2 .\" Sun Microsystems, Inc. gratefully acknowledges The Open Group for
3 .\" permission to reproduce portions of its copyrighted documentation.
4 .\" Original documentation from The Open Group can be obtained online at
5 .\" http://www.opengroup.org/bookstore/.
7 .\" The Institute of Electrical and Electronics Engineers and The Open
8 .\" Group, have given us permission to reprint portions of their
11 .\" In the following statement, the phrase ``this text'' refers to portions
12 .\" of the system documentation.
14 .\" Portions of this text are reprinted and reproduced in electronic form
15 .\" in the SunOS Reference Manual, from IEEE Std 1003.1, 2004 Edition,
16 .\" Standard for Information Technology -- Portable Operating System
17 .\" Interface (POSIX), The Open Group Base Specifications Issue 6,
18 .\" Copyright (C) 2001-2004 by the Institute of Electrical and Electronics
19 .\" Engineers, Inc and The Open Group. In the event of any discrepancy
20 .\" between these versions and the original IEEE and The Open Group
21 .\" Standard, the original IEEE and The Open Group Standard is the referee
22 .\" document. The original Standard can be obtained online at
23 .\" http://www.opengroup.org/unix/online.html.
25 .\" This notice shall appear on any product containing this material.
27 .\" The contents of this file are subject to the terms of the
28 .\" Common Development and Distribution License (the "License").
29 .\" You may not use this file except in compliance with the License.
31 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
32 .\" or http://www.opensolaris.org/os/licensing.
33 .\" See the License for the specific language governing permissions
34 .\" and limitations under the License.
36 .\" When distributing Covered Code, include this CDDL HEADER in each
37 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
38 .\" If applicable, add the following below this CDDL HEADER, with the
39 .\" fields enclosed by brackets "[]" replaced with your own identifying
40 .\" information: Portions Copyright [yyyy] [name of copyright owner]
43 .\" Copyright 1989 AT&T.
44 .\" Portions Copyright (c) 1992, X/Open Company Limited All Rights Reserved
45 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
46 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
48 .TH CHMOD 1 "Nov 24, 2014"
50 chmod \- change the permissions mode of a file
54 \fBchmod\fR [\fB-fR\fR] \fIabsolute-mode\fR \fIfile\fR ...
59 \fBchmod\fR [\fB-fR\fR] \fIsymbolic-mode-list\fR \fIfile\fR ...
64 \fBchmod\fR [\fB-fR\fR] \fIacl_operation\fR \fIfile\fR ...
69 \fBchmod\fR [\fB-fR\fR] [\fB-@\fR \fInamed_attribute\fR]...\fIattribute_specification_list\fR \fIfile\fR ...
74 The \fBchmod\fR utility changes or assigns the mode of a file.
77 \fBchmod\fR can also be used to modify Access Control Lists (ACLs) on files and
78 directories, and to modify boolean read-write system attributes on regular
79 files, directories, and opaque extended attribute files.
82 An absolute mode command line has the following format:
85 \fBchmod\fR [\fIoptions\fR] \fIabsolute-mode\fR \fIfile\fR ...
88 where \fIabsolute-mode\fR is specified using octal numbers \fInnnn\fR defined
96 a number from \fB0\fR to \fB7\fR. An absolute mode is constructed from the OR
97 of any of the following modes:
104 Set user \fBID\fR on execution.
110 \fB\fB20\fR\fI\|#\|\fR\fB0\fR\fR
113 Set group \fBID\fR on execution if \fI#\fR is \fB7\fR, \fB5\fR, \fB3\fR, or
116 Enable mandatory locking if \fI#\fR is \fB6\fR, \fB4\fR, \fB2\fR, or \fB0\fR.
118 For directories, files are created with BSD semantics for propagation of the
119 group ID. With this option, files and subdirectories created in the directory
120 inherit the group ID of the directory, rather than of the current process. For
121 directories, the set-gid bit can only be set or cleared by using symbolic mode.
130 Turn on sticky bit. See \fBchmod\fR(2).
148 Allow write by owner.
157 Allow execute (search in directory) by owner.
166 Allow read, write, and execute (search) by owner.
184 Allow write by group.
193 Allow execute (search in directory) by group.
202 Allow read, write, and execute (search) by group.
211 Allow read by others.
220 Allow write by others.
229 Allow execute (search in directory) by others.
238 Allow read, write, and execute (search) by others.
245 For directories, the \fBsetgid\fR bit cannot be set (or cleared) in absolute
246 mode; it must be set (or cleared) in symbolic mode using \fBg+s\fR (or
250 A symbolic mode command line has the following format:
253 \fBchmod\fR [\fIoptions\fR] \fIsymbolic-mode-list\fR \fIfile\fR ...
256 where \fIsymbolic-mode-list\fR is a comma-separated list (with no intervening
257 white space) of symbolic mode expressions of the form:
260 [\fBwho\fR] \fIoperator\fR [\fIpermissions\fR]
263 Operations are performed in the order given. Multiple \fIpermissions\fR letters
264 following a single operator cause the corresponding operations to be performed
272 zero or more of the characters \fBu\fR, \fBg\fR, \fBo\fR, and \fBa\fR
273 specifying whose permissions are to be changed or assigned:
307 all permissions (user, group, and other)
310 If \fBwho\fR is omitted, it defaults to \fBa\fR, but the setting of the file
311 mode creation mask (see \fBumask\fR in \fBsh\fR(1) or \fBcsh\fR(1) for more
312 information) is taken into account. When \fBwho\fR is omitted, \fBchmod\fR does
313 not override the restrictions of your user mask.
322 either \fB+\fR, \fB\(mi\fR, or \fB=\fR, signifying how permissions are to be
332 If \fIpermissions\fR are omitted, nothing is added.
334 If \fBwho\fR is omitted, add the file mode bits represented by
335 \fIpermissions\fR, \fIexcept\fR for the those with corresponding bits in the
336 file mode creation mask.
338 If \fBwho\fR is present, add the file mode bits represented by the
348 Take away permissions.
350 If \fIpermissions\fR are omitted, do nothing.
352 If \fBwho\fR is omitted, clear the file mode bits represented by
353 \fIpermissions\fR, \fIexcept\fR for those with corresponding bits in the file
356 If \fBwho\fR is present, clear the file mode bits represented by
366 Assign permissions absolutely.
368 If \fBwho\fR is omitted, clear all file mode bits; if \fBwho\fR is present,
369 clear the file mode bits represented by \fBwho\fR.
371 If \fIpermissions\fR are omitted, do nothing else.
373 If \fBwho\fR is omitted, add the file mode bits represented by
374 \fIpermissions\fR, \fIexcept\fR for the those with corresponding bits in the
375 file mode creation mask.
377 If \fBwho\fR is present, add the file mode bits represented by
381 Unlike other symbolic operations, \fB=\fR has an absolute effect in that it
382 resets all other bits represented by \fBwho\fR. Omitting \fIpermissions\fR is
383 useful only with \fB=\fR to take away all permissions.
389 \fB\fIpermission\fR\fR
392 any compatible combination of the following letters:
453 execute permission if the file is a directory or if there is execute permission
454 for one of the other user classes
460 \fB\fBu\fR,\fBg\fR,\fBo\fR\fR
463 indicate that \fIpermission\fR is to be taken from the current user, group or
464 other mode respectively.
467 Permissions to a file can vary depending on your user identification number
468 (UID) or group identification number (GID). Permissions are described in three
469 sequences each having three characters:
480 This example (user, group, and others all have permission to read, write, and
481 execute a given file) demonstrates two categories for granting permissions: the
482 access class and the permissions themselves.
484 The letter \fBs\fR is only meaningful with \fBu\fR or \fBg\fR, and \fBt\fR only
487 Mandatory file and record locking (\fBl\fR) refers to a file's ability to have
488 its reading or writing permissions locked while a program is accessing that
491 In a directory which has the set-group-ID bit set (reflected as either
492 \fB-----s---\fR or \fB-----l---\fR in the output of \fB\&'ls -ld'\fR), files
493 and subdirectories are created with the group-ID of the parent directory\(emnot
494 that of current process.
496 It is not possible to permit group execution and enable a file to be locked on
497 execution at the same time. In addition, it is not possible to turn on the
498 set-group-ID bit and enable a file to be locked on execution at the same time.
499 The following examples, therefore, are invalid and elicit error messages:
503 chmod g+x,+l \fIfile\fR
504 chmod g+s,+l \fIfile\fR
509 Only the owner of a file or directory (or the super-user) can change that
510 file's or directory's mode. Only the super-user can set the sticky bit on a
511 non-directory file. If you are not super-user, \fBchmod\fR masks the sticky-bit
512 but does not return an error. In order to turn on a file's set-group-ID bit,
513 your own group ID must correspond to the file's and group execution must be
519 An ACL Operation command line has the following format:
523 chmod [\fIoptions\fR] A[\fInumber\fR]- \fIfile\fR ...
524 chmod [\fIoptions\fR] A-\fIacl_specification\fR \fIfile\fR ...
525 chmod [\fIoptions\fR] A[\fIindex\fR]{+|=}\fIacl_specification\fR \fIfile\fR ...
532 Where \fIacl_specification\fR is a comma-separated list (with no intervening
533 white space) of an ACL specification of the form:
537 \fB\fBA[\fIindex\fR]+\fIacl_specification\fR\fR\fR
540 Prepends the access control entries (ACE) specified in \fIacl_specification\fR
541 to the beginning of the file's ACL. Depending on the file system, the ACL can
542 be reordered when applied to the file. If "optional" number is specified then
543 new ACEs are inserted before specified number.
552 Removes all ACEs for current ACL on file and replaces current ACL with new ACL
553 that represents only the current mode of the file.
559 \fB\fBA\fIindex\fR\fR-\fR
562 Removes ACE specified by \fIindex\fR number.
568 \fB\fBA-\fIacl_specification\fR\fR\fR
575 Removes ACEs specified by \fIacl_specification\fR, if they exist in current
582 \fB\fBA=\fIacl_specification\fR\fR\fR
585 Replaces a files entire ACL with \fIacl_specification\fR.
591 \fB\fBA[\fIindex\fR]=\fIacl_specification\fR\fR\fR
594 Replaces ACEs starting at a specific index number in the current ACL on the
595 file. If multiple ACEs are specified, then each subsequent ACE in
596 \fIacl_specification\fR replaces the corresponding ACE in the current ACL.
601 \fBPOSIX-draft ACL Specification (as supported by UFS)\fR
604 POSIX-draft ACLs (as supported by UFS) are specified as colon (\fB:\fR)
605 separated fields of the following.
613 File owner permissions.
619 \fBuser:\fIusername\fR:perms\fR
623 Permissions for a specific user.
633 File group owner permissions.
639 \fBgroup:\fIgroupname:\fRperms\fR
643 Permissions for a specific group.
653 Permissions for user other than the file owner or members of file group owner.
663 The ACL mask. The mask entry specifies the maximum permissions allowed for user
664 (other than that the owner) and for groups.
670 \fBdefault:user::perms\fR
674 Default file owner permissions.
680 \fBdefault:user:\fIusername\fR:perms\fR
684 Default permissions for a specific user.
690 \fBdefault:group::perms\fR
694 Default file group owner permissions.
700 \fBdefault:group:\fIgroupname\fR:perms\fR
704 Default permissions for a specific group.
710 \fBdefault:other:perms\fR
714 Default permissions for user other than the file owner or members of the file
721 \fBdefault:mask:perms\fR
730 The above specification allows for ACLs to be specified such as:
734 user:tom:rw-,mask:rwx,group:staff:r-x
741 \fBNFSv4 ACL Specification (as supported by NFSv4 and ZFS)\fR
744 NFSv4 ACLs provide richer ACL semantics. They provide both allow and deny
745 entries, finer grained permissions, and enhanced inheritance control.
748 NFSv4 ACLs are specified as colon (\fB:\fR) separated fields of the following.
752 \fBowner@:<perms>[:inheritance flags]:<allow|deny>\fR
756 Permissions for file owner.
762 \fBgroup@:<perms>[:inheritance flags]:<allow|deny>\fR
766 Permissions for file group owner.
772 \fBeveryone@:<perms>[:inheritance flags]:<allow|deny>\fR
776 Permissions for everyone, including file owner and group owner.
782 \fBuser:<username>:<perms>[:inheritance flags]:<allow|deny>\fR
786 Permissions for a specific user.
792 \fBusersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>\fR
796 Permissions for a specific user, but user is specified by SID.
802 \fBgroup:<groupname>:<perms>[:inheritance flags]:<allow|deny>\fR
806 Permissions for a specific group.
812 \fBgroupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>\fR
816 Permissions for a specific group, but group is specified by SID.
822 \fBsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>\fR
826 Permissions for a specific SID, but it doesn't matter if it is a user or a
832 Permissions can be specified in three different \fBchmod\fR ACL formats:
833 verbose, compact, or positional. The verbose format uses words to indicate that
834 the permissions are separated with a forward slash (\fB/\fR) character. Compact
835 format uses the permission letters and positional format uses the permission
836 letters or the hyphen (\fB-\fR) to identify no permissions.
839 The permissions for verbose mode and their abbreviated form in parentheses for
840 compact and positional mode are described as follows:
844 \fBread_data (\fBr\fR)\fR
847 Permission to read the data of a file.
853 \fBlist_directory (\fBr\fR)\fR
856 Permission to list the contents of a directory.
862 \fBwrite_data (\fBw\fR)\fR
865 Permission to modify a file's data. anywhere in the file's offset range.
871 \fBadd_file (\fBw\fR)\fR
874 Permission to add a new file to a directory.
880 \fBappend_data (\fBp\fR)\fR
883 The ability to modify a file's data, but only starting at EOF.
885 Currently, this permission is not supported.
891 \fBadd_subdirectory (\fBp\fR)\fR
894 Permission to create a subdirectory to a directory.
900 \fBread_xattr (\fBR\fR)\fR
903 Ability to read the extended attributes of a file.
909 \fBwrite_xattr (\fBW\fR)\fR
912 Ability to create extended attributes or write to the extended attribute
919 \fBexecute (\fBx\fR)\fR
922 Permission to execute a file.
928 \fBread_attributes (\fBa\fR)\fR
931 The ability to read basic attributes (non-ACLs) of a file.
937 \fBwrite_attributes (\fBA\fR)\fR
940 Permission to change the times associated with a file or directory to an
947 \fBdelete (\fBd\fR)\fR
950 Permission to delete a file.
956 \fBdelete_child (\fBD\fR)\fR
959 Permission to delete a file within a directory.
965 \fBread_acl (\fBc\fR)\fR
968 Permission to read the ACL of a file.
974 \fBwrite_acl (\fBC\fR)\fR
977 Permission to write the ACL of a file.
983 \fBwrite_owner (\fBo\fR)\fR
986 Permission to change the owner of a file.
992 \fBsynchronize (\fBs\fR)\fR
995 Permission to access file locally at server with synchronize reads and writes.
997 Currently, this permission is not supported.
1002 Using the compact ACL format, permissions are specified by using 14 unique
1003 letters to indicate permissions.
1006 Using the positional ACL format, permissions are specified as positional
1007 arguments similar to the \fBls\fR \fB-V\fR format. The hyphen (\fB-\fR), which
1008 indicates that no permission is granted at that position, can be omitted and
1009 only the required letters have to be specified.
1012 The letters above are listed in the order they would be specified in positional
1016 Permissions can be specified with these letters in the following way:
1027 The hyphens can be removed to compact the string as follows:
1038 Several special permission sets or aliases are also supported. The following
1039 permission sets are used the same way that verbose permissions are specified.
1043 \fB\fBfull_set\fR\fR
1052 \fB\fBmodify_set\fR\fR
1055 All permissions except \fBwrite_acl\fR and \fBwrite_owner\fR.
1061 \fB\fBread_set\fR\fR
1064 \fBread_data, read_acl, read_attributes,\fR and \fBread_xattr\fR.
1070 \fB\fBwrite_set\fR\fR
1073 \fBwrite_data, append_data, write_attributes\fR, and \fBwrite_xattr\fR
1078 The optional inheritance flags can be specified in the three formats. The first
1079 format uses words to indicate the various inheritance flags separated with a
1080 forward slash (\fB/\fR) character.
1084 \fBfile_inherit (\fBf\fR)\fR
1087 Inherit to all newly created files.
1093 \fBdir_inherit (\fBd\fR)\fR
1096 Inherit to all newly created directories.
1102 \fBinherit_only (\fBi\fR)\fR
1105 When placed on a directory, do not apply to the directory, only to newly
1106 created files and directories. This flag requires that either
1107 \fBfile_inherit\fR and or \fBdir_inherit\fR is also specified.
1113 \fBno_propagate (\fBn\fR)\fR
1116 Indicates that ACL entries should be inherited to objects in a directory, but
1117 inheritance should stop after descending one level. This flag is dependent upon
1118 either \fBfile_inherit\fR and or \fBdir_inherit\fR also being specified.
1124 \fBsuccessful_access (\fBS\fR)\fR
1127 Indicates whether an alarm or audit record should be initiated upon successful
1128 accesses. Used with audit/alarm ACE types.
1134 \fBfailed_access (\fBF\fR)\fR
1137 Indicates whether an alarm or audit record should be initiated when access
1138 fails. Used with audit/alarm ACE types.
1144 \fBinherited (\fBI\fR)\fR
1152 The inheritance flags listed can also be specified in the compact format or as
1153 positional arguments similar to the \fBls\fR \fB-V\fR format. A hyphen
1154 character indicates that the inheritance flag at that position is not specified
1155 in the positional ACL format.
1158 The inheritance flags can be specified with these letters in any of the
1159 following equivalent ways.
1163 file_inherit/dir_inherit/no_propagate
1186 With this inheritance model, an ACL entry can be specified such as:
1190 user:tom:read_data/write_data/read_attributes:file_inherit:allow
1191 user:fred:read_data:file_inherit/dir_inherit:deny
1192 user:bob:read_data:allow
1197 .SS "Attribute Operation"
1199 An attribute operation command line has the following format:
1203 chmod [\fIoptions\fR] \fIattribute_specification_list\fR \fIfile\fR ...
1210 where \fIattribute_specification_list\fR is the character \fBS\fR followed by a
1211 comma-separated list of one or more \fIattribute_specifications\fR. Each
1212 \fIattribute_specification\fR is of the form:
1216 [\fIoperator\fR]\fIattribute_specifier\fR
1223 An \fIoperator\fR is one of the following:
1230 Each attribute specified by the associated \fIattribute_specifier\fR is
1231 adjusted to match the value specified by the \fIattribute_specifier\fR.
1240 Each attribute specified by the associated \fIattribute_specifier\fR is
1241 adjusted to match the inverse of the value specified by the
1242 \fIattribute_specifier\fR.
1251 Each attribute specified by the associated \fIattribute_specifier\fR is
1252 adjusted to match the value specified by the \fIattribute_specifier\fR. Any
1253 boolean read-write extended system attributes associated with the current file
1254 that are not specified by \fIattribute_specifier\fR is cleared.
1259 If an \fIoperator\fR is not specified in an \fIattribute_specification\fR,
1260 \fBchmod\fR behaves as if \fB+\fR had been specified.
1263 An \fIattribute_specifier\fR takes one of the following forms:
1271 Set all boolean read-write extended system attributes associated with the
1278 \fB\fBc[\fIcompact_attribute_list\fR]\fR\fR
1282 \fB\fBc'{'\fIcompact_attribute_list\fR'}'\fR\fR
1286 Set each boolean read-write extended system attribute identified by
1287 \fIcompact_attribute_list\fR.
1293 \fB\fBv[\fIverbose_attribute_setting\fR]\fR\fR
1297 \fB\fBv['{'\fIverbose_attribute_setting_list\fR'}']\fR\fR
1301 Set each boolean read-write extended system attribute identified by
1302 \fIverbose_attribute_setting\fR.
1307 A \fIcompact_attribute_list\fR is a list of zero or more adjacent attribute
1308 abbreviation characters from list of \fBAttribute Names and Abbreviation
1309 Characters\fR later in this section. An arbitrary number of hyphen (\fB-\fR)
1310 characters can be included in a \fIcompact_attribute_list\fR. These are
1314 A \fIverbose_attribute_setting\fR is an attribute name from the list of
1315 \fBAttribute Names and Abbreviation Characters\fR later in this section,
1316 optionally, immediately preceded by \fBno\fR. If the attribute name is used
1317 without \fBno\fR, the attribute is set; otherwise the attribute is cleared.
1320 A \fIverbose_attribute_setting_list\fR is zero or more comma-separated
1321 \fIverbose_attribute_setting\fRs.
1324 Multiple operations specified for a file are accumulated and are all set for a
1325 file operand as a single attribute setting operation. If an attribute is
1326 specified more than once in an \fIattribute_specification_list\fR, the last
1327 specified operation is applied.
1330 The following is a list of \fBAttribute Names and Abbreviation Characters\fR:
1334 \fB\fBAttribute Name\fR\fR
1337 \fBAbbreviation Character\fR
1361 \fB\fBreadonly\fR\fR
1379 \fB\fBnounlink\fR\fR
1388 \fB\fBimmutable\fR\fR
1397 \fB\fBappendonly\fR\fR
1415 \fB\fBav_quarantined\fR\fR
1424 \fB\fBav_modified\fR\fR
1450 The following options are supported:
1457 Force. \fBchmod\fR does not complain if it fails to change the mode of a file.
1466 Recursively descend through directory arguments, setting the mode for each
1467 file. When symbolic links are encountered, the mode of the target file is
1468 changed, but no recursion takes place.
1474 \fB\fB-@\fR \fInamed_attribute\fR\fR
1477 Perform the attribute operation on the named extended attribute file of each
1478 file operand instead of the file operand itself. If multiple \fB-@\fR
1479 operations are supplied, the attribute specification mode is applied to each of
1480 the named attribute files.
1482 A named attribute of \fB*\fR carries meaning to \fBchmod\fR, and is considered
1483 to mean all extended attribute files associated with a file operand. This does
1484 not refer to the special files \fB\&.\fR and \fB\&..\fR.
1486 A named attribute of \fB\&..\fR carries special meaning to \fBchmod\fR, and is
1487 considered to mean the file operand itself. This allows \fBchmod\fR, in a
1488 single call, to apply the attribute specification mode to the specified named
1489 attribute file of the file operand and the file operand itself.
1494 The following operands are supported:
1498 \fB\fIabsolute-mode\fR\fR
1502 \fB\fIsymbolic-mode-list\fR\fR
1506 Represents the change to be made to the file mode bits of each file named by
1507 one of the \fIfile\fR operands. See \fBAbsolute Mode\fR and \fBSymbolic Mode\fR
1508 in the \fBDESCRIPTION\fR section of this manual page for more information.
1514 \fB\fIacl_operation\fR\fR
1518 Represents the modification to be performed on the file's ACL. See \fBACL
1519 Operation\fR in the \fBDESCRIPTION\fR section for more information.
1521 \fIacl_operation\fR is one of the following:
1525 \fBA[\fR\fInumber\fR\fB] -\fR
1526 \fBA-\fR\fIacl_specification\fR
1527 \fBA[\fR\fIindex\fR\fB]{+|=}\fR\fBacl_specification\fR
1537 \fB\fIattribute_specification_list\fR\fR
1541 Represents the modification to performed on the file's attributes. See
1542 Attribute Operation in the \fBDESCRIPTION\fR section of this manual page for
1553 A path name of a file whose file mode bits are to be modified.
1558 \fBExample 1 \fRDenying \fBexecute\fR Permission
1561 The following example denies execute permission to everyone:
1566 % chmod a-x \fIfile\fR
1572 \fBExample 2 \fRAllowing \fBread-only\fR Permission
1575 The following example allows only read permission to everyone:
1580 % chmod 444 \fIfile\fR
1586 \fBExample 3 \fRMaking a File \fBreadable\fR and \fBwritable\fR
1589 The following example makes a file readable and writable by the group and
1595 % chmod go+rw \fIfile\fR
1596 % chmod 066 \fIfile\fR
1602 \fBExample 4 \fRLocking a File From Access
1605 The following example locks a file from access:
1610 $ chmod +l \fIfile\fR
1616 \fBExample 5 \fRGranting \fBread\fR, \fBwrite\fR, \fBexecute\fR, and \fBset
1617 group-ID\fR Permission on a File
1620 The following example grants everyone read, write, and execute permissions on
1621 the file, and turns on the set group-ID:
1626 $ chmod a=rwx,g+s \fIfile\fR
1627 $ chmod 2777 \fIfile\fR
1633 \fBExample 6 \fRPrepending a New ACL Entry on a ZFS File
1636 The following example prepends a new ACL entry on a ZFS file.
1640 First, display the current ACL:
1646 -rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
1647 0:owner@:execute:deny
1648 1:owner@:read_data/write_data/append_data/write_xattr/
1649 write_attributes/write_acl/write_owner:allow
1650 2:group@:write_data/append_data/execute:deny
1651 3:group@:read_data:allow
1652 4:everyone@:write_data/append_data/write_xattr/execute/
1653 write_attributes/write_acl/write_owner:deny
1654 5:everyone@:read_data/read_xattr/read_attributes/read_acl/
1662 Issue the following command:
1667 $ chmod A+user:lp:read_data:deny file.3
1674 Display the new ACL:
1680 -rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
1681 0:user:lp:read_data:deny
1682 1:owner@:execute:deny
1683 2:owner@:read_data/write_data/append_data/write_xattr/
1684 write_attributes/write_acl/write_owner:allow
1685 3:group@:write_data/append_data/execute:deny
1686 4:group@:read_data:allow
1687 5:everyone@:write_data/append_data/write_xattr/execute/
1688 write_attributes/write_acl/write_owner:deny
1689 6:everyone@:read_data/read_xattr/read_attributes/read_acl/
1696 \fBExample 7 \fRPrepending a New POSIX-draft ACL Entry on a UFS File
1699 The following example prepends a new POSIX-draft ACL entry on a UFS file.
1703 First, display the current ACL:
1709 -rw-r--r-- 1 marks staff 0 Oct 9 15:52 file.2
1711 1:group::r-- #effective:r--
1720 Issue the following command:
1725 $ chmod A+user:lp:-wx file.2
1732 Display the new ACL:
1738 -rw-r--r--+ 1 marks staff 0 Oct 9 15:52 file.2
1740 1:user:lp:-wx #effective:---
1741 2:group::r-- #effective:r--
1749 \fBExample 8 \fRInserting an ACL Entry in a Specific Position on a ZFS file
1752 The following example inserts an ACL entry in a specific position on a ZFS file
1753 system. It also illustrates the compact ACL format.
1757 First, display the ACL to pick a location to insert a new ACE.
1763 -rw-r--r--+ 1 root root 0 Oct 6 12:16 file.1
1764 user:lp:rw------------:-------:allow
1765 owner@:--x-----------:-------:deny
1766 owner@:rw-p---A-W-Co-:-------:allow
1767 group@:-wxp----------:-------:deny
1768 group@:r-------------:-------:allow
1769 everyone@:-wxp---A-W-Co-:-------:deny
1770 everyone@:r-----a-R-c--s:-------:allow
1777 Next, insert a new entry in location 3. This causes the entries that are
1778 currently in position 3 - 6 to be pushed down.
1782 Issue the following command:
1787 $ chmod A3+user:marks:r:deny file.1
1794 Display the new ACL:
1800 -rw-r--r--+ 1 root staff 0 Feb 3 14:13 file.1
1801 user:lp:rw------------:-------:allow
1802 owner@:--x-----------:-------:deny
1803 owner@:rw-p---A-W-Co-:-------:allow
1804 user:marks:r-------------:-------:deny
1805 group@:-wxp----------:-------:deny
1806 group@:r-------------:-------:allow
1807 everyone@:-wxp---A-W-Co-:-------:deny
1808 everyone@:r-----a-R-c--s:-------:allow
1814 \fBExample 9 \fRInserting a POSIX-draft ACL in a Specific Position on a UFS
1818 The file system reorders ACLs when they are stored in the file system. The
1819 following example illustrates this behavior.
1825 -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
1827 1:user:lp:rw- #effective:r--
1828 2:group::r-- #effective:r--
1837 Now, insert an entry at index position 3. The command works, but the file
1838 system reorders the ACL.
1843 $ chmod A3+user:marks:rw- file.1
1845 -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
1847 1:user:lp:rw- #effective:r--
1848 2:user:marks:rw- #effective:r--
1849 3:group::r-- #effective:r--
1858 Rather than inserting the ACL entry in position 3 as requested, it actually
1859 ends up in position 2.
1862 \fBExample 10 \fRRemoving an ACL Entry on a ZFS File
1865 The following example removes the \fBlp\fR entry from an ACL:
1871 -rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
1872 0:user:lp:read_data:deny
1873 1:owner@:execute:deny
1874 2:owner@:read_data/write_data/append_data/write_xattr/
1875 write_attributes/write_acl/write_owner:allow
1876 3:group@:write_data/append_data/execute:deny
1877 4:group@:read_data:allow
1878 5:everyone@:write_data/append_data/write_xattr/execute/
1879 write_attributes/write_acl/write_owner:deny
1880 6:everyone@:read_data/read_xattr/read_attributes/read_acl/
1889 $ chmod A-user:lp:read_data:deny file.3
1891 -rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
1892 0:owner@:execute:deny
1893 1:owner@:read_data/write_data/append_data/write_xattr/
1894 write_attributes/write_acl/write_owner:allow
1895 2:group@:write_data/append_data/execute:deny
1896 3:group@:read_data:allow
1897 4:everyone@:write_data/append_data/write_xattr/execute/
1898 write_attributes/write_acl/write_owner:deny
1899 5:everyone@:read_data/read_xattr/read_attributes/read_acl/
1906 \fBExample 11 \fRRemoving a POSIX-draft ACL on a UFS File
1909 The following example removes the \fBlp\fR entry from an ACL:
1915 -rw-r--r--+ 1 marks staff 0 Oct 9 15:52 file.2
1917 1:user:lp:-wx #effective:---
1918 2:group::r-- #effective:r--
1928 $ chmod A-user:lp:-wx file.2
1930 -rw-r--r-- 1 marks staff 0 Oct 9 15:52 file.2
1932 1:group::r-- #effective:r--
1940 \fBExample 12 \fRRemoving a Specific ACL Entry by Index Number on a ZFS File
1943 Consider the following ACL:
1949 0:group:staff:read_data/write_data/execute/read_acl:allow
1950 1:user:bin:read_data:deny
1951 2:user:bin:read_data:allow
1952 3:owner@:write_data/append_data:deny
1953 4:owner@:read_data/write_xattr/execute/write_attributes/write_acl
1955 5:group@:write_data/append_data:deny
1956 6:group@:read_data/execute:allow
1957 7:everyone@:write_data/append_data/write_xattr/write_attributes
1958 /write_acl/write_owner:deny
1959 8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
1967 Remove the second user entry for bin.
1974 0:group:staff:read_data/write_data/execute/read_acl:allow
1975 1:user:bin:read_data:deny
1976 2:owner@:write_data/append_data:deny
1977 3:owner@:read_data/write_xattr/execute/write_attributes/write_acl
1979 4:group@:write_data/append_data:deny
1980 5:group@:read_data/execute:allow
1981 6:everyone@:write_data/append_data/write_xattr/write_attributes
1982 /write_acl/write_owner:deny
1983 7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
1990 \fBExample 13 \fRRemoving a Specific POSIX-draft ACL Entry on a UFS File
1993 The following example removes the lp entry by index number from the following
2000 -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
2002 1:user:lp:rw- #effective:r--
2003 2:group::r-- #effective:r--
2009 -rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
2011 1:group::r-- #effective:r--
2019 \fBExample 14 \fRRemoving All ACLs From a File
2022 The following command works with either NFSv4/ZFS or POSIX-draft ACLs.
2026 Consider the following ACL:
2032 -rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
2033 0:user:lp:read_data/write_data:allow
2034 1:user:marks:read_acl:allow
2035 2:owner@:execute:deny
2036 3:owner@:read_data/write_data/append_data/write_xattr/
2037 write_attributes/write_acl/write_owner:allow
2038 4:group@:write_data/append_data/execute:deny
2039 5:group@:read_data:allow
2040 6:everyone@:write_data/append_data/write_xattr/execute/
2041 write_attributes/write_acl/write_owner:deny
2042 7:everyone@:read_data/read_xattr/read_attributes/read_acl/
2050 The existing ACL is effectively removed and is replaced with an ACL that
2051 represents the permission bits of the file.
2058 -rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
2059 0:owner@:execute:deny
2060 1:owner@:read_data/write_data/append_data/write_xattr/
2061 write_attributes/write_acl/write_owner:allow
2062 2:group@:write_data/append_data/execute:deny
2063 3:group@:read_data:allow
2064 4:everyone@:write_data/append_data/write_xattr/execute/
2065 write_attributes/write_acl/write_owner:deny
2066 5:everyone@:read_data/read_xattr/read_attributes/read_acl/
2073 \fBExample 15 \fRReplacing an Entire ACL Entry on a ZFS File
2076 Use the following \fBchmod\fR syntax if you want to replace an ACL in its
2082 $ chmod A=owner@:read_data/write_data:allow,group@:read_data/
2083 write_data:allow,user:lp:read_data:allow file.4
2085 -rw-rw----+ 1 marks staff 0 Oct 9 16:12 file.4
2086 0:owner@:read_data/write_data:allow
2087 1:group@:read_data/write_data:allow
2088 2:user:lp:read_data:allow
2094 \fBExample 16 \fRReplacing an Entire POSIX-draft ACL on a UFS File
2097 This operation is a little more complicated. The replacement ACL needs the
2098 necessary entries to represent the file owner, file group owner, other, mask
2099 and any additional entries you wish to set.
2104 $ chmod A=user::rw-,group::rw-,other::---,mask:r--,
2107 -rw-r-----+ 1 root root 0 Oct 9 16:14 file.3
2109 1:user:lp:r-- #effective:r--
2110 2:group::rw- #effective:r--
2118 \fBExample 17 \fRReplacing a Specific Entry on a ZFS File
2121 Consider the following ACL.
2127 -rw-r--r--+ 1 marks staff 0 Oct 9 16:18 file.5
2128 0:user:marks:read_data:allow
2129 1:owner@:execute:deny
2130 2:owner@:read_data/write_data/append_data/write_xattr/
2131 write_attributes/write_acl/write_owner:allow
2132 3:group@:write_data/append_data/execute:deny
2133 4:group@:read_data:allow
2134 5:everyone@:write_data/append_data/write_xattr/execute/
2135 write_attributes/write_acl/write_owner:deny
2136 6:everyone@:read_data/read_xattr/read_attributes/read_acl/
2144 Now, change the allow access to a deny for user marks:
2149 $ chmod A0=user:marks:read_data:deny file.5
2151 -rw-r--r--+ 1 marks staff 0 Aug 23 09:11 file.5
2152 0:user:marks:read_data:deny
2153 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
2154 /write_acl/write_owner:allow
2155 2:group@:write_data/append_data/execute:deny
2156 3:group@:read_data:allow
2157 4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
2158 /write_acl/write_owner:deny
2159 5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
2166 \fBExample 18 \fRReplacing a Specific POSIX-draft ACL on a UFS File
2169 Consider the following ACL.
2175 -rw-r--r--+ 1 marks staff 0 Oct 9 16:21 file.4
2177 1:user:lp:rwx #effective:r--
2178 2:group::r-- #effective:r--
2187 Now, change the permission on \fBlp\fR from \fBrwx\fR to \fBr--\fR:
2192 $ chmod A1=user:lp:r-- file.4
2195 -rw-r--r--+ 1 marks staff 0 Oct 9 16:21 file.4
2197 1:user:lp:r-- #effective:r--
2198 2:group::r-- #effective:r--
2206 \fBExample 19 \fRSetting ACL Inheritance Flags on a ZFS File
2209 You can only set inheritance flags on ZFS files. When setting ACLs on
2210 directories, several inheritance flags can be optionally set.
2214 Suppose you have an ACL entry for user \fBlp\fR that you want to be inherited
2215 to newly created files in a directory. First, you need to create an
2216 inheritable ACL entry on the directory:
2221 $ chmod A+user:lp:read_data:file_inherit:allow test.dir
2223 drwxr-xr-x+ 2 marks staff 2 Aug 23 09:08 test.dir/
2224 0:user:lp:read_data:file_inherit:allow
2226 2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
2227 /append_data/write_xattr/execute/write_attributes/write_acl
2229 3:group@:add_file/write_data/add_subdirectory/append_data:deny
2230 4:group@:list_directory/read_data/execute:allow
2231 5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
2232 /write_attributes/write_acl/write_owner:deny
2233 6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
2234 /read_acl/synchronize:allow
2241 The \fBlp\fR entry is inherited to newly created files in the directory
2247 $ touch test.dir/file.test
2248 $ ls -v test.dir/file.test
2249 -rw-r--r--+ 1 marks staff 0 Oct 9 16:29 test.dir/file.test
2251 1:user:lp:read_data:allow
2252 2:owner@:execute:deny
2253 3:owner@:read_data/write_data/append_data/write_xattr/
2254 write_attributes/write_acl/write_owner:allow
2255 4:group@:write_data/append_data/execute:deny
2256 5:group@:read_data:allow
2257 6:everyone@:write_data/append_data/write_xattr/execute/
2258 write_attributes/write_acl/write_owner:deny
2259 7:everyone@:read_data/read_xattr/read_attributes/read_acl/
2267 The user \fBlp\fR entry is inherited to the newly created file. Multiple
2268 combinations of the inheritance flags can be specified. For example, if you
2269 wanted the \fBlp\fR entry to also be inherited to directories, then the
2270 following command can be used:
2275 $ chmod A+user:lp:read_data:file_inherit/\e
2276 dir_inherit:allow test.dir
2282 \fBExample 20 \fRReplacing System Attributes of a ZFS File
2285 The following examples replace system attributes of a ZFS file:
2290 $ chmod S=v{archive,hidden,readonly,system,appendonly,\e
2291 nonodump,immutable,noav_modified,noav_quarantined,\e
2292 nounlink,nooffline,nosparse} file1
2304 $ chmod S=c{AHRSaiu} file1
2316 $ chmod S=c{AHRSa-i--u--} file1
2328 $ chmod S=cAHRSaiu file1
2340 $ chmod -@ '..' S=cAHRSaiu file1
2347 Assuming appropriate privileges, this results in the following system
2348 attributes of \fBfile1\fR being set: \fBarchive\fR, \fBhidden\fR,
2349 \fBreadonly\fR, \fBsystem\fR, \fBappendonly\fR, \fBimmutable\fR, and
2350 \fBnounlink\fR. Assuming appropriate privileges, the following system
2351 attributes of \fBfile1\fR are cleared: \fBnodump\fR, \fBav_modified\fR,
2352 \fBav_quarantined\fR, \fBoffline\fR, and \fBsparse\fR.
2355 \fBExample 21 \fRClearing All System Attributes of a ZFS File
2358 The following examples clears all system attributes of a ZFS file:
2375 $ chmod -@ '..' S-a file1
2382 Assuming appropriate privileges, all boolean read-write system attributes are
2383 cleared on \fBfile1\fR.
2386 \fBExample 22 \fRSetting a System Attribute of a Named Attribute File of a ZFS
2390 The following example sets a system attribute of a named attribute file of a
2391 ZFS file, but not of the file itself:
2396 $ chmod -@ myattr S+vhidden file1
2403 This results in the hidden system attribute being set for the named attribute
2404 file \fBmyattr\fR of \fBfile1\fR, but not the file itself.
2407 \fBExample 23 \fRSetting a System Attribute of All Named Attribute File of a
2411 The following example sets a system attribute of all named attribute files of a
2412 ZFS file, but not of the file itself:
2417 $ chmod -@ '*' S+a file1
2423 \fBExample 24 \fRSetting a System Attribute of All Named Attribute Files of a
2427 The following example sets a system attribute of all named attribute files of a
2428 ZFS file, as well as of the file itself:
2433 $ chmod -@ '..' -@ '*' S+vhidden file1
2440 This results in the hidden system attribute being set for all named attribute
2441 files of \fBfile1\fR, as well as the file itself.
2444 \fBExample 25 \fRRecursively Descending Through a Directory Hierarchy
2447 The following example recursively descends through a directory hierarchy, and
2448 sets all system attributes of all named attribute files, the ZFS file operands,
2449 as well as of the directory itself:
2454 $ chmod -R -@ '..' -@ '*' S+a directory1
2461 This results in the hidden system attribute being set for all named attribute
2462 files of all regular files and directories within the directory hierarchy of
2463 \fBdirectory1\fR, as well as of \fBdirectory1\fR itself.
2466 \fBExample 26 \fRSetting the \fBhidden\fR and \fBsystem\fR System Attributes of
2470 The following examples set the \fBhidden\fR and \fBsystem\fR system attributes
2488 $ chmod S+vhidden,+vsystem file1
2500 $ chmod S+v{hidden,system} file1
2512 $ chmod S+c{-H-S--------} file1
2524 $ chmod S-v{nohidden,nosystem} file1
2536 $ chmod S-v{hidden,system},+v{hidden,system} file1
2542 \fBExample 27 \fRClearing All System Attributes of a ZFS File
2545 The following example clears all system attributes of a ZFS file:
2569 In the following two examples, the last attribute operation specified takes
2574 In this example, the replacement attribute name list (\fB{}\fR) clears all
2575 system attributes for \fBfile1\fR:
2580 $ chmod S+cHS,=v{} file1
2587 In this example, the clear attributes operation (\fB-a\fR) clears all system
2588 attributes of \fBfile1\fR:
2593 $ chmod S+vhidden,+vsystem,-a file1
2599 \fBExample 28 \fRSetting the Values of All Boolean read-write System Attributes
2603 The following example sets the values of all boolean read-write system
2604 attributes of a file to the same as the boolean read-write system attributes of
2610 $ chmod S=v`ls -/v file1|sed -n '2s/.*{/{/p'` file2
2617 Assuming appropriate privileges and that \fBfile1\fR and \fBfile2\fR have the
2618 same supported system attributes, all system attributes of \fBfile1\fR that are
2619 set are also set on \fBfile2\fR. All system attributes of \fBfile1\fR that are
2620 cleared are also cleared on \fBfile2\fR.
2622 .SH ENVIRONMENT VARIABLES
2624 See \fBenviron\fR(5) for descriptions of the following environment variables
2625 that affect the execution of \fBchmod\fR: \fBLANG\fR, \fBLC_ALL\fR,
2626 \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR, and \fBNLSPATH\fR.
2629 The following exit values are returned:
2636 Successful completion.
2650 See \fBattributes\fR(5) for descriptions of the following attributes:
2658 ATTRIBUTE TYPE ATTRIBUTE VALUE
2662 Interface Stability Committed
2667 \fBgetfacl\fR(1), \fBls\fR(1), \fBsetfacl\fR(1), \fBchmod\fR(2),
2668 \fBfgetattr\fR(3C), \fBacl\fR(5), \fBattributes\fR(5), \fBenviron\fR(5),
2669 \fBfsattr\fR(5), \fBstandards\fR(5)
2672 Absolute changes do not work for the set-group-\fBID\fR bit of a directory. You
2673 must use \fBg+s\fR or \fBg-s\fR.
2676 \fBchmod\fR permits you to produce useless modes so long as they are not
2677 illegal (for instance, making a text file executable). \fBchmod\fR does not
2678 check the file type to see if mandatory locking is meaningful.
2681 If the filesystem is mounted with the \fInosuid\fR option, \fIsetuid\fR
2682 execution is not allowed.
2685 If you use \fBchmod\fR to change the file group owner permissions on a file
2686 with \fBACL\fR entries, both the file group owner permissions and the \fBACL\fR
2687 mask are changed to the new permissions. Be aware that the new \fBACL\fR mask
2688 permissions can change the effective permissions for additional users and
2689 groups who have \fBACL\fR entries on the file. Use the \fBgetfacl\fR(1) or
2690 \fBls\fR(1) command to make sure the appropriate permissions are set for all