chmod(1) User Commands chmod(1)
NAME
chmod - change the permissions mode of a file
SYNOPSIS
/usr/bin/chmod [-c | --changes] [-f | --silent | --quiet] [--help]
     [--no-preserve-root] [--preserve-root] [--reference=<RFILE>]
     [-R | --recursive [-H | -L | -P]] [-v | --verbose]
     <absolute-mode> <file> ...
/usr/bin/chmod [-fR] [-@ attribute] ... S<attribute-operation> file ...
/usr/bin/chmod [-fR] <ACL-operation> file ...
/usr/bin/chmod [-c | --changes] [-f | --silent | --quiet] [--help]
     [--no-preserve-root] [--preserve-root] [--reference=<RFILE>]
     [-R | --recursive [-H | -L | -P]] [-v | --verbose]
     <symbolic-mode-list> file ...
DESCRIPTION
The chmod utility changes or assigns the mode of a file.
chmod can also be used to modify Access Control Lists (ACLs) on files
and directories, and to modify boolean read-write system attributes on
regular files, directories, and opaque extended attribute files.
Absolute Mode
An absolute mode command line has the following format:
chmod [options] absolute-mode file . . .
where absolute-mode is specified using octal numbers nnnn defined as
follows:
n
a number from 0 to 7. An absolute mode is constructed from the OR
of any of the following modes:
4000
Set user ID on execution.
20#0
Set group ID on execution if # is 7, 5, 3, or 1.
Enable mandatory locking if # is 6, 4, 2, or 0.
For directories, files are created with BSD semantics for propagation
of the group ID. With this option, files and subdirectories created in
the directory inherit the group ID of the directory, rather than of the
current process. For directories, the setgid bit can only be set or
cleared by using symbolic mode.
1000
Turn on sticky bit. See chmod(2).
0400
Allow read by owner.
0200
Allow write by owner.
0100
Allow execute (search in directory) by owner.
0700
Allow read, write, and execute (search) by owner.
0040
Allow read by group.
0020
Allow write by group.
0010
Allow execute (search in directory) by group.
0070
Allow read, write, and execute (search) by group.
0004
Allow read by others.
0002
Allow write by others.
0001
Allow execute (search in directory) by others.
0007
Allow read, write, and execute (search) by others.
For directories, the setgid bit cannot be set (or cleared) in absolute
mode; setting (or clearing) the setgid bit must be done in symbolic
mode using g+s (or g-s).
Symbolic Mode
A symbolic mode command line has the following format:
chmod [options] symbolic-mode-list file . . .
where symbolic-mode-list is a comma-separated list (with no intervening
white space) of symbolic mode expressions of the form:
[who] operator [permissions]
Operations are performed in the order given. Multiple permission
letters following a single operator cause the corresponding operations
to be performed simultaneously.
who
zero or more of the characters u, g, o, and a specifying whose
permissions are to be changed or assigned:
u user's permissions
g group's permissions
o others' permissions
a all permissions (user, group, and other)
If who is omitted, it defaults to a, but the setting of the file
mode creation mask (see umask(1)) is taken into account.
operator
either +, -, or =, signifying how permissions are to be changed:
+
Add permissions.
If permissions are omitted, nothing is added.
If who is omitted, add the file mode bits represented by permissions,
except for those with corresponding bits in the file mode creation mask.
If who is present, add the file mode bits represented by the
permissions.
-
Take away permissions.
If permissions are omitted, do nothing.
If who is omitted, clear the file mode bits represented by permissions,
except for those with corresponding bits in the file mode creation mask.
If who is present, clear the file mode bits represented by permissions.
=
Assign permissions absolutely.
If who is omitted, clear all file mode bits; if who is present,
clear the file mode bits represented by who.
If permissions are omitted, do nothing else.
If who is omitted, add the file mode bits represented by permissions,
except for those with corresponding bits in the file mode creation mask.
If who is present, add the file mode bits represented by permissions.
Unlike other symbolic operations, = has an absolute effect in that
it resets all other bits represented by who. Omitting permissions
is useful only with = to take away all permissions.
permission
any compatible combination of the following letters:
l
mandatory locking
r
read permission
s
user or group set-ID
t
sticky bit
w
write permission
x
execute permission
X
execute permission if the file is a directory or if there is
execute permission for one of the other user classes
u,g,o
indicate that permission is to be taken from the current user,
group or other mode respectively.
Permissions to a file can vary depending on your user identification
number (UID) or group identification number (GID). Permissions are
described in three sequences each having three characters:

User   Group   Other
rwx    rwx     rwx

This example (user, group, and others all have permission to read,
write, and execute a given file) demonstrates two categories for
granting permissions: the access class and the permissions themselves.
The letter s is only meaningful with u or g, and t only works with
u.
Mandatory file and record locking (l) refers to a file's ability to
have its reading or writing permissions locked while a program is
accessing that file.
In a directory which has the set-group-ID bit set (reflected as
either -----s--- or -----l--- in the output of 'ls -ld'), files and
subdirectories are created with the group-ID of the parent directory,
not that of the current process.
It is not possible to permit group execution and enable a file to
be locked on execution at the same time. In addition, it is not
possible to turn on the set-group-ID bit and enable a file to be
locked on execution at the same time. The following examples,
therefore, are invalid and elicit error messages:
chmod g+x,+l file
chmod g+s,+l file
Only the owner of a file or directory, or a process with the
{PRIV_FILE_OWNER} privilege, can change that file's or directory's
mode. Only a process with the {PRIV_SYS_CONFIG} privilege can set
the sticky bit on a non-directory file. If run without the required
privilege, chmod masks the sticky-bit but does not return an error.
In order to turn on a file's set-group-ID bit, your own group ID
must correspond to the file's and group execution must be set.
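As an added model of the rules in the Absolute Mode and Symbolic Mode sections above (this is not chmod's own source; the function and constant names are mine), the following Python evaluates a symbolic-mode-list against a starting mode, applies the umask only when who is omitted, copies a class with u/g/o, honours X, and rejects the two l conflicts listed above; describe_mode applies the 20#0 rule to an absolute mode.

```python
import re

# Permission bits of each user class, keyed by the letters r, w and x.
CLASS_BITS = {
    "u": {"r": 0o400, "w": 0o200, "x": 0o100},
    "g": {"r": 0o040, "w": 0o020, "x": 0o010},
    "o": {"r": 0o004, "w": 0o002, "x": 0o001},
}
SETUID, SETGID, STICKY = 0o4000, 0o2000, 0o1000
# Special bits "=" clears for a class: s is meaningful with u or g, t with u.
SPECIAL = {"u": SETUID | STICKY, "g": SETGID, "o": 0}
CLAUSE = re.compile(r"([ugoa]*)([+\-=])([rwxXstlugo]*)")


def describe_mode(mode):
    """Name the special bits of an absolute mode using the 20#0 rule: the 02000
    bit means set-group-ID when group execute is set, mandatory locking otherwise."""
    names = []
    if mode & SETUID:
        names.append("setuid")
    if mode & SETGID:
        names.append("setgid" if mode & 0o010 else "mandatory locking")
    if mode & STICKY:
        names.append("sticky")
    return names


def _perm_bits(classes, perms, mode, is_dir):
    """Translate permission letters into mode bits for the classes given."""
    bits = 0
    for letter in perms:
        if letter in "rwx":
            bits |= sum(CLASS_BITS[c][letter] for c in classes)
        elif letter == "X":
            # execute only for a directory or when some class already has execute
            if is_dir or mode & 0o111:
                bits |= sum(CLASS_BITS[c]["x"] for c in classes)
        elif letter == "s":
            bits |= (SETUID if "u" in classes else 0) | (SETGID if "g" in classes else 0)
        elif letter == "t":
            bits |= STICKY if "u" in classes else 0
        elif letter == "l":
            bits |= SETGID          # mandatory locking is the 02000 bit with g-x clear
        else:
            # u, g or o: copy that class's current rwx bits onto the target classes
            for name, bit in CLASS_BITS[letter].items():
                if mode & bit:
                    bits |= sum(CLASS_BITS[c][name] for c in classes)
    return bits


def apply_symbolic(mode, spec, umask=0o022, is_dir=False):
    """Apply a chmod symbolic-mode-list to mode and return the resulting mode.

    Raises ValueError on a malformed clause, or when l is combined with group
    execute or set-group-ID, which the man page lists as invalid."""
    lock_requested = setgid_requested = False
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError("bad symbolic mode clause: %r" % clause)
        who, op, perms = m.groups()
        who_omitted = who == ""
        # who defaults to a; "a" expands to all three classes
        classes = "ugo" if who_omitted or "a" in who else "".join(c for c in "ugo" if c in who)
        lock_requested |= "l" in perms
        setgid_requested |= "s" in perms and "g" in classes
        bits = _perm_bits(classes, perms, mode, is_dir)
        if who_omitted:
            bits &= ~umask          # the file mode creation mask applies only then
        if op == "=":
            # absolute: clear everything who represents (all bits if who omitted)
            clear = 0o7777 if who_omitted else sum(
                sum(CLASS_BITS[c].values()) | SPECIAL[c] for c in classes)
            mode = (mode & ~clear) | bits
        elif op == "+":
            mode |= bits
        else:
            mode &= ~bits
    if lock_requested and (mode & 0o010 or setgid_requested):
        raise ValueError("mandatory locking conflicts with group execute or set-group-ID")
    return mode
```

The umask parameter stands in for the process's file mode creation mask (see umask(1)); pass the real value from os.umask() when modelling a live shell.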
ACL Operation
An Access Control List (ACL) is a list of Access Control Entries
(ACEs), each of which defines access permissions for a particular class
of user. The list of ACEs is numbered, starting from zero. The position
of an ACE within an ACL is called an index. This index is used as an
argument in many of the chmod commands described below. See Managing
ZFS File Systems in Oracle Solaris 11.4 for further description of ACLs
and ACEs.
Oracle Solaris utilities, including chmod, support both the NFSv4 and
the newer POSIX-draft ACL specifications. These specifications spell
out the syntax and semantics of the acl_specification field shown
below. These two ACL specifications are described in their respective
subsections, below.
An ACL Operation command line has the following format:
chmod [options] A[index]- file ...
chmod [options] A-acl_specification file ...
chmod [options] A[index]{+|=}acl_specification file ...
where acl_specification is a comma-separated list (with no intervening
whitespace) of the form:
A[index]+acl_specification
Prepends the access control entries (ACEs) specified in
acl_specification to the beginning of the file's ACL. Depending on the
file system, the ACL can be reordered when applied to the file. If the
optional index is specified, then the new ACEs are inserted before the
specified index.
A-
Removes all ACEs for current ACL on file and replaces current ACL
with new ACL that represents only the current mode of the file.
Aindex-
Removes ACE specified by index number.
A-acl_specification
Removes ACEs specified by acl_specification, if they exist in the
current file's ACL.
A=acl_specification
Replaces a file's entire ACL with acl_specification.
A[index]=acl_specification
Replaces ACEs starting at a specific index number in the current
ACL on the file. If multiple ACEs are specified, then each subsequent
ACE in acl_specification replaces the corresponding ACE in the current
ACL.
POSIX-draft ACL Specification (as supported by UFS)
POSIX-draft ACLs (as supported by UFS) are specified as colon (:)
separated fields of the following forms:
user::perms
File owner permissions.
user:username:perms
Permissions for a specific user.
group::perms
File group member permissions.
group:groupname:perms
Permissions for a specific group.
other::perms
Permissions for user other than the file owner or members of file
group.
mask:perms
The ACL mask. The mask entry specifies the maximum permissions
allowed for users (other than the owner) and for groups.
default:user::perms
Default file owner permissions.
default:user:username:perms
Default permissions for a specific user.
default:group::perms
Default file group member permissions.
default:group:groupname:perms
Default permissions for a specific group.
default:other:perms
Default permissions for user other than the file owner or members
of the file group.
default:mask:perms
Default ACL mask.
The above specification allows for ACLs to be specified such as:
user:tom:rw-,mask:rwx,group:staff:r-x
NFSv4 ACL Specification (as supported by NFSv4 and ZFS)
NFSv4 ACLs provide richer ACL semantics. They provide both allow and
deny entries, finer-grained permissions, and enhanced inheritance
control.
NFSv4 ACLs are specified as colon (:) separated fields of the
following.
owner@:<perms>[:inheritance flags]:<allow|deny>
Permissions for file owner.
group@:<perms>[:inheritance flags]:<allow|deny>
Permissions for file group member.
everyone@:<perms>[:inheritance flags]:<allow|deny>
Permissions for everyone, including file owner and group member.
user:<username>:<perms>[:inheritance flags]:<allow|deny>
Permissions for a specific user.
usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
Permissions for a specific user, but user is specified by SID.
group:<groupname>:<perms>[:inheritance flags]:<allow|deny>
Permissions for a specific group.
groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
Permissions for a specific group, but group is specified by SID.
sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
Permissions for a specific SID, but it doesn't matter if it is a
user or a group.
In addition to allow and deny ACE types, NFSv4 ACLs provide alarm and
audit ACE types. Privilege is required to view or set audit entries.
Currently, Oracle Solaris does not generate alarms. See acl(7).
Permissions can be specified in three different chmod ACL formats:
verbose, compact, or positional. The verbose format uses words to
indicate the permissions, separated with a forward slash (/) character.
Compact format uses the permission letters, and positional format uses
the permission letters or the hyphen (-) to identify no permission.
The permissions for verbose mode and their abbreviated form in
parentheses for compact and positional mode are described as follows:
read_data (r)
Permission to read the data of a file.
list_directory (r)
Permission to list the contents of a directory.
write_data (w)
Permission to modify a file's data anywhere in the file's offset
range.
add_file (w)
Permission to add a new file to a directory.
append_data (p)
The ability to modify a file's data, but only starting at EOF.
Currently, this permission is not supported.
add_subdirectory (p)
Permission to create a subdirectory in a directory.
read_xattr (R)
Ability to read the extended attributes of a file.
write_xattr (W)
Ability to create extended attributes or write to the extended
attribute directory.
execute (x)
Permission to execute a file.
read_attributes (a)
The ability to read basic attributes (non-ACLs) of a file.
write_attributes (A)
Permission to change the times associated with a file or directory
to an arbitrary value.
delete (d)
Permission to delete a file.
For more information about delete permission behavior, see Managing
ZFS File Systems in Oracle Solaris 11.4.
delete_child (D)
Permission to delete a file within a directory.
For more information about delete permission behavior, see Managing
ZFS File Systems in Oracle Solaris 11.4.
read_acl (c)
Permission to read the ACL of a file.
write_acl (C)
Permission to write the ACL of a file.
write_owner (o)
Permission to change the owner of a file.
synchronize (s)
Permission to access file locally at server with synchronize reads
and writes.
Currently, this permission is not supported.
Using the compact ACL format, permissions are specified by using 14
unique letters to indicate permissions.
Using the positional ACL format, permissions are specified as
positional arguments similar to the ls -V format. The hyphen (-), which
indicates that no permission is granted at that position, can be
omitted and only the required letters have to be specified.
The letters above are listed in the order they would be specified in
positional notation.
Permissions can be specified with these letters in the following way:
rwx--D--------
The hyphens can be removed to compact the string as follows:
rwxD
Several special permission sets or aliases are also supported. The
following permission sets are used the same way that verbose permissions
are specified.
full_set
All permissions.
modify_set
All permissions except write_acl and write_owner.
read_set
read_data, read_acl, read_attributes, and read_xattr.
write_set
write_data, append_data, write_attributes, and write_xattr
The optional inheritance flags can be specified in the three formats.
The first format uses words to indicate the various inheritance flags
separated with a forward slash (/) character.
file_inherit (f)
Inherit to all newly created files.
dir_inherit (d)
Inherit to all newly created directories.
inherit_only (i)
When placed on a directory, do not apply to the directory, only to
newly created files and directories. This flag requires that
file_inherit and/or dir_inherit also be specified.
no_propagate (n)
Indicates that ACL entries should be inherited to objects in a
directory, but inheritance should stop after descending one level.
This flag depends upon file_inherit and/or dir_inherit also being
specified.
The inheritance flags listed can also be specified in the compact
format or as positional arguments similar to the ls -V format. A hyphen
character indicates that the inheritance flag at that position is not
specified in the positional ACL format.
The inheritance flags can be specified with these letters in any of the
following equivalent ways.
file_inherit/dir_inherit/no_propagate
fd-n--
fdn
With this inheritance model, an ACL entry can be specified such as:
user:tom:read_data/write_data/read_attributes:file_inherit:allow
user:fred:read_data:file_inherit/dir_inherit:deny
user:bob:read_data:allow
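An added parser for the NFSv4 ACE syntax described above (my own code, not part of chmod or Oracle Solaris): it accepts the verbose, compact and positional permission and inheritance-flag formats plus the four permission-set aliases, and renders an entry back in the verbose (ls -v style) or positional (ls -V style) form. Only the four inheritance flags named on this page are decoded; the two trailing positions of the six-wide ls -V flag field are an assumption and are left as hyphens.

```python
from dataclasses import dataclass

# The 14 permission letters in the order the positional (ls -V) format uses.
PERM_LETTERS = "rwxpdDaARWcCos"
# Verbose names per letter; where a letter has a file and a directory meaning
# the file name comes first and is the one used when rendering verbose form.
VERBOSE = {
    "r": ("read_data", "list_directory"), "w": ("write_data", "add_file"),
    "x": ("execute",), "p": ("append_data", "add_subdirectory"),
    "d": ("delete",), "D": ("delete_child",), "a": ("read_attributes",),
    "A": ("write_attributes",), "R": ("read_xattr",), "W": ("write_xattr",),
    "c": ("read_acl",), "C": ("write_acl",), "o": ("write_owner",),
    "s": ("synchronize",),
}
NAME_TO_LETTER = {n: l for l, names in VERBOSE.items() for n in names}
# Permission-set aliases as the man page defines them.
ALIASES = {
    "full_set": set(PERM_LETTERS),
    "modify_set": set(PERM_LETTERS) - {"C", "o"},   # all but write_acl/write_owner
    "read_set": {"r", "c", "a", "R"},
    "write_set": {"w", "p", "A", "W"},
}
# Inheritance flags in positional order (f d i n).
FLAG_NAMES = {"f": "file_inherit", "d": "dir_inherit",
              "i": "inherit_only", "n": "no_propagate"}
FLAG_NAME_TO_LETTER = {v: k for k, v in FLAG_NAMES.items()}
SPECIAL_WHO = ("owner@", "group@", "everyone@")
NAMED_WHO = ("user", "usersid", "group", "groupsid", "sid")
ACE_TYPES = ("allow", "deny", "audit", "alarm")


@dataclass
class Ace:
    who: str      # "owner@", "user:tom", "sid:<sid string>", ...
    perms: set    # permission letters
    flags: set    # inheritance flag letters
    kind: str     # allow, deny, audit or alarm


def _letters(text, letter_set, names, aliases):
    """Decode one field given in verbose, compact or positional form."""
    out = set()
    if text == "":
        return out
    if "/" in text or text in names or text in aliases:   # verbose words
        for word in text.split("/"):
            if word in aliases:
                out |= aliases[word]
            elif word in names:
                out.add(names[word])
            else:
                raise ValueError("unknown name: %r" % word)
        return out
    for ch in text:                                        # compact / positional
        if ch == "-":
            continue            # positional placeholder: nothing at this slot
        if ch not in letter_set:
            raise ValueError("unknown letter: %r" % ch)
        out.add(ch)
    return out


def parse_ace(text):
    """Parse one ACE such as user:tom:read_data/write_data:file_inherit:allow."""
    fields = text.split(":")
    if fields[0] in SPECIAL_WHO:
        who, rest = fields[0], fields[1:]
    elif fields[0] in NAMED_WHO and len(fields) >= 3:
        who, rest = fields[0] + ":" + fields[1], fields[2:]
    else:
        raise ValueError("bad ACE subject: %r" % text)
    if len(rest) == 2:                  # inheritance flags are optional
        perms, flags, kind = rest[0], "", rest[1]
    elif len(rest) == 3:
        perms, flags, kind = rest
    else:
        raise ValueError("bad ACE field count: %r" % text)
    if kind not in ACE_TYPES:
        raise ValueError("bad ACE type: %r" % kind)
    return Ace(who, _letters(perms, PERM_LETTERS, NAME_TO_LETTER, ALIASES),
               _letters(flags, FLAG_NAMES, FLAG_NAME_TO_LETTER, {}), kind)


def to_verbose(ace):
    """Render in the verbose form (permissions in positional letter order)."""
    parts = [ace.who, "/".join(VERBOSE[l][0] for l in PERM_LETTERS if l in ace.perms)]
    if ace.flags:
        parts.append("/".join(FLAG_NAMES[l] for l in FLAG_NAMES if l in ace.flags))
    return ":".join(parts + [ace.kind])


def to_positional(ace):
    """Render in the positional (ls -V) form; the last two flag positions are
    not described on this page and are left as hyphens (assumption)."""
    perms = "".join(l if l in ace.perms else "-" for l in PERM_LETTERS)
    flags = "".join(l if l in ace.flags else "-" for l in FLAG_NAMES) + "--"
    return ":".join([ace.who, perms, flags, ace.kind])
```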
Attribute Operation
An attribute operation command line has the following format:
chmod [options] attribute_specification_list file ...
where attribute_specification_list is the character S followed by a
comma-separated list of one or more attribute_specifications. Each
attribute_specification is of the form:
[operator]attribute_specifier
An operator is one of the following:
+
Each attribute specified by the associated attribute_specifier is
adjusted to match the value specified by the attribute_specifier.
-
Each attribute specified by the associated attribute_specifier is
adjusted to match the inverse of the value specified by the
attribute_specifier.
=
Each attribute specified by the associated attribute_specifier is
adjusted to match the value specified by the attribute_specifier.
Any boolean read-write extended system attributes associated with
the current file that are not specified by attribute_specifier are
cleared.
If an operator is not specified in an attribute_specification, chmod
behaves as if + had been specified.
An attribute_specifier takes one of the following forms:
a
Set all boolean read-write extended system attributes associated
with the current file.
c[compact_attribute_list]
c'{'compact_attribute_list'}'
Set each boolean read-write extended system attribute identified by
compact_attribute_list.
v[verbose_attribute_setting]
v['{'verbose_attribute_setting_list'}']
Set each boolean read-write extended system attribute identified by
verbose_attribute_setting.
A compact_attribute_list is a list of zero or more adjacent attribute
abbreviation characters from the list of Attribute Names and
Abbreviation Characters later in this section. An arbitrary number of
hyphen (-) characters can be included in a compact_attribute_list.
These are ignored.
A verbose_attribute_setting is an attribute name from the list of
Attribute Names and Abbreviation Characters later in this section,
optionally, immediately preceded by no. If the attribute name is used
without no, the attribute is set; otherwise the attribute is cleared.
A verbose_attribute_setting_list is zero or more comma-separated
verbose_attribute_settings.
Multiple operations specified for a file are accumulated and are all
set for a file operand as a single attribute setting operation. If an
attribute is specified more than once in an
attribute_specification_list, the last specified operation is applied.
The following is a list of Attribute Names and Abbreviation Characters:
Attribute Name      Abbreviation Character
hidden              H
sparse              s
system              S
readonly            R
archive             A
nounlink            u
immutable           i
appendonly          a
nodump              d
av_quarantined      q
av_modified         m
sensitive           T
OPTIONS
The following options are supported:
-c, --changes
Like verbose, but reports only when a change is made.
-f, --silent, --quiet
Force. chmod does not complain if it fails to change the mode of a
file.
--help
Displays usage message and exits with return code 0.
--no-preserve-root
Do not treat '/' specially. This is the default.
--preserve-root
Do not operate recursively on '/'.
--reference=RFILE
Uses RFILE's mode. If RFILE is non-existent, gives an error message
and returns a non-zero exit code.
-R, --recursive
Recursively descend through directory arguments, setting the mode
for each file. When symbolic links are encountered, the mode of the
target file is changed, but no recursion takes place.
-v, --verbose
Give a diagnostic for every file processed.
-@ named_attribute
Perform the attribute operation on the named extended attribute
file of each file operand instead of the file operand itself. If
multiple -@ operations are supplied, the attribute specification
mode is applied to each of the named attribute files.
A named attribute of * carries meaning to chmod, and is considered
to mean all extended attribute files associated with a file operand.
This does not refer to the special files . and ...
A named attribute of .. carries special meaning to chmod, and is
considered to mean the file operand itself. This allows chmod, in a
single call, to apply the attribute specification mode to the
specified named attribute file of the file operand and the file
operand itself.
-H
If the file specified on the command line is a symbolic link
referencing a file of type directory, this option changes the mode of
the directory referenced by the symbolic link and all the files in
the file hierarchy below it. If a symbolic link is encountered when
traversing a file hierarchy, the mode of the target file is
changed, but no recursion takes place.
-L
If the file is a symbolic link, this option changes the mode of the
file referenced by the symbolic link. If the file specified on the
command line, or encountered during the traversal of the file
hierarchy, is a symbolic link referencing a file of type directory,
then this option changes the mode of the directory referenced by
the symbolic link and all files in the file hierarchy below it.
-P
Does not follow any symbolic link. The mode of the target of the
symbolic link is unaltered.
OPERANDS
The following operands are supported:
absolute-mode
symbolic-mode-list
Represents the change to be made to the file mode bits of each file
named by one of the file operands. See Absolute Mode and Symbolic
Mode in the DESCRIPTION section of this manual page for more
information.
acl_operation
Represents the modification to be performed on the file's ACL. See
ACL Operation in the DESCRIPTION section for more information.
acl_operation is one of the following:
A[index]-
A-acl_specification
A[index]{+|=}acl_specification
attribute_specification_list
Represents the modification to be performed on the file's attributes.
See Attribute Operation in the DESCRIPTION section of this manual
page for more information.
file
A path name of a file whose file mode bits are to be modified.
EXAMPLES
Example 1 Denying execute Permission
The following example denies execute permission to everyone:
% chmod a-x file
Example 2 Allowing read-only Permission
The following example allows only read permission to everyone:
% chmod 444 file
Example 3 Making a File readable and writable
The following example makes a file readable and writable by the group
and others:
% chmod go+rw file
% chmod 066 file
Example 4 Locking a File From Access
The following example locks a file from access:
$ chmod +l file
Example 5 Granting read, write, execute, and set group-ID Permission
The following example grants everyone read, write, and execute
permissions on the file, and turns on the set group-ID:
$ chmod a=rwx,g+s file
$ chmod 2777 file
Example 6 Prepending a New ACL Entry on a ZFS File
The following example prepends a new ACL entry on a ZFS file.
First, display the current ACL:
$ ls -v file.3
-rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
Issue the following command:
$ chmod A+user:lp:read_data:deny file.3
Display the new ACL:
$ ls -v file.3
-rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
0:user:lp:read_data:deny
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
Example 7 Prepending a New POSIX-draft ACL Entry on a UFS File
The following example prepends a new POSIX-draft ACL entry on a UFS
file.
First, display the current ACL:
$ ls -v file.2
-rw-r--r-- 1 marks staff 0 Oct 9 15:52 file.2
0:user::rw-
1:group::r-- #effective:r--
2:mask:r--
3:other:r--
Issue the following command:
$ chmod A+user:lp:-wx file.2
Display the new ACL:
$ ls -v file.2
-rw-r--r--+ 1 marks staff 0 Oct 9 15:52 file.2
0:user::rw-
1:user:lp:-wx #effective:---
2:group::r-- #effective:r--
3:mask:r--
4:other:r--
Example 8 Inserting an ACL Entry in a Specific Position on a ZFS file
The following example inserts an ACL entry in a specific position on a
ZFS file system. It also illustrates the compact ACL format.
First, display the ACL to pick a location to insert a new ACE.
% ls -V file.1
-rw-r--r--+ 1 root root 0 Oct 6 12:16 file.1
user:lp:rw------------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
Next, insert a new entry in location 3. This causes the entries that
are currently in position 3 - 6 to be pushed down.
Issue the following command:
$ chmod A3+user:marks:r:deny file.1
Display the new ACL:
$ ls -V file.1
-rw-r--r--+ 1 root staff 0 Feb 3 14:13 file.1
user:lp:rw------------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
user:marks:r-------------:------:deny
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
Example 9 Inserting a POSIX-draft ACL in a Specific Position on a UFS File
The file system reorders ACLs when they are stored in the file system.
The following example illustrates this behavior.
$ ls -v file.1
-rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
0:user::rw-
1:user:lp:rw- #effective:r--
2:group::r-- #effective:r--
3:mask:r--
4:other:r--
Now, insert an entry at index position 3. The command works, but the
file system reorders the ACL.
$ chmod A3+user:marks:rw- file.1
$ ls -v file.1
-rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
0:user::rw-
1:user:lp:rw- #effective:r--
2:user:marks:rw- #effective:r--
3:group::r-- #effective:r--
4:mask:r--
5:other:r--
Rather than inserting the ACL entry in position 3 as requested, it
actually ends up in position 2.
Example 10 Removing an ACL Entry on a ZFS File
The following example removes the lp entry from an ACL:
$ ls -v file.3
-rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
0:user:lp:read_data:deny
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
$ chmod A-user:lp:read_data:deny file.3
$ ls -v file.3
-rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
Example 11 Removing a POSIX-draft ACL on a UFS File
The following example removes the lp entry from an ACL:
$ ls -v file.2
-rw-r--r--+ 1 marks staff 0 Oct 9 15:52 file.2
0:user::rw-
1:user:lp:-wx #effective:---
2:group::r-- #effective:r--
3:mask:r--
4:other:r--
$ chmod A-user:lp:-wx file.2
$ ls -v file.2
-rw-r--r-- 1 marks staff 0 Oct 9 15:52 file.2
0:user::rw-
1:group::r-- #effective:r--
2:mask:r--
3:other:r--
Example 12 Removing a Specific ACL Entry by Index Number on a ZFS File
Consider the following ACL:
$ ls -v file
0:group:staff:read_data/write_data/execute/read_acl:allow
1:user:bin:read_data:deny
2:user:bin:read_data:allow
3:owner@:write_data/append_data:deny
4:owner@:read_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
5:group@:write_data/append_data:deny
6:group@:read_data/execute:allow
7:everyone@:write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:deny
8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
/synchronize:allow
Remove the second user entry for bin.
$ chmod A2- file
$ ls -v file
0:group:staff:read_data/write_data/execute/read_acl:allow
1:user:bin:read_data:deny
2:owner@:write_data/append_data:deny
3:owner@:read_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
4:group@:write_data/append_data:deny
5:group@:read_data/execute:allow
6:everyone@:write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
/synchronize:allow
Example 13 Removing a Specific POSIX-draft ACL Entry on a UFS File
The following example removes the lp entry by index number from the
following ACL:
$ ls -v file.1
-rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
0:user::rw-
1:user:lp:rw- #effective:r--
2:group::r-- #effective:r--
3:mask:r--
4:other:r--
$ chmod A1- file.1
$ ls -v file.1
-rw-r--r--+ 1 root root 0 Sep 29 16:10 file.1
0:user::rw-
1:group::r-- #effective:r--
2:mask:r--
3:other:r--
Example 14 Removing All ACLs From a File
The following command works with either NFSv4/ZFS or POSIX-draft ACLs.
Consider the following ACL:
$ ls -v file.3
-rw-r--r--+ 1 marks staff 0 Oct 9 15:49 file.3
0:user:lp:read_data/write_data:allow
1:user:marks:read_acl:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
The existing ACL is effectively removed and is replaced with an ACL
that represents the permission bits of the file.
$ chmod A- file.3
$ ls -v file.3
-rw-r--r-- 1 marks staff 0 Oct 9 15:49 file.3
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
Example 15 Replacing an Entire ACL Entry on a ZFS File
Use the following chmod syntax if you want to replace an ACL in its
entirety:
$ chmod A=owner@:read_data/write_data:allow,group@:read_data/
write_data:allow,user:lp:read_data:allow file.4
$ ls -v file.4
-rw-rw----+ 1 marks staff 0 Oct 9 16:12 file.4
0:owner@:read_data/write_data:allow
1:group@:read_data/write_data:allow
2:user:lp:read_data:allow
Example 16 Replacing an Entire POSIX-draft ACL on a UFS File
This operation is a little more complicated. The replacement ACL needs
the necessary entries to represent the file owner, file group owner,
other, mask and any additional entries you wish to set.
$ chmod A=user::rw-,group::rw-,other::---,mask:r--,
user:lp:r-- file.3
$ ls -v file.3
-rw-r-----+ 1 root root 0 Oct 9 16:14 file.3
0:user::rw-
1:user:lp:r-- #effective:r--
2:group::rw- #effective:r--
3:mask:r--
4:other:---
Example 17 Replacing a Specific Entry on a ZFS File
Consider the following ACL.
$ ls -v file.5
-rw-r--r--+ 1 marks staff 0 Oct 9 16:18 file.5
0:user:marks:read_data:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
Now, change the allow access to a deny for user marks:
$ chmod A0=user:marks:read_data:deny file.5
$ ls -v file.5
-rw-r--r--+ 1 marks staff 0 Aug 23 09:11 file.5
0:user:marks:read_data:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
Example 18 Replacing a Specific POSIX-draft ACL on a UFS File
Consider the following ACL.
$ ls -v file.4
-rw-r--r--+ 1 marks staff 0 Oct 9 16:21 file.4
0:user::rw-
1:user:lp:rwx #effective:r--
2:group::r-- #effective:r--
3:mask:r--
4:other:r--
Now, change the permission on lp from rwx to r--:
$ chmod A1=user:lp:r-- file.4
$ ls -v file.4
-rw-r--r--+ 1 marks staff 0 Oct 9 16:21 file.4
0:user::rw-
1:user:lp:r-- #effective:r--
2:group::r-- #effective:r--
3:mask:r--
4:other:r--
Example 19 Setting ACL Inheritance Flags on a ZFS File
You can only set inheritance flags on ZFS files. When setting ACLs on
directories, several inheritance flags can be optionally set.
Suppose you have an ACL entry for user lp that you want to be inherited
to newly created files in a directory. First, you need to create an
inheritable ACL entry on the directory:
$ chmod A+user:lp:read_data:file_inherit:allow test.dir
$ ls -dv test.dir
drwxr-xr-x+ 2 marks staff 2 Aug 23 09:08 test.dir/
0:user:lp:read_data:file_inherit:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
The lp entry is inherited to newly created files in the directory
test.dir.
$ touch test.dir/file.test
$ ls -v test.dir/file.test
-rw-r--r--+ 1 marks staff 0 Oct 9 16:29 test.dir/file.test
0:user:lp::deny
1:user:lp:read_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/
write_attributes/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/
write_attributes/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/
synchronize:allow
The user lp entry is inherited to the newly created file. Multiple
combinations of the inheritance flags can be specified. For example, if
you wanted the lp entry to also be inherited to directories, then the
following command can be used:
$ chmod A+user:lp:read_data:file_inherit/\
dir_inherit:allow test.dir
Example 20 Replacing System Attributes of a ZFS File
The following examples replace system attributes of a ZFS file:
$ chmod S=v{archive,hidden,readonly,system,appendonly,\
nonodump,immutable,noav_modified,noav_quarantined,\
nounlink,nonsensitive} file1
or
$ chmod S=c{AHRSaiu} file1
or
$ chmod S=c{AHRSa-i--u-} file1
or
$ chmod S=cAHRSaiu file1
or
$ chmod -@ '..' S=cAHRSaiu file1
Assuming appropriate privileges, this results in the following system
attributes of file1 being set: archive, hidden, readonly, system,
appendonly, immutable, and nounlink. Assuming appropriate privileges,
the following system attributes of file1 are cleared: nodump,
av_modified, av_quarantined, and sensitive.
Example 21 Clearing All System Attributes of a ZFS File
The following examples clear all system attributes of a ZFS file:
$ chmod S-a file1
or
$ chmod -@ '..' S-a file1
Assuming appropriate privileges, all boolean read-write system
attributes are cleared on file1.
Example 22 Setting a System Attribute of a Named Attribute File of a
ZFS File
The following example sets a system attribute of a named attribute file
of a ZFS file, but not of the file itself:
$ chmod -@ myattr S+vhidden file1
This results in the hidden system attribute being set for the named
attribute file myattr of file1, but not the file itself.
Example 23 Setting a System Attribute of All Named Attribute Files of a
ZFS File
The following example sets a system attribute of all named attribute
files of a ZFS file, but not of the file itself:
$ chmod -@ '*' S+a file1
Example 24 Setting a System Attribute of All Named Attribute Files of a
ZFS File
The following example sets a system attribute of all named attribute
files of a ZFS file, as well as of the file itself:
$ chmod -@ '..' -@ '*' S+vhidden file1
This results in the hidden system attribute being set for all named
attribute files of file1, as well as the file itself.
Example 25 Recursively Descending Through a Directory Hierarchy
The following example recursively descends through a directory
hierarchy, and sets all system attributes of all named attribute files, the
ZFS file operands, as well as of the directory itself:
$ chmod -R -@ '..' -@ '*' S+a directory1
This results in the hidden system attribute being set for all named
attribute files of all regular files and directories within the
directory hierarchy of directory1, as well as of directory1 itself.
Example 26 Setting the hidden and system System Attributes of a ZFS
File
The following examples set the hidden and system system attributes of a
ZFS file:
$ chmod S+cHS file1
or
$ chmod S+vhidden,+vsystem file1
or
$ chmod S+v{hidden,system} file1
or
$ chmod S+c{-HS--------} file1
or
$ chmod S-v{nohidden,nosystem} file1
or
$ chmod S-v{hidden,system},+v{hidden,system} file1
Example 27 Clearing All System Attributes of a ZFS File
The following example clears all system attributes of a ZFS file:
$ chmod S-a file1
or
$ chmod S=v{} file1
In the following two examples, the last attribute operation specified
takes precedence.
In this example, the replacement attribute name list ({}) clears all
system attributes for file1:
$ chmod S+cHS,=v{} file1
In this example, the clear attributes operation (-a) clears all system
attributes of file1:
$ chmod S+vhidden,+vsystem,-a file1
Example 28 Setting the Values of All Boolean read-write System
Attributes of a File
The following example sets the values of all boolean read-write system
attributes of a file to the same as the boolean read-write system
attributes of another file:
$ chmod S=v`ls -/v file1|sed -n '2s/.*{/{/p'` file2
Assuming appropriate privileges and that file1 and file2 have the same
supported system attributes, all system attributes of file1 that are
set are also set on file2. All system attributes of file1 that are
cleared are also cleared on file2.
ENVIRONMENT VARIABLES
See environ(7) for descriptions of the following environment variables
that affect the execution of chmod: LANG, LC_ALL, LC_CTYPE, LC_MESSAGES,
and NLSPATH.
EXIT STATUS
The following exit values are returned:
0
Successful completion.
> 0
An error occurred.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE            ATTRIBUTE VALUE
Availability              system/core-os
CSI                       Enabled
Interface Stability       Committed
SEE ALSO
ls(1), chmod(2), fgetattr(3C), acl(7), attributes(7), environ(7),
fsattr(7), privileges(7), standards(7)
Managing ZFS File Systems in Oracle Solaris 11.4
NOTES
Absolute changes do not work for the set-group-ID bit of a directory.
You must use g+s or g-s.
chmod permits you to produce useless modes so long as they are not
illegal (for instance, making a text file executable). chmod does not
check the file type to see if mandatory locking is meaningful.
If the filesystem is mounted with the nosuid or nosetuid options,
neither setuid nor setgid execution is allowed.
If the filesystem is mounted with the noexec option, direct execution
is not allowed for any user, but scripts and programs may be able to be
indirectly run if provided as the argument to an interpreter run from
another filesystem.
If you use chmod to change the file group owner permissions on a file
with ACL entries, both the file group owner permissions and the ACL
mask are changed to the new permissions. Be aware that the new ACL mask
permissions can change the effective permissions for additional users
and groups who have ACL entries on the file. Use the ls(1) command to
make sure the appropriate permissions are set for all ACL entries.
Oracle Solaris 11.4 3 Nov 2021 chmod(1)