chmod Command

Purpose:

Changes file modes.

Syntax:

To Change File Modes Symbolically:

chmod [ -R ] [ -h ] [ -f ] [ [ u ] [ g ] [ o ] | [ a ] ] { { - | + | = } [ r ]
[ w ] [ x ] [ X ] [ s ] [ t ] } { File ... | Directory ... }

To Change File Modes Numerically:

chmod [ -R ] [ -h ] [ -f ] PermissionCode { File ... | Directory ... }

Description:


The chmod command modifies the mode bits and the extended access control lists
(ACLs) of the specified files or directories. The mode can be defined
symbolically or numerically (absolute mode).

When a symbolic link is encountered and you have not specified the -h flag, the
chmod command changes the mode of the file or directory pointed to by the link
and not the mode of the link itself. If you specify the -h flag, the chmod
command prevents this mode change.

If you specify both the -h flag and the -R flag, the chmod command descends the
specified directories recursively, and when a symbolic link is encountered, the
mode of the file or directory pointed to by the link is not changed.

Flags:

-f Suppresses all error reporting except invalid permissions and usage
statements.

-h Suppresses a mode change for the file or directory pointed to by the
encountered symbolic link.

Note: This behavior is slightly different from the behavior of the -h flag
on the chgrp and chown commands because mode bits cannot be set on symbolic
links.

-R Descends only directories recursively, as specified by the pattern
File...|Directory.... The -R flag changes the file mode bits of each directory
and of all files matching the specified pattern. See Example 6.

When a symbolic link is encountered and the link points to a directory, the
file mode bits of that directory are changed but the directory is not further
traversed.

Symbolic Mode:


To specify a mode in symbolic form, you must specify three sets of flags.

Note: Do not separate flags with spaces.

The first set of flags specifies who is granted or denied the specified
permissions, as follows:

u File owner.

g Group and extended ACL entries pertaining to the file's group.

o All others.

a User, group, and all others. The a flag has the same effect as specifying the
ugo flags together. If none of these flags are specified, the default is the a
flag and the file creation mask (umask) is applied.

The second set of flags specifies whether the permissions are to be removed,
applied, or set:

- Removes specified permissions.

+ Applies specified permissions.

= Clears the selected permission field and sets it to the permission specified.
If you do not specify a permission following =, the chmod command removes all
permissions from the selected field.

The third set of flags specifies the permissions that are to be removed,
applied, or set:

r Read permission.

w Write permission.

x Execute permission for files; search permission for directories.

X Execute permission for files if the current (unmodified) mode bits have at
least one of the user, group, or other execute bits set. The X flag is ignored
if the File parameter is specified and none of the execute bits are set in the
current mode bits.

Search permission for directories.

s Set-user-ID-on-execution permission if the u flag is specified or implied.
Set-group-ID-on-execution permission if the g flag is specified or implied.

t For directories, indicates that only file owners can link or unlink files in
the specified directory. For files, sets the save-text attribute.

Numeric or Absolute Mode:

The chmod command also permits you to use octal notation for the mode. The
numeric mode is the sum of one or more of the following values:

4000 Sets user ID on execution.

2000 Sets group ID on execution.

1000 Sets the link permission to directories or sets the save-text attribute
for files.

0400 Permits read by owner.

0200 Permits write by owner.

0100 Permits execute or search by owner.

0040 Permits read by group.

0020 Permits write by group.

0010 Permits execute or search by group.

0004 Permits read by others.

0002 Permits write by others.

0001 Permits execute or search by others.

Notes:

1. Specifying the mode numerically disables any extended ACLs. Refer to
"Access Control Lists" in AIX 5L Version 5.2 System User's Guide:
Operating System and Devices for more information.
2. Changing group access permissions symbolically also affects the
extended ACL entries. The group entries in the ACL that are equal to
the owning group of the file are denied any permission that is removed
from the mode. Refer to "Access Control Lists" for more information.
3. You can specify multiple symbolic modes separated with commas.
Operations are performed in the order they appear from left to right.
4. You must specify the mode symbolically or use an explicit 4-character
octal with a leading zero (for example, 0755) when removing the
set-group-ID-on-execution permission from directories.
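
The octal values listed above can also be used to audit a tree for risky modes. The following is an added example, not part of the original chmod documentation; the function name audit_modes and its output labels are assumptions chosen for illustration. It uses the POSIX find -perm test to report files with the 4000 or 2000 bit set, files writable by others (0002), and directories writable by others that lack the 1000 link permission bit.

```sh
#!/bin/sh
# Added example: report risky mode bits under a directory tree.
# audit_modes and its output labels are illustrative names, not part of chmod.

audit_modes() {
    root=$1

    # 4000: set-user-ID on execution (regular files only).
    find "$root" -type f -perm -4000 -exec printf 'SETUID %s\n' {} +

    # 2000: set-group-ID on execution (regular files only).
    find "$root" -type f -perm -2000 -exec printf 'SETGID %s\n' {} +

    # 0002: writable by others.
    find "$root" -type f -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} +

    # 0002 without 1000: any user may link or unlink files in the directory.
    find "$root" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'OPEN-DIR %s\n' {} +
}

# Run stand-alone as: sh audit_modes.sh /path/to/tree
if [ "$#" -gt 0 ]; then
    audit_modes "$1"
fi
```

Each reported path can then be reviewed and, where the bit is not needed, cleared with the symbolic forms described above, such as chmod u-s or chmod o-w.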

Security:


Access Control: This program should be installed as a normal user program in
the Trusted Computing Base.

Only the owner of the file or the root user can change the mode of a file.

Exit Status:

This command returns the following exit values:

0 The command executed successfully and all requested changes were made.

>0 An error occurred.

Examples:


1. To add a type of permission to several files:

chmod g+w chap1 chap2

This adds write permission for group members to the files chap1 and chap2.

2. To make several permission changes at once:

chmod go-w+x mydir

This denies group members and others the permission to create or delete
files in mydir (go-w) and allows group members and others to search mydir
or use it in a path name (go+x). This is equivalent to the command
sequence:

chmod g-w mydir

chmod o-w mydir

chmod g+x mydir

chmod o+x mydir

3. To permit only the owner to use a shell procedure as a command:

chmod u=rwx,go= cmd

This gives read, write, and execute permission to the user who owns the
file (u=rwx). It also denies the group and others the permission to access
cmd in any way (go=).

If you have permission to execute the cmd shell command file, then you can
run it by entering:

cmd

Note: Depending on the PATH shell variable, you may need to specify
the full path to the cmd file.

4. To use Set-ID Modes:

chmod ug+s cmd

When the cmd command is executed, the effective user and group IDs are set
to those that own the cmd file. Only the effective IDs associated with the
child process that runs the cmd command are changed. The effective IDs of
the shell session remain unchanged.

This feature allows you to permit access to restricted files. Suppose that
the cmd program has the Set-User-ID Mode enabled and is owned by a user
called dbms. The user dbms is not actually a person, but might be
associated with a database management system. The user betty does not have
permission to access any of dbms's data files. However, she does have
permission to execute the cmd command. When she does so, her effective
user ID is temporarily changed to dbms, so that the cmd program can access
the data files owned by the user dbms.

This way the user betty can use the cmd command to access the data files,
but she cannot accidentally damage them with the standard shell commands.

5. To use the absolute mode form of the chmod command:

chmod 644 text

This sets read and write permission for the owner, and it sets read-only
mode for the group and others. This also removes all extended ACLs that
might be associated with the file.

6. To recursively descend directories and change file and directory
permissions given the tree structure:

./dir1/dir2/file1

./dir1/dir2/file2

./dir1/file1

enter this command sequence:

chmod -R 777 f*

which will change permissions on ./dir1/file1.

But given the tree structure of:

./dir1/fdir2/file1

./dir1/fdir2/file2

./dir1/file3

the command sequence:

chmod -R 777 f*

will change permissions on:

./dir1/fdir2

./dir1/fdir2/file1

./dir1/fdir2/file2

./dir1/file3

File:

/usr/bin/chmod Contains the chmod command.
