chmod(1) man page - WindyHana's Solanara


chmod(1)                         User Commands                        chmod(1)



NAME
       chmod - change the permissions mode of a file

SYNOPSIS
       /usr/bin/chmod [-c | --changes] [-f | --silent | --quiet] [--help]
           [--no-preserve-root] [--preserve-root] [--reference=<RFILE>]
           [-R | --recursive [-H | -L | -P]] [-v | --verbose ]
           <absolute-mode> <file> ...


       /usr/bin/chmod [-fR] [-@ attribute] ... S<attribute-operation> file ...


       /usr/bin/chmod [-fR] <ACL-operation> file ...


       /usr/bin/chmod [-c | --changes] [-f | --silent | --quiet] [--help]
           [--no-preserve-root] [--preserve-root] [--reference=<RFILE>]
           [-R | --recursive [-H | -L | -P]] [-v | --verbose ]
           <symbolic-mode-list> file ...

DESCRIPTION
       The chmod utility changes or assigns the mode of a file.


       chmod  can  also be used to modify Access Control Lists (ACLs) on files
       and directories, and to modify boolean read-write system attributes  on
       regular files, directories, and opaque extended attribute files.

   Absolute Mode
       An absolute mode command line has the following format:


       chmod [options] absolute-mode  file . . .


       where  absolute-mode  is  specified using octal numbers nnnn defined as
       follows:

       n

           a number from 0 to 7. An absolute mode is constructed from  the  OR
           of any of the following modes:

           4000

               Set user ID on execution.


           20#0

               Set group ID on execution if # is 7, 5, 3, or 1.

               Enable mandatory locking if # is 6, 4, 2, or 0.

               For directories, files are created with BSD semantics for prop‐
               agation of the group ID. With this option, files and  subdirec‐
               tories  created  in  the  directory inherit the group ID of the
               directory, rather than of the current process. For directories,
               the setgid bit can only be set or cleared by using either abso‐
               lute or symbolic mode.


           1000

               Turn on sticky bit. See chmod(2).


           0400

               Allow read by owner.


           0200

               Allow write by owner.


           0100

               Allow execute (search in directory) by owner.


           0700

               Allow read, write, and execute (search) by owner.


           0040

               Allow read by group.


           0020

               Allow write by group.


           0010

               Allow execute (search in directory) by group.


           0070

               Allow read, write, and execute (search) by group.


           0004

               Allow read by others.


           0002

               Allow write by others.


           0001

               Allow execute (search in directory) by others.


           0007

               Allow read, write, and execute (search) by others.




       For directories, the setgid bit cannot be set (or cleared) in  absolute
       or symbolic mode; setting (or clearing) the setgid bit in symbolic mode
       must be done using g+s (or g-s).

   Symbolic Mode
       A symbolic mode command line has the following format:


       chmod [options] symbolic-mode-list  file . . .


       where symbolic-mode-list is a comma-separated list (with no intervening
       white space) of symbolic mode expressions of the form:


       [who] operator [permissions]


       Operations  are performed in the order given. Multiple permissions let‐
       ters following a single operator cause the corresponding operations  to
       be performed simultaneously.

       who

           zero or more of the characters u, g, o, and a specifying whose per‐
           missions are to be changed or assigned:


           u            user's permissions


           g            group's permissions


           o            others' permissions


           a            all permissions (user, group, and other)

           If who is omitted, it defaults to a, but the setting  of  the  file
           mode creation mask (see umask(1)) is taken into account.


       operator

           either +, -, or =, signifying how permissions are to be changed:


           +

               Add permissions.

               If permissions are omitted, nothing is added.

               If who is omitted, add the file mode bits represented by
               permissions, except for those with corresponding bits in the
               file mode creation mask.

               If  who  is  present, add the file mode bits represented by the
               permissions.


           -

               Take away permissions.

               If permissions are omitted, do nothing.

               If who is omitted, clear the file mode bits represented by per‐
               missions,  except for those with corresponding bits in the file
               mode creation mask.

               If who is present, clear the file mode bits represented by per‐
               missions.


           =

               Assign permissions absolutely.

               If who is omitted, clear all file mode bits; if who is present,
               clear the file mode bits represented by who.

               If permissions are omitted, do nothing else.

               If who is omitted, add the file mode bits represented by
               permissions, except for those with corresponding bits in the
               file mode creation mask.

               If who is present, add the file mode bits represented  by  per‐
               missions.

           Unlike  other symbolic operations, = has an absolute effect in that
           it resets all other bits represented by who.  Omitting  permissions
           is useful only with = to take away all permissions.


       permission

           any compatible combination of the following letters:


           l

               mandatory locking


           r

               read permission


           s

               user or group set-ID


           t

               sticky bit


           w

               write permission


           x

               execute permission


           X

               execute  permission  if  the file is a directory or if there is
               execute permission for one of the other user classes


           u,g,o

               indicate that permission is to be taken from the current  user,
               group or other mode respectively.

           Permissions  to  a file can vary depending on your user identifica‐
           tion number (UID) or group identification number (GID). Permissions
           are described in three sequences each having three characters:



           User    Group    Other
           rwx     rwx      rwx

           This  example (user, group, and others all have permission to read,
           write, and execute a given file) demonstrates  two  categories  for
           granting  permissions:  the  access class and the permissions them‐
           selves.

           The letter s is only meaningful with u or g, and t only works  with
           u.

           Mandatory file and record locking (l) refers to a file's ability to
           have its reading or writing permissions locked while a  program  is
           accessing that file.

           In  a  directory  which  has the set-group-ID bit set (reflected as
           either -----s--- or -----l--- in the output of 'ls -ld'), files and
           subdirectories  are  created with the group-ID of the parent direc‐
           tory, not that of the current process.

           It is not possible to permit group execution and enable a  file  to
           be  locked  on  execution  at the same time. In addition, it is not
           possible to turn on the set-group-ID bit and enable a  file  to  be
           locked  on  execution  at  the  same  time. The following examples,
           therefore, are invalid and elicit error messages:


             chmod g+x,+l file
             chmod g+s,+l file

           Only the owner of a file  or  directory,  or  a  process  with  the
           {PRIV_FILE_OWNER}  privilege, can change that file's or directory's
           mode. Only a process with the {PRIV_SYS_CONFIG} privilege  can  set
           the sticky bit on a non-directory file. If run without the required
           privilege, chmod masks the sticky-bit but does not return an error.
           In  order  to  turn on a file's set-group-ID bit, your own group ID
           must correspond to the file's and group execution must be set.
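
       The symbolic-mode rules above, including the umask behaviour when who
       is omitted, written out as a small evaluator. This is an added example,
       not part of the manual page or of chmod itself; apply_symbolic and its
       parameters are hypothetical names, and the l permission and the
       directory-specific set-group-ID handling are not modelled.

```python
import re

SHIFT = {"u": 6, "g": 3, "o": 0}      # bit position of each class's rwx triplet
SETID = {"u": 0o4000, "g": 0o2000}    # set-user-ID / set-group-ID bits
RWX = {"r": 4, "w": 2, "x": 1}
# [who] operator [permissions]; permissions is either a run of letters or a
# single u/g/o meaning "copy that class's current permissions".
CLAUSE = re.compile(r"^([ugoa]*)([-+=])([rwxXst]*|[ugo])$")


def _bits(classes, perms, mode, is_dir):
    """Mode bits that `perms` stands for, for the classes in `classes`."""
    if perms in SHIFT:
        triplet = (mode >> SHIFT[perms]) & 7
        return sum(triplet << SHIFT[c] for c in classes)
    bits = 0
    for p in perms:
        if p in RWX:
            bits |= sum(RWX[p] << SHIFT[c] for c in classes)
        elif p == "X":
            # Execute only for directories or files that already have an x bit.
            if is_dir or mode & 0o111:
                bits |= sum(1 << SHIFT[c] for c in classes)
        elif p == "s":
            # Only meaningful with u or g.
            bits |= sum(SETID.get(c, 0) for c in classes)
        elif p == "t" and "u" in classes:
            # The page states that t only works with u.
            bits |= 0o1000
    return bits


def apply_symbolic(mode_list, mode, umask=0o022, is_dir=False):
    """Return the mode that results from applying a symbolic-mode-list.

    Clauses are applied left to right. `umask` is passed in explicitly so the
    result does not depend on the calling process.
    """
    for clause in mode_list.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported symbolic mode clause: {clause!r}")
        who, op, perms = m.groups()
        implicit = who == ""
        if implicit or "a" in who:
            classes = "ugo"
        else:
            classes = "".join(sorted(set(who)))
        bits = _bits(classes, perms, mode, is_dir)
        if implicit:
            # who omitted: bits set in the file mode creation mask are left alone.
            bits &= ~(umask & 0o777)
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            # "=" first clears, then adds. With who omitted all mode bits are
            # cleared; with who present only that class's bits are cleared.
            # Assumption of this model: an explicit who never clears the
            # sticky bit.
            if implicit:
                cleared = 0o7777
            else:
                cleared = sum(7 << SHIFT[c] | SETID.get(c, 0) for c in classes)
            mode = (mode & ~cleared) | bits
    return mode & 0o7777


if __name__ == "__main__":
    # Constructed inputs: (symbolic-mode-list, starting mode, umask)
    for expr, start, mask in [("+w", 0o444, 0o022), ("a+w", 0o444, 0o022),
                              ("=rw", 0o755, 0o027), ("a=rwx,g+s", 0o644, 0o022)]:
        result = apply_symbolic(expr, start, umask=mask)
        print(f"umask {mask:03o}: chmod {expr} on {start:04o} -> {result:04o}")
```

       With a umask of 022, +w and a+w give different results on the same
       file, which is the usual reason to write the who explicitly in scripts.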


   ACL Operation
       An Access Control List (ACL) is a list of Access Control Entries
       (ACEs), each of which defines access permissions for a particular class
       of user. The list of ACEs is numbered, starting from zero. The position
       of  an  ACE  within an ACL is called an index. This index is used as an
       argument in many of the chmod commands described  below.  See  Managing
       ZFS File Systems in Oracle Solaris 11.4 for further description of ACLs
       and ACEs.


       Oracle Solaris utilities, including chmod, support both the  NFSv4  and
       the  newer  POSIX-draft  ACL specifications. These specifications spell
       out the syntax and  semantics  of  the  acl_specification  field  shown
       below.  These  two ACL specifications are described in their respective
       subsections, below.


       An ACL Operation command line has the following format:

         chmod [options] A[index]- file ...
         chmod [options] A-acl_specification file ...
         chmod [options] A[index]{+|=}acl_specification file ...



       ...where acl_specification is a comma-separated list (with no interven‐
       ing whitespace) of the form:

       A[index]+acl_specification

           Prepends the access control entries (ACE) specified in acl_specifi‐
           cation to the beginning of the file's ACL. Depending  on  the  file
           system,  the  ACL can be reordered when applied to the file. If the
           optional index is specified, then  new  ACEs  are  inserted  before
           specified index.


       A-

           Removes  all  ACEs for current ACL on file and replaces current ACL
           with new ACL that represents only the current mode of the file.


       Aindex-

           Removes ACE specified by index number.


       A-acl_specification


           Removes ACEs specified by acl_specification, if they exist in  cur‐
           rent file's ACL.



       A=acl_specification

           Replaces a file's entire ACL with acl_specification.


       A[index]=acl_specification

           Replaces  ACEs  starting  at a specific index number in the current
           ACL on the file. If multiple ACEs are specified, then  each  subse‐
           quent  ACE  in  acl_specification replaces the corresponding ACE in
           the current ACL.


   POSIX-draft ACL Specification (as supported by UFS)
       POSIX-draft ACLs (as supported by UFS) are specified as colon (:) sepa‐
       rated fields of the following.

       user::perms

           File owner permissions.


       user:username:perms

           Permissions for a specific user.


       group::perms

           File group member permissions.


       group:groupname:perms

           Permissions for a specific group.


       other::perms

           Permissions for users other than the file owner or members of the
           file group.


       mask:perms

           The ACL mask. The mask entry specifies the maximum permissions
           allowed for users (other than the owner) and for groups.


       default:user::perms

           Default file owner permissions.


       default:user:username:perms

           Default permissions for a specific user.


       default:group::perms

           Default file group member permissions.


       default:group:groupname:perms

           Default permissions for a specific group.


       default:other:perms

           Default permissions for users other than the file owner or members
           of the file group.


       default:mask:perms

           Default ACL mask.



       The above specification allows for ACLs to be specified such as:

         user:tom:rw-,mask:rwx,group:staff:r-x


   NFSv4 ACL Specification (as supported by NFSv4 and ZFS)
       NFSv4 ACLs provide richer ACL semantics. They provide  both  allow  and
       deny  entries, finer-grained permissions, and enhanced inheritance con‐
       trol.


       NFSv4 ACLs are specified as colon (:) separated fields of  the  follow‐
       ing.

       owner@:<perms>[:inheritance flags]:<allow|deny>

           Permissions for file owner.


       group@:<perms>[:inheritance flags]:<allow|deny>

           Permissions for file group member.


       everyone@:<perms>[:inheritance flags]:<allow|deny>

           Permissions for everyone, including file owner and group member.


       user:<username>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific user.


       usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific user, but user is specified by SID.


       group:<groupname>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific group.


       groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

           Permissions for a specific group, but group is specified by SID.


       sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>

           Permissions  for  a  specific SID, but it doesn't matter if it is a
           user or a group.



       In addition to allow and deny ACE types, NFSv4 ACLs provide  alarm  and
       audit  ACE  types.  Privilege is required to view or set audit entries.
       Currently, Oracle Solaris does not generate alarms. See acl(7).


       Permissions can be specified in three different chmod ACL formats:
       verbose, compact, or positional. The verbose format uses words to
       indicate the permissions, separated with a forward slash (/) character.
       Compact format uses the permission letters and positional format uses
       the permission letters or the hyphen (-) to identify no permissions.


       The permissions for verbose mode and their abbreviated form  in  paren‐
       theses for compact and positional mode are described as follows:

       read_data (r)

           Permission to read the data of a file.


       list_directory (r)

           Permission to list the contents of a directory.


       write_data (w)

           Permission to modify a file's data anywhere in the file's offset
           range.


       add_file (w)

           Permission to add a new file to a directory.


       append_data (p)

           The ability to modify a file's data, but only starting at EOF.

           Currently, this permission is not supported.


       add_subdirectory (p)

           Permission to create a subdirectory in a directory.


       read_xattr (R)

           Ability to read the extended attributes of a file.


       write_xattr (W)

           Ability to create extended attributes  or  write  to  the  extended
           attribute directory.


       execute (x)

           Permission to execute a file.


       read_attributes (a)

           The ability to read basic attributes (non-ACLs) of a file.


       write_attributes (A)

           Permission  to change the times associated with a file or directory
           to an arbitrary value.


       delete (d)

           Permission to delete a file.

           For more information about delete permission behavior, see the Man‐
           aging ZFS File Systems in Oracle Solaris 11.4.


       delete_child (D)

           Permission to delete a file within a directory.

           For more information about delete permission behavior, see the
           Managing ZFS File Systems in Oracle Solaris 11.4.


       read_acl (c)

           Permission to read the ACL of a file.


       write_acl (C)

           Permission to write the ACL of a file.


       write_owner (o)

           Permission to change the owner of a file.


       synchronize (s)

           Permission to access file locally at server with synchronize  reads
           and writes.

           Currently, this permission is not supported.



       Using  the  compact  ACL  format, permissions are specified by using 14
       unique letters to indicate permissions.


       Using the positional ACL format, permissions  are  specified  as  posi‐
       tional  arguments  similar  to the ls  -V format. The hyphen (-), which
       indicates that no permission is granted at that position, can be  omit‐
       ted and only the required letters have to be specified.


       The  letters  above  are listed in the order they would be specified in
       positional notation.


       Permissions can be specified with these letters in the following way:

         rwx--D--------



       The hyphens can be removed to compact the string as follows:

         rwxD



       Several special permission sets or aliases are also supported. The fol‐
       lowing  permission  sets are used the same way that verbose permissions
       are specified.

       full_set

           All permissions.


       modify_set

           All permissions except write_acl and write_owner.


       read_set

           read_data, read_acl, read_attributes, and read_xattr.


       write_set

           write_data, append_data, write_attributes, and write_xattr.



       The optional inheritance flags can be specified in the  three  formats.
       The  first  format uses words to indicate the various inheritance flags
       separated with a forward slash (/) character.

       file_inherit (f)

           Inherit to all newly created files.


       dir_inherit (d)

           Inherit to all newly created directories.


       inherit_only (i)

           When placed on a directory, do not apply to the directory, only to
           newly created files and directories. This flag requires that
           file_inherit and/or dir_inherit is also specified.


       no_propagate (n)

           Indicates that ACL entries should be inherited to objects in a
           directory, but inheritance should stop after descending one level.
           This flag is dependent upon file_inherit and/or dir_inherit also
           being specified.



       The  inheritance flags listed can also be specified in the compact for‐
       mat or as positional arguments similar to the ls  -V format.  A  hyphen
       character  indicates  that the inheritance flag at that position is not
       specified in the positional ACL format.


       The inheritance flags can be specified with these letters in any of the
       following equivalent ways.

         file_inherit/dir_inherit/no_propagate


         fd-n--


         fdn



       With this inheritance model, an ACL entry can be specified such as:

         user:tom:read_data/write_data/read_attributes:file_inherit:allow
         user:fred:read_data:file_inherit/dir_inherit:deny
         user:bob:read_data:allow
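
       The three permission notations and the inheritance-flag rules above,
       as a normaliser for NFSv4 ACE strings. This is an added example, not
       part of the manual page or of chmod; parse_ace and verbose_perms are
       hypothetical names, the positional letter order is taken from the
       ls -V output in this page's examples, and only the four inheritance
       flags listed above are accepted.

```python
# Positional order of the 14 permission letters, as shown by the `ls -V`
# output in this page's examples (for instance "rw-p---A-W-Co-").
PERMS = [
    ("r", "read_data"), ("w", "write_data"), ("x", "execute"),
    ("p", "append_data"), ("d", "delete"), ("D", "delete_child"),
    ("a", "read_attributes"), ("A", "write_attributes"),
    ("R", "read_xattr"), ("W", "write_xattr"), ("c", "read_acl"),
    ("C", "write_acl"), ("o", "write_owner"), ("s", "synchronize"),
]
ALL = "".join(letter for letter, _ in PERMS)

# Verbose words -> set of letters, including directory names and the sets.
PERM_WORDS = {name: {letter} for letter, name in PERMS}
PERM_WORDS.update({
    "list_directory": {"r"}, "add_file": {"w"}, "add_subdirectory": {"p"},
    "full_set": set(ALL),
    "modify_set": set(ALL) - {"C", "o"},   # all except write_acl, write_owner
    "read_set": set("rcaR"),
    "write_set": set("wpAW"),
})
FLAG_ORDER = "fdin"
FLAG_WORDS = {"file_inherit": {"f"}, "dir_inherit": {"d"},
              "inherit_only": {"i"}, "no_propagate": {"n"}}
SPECIAL_WHO = {"owner@", "group@", "everyone@"}
NAMED_WHO = {"user", "group", "usersid", "groupsid", "sid"}


def _letters(field, words, valid):
    """Accept verbose (a/b/c), compact (rwxD) or positional (rwx--D...) input."""
    out = set()
    for word in field.split("/"):
        if word in words:
            out |= words[word]
            continue
        compact = set(word) - {"-"}        # hyphens only mark empty positions
        if not compact <= set(valid):
            raise ValueError(f"unknown permission or flag in {word!r}")
        out |= compact
    return out


def verbose_perms(perms):
    """Render any permission notation as verbose names in positional order."""
    letters = _letters(perms, PERM_WORDS, ALL)
    return "/".join(name for letter, name in PERMS if letter in letters)


def parse_ace(spec):
    """Split one NFSv4 ACE and normalise its permissions and flags."""
    fields = spec.split(":")
    if fields[0] in SPECIAL_WHO:
        who, rest = fields[0], fields[1:]
    elif fields[0] in NAMED_WHO and len(fields) >= 4:
        who, rest = f"{fields[0]}:{fields[1]}", fields[2:]
    else:
        raise ValueError(f"unrecognised ACE subject in {spec!r}")
    if len(rest) == 2:                     # inheritance flags are optional
        perms, flags, ace_type = rest[0], "", rest[1]
    elif len(rest) == 3:
        perms, flags, ace_type = rest
    else:
        raise ValueError(f"wrong number of fields in {spec!r}")
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"ACE type must be allow or deny, got {ace_type!r}")
    perm_set = _letters(perms, PERM_WORDS, ALL)
    flag_set = _letters(flags, FLAG_WORDS, FLAG_ORDER)
    # inherit_only and no_propagate depend on file_inherit and/or dir_inherit.
    if flag_set & set("in") and not flag_set & set("fd"):
        raise ValueError("inherit_only/no_propagate need file_inherit "
                         "and/or dir_inherit")
    return {
        "who": who,
        "perms": "".join(c if c in perm_set else "-" for c in ALL),
        "flags": "".join(c for c in FLAG_ORDER if c in flag_set),
        "type": ace_type,
    }


if __name__ == "__main__":
    # ACE strings taken from the examples on this page.
    for ace in ("user:tom:read_data/write_data/read_attributes:file_inherit:allow",
                "user:fred:read_data:file_inherit/dir_inherit:deny",
                "user:bob:read_data:allow"):
        print(parse_ace(ace))
```

       Normalising every entry to the positional form makes two ACLs written
       in different notations directly comparable, for example when reviewing
       a change before applying it with chmod A=.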


   Attribute Operation
       An attribute operation command line has the following format:

         chmod [options] attribute_specification_list file ...



       where  attribute_specification_list  is  the  character S followed by a
       comma-separated list of  one  or  more  attribute_specifications.  Each
       attribute_specification is of the form:

         [operator]attribute_specifier



       An operator is one of the following:

       +

           Each  attribute  specified by the associated attribute_specifier is
           adjusted to match the value specified by the attribute_specifier.


       -

           Each attribute specified by the associated  attribute_specifier  is
           adjusted  to  match  the  inverse  of  the  value  specified by the
           attribute_specifier.


       =

           Each attribute specified by the associated attribute_specifier is
           adjusted to match the value specified by the attribute_specifier.
           Any boolean read-write extended system attributes associated with
           the current file that are not specified by attribute_specifier are
           cleared.



       If an operator is not specified in  an  attribute_specification,  chmod
       behaves as if + had been specified.


       An attribute_specifier takes one of the following forms:

       a

           Set  all  boolean  read-write extended system attributes associated
           with the current file.


       c[compact_attribute_list]
       c'{'compact_attribute_list'}'

           Set each boolean read-write extended system attribute identified by
           compact_attribute_list.



       v[verbose_attribute_setting]
       v['{'verbose_attribute_setting_list'}']

           Set each boolean read-write extended system attribute identified by
           verbose_attribute_setting.




       A compact_attribute_list is a list of zero or more adjacent attribute
       abbreviation characters from the list of Attribute Names and
       Abbreviation Characters later in this section. An arbitrary number of
       hyphen (-) characters can be included in a compact_attribute_list.
       These are ignored.


       A verbose_attribute_setting is an  attribute  name  from  the  list  of
       Attribute  Names  and  Abbreviation  Characters  later in this section,
       optionally, immediately preceded by no. If the attribute name  is  used
       without no, the attribute is set; otherwise the attribute is cleared.


       A  verbose_attribute_setting_list  is zero or more comma-separated ver‐
       bose_attribute_settings.


       Multiple operations specified for a file are accumulated  and  are  all
       set  for  a file operand as a single attribute setting operation. If an
       attribute is  specified  more  than  once  in  an  attribute_specifica‐
       tion_list, the last specified operation is applied.


       The following is a list of Attribute Names and Abbreviation Characters:

       Attribute Name              Abbreviation Character


       hidden                      H


       sparse                      s


       system                      S


       readonly                    R


       archive                     A


       nounlink                    u


       immutable                   i


       appendonly                  a


       nodump                      d


       av_quarantined              q


       av_modified                 m


       sensitive                   T


OPTIONS
       The following options are supported:

       -c, --changes

           Like verbose, but reports only when a change is made.


       -f, --silent, --quiet

           Force.  chmod does not complain if it fails to change the mode of a
           file.


       --help

           Displays usage message and exits with return code 0.

       --no-preserve-root

           Do not treat '/' specially. This is the default.

       --preserve-root

           Do not operate recursively on '/'.

       --reference=RFILE

           Uses RFILE's mode. If RFILE is non-existent, gives an error message
           and returns a non-zero exit code.


       -R, --recursive

           Recursively  descend  through directory arguments, setting the mode
           for each file. When symbolic links are encountered, the mode of the
           target file is changed, but no recursion takes place.


       -v, --verbose

           Give a diagnostic for every file processed.


       -@ named_attribute

           Perform  the  attribute  operation  on the named extended attribute
           file of each file operand instead of the file  operand  itself.  If
           multiple  -@  operations  are supplied, the attribute specification
           mode is applied to each of the named attribute files.

           A named attribute of * carries meaning to chmod, and is  considered
           to  mean  all extended attribute files associated with a file oper‐
           and. This does not refer to the special files . and ...

           A named attribute of .. carries special meaning to  chmod,  and  is
           considered to mean the file operand itself. This allows chmod, in a
           single call, to apply the attribute specification mode to the spec‐
           ified named attribute file of the file operand and the file operand
           itself.


       -H

           If the file specified on the command line is a symbolic link refer‐
           encing  a  file  of type directory, this option changes the mode of
           the directory referenced by the symbolic link and all the files  in
           the file hierarchy below it. If a symbolic link is encountered when
           traversing a file  hierarchy,  the  mode  of  the  target  file  is
           changed, but no recursion takes place.


       -L

           If the file is a symbolic link, this option changes the mode of the
           file referenced by the symbolic link. If the file specified on  the
           command line, or encountered during the traversal of the file hier‐
           archy, is a symbolic link referencing a  file  of  type  directory,
           then  this  option  changes the mode of the directory referenced by
           the symbolic link and all files in the file hierarchy below it.


       -P

           Does not follow any symbolic link. The mode of the  target  of  the
           symbolic link is unaltered.


OPERANDS
       The following operands are supported:

       absolute-mode
       symbolic-mode-list

           Represents the change to be made to the file mode bits of each file
           named by one of the file operands. See Absolute Mode  and  Symbolic
           Mode in the DESCRIPTION section of this manual page for more infor‐
           mation.



       acl_operation

           Represents the modification to be performed on the file's ACL.  See
           ACL Operation in the DESCRIPTION section for more information.

           acl_operation is one of the following:

             A[number] -
             A-acl_specification
             A[index]{+|=}acl_specification



       attribute_specification_list

           Represents the modification to be performed on the file's
           attributes. See Attribute Operation in the DESCRIPTION section of
           this manual page for more information.


       file

           A path name of a file whose file mode bits are to be modified.


EXAMPLES
       Example 1 Denying execute Permission



       The following example denies execute permission to everyone:


         % chmod a-x file


       Example 2 Allowing read-only Permission



       The following example allows only read permission to everyone:


         % chmod 444 file


       Example 3 Making a File readable and writable



       The  following  example makes a file readable and writable by the group
       and others:


         % chmod go+rw file
         % chmod 066 file


       Example 4 Locking a File From Access



       The following example locks a file from access:


         $ chmod +l file


       Example 5 Granting read, write, execute, and set group-ID Permission



       The following example grants everyone read, write, and execute  permis‐
       sions on the file, and turns on the set group-ID:


         $ chmod a=rwx,g+s file
         $ chmod 2777 file


       Example 6 Prepending a New ACL Entry on a ZFS File



       The following example prepends a new ACL entry on a ZFS file.



       First, display the current ACL:


         $ ls -v file.3
         -rw-r--r--   1 marks    staff          0 Oct  9 15:49 file.3
               0:owner@:execute:deny
               1:owner@:read_data/write_data/append_data/write_xattr/
                  write_attributes/write_acl/write_owner:allow
               2:group@:write_data/append_data/execute:deny
               3:group@:read_data:allow
               4:everyone@:write_data/append_data/write_xattr/execute/
                 write_attributes/write_acl/write_owner:deny
               5:everyone@:read_data/read_xattr/read_attributes/read_acl/
                  synchronize:allow




       Issue the following command:


         $ chmod A+user:lp:read_data:deny file.3




       Display the new ACL:


         $ ls -v file.3
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3
               0:user:lp:read_data:deny
               1:owner@:execute:deny
               2:owner@:read_data/write_data/append_data/write_xattr/
                   write_attributes/write_acl/write_owner:allow
               3:group@:write_data/append_data/execute:deny
               4:group@:read_data:allow
               5:everyone@:write_data/append_data/write_xattr/execute/
                   write_attributes/write_acl/write_owner:deny
               6:everyone@:read_data/read_xattr/read_attributes/read_acl/
                   synchronize:allow


       Example 7 Prepending a New POSIX-draft ACL Entry on a UFS File



       The  following  example  prepends  a new POSIX-draft ACL entry on a UFS
       file.



       First, display the current ACL:


         $ ls -v file.2
         -rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2
               0:user::rw-
               1:group::r--           #effective:r--
               2:mask:r--
               3:other:r--




       Issue the following command:


         $ chmod A+user:lp:-wx file.2




       Display the new ACL:


         $ ls -v file.2
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2
               0:user::rw-
               1:user:lp:-wx          #effective:---
               2:group::r--           #effective:r--
               3:mask:r--
               4:other:r--


       Example 8 Inserting an ACL Entry in a Specific Position on a ZFS file



       The following example inserts an ACL entry in a specific position on  a
       ZFS file system. It also illustrates the compact ACL format.



       First, display the ACL to pick a location to insert a new ACE.


         % ls -V file.1
         -rw-r--r--+  1 root     root           0 Oct  6 12:16 file.1
              user:lp:rw------------:------:allow
               owner@:--x-----------:------:deny
               owner@:rw-p---A-W-Co-:------:allow
               group@:-wxp----------:------:deny
               group@:r-------------:------:allow
            everyone@:-wxp---A-W-Co-:------:deny
            everyone@:r-----a-R-c--s:------:allow





       Next,  insert  a  new entry in location 3. This causes the entries that
       are currently in position 3 - 6 to be pushed down.



       Issue the following command:


         $ chmod A3+user:marks:r:deny file.1




       Display the new ACL:


         $ ls -V file.1
         -rw-r--r--+  1 root     staff          0 Feb  3 14:13 file.1
              user:lp:rw------------:------:allow
               owner@:--x-----------:------:deny
               owner@:rw-p---A-W-Co-:------:allow
           user:marks:r-------------:------:deny
               group@:-wxp----------:------:deny
               group@:r-------------:------:allow
            everyone@:-wxp---A-W-Co-:------:deny
            everyone@:r-----a-R-c--s:------:allow



       Example 9 Inserting a POSIX-draft ACL in a Specific Position on  a  UFS
       File



       The  file system reorders ACLs when they are stored in the file system.
       The following example illustrates this behavior.


         $ ls -v file.1
         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
               0:user::rw-
               1:user:lp:rw-          #effective:r--
               2:group::r--           #effective:r--
               3:mask:r--
               4:other:r--




       Now, insert an entry at index position 3. The command  works,  but  the
       file system reorders the ACL.


         $ chmod A3+user:marks:rw- file.1
         $ ls -v file.1
         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
               0:user::rw-
               1:user:lp:rw-           #effective:r--
               2:user:marks:rw-        #effective:r--
               3:group::r--            #effective:r--
               4:mask:r--
               5:other:r--




       Rather  than  inserting  the  ACL  entry in position 3 as requested, it
       actually ends up in position 2.

       Example 10 Removing an ACL Entry on a ZFS File



       The following example removes the lp entry from an ACL:


         $ ls -v file.3
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3
               0:user:lp:read_data:deny
               1:owner@:execute:deny
               2:owner@:read_data/write_data/append_data/write_xattr/
                  write_attributes/write_acl/write_owner:allow
               3:group@:write_data/append_data/execute:deny
               4:group@:read_data:allow
               5:everyone@:write_data/append_data/write_xattr/execute/
                  write_attributes/write_acl/write_owner:deny
               6:everyone@:read_data/read_xattr/read_attributes/read_acl/
                  synchronize:allow

         $ chmod A-user:lp:read_data:deny file.3
         $ ls -v file.3
         -rw-r--r--   1 marks    staff          0 Oct  9 15:49 file.3
               0:owner@:execute:deny
               1:owner@:read_data/write_data/append_data/write_xattr/
                  write_attributes/write_acl/write_owner:allow
               2:group@:write_data/append_data/execute:deny
               3:group@:read_data:allow
               4:everyone@:write_data/append_data/write_xattr/execute/
                  write_attributes/write_acl/write_owner:deny
               5:everyone@:read_data/read_xattr/read_attributes/read_acl/
                  synchronize:allow


       Example 11 Removing a POSIX-draft ACL on a UFS File



       The following example removes the lp entry from an ACL:


         $ ls -v file.2
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2
               0:user::rw-
               1:user:lp:-wx           #effective:---
               2:group::r--            #effective:r--
               3:mask:r--
               4:other:r--

         $ chmod A-user:lp:-wx file.2
         $ ls -v file.2
         -rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2
               0:user::rw-
               1:group::r--            #effective:r--
               2:mask:r--
               3:other:r--


       Example 12 Removing a Specific ACL Entry by Index Number on a ZFS File



       Consider the following ACL:


         $ ls -v file
             0:group:staff:read_data/write_data/execute/read_acl:allow
             1:user:bin:read_data:deny
             2:user:bin:read_data:allow
             3:owner@:write_data/append_data:deny
             4:owner@:read_data/write_xattr/execute/write_attributes/write_acl
                 /write_owner:allow
             5:group@:write_data/append_data:deny
             6:group@:read_data/execute:allow
             7:everyone@:write_data/append_data/write_xattr/write_attributes
                 /write_acl/write_owner:deny
             8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
                 /synchronize:allow




       Remove the second user entry for bin.


         $ chmod A2- file
         $ ls -v file
             0:group:staff:read_data/write_data/execute/read_acl:allow
             1:user:bin:read_data:deny
             2:owner@:write_data/append_data:deny
             3:owner@:read_data/write_xattr/execute/write_attributes/write_acl
                /write_owner:allow
             4:group@:write_data/append_data:deny
             5:group@:read_data/execute:allow
             6:everyone@:write_data/append_data/write_xattr/write_attributes
                /write_acl/write_owner:deny
             7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
                /synchronize:allow


       Example 13 Removing a Specific POSIX-draft ACL Entry on a UFS File



       The following example removes the lp entry by  index  number  from  the
       following ACL:


         $ ls -v file.1
         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
               0:user::rw-
               1:user:lp:rw-              #effective:r--
               2:group::r--               #effective:r--
               3:mask:r--
               4:other:r--

         $ chmod A1- file.1
         $ ls -v file.1
         -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
               0:user::rw-
               1:group::r--               #effective:r--
               2:mask:r--
               3:other:r--


       Example 14 Removing All ACLs From a File



       The following command works with either NFSv4/ZFS or POSIX-draft ACLs.



       Consider the following ACL:


         $ ls -v file.3
         -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3
               0:user:lp:read_data/write_data:allow
               1:user:marks:read_acl:allow
               2:owner@:execute:deny
               3:owner@:read_data/write_data/append_data/write_xattr/
                  write_attributes/write_acl/write_owner:allow
               4:group@:write_data/append_data/execute:deny
               5:group@:read_data:allow
               6:everyone@:write_data/append_data/write_xattr/execute/
                  write_attributes/write_acl/write_owner:deny
               7:everyone@:read_data/read_xattr/read_attributes/read_acl/
                  synchronize:allow




       The  existing  ACL  is  effectively removed and is replaced with an ACL
       that represents the permission bits of the file.


         $ chmod A- file.3
         $ ls -v file.3
         -rw-r--r--  1 marks    staff          0 Oct  9 15:49 file.3
              0:owner@:execute:deny
              1:owner@:read_data/write_data/append_data/write_xattr/
                 write_attributes/write_acl/write_owner:allow
              2:group@:write_data/append_data/execute:deny
              3:group@:read_data:allow
              4:everyone@:write_data/append_data/write_xattr/execute/
                 write_attributes/write_acl/write_owner:deny
              5:everyone@:read_data/read_xattr/read_attributes/read_acl/
                synchronize:allow


       Example 15 Replacing an Entire ACL Entry on a ZFS File



       Use the following chmod syntax if you want to replace  an  ACL  in  its
       entirety:


         $ chmod A=owner@:read_data/write_data:allow,group@:read_data/
                        write_data:allow,user:lp:read_data:allow file.4
         $ ls -v file.4
         -rw-rw----+  1 marks    staff          0 Oct  9 16:12 file.4
                0:owner@:read_data/write_data:allow
                1:group@:read_data/write_data:allow
                2:user:lp:read_data:allow


       Example 16 Replacing an Entire POSIX-draft ACL on a UFS File



       This  operation is a little more complicated. The replacement ACL needs
       the necessary entries to represent the file owner,  file  group  owner,
       other, mask and any additional entries you wish to set.


         $ chmod A=user::rw-,group::rw-,other::---,mask:r--,
                       user:lp:r-- file.3
         $ ls -v file.3
         -rw-r-----+  1 root     root           0 Oct  9 16:14 file.3
                 0:user::rw-
                 1:user:lp:r--        #effective:r--
                 2:group::rw-         #effective:r--
                 3:mask:r--
                 4:other:---


       Example 17 Replacing a Specific Entry on a ZFS File



       Consider the following ACL.


         $ ls -v file.5
         -rw-r--r--+  1 marks    staff          0 Oct  9 16:18 file.5
              0:user:marks:read_data:allow
              1:owner@:execute:deny
              2:owner@:read_data/write_data/append_data/write_xattr/
                 write_attributes/write_acl/write_owner:allow
              3:group@:write_data/append_data/execute:deny
              4:group@:read_data:allow
              5:everyone@:write_data/append_data/write_xattr/execute/
                 write_attributes/write_acl/write_owner:deny
              6:everyone@:read_data/read_xattr/read_attributes/read_acl/
                 synchronize:allow




       Now, change the allow access to a deny for user marks:


         $ chmod A0=user:marks:read_data:deny file.5
         $ ls -v file.5
         -rw-r--r--+  1 marks   staff          0 Aug 23 09:11 file.5
         0:user:marks:read_data:deny
         1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
              /write_acl/write_owner:allow
         2:group@:write_data/append_data/execute:deny
         3:group@:read_data:allow
         4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
              /write_acl/write_owner:deny
         5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
              :allow



       Example 18 Replacing a Specific POSIX-draft ACL on a UFS File



       Consider the following ACL.


         $ ls -v file.4
         -rw-r--r--+  1 marks    staff          0 Oct  9 16:21 file.4
                 0:user::rw-
                 1:user:lp:rwx         #effective:r--
                 2:group::r--          #effective:r--
                 3:mask:r--
                 4:other:r--




       Now, change the permission on lp from rwx to r--:


         $ chmod A1=user:lp:r-- file.4

         $ ls -v file.4
         -rw-r--r--+  1 marks    staff          0 Oct  9 16:21 file.4
                 0:user::rw-
                 1:user:lp:r--         #effective:r--
                 2:group::r--          #effective:r--
                 3:mask:r--
                 4:other:r--


       Example 19 Setting ACL Inheritance Flags on a ZFS File



       You  can  only set inheritance flags on ZFS files. When setting ACLs on
       directories, several inheritance flags can be optionally set.



       Suppose you have an ACL entry for user lp that you want to be inherited
       to  newly  created  files  in a directory. First, you need to create an
       inheritable ACL entry on the directory:


         $ chmod A+user:lp:read_data:file_inherit:allow test.dir
         $ ls -dv test.dir
         drwxr-xr-x+  2 marks   staff          2 Aug 23 09:08 test.dir/
         0:user:lp:read_data:file_inherit:allow
         1:owner@::deny
         2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
              /append_data/write_xattr/execute/write_attributes/write_acl
              /write_owner:allow
         3:group@:add_file/write_data/add_subdirectory/append_data:deny
         4:group@:list_directory/read_data/execute:allow
         5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
              /write_attributes/write_acl/write_owner:deny
         6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
              /read_acl/synchronize:allow





       The lp entry is inherited to  newly  created  files  in  the  directory
       test.dir.


         $ touch test.dir/file.test
         $ ls -v test.dir/file.test
         -rw-r--r--+  1 marks    staff          0 Oct  9 16:29 test.dir/file.test
              0:user:lp::deny
              1:user:lp:read_data:allow
              2:owner@:execute:deny
              3:owner@:read_data/write_data/append_data/write_xattr/
                  write_attributes/write_acl/write_owner:allow
              4:group@:write_data/append_data/execute:deny
              5:group@:read_data:allow
              6:everyone@:write_data/append_data/write_xattr/execute/
                  write_attributes/write_acl/write_owner:deny
              7:everyone@:read_data/read_xattr/read_attributes/read_acl/
                  synchronize:allow




       The user lp entry is inherited to the newly created file. Multiple com‐
       binations of the inheritance flags can be specified.  For  example,  if
       you  wanted  the lp entry to also be inherited to directories, then the
       following command can be used:


         $ chmod A+user:lp:read_data:file_inherit/\
               dir_inherit:allow test.dir



       Example 20 Replacing System Attributes of a ZFS File



       The following examples replace system attributes of a ZFS file:


         $ chmod S=v{archive,hidden,readonly,system,appendonly,\
              nonodump,immutable,noav_modified,noav_quarantined,\
              nounlink,nonsensitive} file1





       or


         $ chmod S=c{AHRSaiu} file1




       or


         $ chmod S=c{AHRSa-i--u-} file1




       or


         $ chmod S=cAHRSaiu file1




       or


         $ chmod -@ '..' S=cAHRSaiu file1




       Assuming appropriate privileges, this results in the  following  system
       attributes  of  file1  being  set:  archive,  hidden, readonly, system,
       appendonly, immutable, and nounlink. Assuming  appropriate  privileges,
       the  following system attributes of file1 are cleared: nodump, av_modi‐
       fied, av_quarantined, and sensitive.

       Example 21 Clearing All System Attributes of a ZFS File



       The following examples clear all system attributes of a ZFS file:


         $ chmod S-a file1




       or


         $ chmod -@ '..' S-a file1




       Assuming  appropriate  privileges,  all   boolean   read-write   system
       attributes are cleared on file1.

       Example  22  Setting  a System Attribute of a Named Attribute File of a
       ZFS File



       The following example sets a system attribute of a named attribute file
       of a ZFS file, but not of the file itself:


         $ chmod -@ myattr S+vhidden file1




       This  results  in  the  hidden system attribute being set for the named
       attribute file myattr of file1, but not the file itself.

       Example 23 Setting a System Attribute of All Named Attribute Files of a
       ZFS File



       The  following  example  sets a system attribute of all named attribute
       files of a ZFS file, but not of the file itself:


         $ chmod -@ '*' S+a file1


       Example 24 Setting a System Attribute of All Named Attribute Files of a
       ZFS File



       The  following  example  sets a system attribute of all named attribute
       files of a ZFS file, as well as of the file itself:


         $ chmod -@ '..' -@ '*' S+vhidden file1




       This results in the hidden system attribute being  set  for  all  named
       attribute files of file1, as well as the file itself.

       Example 25 Recursively Descending Through a Directory Hierarchy



       The  following example recursively descends through a directory hierar‐
       chy, and sets all system attributes of all named attribute  files,  the
       ZFS file operands, as well as of the directory itself:


         $ chmod -R -@ '..' -@ '*' S+a directory1




       This  results  in  the  hidden system attribute being set for all named
       attribute files of all regular files and directories within the  direc‐
       tory hierarchy of directory1, as well as of directory1 itself.

       Example  26  Setting  the  hidden and system System Attributes of a ZFS
       File



       The following examples set the hidden and system system attributes of a
       ZFS file:


         $ chmod S+cHS file1




       or


         $ chmod S+vhidden,+vsystem file1




       or


         $ chmod S+v{hidden,system} file1




       or


         $ chmod S+c{-HS--------} file1




       or


         $ chmod S-v{nohidden,nosystem} file1




       or


         $ chmod S-v{hidden,system},+v{hidden,system} file1


       Example 27 Clearing All System Attributes of a ZFS File



       The following example clears all system attributes of a ZFS file:


         $ chmod S-a file1




       or


         $ chmod S=v{} file1




       In  the  following two examples, the last attribute operation specified
       takes precedence.



       In this example, the replacement attribute name list  ({})  clears  all
       system attributes for file1:


         $ chmod S+cHS,=v{} file1




       In  this example, the clear attributes operation (-a) clears all system
       attributes of file1:


         $ chmod S+vhidden,+vsystem,-a file1


       Example  28  Setting  the  Values  of  All  Boolean  read-write  System
       Attributes of a File



       The  following example sets the values of all boolean read-write system
       attributes of a file to the  same  as  the  boolean  read-write  system
       attributes of another file:


         $ chmod S=v`ls -/v file1|sed -n '2s/.*{/{/p'` file2




       Assuming  appropriate privileges and that file1 and file2 have the same
       supported system attributes, all system attributes of  file1  that  are
       set  are  also  set  on  file2. All system attributes of file1 that are
       cleared are also cleared on file2.

ENVIRONMENT VARIABLES
       See environ(7) for descriptions of the following environment  variables
       that  affect  the  execution  of chmod: LANG, LC_ALL, LC_CTYPE, LC_MES‐
       SAGES, and NLSPATH.

EXIT STATUS
       The following exit values are returned:

       0

           Successful completion.


       > 0

           An error occurred.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


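       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       +-----------------------------+-----------------------------+
       |Availability                 |system/core-os               |
       +-----------------------------+-----------------------------+
       |CSI                          |Enabled                      |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Committed                    |
       +-----------------------------+-----------------------------+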


SEE ALSO
       ls(1),  chmod(2),  fgetattr(3C),  acl(7),  attributes(7),   environ(7),
       fsattr(7), privileges(7), standards(7)


       Managing ZFS File Systems in Oracle Solaris 11.4

NOTES
       Absolute  changes  do not work for the set-group-ID bit of a directory.
       You must use g+s or g-s.


       chmod permits you to produce useless modes so  long  as  they  are  not
       illegal  (for  instance, making a text file executable). chmod does not
       check the file type to see if mandatory locking is meaningful.


       If the filesystem is mounted with the nosuid or nosetuid options,  nei‐
       ther setuid nor setgid execution is allowed.


       If  the filesystem is mounted with the noexec option, direct execution
       is not allowed for any user, but scripts and programs may be able to be
       indirectly  run  if provided as the argument to an interpreter run from
       another filesystem.


       If you use chmod to change the file group owner permissions on  a  file
       with  ACL  entries,  both  the file group owner permissions and the ACL
       mask are changed to the new permissions. Be aware that the new ACL mask
       permissions  can  change the effective permissions for additional users
       and groups who have ACL entries on the file. Use the ls(1)  command  to
       make sure the appropriate permissions are set for all ACL entries.
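
       The sketch below is an added illustration, not part of the man page. It
       models the mask side effect described in this note on the POSIX-draft
       listing from Example 9 and reports which entries change their
       effective permissions. The function names sample_acl and mask_audit
       are assumptions made for this sketch.

```shell
#!/bin/sh
# Constructed input: the second `ls -v file.1` listing from Example 9.
sample_acl() {
cat <<'EOF'
-rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1
      0:user::rw-
      1:user:lp:rw-           #effective:r--
      2:user:marks:rw-        #effective:r--
      3:group::r--            #effective:r--
      4:mask:r--
      5:other:r--
EOF
}

# mask_audit NEWPERM: read POSIX-draft `ls -v` output on stdin and model a
# chmod that sets the file group owner permissions to NEWPERM (such as rw-).
# Per the note, NEWPERM also becomes the ACL mask. Prints one line for each
# entry whose effective permissions change: "<entry> <before> <after>".
mask_audit() {
    awk -v new="$1" '
    # AND of two rwx strings: and3("rw-", "r--") gives "r--".
    function and3(a, b,    i, c, out) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-")
        }
        return out
    }
    {
        line = $0
        sub(/#.*/, "", line)          # drop the "#effective:" annotation
        gsub(/[ \t]/, "", line)
        n = split(line, f, ":")
        if (f[1] !~ /^[0-9]+$/) next  # skip the file line and blank lines
        if (f[2] == "mask") { oldmask = f[3]; next }
        # The mask governs named users, the group owner and named groups;
        # user:: (the file owner) and other are never masked.
        if (n == 4 && !(f[2] == "user" && f[3] == "")) {
            who[++cnt] = f[2] ":" f[3]; perm[cnt] = f[4]
        }
    }
    END {
        for (i = 1; i <= cnt; i++) {
            p = (who[i] == "group:") ? new : perm[i]
            before = and3(perm[i], oldmask); after = and3(p, new)
            if (before != after) print who[i], before, after
        }
    }'
}

# Model `chmod g=rw file.1`: lp and marks gain write along with the group.
sample_acl | mask_audit rw-
```

       Any user: or named group: line in the output is an entry whose access
       changes as a side effect of the group permission change and should be
       confirmed with ls -v afterwards.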



Oracle Solaris 11.4               3 Nov 2021                          chmod(1)
The copyright of man page content belongs to the man page authors.