Programming Tutorials

Change access permissions (file modes)

Syntax

      chmod [-fv] [-R [-H | -L | -P]] mode file ...

      chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...

      chmod [-fhv] [-R [-H | -L | -P]] [ACL_Option] file ...

Options
   -R         Recurse: Change the mode of file hierarchies rooted in the files
              instead of just the files themselves.

   -R -H      Follow symbolic links on the command line
              (by default Symbolic links within the tree are not followed.)	       
   -R -L      All symbolic links are followed.
   -R -P      No symbolic links are followed. (default)
	     
   -f         Do not display a diagnostic message if chmod could not modify the
              mode for file.

   -h         If the file is a symbolic link, change the mode of the link
              itself rather than the file that the link points to.

   -v         Verbose, show filenames as the mode is modified *

   -v -v      Very Verbose: display both old and new modes of the file
              in both octal and symbolic notation *

ACL_Options
   -E         Read the ACL information from stdin, as a sequential list of ACEs,
              separated by newlines.  If the information parses correctly,
              the existing information is replaced.

   -C         Returns false if any of the named files have ACLs in non-canonical
              order.

   -N         Remove the ACL from the named file(s).

ACL_manipulation_options
   +a mode    Insert a new ACL entry 
   +a# mode   Insert a new ACL entry with specific ordering
   -a mode    Delete an ACL entry
   =a# mode   Rewrite an Individual entry
   -i         Remove the 'inherited' bit from all entries in the named file(s) ACLs.
   -I         Remove all inherited entries from the named file(s) ACL(s).

chmod changes the permissions of each given file according to mode, which can be either an octal number representing the bit pattern for the new permissions or a symbolic representation of changes to make, (+-= rwxXstugoa)

* The -v option is non-standard and its use in scripts is not recommended.

Numeric (absolute) mode:

From one to four octal digits
Any omitted digits are assumed to be leading zeros. 

The first digit = selects attributes for the set user ID (4) and set group ID (2) and save text image (1)
The second digit = permissions for the user who owns the file: read (4), write (2), and execute (1)
The third digit = permissions for other users in the file's group: read (4), write (2), and execute (1)
The fourth digit = permissions for other users NOT in the file's group: read (4), write (2), and execute (1)

The octal (0-7) value is calculated by adding up the values for each digit
User (rwx) = 4+2+1 = 7
Group(rx) = 4+1 = 5
World (rx) = 4+1 = 5
chmod mode = 0755

Numeric Mode Examples:

Allow read permission to everyone:
$ chmod 444 file

Allow everyone to read, and execute the file: 
$ chmod 755 file

Make a file readable and writable by the group and others:
$ chmod 066 file

Symbolic Mode

The format of a symbolic mode is [who...][[+-=][perm...]...][,...]

Multiple symbolic operations can be given, separated by commas.

who - a combination of the letters `ugoa' controls which users' access to the file will be changed:

u The User who owns it 
g other users in the file's Group 
o Other users not in the file's group 
a All users, this is equivalent to (ugo) 
If none of these are given, the effect is as if (a) were given, but bits that are set in the umask are not affected.

+-= 
The operator '+' causes the permissions selected to be added to the existing permissions of each file;
'-' causes them to be removed; and '=' causes them to be the only permissions that the file has.
if = is specified with no who then all (owner, group and other) will be cleared.

perm
The letters 'rwxXstugo' select the new permissions for the affected users:

r Read 
w Write
x Execute/search (or access for directories) 
X Execute/search only if the file is a directory or already has execute permission for some user 
s Set user or group ID on execution
t The sticky bit
u User permission
g Group permission
o Other permission (users not in the file's group)

Symbolic Mode Examples:

Deny execute permission to everyone: 
$ chmod a-x file

Allow read permission to everyone:
$ chmod a+r file

Make a file readable and writable by the group and others: 
$ chmod go+rw file

Make a shell script executable by the user/owner 
$ chmod u+x myscript.sh

Allow everyone to read, write, and execute the file and turn on the set group-ID: 
$ chmod =rwx,g+s file

ACL - Access Control List manipulation

Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions.

Filesystem object permissions:

delete Delete the item. Deletion may be granted by either this permission on an object or the delete_child right on the containing directory.
readattr Read an objects basic attributes. This is implicitly granted if the object can be looked up and not explicitly denied.
writeattr Write an object's basic attributes.
readextattr Read extended attributes.
writeextattr Write extended attributes.
readsecurity Read an object's extended security information (ACL).
writesecurity Write an object's security information (ownership, mode,ACL).
chown Change an object's ownership.

Directory permissions:

list List entries.
search Look up files by name.
add_file Add a file.
add_subdirectory Add a subdirectory.
delete_child Delete a contained object. See the file delete permission above.

Non-directory filesystem object permissions:

read Open for reading.
write Open for writing.
append Open for writing, but in a fashion that only allows writes into areas of the file not previously written.
execute Execute the file as a script or program.

Directory ACL inheritance permissions:

file_inherit Inherit to files.
directory_inherit Inherit to directories.
limit_inherit for subdirectory inheritance; this causes the directory_inherit flag to be cleared, preventing further subdirectories from also inheriting the entry.
only_inherit The entry is inherited by created items but not considered when processing the ACL.

In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specify the type of name.

ACL Examples

$ chmod +a "admin allow write" myfile.txt
$ chmod +a "guest deny read" myfile.txt
$ chmod +a "admin allow delete" myfile.txt
$ chmod +ai "others allow read" myfile.txt
$ chmod +a# 2 "others deny read" myfile.txt
$ chmod -a# 1 myfile.txt
$ chmod -a "admin allow write" myfile.txt
$ chmod =a# 1 "admin allow write,chown"

Notes:

Only the owner of a file or the super-user is permitted to change the mode of a file.

The return status is zero if the mode is successfully changed, non-zero otherwise.

When chmod is applied to a directory: 
read = list files in the directory
write = add new files to the directory 
execute = access files in the directory 

chmod never changes the permissions of symbolic links. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.