose_attribute_setting.

       A compact_attribute_list is a list of zero or more adjacent attribute abbreviation charac-
       ters  from   list of Attribute Names and Abbreviation Characters later in this section. An
       arbitrary number of hyphen (-) characters can be  included  in  a  compact_attribute_list.
       These are ignored.

       A  verbose_attribute_setting  is  an  attribute name from the  list of Attribute Names and
       Abbreviation Characters later in this section, optionally, immediately preceded by no.  If
       the  attribute  name  is used without no, the attribute is set; otherwise the attribute is
       cleared.

       A verbose_attribute_setting_list is zero or  more  comma-separated  verbose_attribute_set-
       tings.

       Multiple  operations specified for a file are accumulated and are all set for a file oper-
       and as a single attribute setting operation. If an attribute is specified more  than  once
       in an attribute_specification_list, the last specified operation is applied.

       The following is a list of Attribute Names and Abbreviation Characters:

       Attribute Name	 Abbreviation Character

       hidden		 H

       system		 S

       readonly 	 R

       archive		 A

       nounlink 	 u

       immutable	 i

       appendonly	 a

       nodump		 d

       av_quarantined	 q

       av_modified	 m

OPTIONS
       The following options are supported:

       -f		     Force.  chmod  does not complain if it fails to change the mode of a
			     file.

       -R		     Recursively descend through directory arguments,  setting	the  mode
			     for  each file. When symbolic links are encountered, the mode of the
			     target file is changed, but no recursion takes place.

       -@ named_attribute    Perform the attribute operation on the named extended attribute file
			     of each file operand instead of the file operand itself. If multiple
			     -@ operations are supplied,  the  attribute  specification  mode  is
			     applied to each of the named attribute files.

			     A	named  attribute of * carries meaning to chmod, and is considered
			     to mean all extended attribute files associated with a file operand.
			     This does not refer to the special files . and ...

			     A	named  attribute  of  .. carries special meaning to chmod, and is
			     considered to mean the file operand itself. This allows chmod, in	a
			     single call, to apply the attribute specification mode to the speci-
			     fied named attribute file of the file operand and the  file  operand
			     itself.

OPERANDS
       The following operands are supported:

       absolute-mode
       symbolic-mode-list

	   Represents  the  change  to be made to the file mode bits of each file named by one of
	   the file operands. See Absolute Mode and Symbolic Mode in the DESCRIPTION  section  of
	   this manual page for more information.

       acl_operation

	   Represents  the  modification  to be performed on the file's ACL. See ACL Operation in
	   the DESCRIPTION section for more information.

	   acl_operation is one of the following:

	     A[number] -
	     A-acl_specification
	     A[index]{+|=}acl_specification

       attribute_specification_list

	   Represents the modification to performed on the file's attributes. See Attribute Oper-
	   ation in the DESCRIPTION section of this manual page for more information.

       file

	   A path name of a file whose file mode bits are to be modified.

USAGE
       See  largefile(5)  for  the  description  of the behavior of chmod when encountering files
       greater than or equal to 2 Gbyte ( 2^31 bytes).

EXAMPLES
       Example 1 Denying execute Permission

       The following example denies execute permission to everyone:

	 % chmod a-x file

       Example 2 Allowing read-only Permission

       The following example allows only read permission to everyone:

	 % chmod 444 file

       Example 3 Making a File readable and writable

       The following example makes a file readable and writable by the group and others:

	 % chmod go+rw file
	 % chmod 066 file

       Example 4 Locking a File From Access

       The following example locks a file from access:

	 $ chmod +l file

       Example 5 Granting read, write, execute, and set group-ID Permission on a File

       The following example grants everyone read, write, and execute permissions  on  the  file,
       and turns on the set group-ID:

	 $ chmod a=rwx,g+s file
	 $ chmod 2777 file

       Example 6 Prepending a New ACL Entry on a ZFS File

       The following example prepends a new ACL entry on a ZFS file.

       First, display the current ACL:

	 $ ls -v file.3
	 -rw-r--r--   1 marks	 staff		0 Oct  9 15:49 file.3
	       0:owner@:execute:deny
	       1:owner@:read_data/write_data/append_data/write_xattr/
		  write_attributes/write_acl/write_owner:allow
	       2:group@:write_data/append_data/execute:deny
	       3:group@:read_data:allow
	       4:everyone@:write_data/append_data/write_xattr/execute/
		 write_attributes/write_acl/write_owner:deny
	       5:everyone@:read_data/read_xattr/read_attributes/read_acl/
		  synchronize:allow

       Issue the following command:

	 $ chmod A+user:lp:read_data:deny file.3

       Display the new ACL:

	 $ ls -v file.3
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 15:49 file.3
	       0:user:lp:read_data:deny
	       1:owner@:execute:deny
	       2:owner@:read_data/write_data/append_data/write_xattr/
		   write_attributes/write_acl/write_owner:allow
	       3:group@:write_data/append_data/execute:deny
	       4:group@:read_data:allow
	       5:everyone@:write_data/append_data/write_xattr/execute/
		   write_attributes/write_acl/write_owner:deny
	       6:everyone@:read_data/read_xattr/read_attributes/read_acl/
		   synchronize:allow

       Example 7 Prepending a New POSIX-draft ACL Entry on a UFS File

       The following example prepends a new POSIX-draft ACL entry on a UFS file.

       First, display the current ACL:

	 $ ls -v file.2
	 -rw-r--r--   1 marks	 staff		0 Oct  9 15:52 file.2
	       0:user::rw-
	       1:group::r--	      #effective:r--
	       2:mask:r--
	       3:other:r--

       Issue the following command:

	 $ chmod A+user:lp:-wx file.2

       Display the new ACL:

	 $ ls -v file.2
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 15:52 file.2
	       0:user::rw-
	       1:user:lp:-wx	      #effective:---
	       2:group::r--	      #effective:r--
	       3:mask:r--
	       4:other:r--

       Example 8 Inserting an ACL Entry in a Specific Position on a ZFS file

       The following example inserts an ACL entry in a specific position on a ZFS file system. It
       also illustrates the compact ACL format.

       First, display the ACL to pick a location to insert a new ACE.

	 % ls -V file.1
	 -rw-r--r--+  1 root	 root		0 Oct  6 12:16 file.1
	      user:lp:rw------------:------:allow
	       owner@:--x-----------:------:deny
	       owner@:rw-p---A-W-Co-:------:allow
	       group@:-wxp----------:------:deny
	       group@:r-------------:------:allow
	    everyone@:-wxp---A-W-Co-:------:deny
	    everyone@:r-----a-R-c--s:------:allow

       Next, insert a new entry in location 3.	 This  causes  the  entries  that  are	currently
       in position 3 - 6 to be pushed down.

       Issue the following command:

	 $ chmod A3+user:marks:r:deny file.1

       Display the new ACL:

	 $ ls -V file.1
	 -rw-r--r--+  1 root	 staff		0 Feb  3 14:13 file.1
	      user:lp:rw------------:------:allow
	       owner@:--x-----------:------:deny
	       owner@:rw-p---A-W-Co-:------:allow
	   user:marks:r-------------:------:deny
	       group@:-wxp----------:------:deny
	       group@:r-------------:------:allow
	    everyone@:-wxp---A-W-Co-:------:deny
	    everyone@:r-----a-R-c--s:------:allow

       Example 9 Inserting a POSIX-draft ACL in a Specific Position on a UFS File

       The file system reorders ACLs when they are stored in the file system. The following exam-
       ple illustrates this behavior.

	 $ ls -v file.1
	 -rw-r--r--+  1 root	 root		0 Sep 29 16:10 file.1
	       0:user::rw-
	       1:user:lp:rw-	      #effective:r--
	       2:group::r--	      #effective:r--
	       3:mask:r--
	       4:other:r--

       Now, insert an entry at index position 3.  The command works, but the file system reorders
       the ACL.

	 $ chmod A3+user:marks:rw- file.1
	 $ ls -v file.1
	 -rw-r--r--+  1 root	 root		0 Sep 29 16:10 file.1
	       0:user::rw-
	       1:user:lp:rw-	       #effective:r--
	       2:user:marks:rw-        #effective:r--
	       3:group::r--	       #effective:r--
	       4:mask:r--
	       5:other:r--

       Rather  than  inserting	the  ACL entry in position 3 as requested, it actually ends up in
       position 2.

       Example 10 Removing an ACL Entry on a ZFS File

       The following example removes the lp entry from an ACL:

	 $ ls -v file.3
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 15:49 file.3
	       0:user:lp:read_data:deny
	       1:owner@:execute:deny
	       2:owner@:read_data/write_data/append_data/write_xattr/
		  write_attributes/write_acl/write_owner:allow
	       3:group@:write_data/append_data/execute:deny
	       4:group@:read_data:allow
	       5:everyone@:write_data/append_data/write_xattr/execute/
		  write_attributes/write_acl/write_owner:deny
	       6:everyone@:read_data/read_xattr/read_attributes/read_acl/
		  synchronize:allow

	 $ chmod A-user:lp:read_data:deny file.3
	 $ ls -v file.3
	 -rw-r--r--   1 marks	 staff		0 Oct  9 15:49 file.3
	       0:owner@:execute:deny
	       1:owner@:read_data/write_data/append_data/write_xattr/
		  write_attributes/write_acl/write_owner:allow
	       2:group@:write_data/append_data/execute:deny
	       3:group@:read_data:allow
	       4:everyone@:write_data/append_data/write_xattr/execute/
		  write_attributes/write_acl/write_owner:deny
	       5:everyone@:read_data/read_xattr/read_attributes/read_acl/
		  synchronize:allow

       Example 11 Removing a POSIX-draft ACL on a UFS File

       The following example removes the lp entry from an ACL:

	 $ ls -v file.2
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 15:52 file.2
	       0:user::rw-
	       1:user:lp:-wx	       #effective:---
	       2:group::r--	       #effective:r--
	       3:mask:r--
	       4:other:r--

	 $ chmod A-user:lp:-wx file.2
	 $ ls -v file.2
	 -rw-r--r--   1 marks	 staff		0 Oct  9 15:52 file.2
	       0:user::rw-
	       1:group::r--	       #effective:r--
	       2:mask:r--
	       3:other:r--

       Example 12 Removing a Specific ACL Entry by Index Number on a ZFS File

       Consider the following ACL:

	 $ ls -v file
	     0:group:staff:read_data/write_data/execute/read_acl:allow
	     1:user:bin:read_data:deny
	     2:user:bin:read_data:allow
	     3:owner@:write_data/append_data:deny
	     4:owner@:read_data/write_xattr/execute/write_attributes/write_acl
		 /write_owner:allow
	     5:group@:write_data/append_data:deny
	     6:group@:read_data/execute:allow
	     7:everyone@:write_data/append_data/write_xattr/write_attributes
		 /write_acl/write_owner:deny
	     8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
		 /synchronize:allow

       Remove the second user entry for bin.

	 $ chmod A2- file
	 $ ls -v file
	     0:group:staff:read_data/write_data/execute/read_acl:allow
	     1:user:bin:read_data:deny
	     2:owner@:write_data/append_data:deny
	     3:owner@:read_data/write_xattr/execute/write_attributes/write_acl
		/write_owner:allow
	     4:group@:write_data/append_data:deny
	     5:group@:read_data/execute:allow
	     6:everyone@:write_data/append_data/write_xattr/write_attributes
		/write_acl/write_owner:deny
	     7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
		/synchronize:allow

       Example 13 Removing a Specific POSIX-draft ACL Entry on a UFS File

       The following example removes the lp entry by index number from the following ACL:

	 $ ls -v file.1
	 -rw-r--r--+  1 root	 root		0 Sep 29 16:10 file.1
	       0:user::rw-
	       1:user:lp:rw-		  #effective:r--
	       2:group::r--		  #effective:r--
	       3:mask:r--
	       4:other:r--

	       $ chmod A1- file.1
	       $ ls -v
	 -rw-r--r--+  1 root	 root		0 Sep 29 16:10 file.1
	       0:user::rw-
	       1:group::r--		  #effective:r--
	       2:mask:r--
	       3:other:r--

       Example 14 Removing All ACLs From a File

       The following command works with either NFSv4/ZFS or POSIX-draft ACLs.

       Consider the following ACL:

	 $ ls -v file.3
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 15:49 file.3
	       0:user:lp:read_data/write_data:allow
	       1:user:marks:read_acl:allow
	       2:owner@:execute:deny
	       3:owner@:read_data/write_data/append_data/write_xattr/
		  write_attributes/write_acl/write_owner:allow
	       4:group@:write_data/append_data/execute:deny
	       5:group@:read_data:allow
	       6:everyone@:write_data/append_data/write_xattr/execute/
		  write_attributes/write_acl/write_owner:deny
	       7:everyone@:read_data/read_xattr/read_attributes/read_acl/
		  synchronize:allow

       The existing ACL is effectively removed and is replaced with an ACL  that  represents  the
       permission bits of the file.

	 $ chmod A- file.3
	 $ ls -v file.3
	 -rw-r--r--  1 marks	staff	       0 Oct  9 15:49 file.3
	      0:owner@:execute:deny
	      1:owner@:read_data/write_data/append_data/write_xattr/
		 write_attributes/write_acl/write_owner:allow
	      2:group@:write_data/append_data/execute:deny
	      3:group@:read_data:allow
	      4:everyone@:write_data/append_data/write_xattr/execute/
		 write_attributes/write_acl/write_owner:deny
	      5:everyone@:read_data/read_xattr/read_attributes/read_acl/
		synchronize:allow

       Example 15 Replacing an Entire ACL Entry on a ZFS File

       Use the following chmod syntax if you want to replace an ACL in its entirety:

	 $ chmod A=owner@:read_data/write_data:allow,group@:read_data/
			write_data:allow,user:lp:read_data:allow file.4
	 $ ls -v file.4
	 -rw-rw----+  1 marks	 staff		0 Oct  9 16:12 file.4
		0:owner@:read_data/write_data:allow
		1:group@:read_data/write_data:allow
		2:user:lp:read_data:allow

       Example 16 Replacing an Entire POSIX-draft ACL on a UFS File

       This  operation	is  a  little  more complicated.  The replacement ACL needs the necessary
       entries to represent the file owner, file group owner,  other,  mask  and  any  additional
       entries you wish to set.

	 $ chmod A=user::rw-,group::rw-,other::---,mask:r--,
		       user:lp:r-- file.3
	 $ ls -v file.3
	 -rw-r-----+  1 root	 root		0 Oct  9 16:14 file.3
		 0:user::rw-
		 1:user:lp:r--	      #effective:r--
		 2:group::rw-	      #effective:r--
		 3:mask:r--
		 4:other:---

       Example 17 Replacing a Specific Entry on a ZFS File

       Consider the following ACL.

	 $ ls -v file.5
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 16:18 file.5
	      0:user:marks:read_data:allow
	      1:owner@:execute:deny
	      2:owner@:read_data/write_data/append_data/write_xattr/
		 write_attributes/write_acl/write_owner:allow
	      3:group@:write_data/append_data/execute:deny
	      4:group@:read_data:allow
	      5:everyone@:write_data/append_data/write_xattr/execute/
		 write_attributes/write_acl/write_owner:deny
	      6:everyone@:read_data/read_xattr/read_attributes/read_acl/
		 synchronize:allow

       Now, change the allow access to a deny for user marks:

	 $ chmod A0=user:marks:read_data:deny file.5
	 $ ls -v file.5
	 -rw-r--r--+  1 marks	staff	       0 Aug 23 09:11 file.5
	 0:user:marks:read_data:deny
	 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
	      /write_acl/write_owner:allow
	 2:group@:write_data/append_data/execute:deny
	 3:group@:read_data:allow
	 4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
	      /write_acl/write_owner:deny
	 5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
	      :allow

       Example 18 Replacing a Specific POSIX-draft ACL on a UFS File

       Consider the following ACL.

	 $ ls -v file.4
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 16:21 file.4
		 0:user::rw-
		 1:user:lp:rwx	       #effective:r--
		 2:group::r--	       #effective:r--
		 3:mask:r--
		 4:other:r--

       Now, change the permission on lp from rwx to r--:

	 $ chmod A1=user:lp:r-- file.4

	 $ ls -v file
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 16:21 file.4
		 0:user::rw-
		 1:user:lp:r--	       #effective:r--
		 2:group::r--	       #effective:r--
		 3:mask:r--
		 4:other:r--

       Example 19 Setting ACL Inheritance Flags on a ZFS File

       You  can  only set inheritance flags on ZFS files. When setting ACLs on directories,  sev-
       eral inheritance flags can be optionally set.

       Suppose you have an ACL entry for user lp that you want to be  inherited to newly  created
       files  in  a  directory.  First, you need to create an inheritable ACL entry on the direc-
       tory:

	 $ chmod A+user:lp:read_data:file_inherit:allow test.dir
	 $ ls -dv test.dir
	 drwxr-xr-x+  2 marks	staff	       2 Aug 23 09:08 test.dir/
	 0:user:lp:read_data:file_inherit:allow
	 1:owner@::deny
	 2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
	      /append_data/write_xattr/execute/write_attributes/write_acl
	      /write_owner:allow
	 3:group@:add_file/write_data/add_subdirectory/append_data:deny
	 4:group@:list_directory/read_data/execute:allow
	 5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
	      /write_attributes/write_acl/write_owner:deny
	 6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
	      /read_acl/synchronize:allow

       The lp entry is inherited to newly created files in the directory test.dir.

	 $ touch test.dir/file.test
	 $ ls -v test.dir/file.test
	 -rw-r--r--+  1 marks	 staff		0 Oct  9 16:29 test.dir/file.test
	      0:user:lp::deny
	      1:user:lp:read_data:allow
	      2:owner@:execute:deny
	      3:owner@:read_data/write_data/append_data/write_xattr/
		  write_attributes/write_acl/write_owner:allow
	      4:group@:write_data/append_data/execute:deny
	      5:group@:read_data:allow
	      6:everyone@:write_data/append_data/write_xattr/execute/
		  write_attributes/write_acl/write_owner:deny
	      7:everyone@:read_data/read_xattr/read_attributes/read_acl/
	  synchronize:allow

       The user lp entry is inherited to the newly created file.  Multiple  combinations  of  the
       inheritance  flags  can	be  specified. For example, if you wanted the lp entry to also be
       inherited to  directories, then the following command can be used:

	 $ chmod A+user:lp:read_data:file_inherit/\
	       dir_inherit:allow test.dir

       Example 20 Replacing System Attributes of a ZFS File

       The following examples replace system attributes of a ZFS file:

	 $ chmod S=v{archive,hidden,readonly,system,appendonly,\
	      nonodump,immutable,noav_modified,noav_quarantined,\
	      nounlink} file1

       or

	 $ chmod S=c{AHRSaiu} file1

       or

	 $ chmod S=c{AHRSa-i--u} file1

       or

	 $ chmod S=cAHRSaiu file1

       or

	 $ chmod -@ '..' S=cAHRSaiu file1

       Assuming appropriate privileges, this results in the following system attributes of  file1
       being  set: archive, hidden, readonly, system, appendonly, immutable, and nounlink. Assum-
       ing appropriate privileges, the following system attributes of file1 are cleared:  nodump,
       av_modified, and av_quarantined.

       Example 21 Clearing All System Attributes of a ZFS File

       The following examples clears all system attributes of a ZFS file:

	 $ chmod S-a file1

       or

	 $ chmod -@ '..' S-a file1

       Assuming  appropriate  privileges, all boolean read-write system attributes are cleared on
       file1.

       Example 22 Setting a System Attribute of a Named Attribute File of a ZFS File

       The following example sets a system attribute of a named attribute file of a ZFS file, but
       not of the file itself:

	 $ chmod -@ myattr S+vhidden file1

       This  results in the hidden system attribute being set for the named attribute file myattr
       of file1, but not the file itself.

       Example 23 Setting a System Attribute of All Named Attribute File of a ZFS File

       The following example sets a system attribute of all named attribute files of a ZFS  file,
       but not of the file itself:

	 $ chmod -@ '*' S+a file1

       Example 24 Setting a System Attribute of All Named Attribute Files of a ZFS File

       The  following example sets a system attribute of all named attribute files of a ZFS file,
       as well as of the file itself:

	 $ chmod -@ '..' -@ '*' S+vhidden file1

       This results in the hidden system attribute being set for all  named  attribute	files  of
       file1, as well as the file itself.

       Example 25 Recursively Descending Through a Directory Hierarchy

       The  following  example	recursively  descends through a directory hierarchy, and sets all
       system attributes of all named attribute files, the ZFS file operands, as well as  of  the
       directory itself:

	 $ chmod -R -@ '..' -@ '*' S+a directory1

       This results in the hidden system attribute being set for all named attribute files of all
       regular files and directories within the directory hierarchy of directory1, as well as  of
       directory1 itself.

       Example 26 Setting the hidden and system System Attributes of a ZFS File

       The following examples set the hidden and system system attributes of a ZFS file:

	 $ chmod S+cHS file1

       or

	 $ chmod S+vhidden,+vsystem file1

       or

	 $ chmod S+v{hidden,system} file1

       or

	 $ chmod S+c{-HS--------} file1

       or

	 $ chmod S-v{nohidden,nosystem} file1

       or

	 $ chmod S-v{hidden,system},+v{hidden,system} file1

       Example 27 Clearing All System Attributes of a ZFS File

       The following example clears all system attributes of a ZFS file:

	 $ chmod S-a file1

       or

	 $ chmod S=v{} file1

       In the following two examples, the last attribute operation specified takes precedence.

       In this example, the replacement attribute name list ({}) clears all system attributes for
       file1:

	 $ chmod S+cHS,=v{} file1

       In this example, the clear attributes operation	(-a)  clears  all  system  attributes  of
       file1:

	 $ chmod S+vhidden,+vsystem,-a file1

       Example 28 Setting the Values of All Boolean read-write System Attributes of a File

       The  following  example	sets  the values of all boolean read-write system attributes of a
       file to the same as the boolean read-write system attributes of another file:

	 $ chmod S=v`ls -/v file1|sed -n '2s/.*{/{/p'` file2

       Assuming appropriate privileges and that file1 and file2 have the  same	supported  system
       attributes,  all system attributes of file1 that are set are also set on file2. All system
       attributes of file1 that are cleared are also cleared on file2.

ENVIRONMENT VARIABLES
       See environ(5) for descriptions of the following environment  variables	that  affect  the
       execution of chmod: LANG, LC_ALL, LC_CTYPE, LC_MESSAGES, and NLSPATH.

EXIT STATUS
       The following exit values are returned:

       0     Successful completion.

       >0    An error occurred.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+
       |CSI			     |Enabled			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+

SEE ALSO
       getfacl(1),  ls(1), setfacl(1), chmod(2), fgetattr(3C), acl(5), attributes(5), environ(5),
       fsattr(5), largefile(5), standards(5)

NOTES
       Absolute changes do not work for the set-group-ID bit of a directory. You must use g+s  or
       g-s.

       chmod  permits you to produce useless modes so long as they are not illegal (for instance,
       making a text file executable). chmod does not check the file type  to  see  if	mandatory
       locking is meaningful.

       If the filesystem is mounted with the nosuid option, setuid execution is not allowed.

       If  you	use  chmod to change the file group owner permissions on a file with ACL entries,
       both the file group owner permissions and the ACL mask are changed to the new permissions.
       Be  aware that the new ACL mask permissions can change the effective permissions for addi-
       tional users and groups who have ACL entries on the file. Use the getfacl(1) or	ls(1)com-
       mand to make sure the appropriate permissions are set for all ACL entries.

SunOS 5.11				   11 Dec 2008					 chmod(1)


All times are GMT -4. The time now is 12:48 AM.



All times are GMT -4. The time now is 12:48 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password