access permissions (file modes)
chmod [-fv] [-R [-H | -L | -P]] mode file ...
chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...
chmod [-fhv] [-R [-H | -L | -P]] [ACL_Option] file ...
-R Recurse: Change the mode of file hierarchies rooted in the files
instead of just the files themselves.
-R -H Follow symbolic links on the command line
(by default symbolic links within the tree are not followed.)
-R -L All symbolic links are followed.
-R -P No symbolic links are followed. (default)
-f Do not display a diagnostic message if chmod could not modify the
mode for file.
-h If the file is a symbolic link, change the mode of the link
itself rather than the file that the link points to.
-v Verbose, show filenames as the mode is modified *
-v -v Very Verbose: display both old and new modes of the file
in both octal and symbolic notation *
-E Read the ACL information from stdin, as a sequential list of ACEs,
separated by newlines. If the information parses correctly,
the existing information is replaced.
-C Returns false if any of the named files have ACLs in non-canonical
-N Remove the ACL from the named file(s).
+a mode Insert a new ACL entry
+a# mode Insert a new ACL entry with specific ordering
-a mode Delete an ACL entry
=a# mode Rewrite an individual entry
-i Remove the 'inherited' bit from all entries in the named file(s) ACLs.
-I Remove all inherited entries from the named file(s) ACL(s).
chmod changes the permissions of each given file according
to mode, which can be
either an octal number representing the bit pattern for the new permissions or a
symbolic representation of changes to make, (+-=
* The -v option is non-standard and its use in scripts is not recommended.
A numeric mode is from one to four octal digits.
Any omitted digits are assumed to be leading zeros.
The first digit = selects attributes for the set user ID (4), set group ID (2) and save text image (1)
The second digit = permissions for the user who owns the file: read (4), write (2), and execute (1)
The third digit = permissions for other users in the file's group: read (4), write (2), and execute (1)
The fourth digit = permissions for other users NOT in the file's group: read (4), write (2), and execute (1)
The octal (0-7) value is calculated by adding up the values for each digit
User (rwx) = 4+2+1 = 7
Group(rx) = 4+1 = 5
World (rx) = 4+1 = 5
chmod mode = 0755
Allow read permission to everyone:
chmod 444 file
Allow everyone to read and execute the file:
chmod 755 file
Make a file readable and writable by the group and others:
chmod 066 file
The format of a symbolic mode is [who...][[+-=][perm...]...][,...]
Multiple symbolic operations can be given, separated by commas.
A combination of the letters `ugoa' controls which users'
access to the file will be changed:
u  User who owns it
g  users in the file's Group
o  users not in the file's group
a  All users, this is equivalent to (ugo)
If none of these are given, the effect is as if (a)
were given, but bits that are set in the umask are not affected.
The operator '+' causes the permissions selected to be added to the existing
permissions of each file; '-' causes them to be removed; and '=' causes them
to be the only permissions that the file has.
If = is specified with no who then all (owner, group and other) will be cleared.
The letters 'rwxXstugo' select the new permissions for
the affected users:
(or access for directories)
only if the file is a directory or already has execute permission for some
user or group ID on execution
permission (users not in the file's group)
Deny execute permission to everyone:
chmod a-x file
Allow read permission to everyone:
chmod a+r file
Make a file readable and writable by the group and others:
chmod go+rw file
Make a shell script executable by the user/owner
chmod u+x myscript.sh
Allow everyone to read, write, and execute the file and turn on the set
chmod =rwx,g+s file
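Added example (not part of the original manual page): a small Python evaluator for the symbolic mode grammar above, showing how who, operator, X and the umask rule combine, including why `=rwx,g+s` with no who yields 2755 rather than 2777 under a umask of 022. The name apply_symbolic and its parameters are hypothetical; the `t` letter and ACLs are not handled.

```python
import re

# Bits each "who" class may touch: its special bit plus its rwx triple.
WHO_MASK = {"u": 0o4700, "g": 0o2070, "o": 0o0007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111, "s": 0o6000}
SHIFT = {"u": 6, "g": 3, "o": 0}
CLAUSE = re.compile(r"([ugoa]*)((?:[+=-](?:[ugo]|[rwxXs]*))+)")
ACTION = re.compile(r"([+=-])([ugo]|[rwxXs]*)")


def apply_symbolic(mode, spec, is_dir=False, umask=0o022):
    """Return the mode left by `chmod spec` on a file whose mode was `mode`."""
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, actions = m.groups()
        if who:
            affected = 0
            for w in who.replace("a", "ugo"):
                affected |= WHO_MASK[w]
            limit = affected
        else:
            # No who: acts like 'a', but bits set in the umask are left alone.
            affected, limit = 0o7777, 0o7777 & ~umask
        for op, perms in ACTION.findall(actions):
            if perms in SHIFT:  # copy the current u, g or o triple
                bits = ((mode >> SHIFT[perms]) & 7) * 0o111
            else:
                bits = 0
                for p in perms:
                    if p == "X":  # execute only for dirs or already-executable files
                        bits |= 0o111 if (is_dir or mode & 0o111) else 0
                    else:
                        bits |= PERM_BITS[p]
            bits &= limit
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:  # '=' clears everything the clause covers, then sets
                mode = (mode & ~affected) | bits
    return mode


# Constructed inputs; the starting mode 0644 and umask 022 are sample values.
if __name__ == "__main__":
    print(oct(apply_symbolic(0o644, "=rwx,g+s")))   # who omitted: umask applies
    print(oct(apply_symbolic(0o644, "a=rwx,g+s")))  # explicit 'a': umask ignored
```

When a script must produce an exact mode regardless of the caller's umask, give an explicit who (or an octal mode) rather than relying on the bare operator form.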
- Access Control List manipulation
Each file has one ACL, containing an ordered list of entries. Each entry refers to a
user or group, and grants or denies a set of permissions.
the item. Deletion may be granted by either this permission on an object or the
delete_child right on the containing directory.
an object's basic attributes. This is implicitly granted if the object can be
looked up and not explicitly denied.
an object's basic attributes.
an object's extended security information (ACL).
an object's security information (ownership, mode, ACL).
an object's ownership.
up files by name.
a contained object. See the file delete permission above.
filesystem object permissions:
for writing, but in a fashion that only allows writes into areas of the file not
the file as a script or program.
ACL inheritance permissions:
subdirectory inheritance; this causes the directory_inherit flag to be cleared,
preventing further subdirectories from also inheriting the entry.
entry is inherited by created items but not considered when processing the ACL.
In cases where a user and a group exist with the same name, the user/group name can
be prefixed with "user:" or "group:" in order to specify the
type of name.
$ chmod +a "admin allow write" myfile.txt
$ chmod +a "guest deny read" myfile.txt
$ chmod +a "admin allow delete" myfile.txt
$ chmod +ai "others allow read" myfile.txt
$ chmod +a# 2 "others deny read" myfile.txt
$ chmod -a# 1 myfile.txt
$ chmod -a "admin allow write" myfile.txt
$ chmod =a# 1 "admin allow write,chown" myfile.txt
Only the owner of a file or the super-user is permitted to change the mode of a file.
The return status is zero if the mode is successfully changed, non-zero otherwise.
When chmod is applied to a directory:
read = list files in the directory
write = add new files to the directory
execute = access files in the directory
chmod never changes the permissions of symbolic links. This is not a problem
since the permissions of symbolic links are never used. However, for each
symbolic link listed on the command line, chmod changes the permissions of the
pointed-to file. In contrast, chmod ignores symbolic links encountered during
recursive directory traversals.