chmod is used to change the permissions of a file (its protection mode).
Only the owner or the POSIX administrator is authorized to change the permissions of a file. A file’s set-group-id bit can be set only by a user whose current group ID is the same as the file’s group ID (see chgrp and newgrp).
Syntax
chmod [-R] mode file ...
-R (recursive)
mode In mode you specify how the permissions for one or more named files are to be changed.
file Name of the file for which you wish to define or alter the permissions. file may also be a directory. Multiple names are also allowed.
Symbolic form
who In who you say who the file permissions apply to.
who not specified:
op In op you specify whether permissions are to be granted, left unchanged, or revoked.
permission In permission you specify which permission(s) you wish to grant or revoke.
permission not specified:
As indicated above, you can specify several "who-op-permission" arguments in a row, provided they are separated by commas as follows:
The string you specify for mode is processed by chmod from left to right. For instance, a-w,u+w grants write permission to the owner, revoking it for all others.
Absolute form
An absolute mode is a three or four digit octal number. The admissible octal values are obtained by logically ORing (in binary) the octal modes shown below. The effect is the same as adding the modes in octal or decimal. A leading zero (neither the s bit nor the sticky bit set) may be omitted.
Example
To grant read, write, and execute permission to the owner and read and execute permission to the group, you would enter a value of 750 for mode:
The file then has the permissions rwxr-x---
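The left-to-right rule and the 750 example above, run against a scratch file. This is an added example, not part of the original manual page; the function name perms_after is hypothetical and mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example: apply a chmod mode to a scratch file and report the result.
# perms_after START MODE prints the nine permission characters that ls -l
# shows after "chmod START" followed by "chmod MODE" (hypothetical helper).
perms_after() {
    scratch=$(mktemp) || return 1
    if chmod "$1" "$scratch" && chmod "$2" "$scratch"; then
        # Column 1 of ls -l is the file type; columns 2-10 are the permissions.
        ls -ld "$scratch" | cut -c2-10
    fi
    rm -f "$scratch"
}

# The clauses are applied left to right, so their order changes the result.
perms_after 666 a-w,u+w          # rw-r--r--  (write revoked for all, then granted to owner)
perms_after 666 u+w,a-w          # r--r--r--  (the owner's write bit is revoked last)

# The absolute mode 750 and its symbolic spelling give the same permissions.
perms_after 600 750              # rwxr-x---
perms_after 600 u=rwx,g=rx,o=    # rwxr-x---
```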
The s bit
When an executable program which has the set-user-ID bit set is called, the effective user ID of the associated process is the same as the user ID of the owner of the file (and not that of the caller). In other words, the process runs under the user ID of the program owner and can therefore also access files for which the caller of the program does not have explicit access permission.
If the set-group-ID bit is set, the effective group ID of the process is the same as the group ID of the program owner. This means that the process runs under the group ID of the program owner.
The s bits are only useful for executable binary files (executable programs) and not for shell scripts. Although chmod can be used to set the s bits for files that contain a shell script, the setting will essentially have no effect.
When changes are made to a file, the s bits are reset for security reasons.
If the POSIX administrator sets the s bit for a program which he or she owns, all users who can call the program are thereby authorized to carry out any operations that the POSIX administrator is allowed to perform using the program. Hence the POSIX administrator should not set the s bit unless it is certain that security will not be compromised (leading to data loss, for example).
Example of an s bit application
One example of an s bit application is the mailx command. Messages sent with mailx to user USER1 are written to the file
Thus ordinarily a user from a different group (USER2, for example) would be unable to write messages to this file. However, since the mailx command has the s bit set for the
The sticky bit (t bit)
Only the POSIX administrator is able to set the sticky bit (t bit). Attempts by non-privileged users to set the sticky bit are ignored.
The sticky bit only has an effect on directories and executable files. It is possible to use chmod to set it on other files, but it will then have no effect.
If the sticky bit is set on an executable file, it is possible to some extent to save on the overhead usually involved in reading a program in from the disk file again every time the program is started.
If a directory is writable and has the sticky bit set, files within the directory cannot be removed, renamed or linked to unless one or more of the following conditions apply:
In the output of the ls -l command, the sticky bit, if set, appears in the last position of the listed permissions. If the x bit has simultaneously been set for "other users", a t appears; if not, a T.
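A review aid for the s bit and sticky bit sections above: it lists files that carry an s bit and directories that are writable by others but lack the sticky bit. This is an added example, not part of the original manual page; the function names and the sample tree are constructed for illustration, and file names are assumed not to contain newlines.

```shell
#!/bin/sh
# Added example: report files whose special mode bits deserve review.
# audit_special_bits DIR prints one sorted line per finding:
#   SUID <path>      regular file with the set-user-ID bit (octal 4000)
#   SGID <path>      regular file with the set-group-ID bit (octal 2000)
#   NOSTICKY <path>  directory writable by others without the sticky bit (1000)
audit_special_bits() {
    {
        find "$1" -type f -perm -4000 -print | sed 's/^/SUID /'
        find "$1" -type f -perm -2000 -print | sed 's/^/SGID /'
        find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/NOSTICKY /'
    } 2>/dev/null | sort
}

# Constructed sample tree so the audit can be tried offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/spool"
    : > "$d/plain"; : > "$d/helper"; : > "$d/grouptool"
    chmod 644  "$d/plain"        # nothing to report
    chmod 4755 "$d/helper"       # set-user-ID bit
    chmod 2755 "$d/grouptool"    # set-group-ID bit
    chmod 0777 "$d/shared"       # writable by all, no sticky bit
    chmod 1777 "$d/spool"        # writable by all, sticky bit set: not reported
    printf '%s\n' "$d"
}

tree=$(make_sample_tree) && audit_special_bits "$tree"
rm -rf "$tree"
```

Each SUID or SGID line is a program that runs with its owner's identity and should be checked against the set you expect; each NOSTICKY line is a directory in which files are not protected from removal or renaming by other users.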
The l bit
The lockf() function allows a program to place a lock on a file which it is accessing. If this file has its l bit set, the function call results in mandatory locking of the file (see lockf() [4]).
Error
You have defined an illegal set of permissions for chmod.
Files with group execute permission cannot also have the l bit set.
Locale
The following environment variables affect the execution of chmod:
LANG Provide a default value for the internationalization variables that are unset or null. If LANG is unset or null, the corresponding value from the implementation-specific default locale will be used. If any of the internationalization variables contains an invalid setting, the utility will behave as if none of the variables had been defined.
LC_ALL If set to a non-empty string value, override the values of all the other internationalization variables.
LC_CTYPE Determine the locale for the interpretation of sequences of bytes of text data as characters (for example, single- as opposed to multi-byte characters in arguments). LC_CTYPE governs character classes, character conversion (shifting) and the behavior of character classes in regular expressions.
LC_MESSAGES Determine the locale that should be used to affect the format and contents of diagnostic messages written to standard error.
NLSPATH Determine the location of message catalogs for the processing of LC_MESSAGES.
Example
The following examples all refer to a file with the permissions rw-------. The first two columns of the table contain possible mode arguments; the last column shows the result of a chmod call using these arguments.
The sticky bit (last example) can only be set by the POSIX administrator. Attempts by nonprivileged users to set the sticky bit are ignored.
See also
chgrp, ls, newgrp, umask
chmod(), chown() [4]