chmod(1) 맨 페이지 - 윈디하나의 솔라나라

개요

섹션
맨페이지이름
검색(S)

chmod

Name
     chmod - change the permissions mode of a file

Synopsis
     chmod [-fR] absolute-mode file...


     chmod [-fR] symbolic-mode-list file...


     chmod [-fR] acl_operation file...


     chmod [-fR] [-@ named_attribute]...attribute_specification_list file...

Description
     The chmod utility changes or assigns the mode of a file.


     chmod can also be used to modify Access Control Lists (ACLs)
     on  files  and directories, and to modify boolean read-write
     system attributes on regular files, directories, and  opaque
     extended attribute files.

  Absolute Mode
     An absolute mode command line has the following format:


     chmod [options] absolute-mode file . . .


     where absolute-mode is specified using  octal  numbers  nnnn
     defined as follows:

     n
         a number from 0 to 7. An absolute  mode  is  constructed
         from the OR of any of the following modes:

         4000
             Set user ID on execution.


         20#0
             Set group ID on execution if # is 7, 5, 3, or 1.

             Enable mandatory locking if # is 6, 4, 2, or 0.

             For directories, files are created with  BSD  seman-
             tics  for  propagation  of  the  group ID. With this
             option, files  and  subdirectories  created  in  the
             directory  inherit  the  group  ID of the directory,
             rather than of the current process. For directories,
             the  setgid  bit can only be set or cleared by using
             symbolic mode (g+s or g-s respectively).


         1000
             Turn on sticky bit. See chmod(2).


         0400
             Allow read by owner.


         0200
             Allow write by owner.


         0100
             Allow execute (search in directory) by owner.


         0700
             Allow read, write, and execute (search) by owner.


         0040
             Allow read by group.


         0020
             Allow write by group.


         0010
             Allow execute (search in directory) by group.


         0070
             Allow read, write, and execute (search) by group.


         0004
             Allow read by others.

         0002
             Allow write by others.


         0001
             Allow execute (search in directory) by others.


         0007
             Allow read, write, and execute (search) by others.




     For directories, the setgid bit cannot be set  (or  cleared)
     in  absolute  mode  (chmod  20#0  ...);  it  must be set (or
     cleared) in symbolic mode using `chmod g+s ...'  (or  `chmod
     g-s ...')

  Symbolic Mode
     A symbolic mode command line has the following format:


     chmod [options] symbolic-mode-list file . . .


     where symbolic-mode-list is a comma-separated list (with  no
     intervening white space) of symbolic mode expressions of the
     form:


     [who] operator [permissions]


     Operations are performed in the order given.  Multiple  per-
     missions  letters  following  a  single  operator  cause the
     corresponding operations to be performed simultaneously.

     who
         zero or more of the characters u, g, o, and a specifying
         whose permissions are to be changed or assigned:

         u
             user's permissions


         g
             group's permissions

         o
             others' permissions


         a
             all permissions (user, group, and other)

         If who is omitted, it defaults to a, but the setting  of
         the  file  mode  creation  mask  (see  umask in sh(1) or
         csh(1) for more information) is taken into account. When
         who is omitted, chmod does not override the restrictions
         of your user mask.


     operator
         either +, -, or =, signifying how permissions are to  be
         changed:

         +
             Add permissions.

             If permissions are omitted, nothing is added.

             If  who  is  omitted,  add  the   file   mode   bits
             represented  by  permissions,  except  for the those
             with corresponding bits in the  file  mode  creation
             mask.

             If  who  is  present,  add  the   file   mode   bits
             represented by the permissions.


         -
             Take away permissions.

             If permissions are omitted, do nothing.

             If  who  is  omitted,  clear  the  file  mode   bits
             represented  by  permissions,  except for those with
             corresponding bits in the file mode creation mask.

             If  who  is  present,  clear  the  file  mode   bits
             represented by permissions.


         =
             Assign permissions absolutely.

             If who is omitted, clear all file mode bits; if  who
             is  present, clear the file mode bits represented by
             who.

             If permissions are omitted, do nothing else.

             If  who  is  omitted,  add  the   file   mode   bits
             represented  by  permissions,  except  for the those
             with corresponding bits in the  file  mode  creation
             mask.

             If  who  is  present,  add  the   file   mode   bits
             represented by permissions.

         Unlike other symbolic  operations,  =  has  an  absolute
         effect  in  that it resets all other bits represented by
         who. Omitting permissions is useful only with = to  take
         away all permissions.


     permission
         any compatible combination of the following letters:

         l
             mandatory locking


         r
             read permission


         s
             user or group set-ID


         t
             sticky bit


         w
             write permission


         x
             execute permission


         X
             execute permission if the file is a directory or  if
             there  is  execute  permission  for one of the other
             user classes


         u,g,o
             indicate that permission is to  be  taken  from  the
             current user, group or other mode respectively.

         Permissions to a file can vary depending  on  your  user
         identification  number  (UID)  or  group  identification
         number  (GID).  Permissions  are  described   in   three
         sequences each having three characters:



         tab(); lw(1.83i) lw(1.83i) lw(1.83i) lw(1.83i) lw(1.83i)
         lw(1.83i) UserGroupOther rwxrwxrwx

         This example (user, group, and others all  have  permis-
         sion  to  read,  write, and execute a given file) demon-
         strates two categories  for  granting  permissions:  the
         access class and the permissions themselves.

         The letter s is only meaningful with u or g, and t  only
         works with u.

         Mandatory file and record locking (l) refers to a file's
         ability  to  have  its  reading  or  writing permissions
         locked while a program is accessing that file.

         In a  directory  which  has  the  set-group-ID  bit  set
         (reflected  as either -----s--- or -----l--- in the out-
         put of `ls -ld'), files and subdirectories  are  created
         with  the  group-ID  of the parent directory-not that of
         current process.

         It is not possible to permit group execution and  enable
         a  file  to  be locked on execution at the same time. In
         addition, it is not possible to turn on the set-group-ID
         bit  and  enable a file to be locked on execution at the
         same  time.  The  following  examples,  therefore,   are
         invalid and elicit error messages:

           chmod g+x,+l file

           chmod g+s,+l file


         Only the owner of a file or  directory  (or  the  super-
         user)  can  change that file's or directory's mode. Only
         the super-user can set the sticky bit on a non-directory
         file.  If  you  are  not  super-user,  chmod  masks  the
         sticky-bit but does not return an  error.  In  order  to
         turn  on  a  file's  set-group-ID bit, your own group ID
         must correspond to the file's and group  execution  must
         be set.


  ACL Operation
     An Access Control List (ACL) is a  list  of  Access  Control
     Entries  (ACEs), each of which define access permissions for
     a particular class of user. The list of  ACEs  is  numbered,
     starting  from zero. The position of an ACE within an ACL is
     called an index. This index is used as an argument  in  many
     of the chmod commands described below. See Managing ZFS File
     Systems in Oracle Solaris 11.3 for  further  description  of
     ACLs and ACEs.


     Oracle Solaris utilities, including chmod, support both  the
     NFSv4  and  the  newer POSIX-draft ACL specifications. These
     specifications spell out the syntax  and  semantics  of  the
     acl_specification  field shown below. These two ACL specifi-
     cations  are  described  in  their  respective  subsections,
     below.


     An ACL Operation command line has the following format:

       chmod [options] A[index]- file ...

       chmod [options] A-acl_specification file ...

       chmod [options] A[index]{+|=}acl_specification file ...




     ...where acl_specification is a comma-separated  list  (with
     no intervening whitespace) of the form:

     A[index]+acl_specification
         Prepends the access control entries (ACE)  specified  in
         acl_specification  to  the  beginning of the file's ACL.
         Depending on the file system, the ACL can  be  reordered
         when  applied  to  the  file.  If  the optional index is
         specified, then new ACEs are inserted  before  specified
         index.


     A-
         Removes all ACEs for current ACL on  file  and  replaces
         current  ACL  with  new  ACL  that  represents  only the
         current mode of the file.


     Aindex-
         Removes ACE specified by index number.


     A-acl_specification

         Removes ACEs specified  by  acl_specification,  if  they
         exist in current file's ACL.


     A=acl_specification
         Replaces a files entire ACL with acl_specification.


     A[index]=acl_specification
         Replaces ACEs starting at a specific index number in the
         current ACL on the file. If multiple ACEs are specified,
         then each subsequent ACE in  acl_specification  replaces
         the corresponding ACE in the current ACL.


  POSIX-draft ACL Specification (as supported by UFS)
     POSIX-draft ACLs (as supported  by  UFS)  are  specified  as
     colon (:) separated fields of the following.

     user::perms
         File owner permissions.


     user:username:perms
         Permissions for a specific user.


     group::perms
         File group member permissions.


     group:groupname:perms
         Permissions for a specific group.


     other::perms
         Permissions for  user  other  than  the  file  owner  or
         members of file group.

     mask:perms
         The ACL mask. The mask entry specifies the maximum  per-
         missions  allowed  for  user (other than that the owner)
         and for groups.


     default:user::perms
         Default file owner permissions.


     default:user:username:perms
         Default permissions for a specific user.


     default:group::perms
         Default file group member permissions.


     default:group:groupname:perms
         Default permissions for a specific group.


     default:other:perms
         Default permissions for user other than the  file  owner
         or members of the file group.


     default:mask:perms
         Default ACL mask.



     The above specification allows for ACLs to be specified such
     as:

       user:tom:rw-,mask:rwx,group:staff:r-x



  NFSv4 ACL Specification (as supported by NFSv4 and ZFS)
     NFSv4 ACLs provide richer ACL semantics. They  provide  both
     allow  and  deny  entries,  finer-grained  permissions,  and
     enhanced inheritance control.


     NFSv4 ACLs are specified as colon (:)  separated  fields  of
     the following.
     owner@:<perms>[:inheritance flags]:<allow|deny>
         Permissions for file owner.


     group@:<perms>[:inheritance flags]:<allow|deny>
         Permissions for file group member.


     everyone@:<perms>[:inheritance flags]:<allow|deny>
         Permissions for everyone, including file owner and group
         member.


     user:<username>:<perms>[:inheritance flags]:<allow|deny>
         Permissions for a specific user.


     usersid:<sid string>:<perms>[:inheritance
     flags]:<allow|deny>
         Permissions for a specific user, but user  is  specified
         by SID.


     group:<groupname>:<perms>[:inheritance flags]:<allow|deny>
         Permissions for a specific group.


     groupsid:<sid string>:<perms>[:inheritance
     flags]:<allow|deny>
         Permissions for a specific group, but group is specified
         by SID.


     sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
         Permissions for a specific SID, but it doesn't matter if
         it is a user or a group.



     Permissions can be specified in three  different  chmod  ACL
     formats: verbose, compact, or positional. The verbose format
     uses words to indicate that the  permissions  are  separated
     with  a forward slash (/) character. Compact format uses the
     permission letters and positional format uses the permission
     letters or the hyphen (-) to identify no permissions.

     The permissions for verbose mode and their abbreviated  form
     in parentheses for compact and positional mode are described
     as follows:

     read_data (r)
         Permission to read the data of a file.


     list_directory (r)
         Permission to list the contents of a directory.


     write_data (w)
         Permission to modify a  file's  data.  anywhere  in  the
         file's offset range.


     add_file (w)
         Permission to add a new file to a directory.


     append_data (p)
         The ability to modify a file's data, but  only  starting
         at EOF.

         Currently, this permission is not supported.


     add_subdirectory (p)
         Permission to create a subdirectory to a directory.


     read_xattr (R)
         Ability to read the extended attributes of a file.


     write_xattr (W)
         Ability to create extended attributes or  write  to  the
         extended attribute directory.


     execute (x)
         Permission to execute a file.


     read_attributes (a)
         The ability to read basic  attributes  (non-ACLs)  of  a
         file.


     write_attributes (A)
         Permission to change the times associated with a file or
         directory to an arbitrary value.


     delete (d)
         Permission to delete a file.

         For more information about delete  permission  behavior,
         see  the  Managing  ZFS  File  Systems in Oracle Solaris
         11.3.


     delete_child (D)
         Permission to delete a file within a directory.

         For more information about delete  permission  behavior,
         see the Managing ZFS File Systems in Oracle Solaris 11.3


     read_acl (c)
         Permission to read the ACL of a file.


     write_acl (C)
         Permission to write the ACL of a file.


     write_owner (o)
         Permission to change the owner of a file.


     synchronize (s)
         Permission to access file locally at  server  with  syn-
         chronize reads and writes.

         Currently, this permission is not supported.



     Using the compact ACL format, permissions are  specified  by
     using 14 unique letters to indicate permissions.

     Using the positional ACL format, permissions  are  specified
     as  positional  arguments  similar  to the ls -V format. The
     hyphen (-), which indicates that no permission is granted at
     that  position, can be omitted and only the required letters
     have to be specified.


     The letters above are listed in  the  order  they  would  be
     specified in positional notation.


     Permissions can be specified with these letters in the  fol-
     lowing way:

       rwx--D--------




     The hyphens can be removed to compact the string as follows:

       rwxD




     Several special permission sets or  aliases  are  also  sup-
     ported.  The following permission sets are used the same way
     that verbose permissions are specified.

     full_set
         All permissions.


     modify_set
         All permissions except write_acl and write_owner.


     read_set
         read_data, read_acl, read_attributes, and read_xattr.


     write_set
         write_data,    append_data,    write_attributes,     and
         write_xattr



     The optional inheritance flags can be specified in the three
     formats. The first format uses words to indicate the various
     inheritance flags separated with a forward slash (/) charac-
     ter.

     file_inherit (f)
         Inherit to all newly created files.


     dir_inherit (d)
         Inherit to all newly created directories.


     inherit_only (i)
         When placed on a directory, do not apply to  the  direc-
         tory,  only to newly created files and directories. This
         flag  requires   that   either   file_inherit   and   or
         dir_inherit is also specified.


     no_propagate (n)
         Indicates  that  ACL  entries  should  be  inherited  to
         objects  in  a  directory,  but  inheritance should stop
         after descending one level. This flag is dependent  upon
         either file_inherit and or dir_inherit also being speci-
         fied.



     The inheritance flags listed can also be  specified  in  the
     compact  format or as positional arguments similar to the ls
     -V format. A hyphen character indicates that the inheritance
     flag at that position is not specified in the positional ACL
     format.


     The inheritance flags can be specified with these letters in
     any of the following equivalent ways.

       file_inherit/dir_inherit/no_propagate



       fd-n--



       fdn

     With this inheritance model, an ACL entry can  be  specified
     such as:

       user:tom:read_data/write_data/read_attributes:file_inherit:allow

       user:fred:read_data:file_inherit/dir_inherit:deny

       user:bob:read_data:allow



  Attribute Operation
     An attribute operation command line has the  following  for-
     mat:

       chmod [options] attribute_specification_list file ...




     where attribute_specification_list is the character  S  fol-
     lowed   by   a   comma-separated   list   of   one  or  more
     attribute_specifications. Each attribute_specification is of
     the form:

       [operator]attribute_specifier




     An operator is one of the following:

     +
         Each   attribute    specified    by    the    associated
         attribute_specifier  is  adjusted  to  match  the  value
         specified by the attribute_specifier.


     -
         Each   attribute    specified    by    the    associated
         attribute_specifier  is adjusted to match the inverse of
         the value specified by the attribute_specifier.


     =
         Each   attribute    specified    by    the    associated
         attribute_specifier  is  adjusted  to  match  the  value
         specified by the attribute_specifier. Any boolean  read-
         write  extended  system  attributes  associated with the
         current    file    that    are    not    specified    by
         attribute_specifier is cleared.

     If    an    operator    is    not    specified     in     an
     attribute_specification,  chmod  behaves  as  if  + had been
     specified.


     An attribute_specifier takes one of the following forms:

     a
         Set all boolean read-write  extended  system  attributes
         associated with the current file.


     c[compact_attribute_list]
     c'{'compact_attribute_list'}'
         Set each boolean read-write  extended  system  attribute
         identified by compact_attribute_list.


     v[verbose_attribute_setting]
     v['{'verbose_attribute_setting_list'}']
         Set each boolean read-write  extended  system  attribute
         identified by verbose_attribute_setting.



     A compact_attribute_list is a list of zero or more  adjacent
     attribute  abbreviation  characters  from  list of Attribute
     Names and Abbreviation Characters later in this section.  An
     arbitrary number of hyphen (-) characters can be included in
     a compact_attribute_list. These are ignored.


     A verbose_attribute_setting is an attribute  name  from  the
     list of Attribute Names and Abbreviation Characters later in
     this section, optionally, immediately preceded by no. If the
     attribute  name  is  used  without no, the attribute is set;
     otherwise the attribute is cleared.


     A verbose_attribute_setting_list  is  zero  or  more  comma-
     separated verbose_attribute_settings.


     Multiple operations specified for a file are accumulated and
     are all set for a file operand as a single attribute setting
     operation. If an attribute is specified more than once in an
     attribute_specification_list,  the  last specified operation
     is applied.

     The following is a list of Attribute Names and  Abbreviation
     Characters:

     Attribute Name
         Abbreviation Character


     hidden
         H


     sparse
         s


     system
         S


     readonly
         R


     archive
         A


     nounlink
         u


     immutable
         i


     appendonly
         a


     nodump
         d


     av_quarantined
         q

     av_modified
         m


     sensitive
         T

Options
     The following options are supported:

     -f
         Force. chmod does not complain if it fails to change the
         mode of a file.


     -R
         Recursively descend through directory arguments, setting
         the  mode for each file. When symbolic links are encoun-
         tered, the mode of the target file is  changed,  but  no
         recursion takes place.


     -@ named_attribute
         Perform the attribute operation on  the  named  extended
         attribute  file of each file operand instead of the file
         operand itself. If multiple -@ operations are  supplied,
         the  attribute  specification mode is applied to each of
         the named attribute files.

         A named attribute of * carries meaning to chmod, and  is
         considered  to mean all extended attribute files associ-
         ated with a file operand. This does  not  refer  to  the
         special files . and ...

         A named attribute  of  ..  carries  special  meaning  to
         chmod,  and  is  considered  to  mean  the  file operand
         itself. This allows chmod, in a single  call,  to  apply
         the  attribute specification mode to the specified named
         attribute file of the file operand and the file  operand
         itself.

Operands
     The following operands are supported:

     absolute-mode
     symbolic-mode-list
         Represents the change to be made to the file  mode  bits
         of  each  file  named  by  one of the file operands. See
         Absolute Mode and Symbolic Mode in the DESCRIPTION  sec-
         tion of this manual page for more information.


     acl_operation
         Represents the  modification  to  be  performed  on  the
         file's ACL. See ACL Operation in the DESCRIPTION section
         for more information.

         acl_operation is one of the following:

           A[number] -

           A-acl_specification

           A[index]{+|=}acl_specification




     attribute_specification_list
         Represents the modification to performed on  the  file's
         attributes.  See  Attribute Operation in the DESCRIPTION
         section of this manual page for more information.


     file
         A path name of a file whose file mode  bits  are  to  be
         modified.

Usage
     See largefile(5) for the  description  of  the  behavior  of
     chmod  when  encountering  files  greater than or equal to 2
     Gbyte ( 2^31 bytes).

Examples
     Example 1 Denying execute Permission


     The following example denies execute permission to everyone:


       % chmod a-x file



     Example 2 Allowing read-only Permission

     The following example allows only read permission to  every-
     one:


       % chmod 444 file



     Example 3 Making a File readable and writable


     The following example makes a file readable and writable  by
     the group and others:


       % chmod go+rw file

       % chmod 066 file



     Example 4 Locking a File From Access


     The following example locks a file from access:


       $ chmod +l file



     Example 5 Granting read, write, execute,  and  set  group-ID
     Permission on a File


     The following example grants everyone read, write, and  exe-
     cute permissions on the file, and turns on the set group-ID:


       $ chmod a=rwx,g+s file

       $ chmod 2777 file



     Example 6 Prepending a New ACL Entry on a ZFS File


     The following example prepends a new  ACL  entry  on  a  ZFS
     file.

     First, display the current ACL:


       $ ls -v file.3

       -rw-r--r--   1 marks    staff          0 Oct  9 15:49 file.3

             0:owner@:execute:deny

             1:owner@:read_data/write_data/append_data/write_xattr/

                write_attributes/write_acl/write_owner:allow

             2:group@:write_data/append_data/execute:deny

             3:group@:read_data:allow

             4:everyone@:write_data/append_data/write_xattr/execute/

               write_attributes/write_acl/write_owner:deny

             5:everyone@:read_data/read_xattr/read_attributes/read_acl/

                synchronize:allow




     Issue the following command:


       $ chmod A+user:lp:read_data:deny file.3




     Display the new ACL:


       $ ls -v file.3

       -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3

             0:user:lp:read_data:deny

             1:owner@:execute:deny

             2:owner@:read_data/write_data/append_data/write_xattr/

                 write_attributes/write_acl/write_owner:allow

             3:group@:write_data/append_data/execute:deny
             4:group@:read_data:allow

             5:everyone@:write_data/append_data/write_xattr/execute/

                 write_attributes/write_acl/write_owner:deny

             6:everyone@:read_data/read_xattr/read_attributes/read_acl/

                 synchronize:allow



     Example 7 Prepending a New POSIX-draft ACL Entry  on  a  UFS
     File


     The following example prepends a new POSIX-draft  ACL  entry
     on a UFS file.



     First, display the current ACL:


       $ ls -v file.2

       -rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2

             0:user::rw-

             1:group::r--           #effective:r--

             2:mask:r--

             3:other:r--




     Issue the following command:


       $ chmod A+user:lp:-wx file.2




     Display the new ACL:


       $ ls -v file.2
       -rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2

             0:user::rw-

             1:user:lp:-wx          #effective:---

             2:group::r--           #effective:r--

             3:mask:r--

             4:other:r--



     Example 8 Inserting an ACL Entry in a Specific Position on a
     ZFS file


     The following example inserts an ACL  entry  in  a  specific
     position  on a ZFS file system. It also illustrates the com-
     pact ACL format.



     First, display the ACL to pick a location to  insert  a  new
     ACE.


       % ls -V file.1

       -rw-r--r--+  1 root     root           0 Oct  6 12:16 file.1

            user:lp:rw------------:------:allow

             owner@:--x-----------:------:deny

             owner@:rw-p---A-W-Co-:------:allow

             group@:-wxp----------:------:deny

             group@:r-------------:------:allow

          everyone@:-wxp---A-W-Co-:------:deny

          everyone@:r-----a-R-c--s:------:allow




     Next, insert a new entry in location 3.   This  causes   the
     entries   that  are currently in position 3 - 6 to be pushed
     down.

     Issue the following command:


       $ chmod A3+user:marks:r:deny file.1




     Display the new ACL:


       $ ls -V file.1

       -rw-r--r--+  1 root     staff          0 Feb  3 14:13 file.1

            user:lp:rw------------:------:allow

             owner@:--x-----------:------:deny

             owner@:rw-p---A-W-Co-:------:allow

         user:marks:r-------------:------:deny

             group@:-wxp----------:------:deny

             group@:r-------------:------:allow

          everyone@:-wxp---A-W-Co-:------:deny

          everyone@:r-----a-R-c--s:------:allow



     Example 9 Inserting a POSIX-draft ACL in a Specific Position
     on a UFS File


     The file system reorders ACLs when they are  stored  in  the
     file   system.   The   following  example  illustrates  this
     behavior.


       $ ls -v file.1

       -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1

             0:user::rw-

             1:user:lp:rw-          #effective:r--

             2:group::r--           #effective:r--

             3:mask:r--

             4:other:r--




     Now, insert an entry  at  index  position  3.   The  command
     works, but the file system reorders the ACL.


       $ chmod A3+user:marks:rw- file.1

       $ ls -v file.1

       -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1

             0:user::rw-

             1:user:lp:rw-           #effective:r--

             2:user:marks:rw-        #effective:r--

             3:group::r--            #effective:r--

             4:mask:r--

             5:other:r--




     Rather than  inserting  the  ACL  entry  in  position  3  as
     requested, it actually ends up in position 2.


     Example 10 Removing an ACL Entry on a ZFS File


     The following example removes the lp entry from an ACL:


       $ ls -v file.3

       -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3

             0:user:lp:read_data:deny

             1:owner@:execute:deny

             2:owner@:read_data/write_data/append_data/write_xattr/

                write_attributes/write_acl/write_owner:allow

             3:group@:write_data/append_data/execute:deny

             4:group@:read_data:allow

             5:everyone@:write_data/append_data/write_xattr/execute/

                write_attributes/write_acl/write_owner:deny

             6:everyone@:read_data/read_xattr/read_attributes/read_acl/

                synchronize:allow



       $ chmod A-user:lp:read_data:deny file.3

       $ ls -v file.3

       -rw-r--r--   1 marks    staff          0 Oct  9 15:49 file.3

             0:owner@:execute:deny

             1:owner@:read_data/write_data/append_data/write_xattr/

                write_attributes/write_acl/write_owner:allow

             2:group@:write_data/append_data/execute:deny

             3:group@:read_data:allow

             4:everyone@:write_data/append_data/write_xattr/execute/

                write_attributes/write_acl/write_owner:deny

             5:everyone@:read_data/read_xattr/read_attributes/read_acl/

                synchronize:allow



     Example 11 Removing a POSIX-draft ACL on a UFS File


     The following example removes the lp entry from an ACL:


       $ ls -v file.2

       -rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2

             0:user::rw-

             1:user:lp:-wx           #effective:---

             2:group::r--            #effective:r--

             3:mask:r--

             4:other:r--



       $ chmod A-user:lp:-wx file.2

       $ ls -v file.2

       -rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2

             0:user::rw-

             1:group::r--            #effective:r--

             2:mask:r--

             3:other:r--



     Example 12 Removing a Specific ACL Entry by Index Number  on
     a ZFS File


     Consider the following ACL:


       $ ls -v file

           0:group:staff:read_data/write_data/execute/read_acl:allow

           1:user:bin:read_data:deny

           2:user:bin:read_data:allow

           3:owner@:write_data/append_data:deny

           4:owner@:read_data/write_xattr/execute/write_attributes/write_acl

               /write_owner:allow

           5:group@:write_data/append_data:deny

           6:group@:read_data/execute:allow
           7:everyone@:write_data/append_data/write_xattr/write_attributes

               /write_acl/write_owner:deny

           8:everyone@:read_data/read_xattr/execute/read_attributes/read_acl

               /synchronize:allow




     Remove the second user entry for bin.


       $ chmod A2- file

       $ ls -v file

           0:group:staff:read_data/write_data/execute/read_acl:allow

           1:user:bin:read_data:deny

           2:owner@:write_data/append_data:deny

           3:owner@:read_data/write_xattr/execute/write_attributes/write_acl

              /write_owner:allow

           4:group@:write_data/append_data:deny

           5:group@:read_data/execute:allow

           6:everyone@:write_data/append_data/write_xattr/write_attributes

              /write_acl/write_owner:deny

           7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl

              /synchronize:allow



     Example 13 Removing a Specific POSIX-draft ACL  Entry  on  a
     UFS File


     The following example removes the lp entry by  index  number
     from the following ACL:


       $ ls -v file.1
       -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1

             0:user::rw-

             1:user:lp:rw-              #effective:r--

             2:group::r--               #effective:r--

             3:mask:r--

             4:other:r--



             $ chmod A1- file.1

             $ ls -v

       -rw-r--r--+  1 root     root           0 Sep 29 16:10 file.1

             0:user::rw-

             1:group::r--               #effective:r--

             2:mask:r--

             3:other:r--



     Example 14 Removing All ACLs From a File


     The following command works with either NFSv4/ZFS or  POSIX-
     draft ACLs.



     Consider the following ACL:


       $ ls -v file.3

       -rw-r--r--+  1 marks    staff          0 Oct  9 15:49 file.3

             0:user:lp:read_data/write_data:allow

             1:user:marks:read_acl:allow

             2:owner@:execute:deny

             3:owner@:read_data/write_data/append_data/write_xattr/

                write_attributes/write_acl/write_owner:allow

             4:group@:write_data/append_data/execute:deny

             5:group@:read_data:allow

             6:everyone@:write_data/append_data/write_xattr/execute/

                write_attributes/write_acl/write_owner:deny

             7:everyone@:read_data/read_xattr/read_attributes/read_acl/

                synchronize:allow




     The existing ACL is effectively removed and is replaced with
     an ACL that represents the permission bits of the file.


       $ chmod A- file.3

       $ ls -v file.3

       -rw-r--r--  1 marks    staff          0 Oct  9 15:49 file.3

            0:owner@:execute:deny

            1:owner@:read_data/write_data/append_data/write_xattr/

               write_attributes/write_acl/write_owner:allow

            2:group@:write_data/append_data/execute:deny

            3:group@:read_data:allow

            4:everyone@:write_data/append_data/write_xattr/execute/

               write_attributes/write_acl/write_owner:deny

            5:everyone@:read_data/read_xattr/read_attributes/read_acl/

              synchronize:allow



     Example 15 Replacing an Entire ACL Entry on a ZFS File


     Use the following chmod syntax if you want to replace an ACL
     in its entirety:

       $ chmod A=owner@:read_data/write_data:allow,group@:read_data/

                      write_data:allow,user:lp:read_data:allow file.4

       $ ls -v file.4

       -rw-rw----+  1 marks    staff          0 Oct  9 16:12 file.4

              0:owner@:read_data/write_data:allow

              1:group@:read_data/write_data:allow

              2:user:lp:read_data:allow



     Example 16 Replacing an Entire POSIX-draft ACL on a UFS File


     This operation is a little more complicated.   The  replace-
     ment  ACL  needs the necessary entries to represent the file
     owner, file group owner,  other,  mask  and  any  additional
     entries you wish to set.


       $ chmod A=user::rw-,group::rw-,other::---,mask:r--,

                     user:lp:r-- file.3

       $ ls -v file.3

       -rw-r-----+  1 root     root           0 Oct  9 16:14 file.3

               0:user::rw-

               1:user:lp:r--        #effective:r--

               2:group::rw-         #effective:r--

               3:mask:r--

               4:other:---



     Example 17 Replacing a Specific Entry on a ZFS File


     Consider the following ACL.


       $ ls -v file.5
       -rw-r--r--+  1 marks    staff          0 Oct  9 16:18 file.5

            0:user:marks:read_data:allow

            1:owner@:execute:deny

            2:owner@:read_data/write_data/append_data/write_xattr/

               write_attributes/write_acl/write_owner:allow

            3:group@:write_data/append_data/execute:deny

            4:group@:read_data:allow

            5:everyone@:write_data/append_data/write_xattr/execute/

               write_attributes/write_acl/write_owner:deny

            6:everyone@:read_data/read_xattr/read_attributes/read_acl/

               synchronize:allow




     Now, change the allow access to a deny for user marks:


       $ chmod A0=user:marks:read_data:deny file.5

       $ ls -v file.5

       -rw-r--r--+  1 marks   staff          0 Aug 23 09:11 file.5

       0:user:marks:read_data:deny

       1:owner@:read_data/write_data/append_data/write_xattr/write_attributes

            /write_acl/write_owner:allow

       2:group@:write_data/append_data/execute:deny

       3:group@:read_data:allow

       4:everyone@:write_data/append_data/write_xattr/execute/write_attributes

            /write_acl/write_owner:deny

       5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize

            :allow

     Example 18 Replacing a Specific POSIX-draft  ACL  on  a  UFS
     File


     Consider the following ACL.


       $ ls -v file.4

       -rw-r--r--+  1 marks    staff          0 Oct  9 16:21 file.4

               0:user::rw-

               1:user:lp:rwx         #effective:r--

               2:group::r--          #effective:r--

               3:mask:r--

               4:other:r--




     Now, change the permission on lp from rwx to r--:


       $ chmod A1=user:lp:r-- file.4



       $ ls -v file

       -rw-r--r--+  1 marks    staff          0 Oct  9 16:21 file.4

               0:user::rw-

               1:user:lp:r--         #effective:r--

               2:group::r--          #effective:r--

               3:mask:r--

               4:other:r--



     Example 19 Setting ACL Inheritance Flags on a ZFS File


     You can only set inheritance flags on ZFS files.  When  set-
     ting  ACLs on directories,  several inheritance flags can be
     optionally set.



     Suppose you have an ACL entry for user lp that you  want  to
     be  inherited to newly created files in a directory.  First,
     you need to create an inheritable ACL entry  on  the  direc-
     tory:


       $ chmod A+user:lp:read_data:file_inherit:allow test.dir

       $ ls -dv test.dir

       drwxr-xr-x+  2 marks   staff          2 Aug 23 09:08 test.dir/

       0:user:lp:read_data:file_inherit:allow

       1:owner@::deny

       2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory

            /append_data/write_xattr/execute/write_attributes/write_acl

            /write_owner:allow

       3:group@:add_file/write_data/add_subdirectory/append_data:deny

       4:group@:list_directory/read_data/execute:allow

       5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr

            /write_attributes/write_acl/write_owner:deny

       6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes

            /read_acl/synchronize:allow




     The lp entry is inherited to  newly  created  files  in  the
     directory test.dir.


       $ touch test.dir/file.test

       $ ls -v test.dir/file.test

       -rw-r--r--+  1 marks    staff          0 Oct  9 16:29 test.dir/file.test

            0:user:lp::deny
            1:user:lp:read_data:allow

            2:owner@:execute:deny

            3:owner@:read_data/write_data/append_data/write_xattr/

                write_attributes/write_acl/write_owner:allow

            4:group@:write_data/append_data/execute:deny

            5:group@:read_data:allow

            6:everyone@:write_data/append_data/write_xattr/execute/

                write_attributes/write_acl/write_owner:deny

            7:everyone@:read_data/read_xattr/read_attributes/read_acl/

        synchronize:allow




     The user lp entry is inherited to the  newly  created  file.
     Multiple combinations of the inheritance flags can be speci-
     fied. For example, if you wanted the lp  entry  to  also  be
     inherited to  directories, then the following command can be
     used:


       $ chmod A+user:lp:read_data:file_inherit/\

             dir_inherit:allow test.dir



     Example 20 Replacing System Attributes of a ZFS File


     The following examples replace system attributes  of  a  ZFS
     file:


       $ chmod S=v{archive,hidden,readonly,system,appendonly,\

            nonodump,immutable,noav_modified,noav_quarantined,\

            nounlink,nosensitive} file1

     or


       $ chmod S=c{AHRSaiu} file1




     or


       $ chmod S=c{AHRSa-i--u-} file1




     or


       $ chmod S=cAHRSaiu file1




     or


       $ chmod -@ `..' S=cAHRSaiu file1




     Assuming appropriate privileges, this results in the follow-
     ing  system  attributes of file1 being set: archive, hidden,
     readonly,  system,  appendonly,  immutable,  and   nounlink.
     Assuming appropriate privileges, the following system attri-
     butes   of   file1   are   cleared:   nodump,   av_modified,
     av_quarantined, and sensitive.


     Example 21 Clearing All System Attributes of a ZFS File


     The following examples clears all system attributes of a ZFS
     file:


       $ chmod S-a file1

     or


       $ chmod -@ `..' S-a file1




     Assuming appropriate privileges, all boolean read-write sys-
     tem attributes are cleared on file1.


     Example 22 Setting a System Attribute of a  Named  Attribute
     File of a ZFS File


     The following example sets a system  attribute  of  a  named
     attribute file of a ZFS file, but not of the file itself:


       $ chmod -@ myattr S+vhidden file1




     This results in the hidden system attribute  being  set  for
     the  named  attribute file myattr of file1, but not the file
     itself.


     Example 23 Setting a System Attribute of All Named Attribute
     File of a ZFS File


     The following example sets a system attribute of  all  named
     attribute files of a ZFS file, but not of the file itself:


       $ chmod -@ `*' S+a file1



     Example 24 Setting a System Attribute of All Named Attribute
     Files of a ZFS File


     The following example sets a system attribute of  all  named
     attribute  files  of  a  ZFS  file,  as  well as of the file
     itself:


       $ chmod -@ `..' -@ `*' S+vhidden file1

     This results in the hidden system attribute  being  set  for
     all  named  attribute  files  of  file1, as well as the file
     itself.


     Example  25  Recursively  Descending  Through  a   Directory
     Hierarchy


     The following example recursively descends through a  direc-
     tory  hierarchy, and sets all system attributes of all named
     attribute files, the ZFS file operands, as well  as  of  the
     directory itself:


       $ chmod -R -@ `..' -@ `*' S+a directory1




     This results in the hidden system attribute  being  set  for
     all  named  attribute  files of all regular files and direc-
     tories within the directory hierarchy of directory1, as well
     as of directory1 itself.


     Example 26 Setting the hidden and system  System  Attributes
     of a ZFS File


     The following examples set  the  hidden  and  system  system
     attributes of a ZFS file:


       $ chmod S+cHS file1




     or


       $ chmod S+vhidden,+vsystem file1




     or


       $ chmod S+v{hidden,system} file1

     or


       $ chmod S+c{-HS--------} file1




     or


       $ chmod S-v{nohidden,nosystem} file1




     or


       $ chmod S-v{hidden,system},+v{hidden,system} file1



     Example 27 Clearing All System Attributes of a ZFS File


     The following example clears all system attributes of a  ZFS
     file:


       $ chmod S-a file1




     or


       $ chmod S=v{} file1




     In the following two examples, the last attribute  operation
     specified takes precedence.



     In this example, the replacement attribute  name  list  ({})
     clears all system attributes for file1:

       $ chmod S+cHS,=v{} file1




     In this example, the clear attributes operation (-a)  clears
     all system attributes of file1:


       $ chmod S+vhidden,+vsystem,-a file1



     Example 28 Setting the Values of All Boolean read-write Sys-
     tem Attributes of a File


     The following example sets the values of all  boolean  read-
     write system attributes of a file to the same as the boolean
     read-write system attributes of another file:


       $ chmod S=v`ls -/v file1|sed -n `2s/.*{/{/p'` file2




     Assuming appropriate privileges and  that  file1  and  file2
     have the same supported system attributes, all system attri-
     butes of file1 that are set are also set on file2. All  sys-
     tem attributes of file1 that are cleared are also cleared on
     file2.

Environment Variables
     See environ(5) for descriptions of the following environment
     variables  that affect the execution of chmod: LANG, LC_ALL,
     LC_CTYPE, LC_MESSAGES, and NLSPATH.

Exit Status
     The following exit values are returned:

     0
         Successful completion.


     >0
         An error occurred.

Attributes
     See attributes(5) for descriptions of the  following  attri-
     butes:



     tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i)  ATTRI-
     BUTE  TYPEATTRIBUTE  VALUE  _  Availabilitysystem/core-os  _
     CSIEnabled _ Interface StabilityCommitted

See Also
     getfacl(1),  ls(1),  setfacl(1),   chmod(2),   fgetattr(3C),
     acl(5),  attributes(5), environ(5), fsattr(5), largefile(5),
     standards(5)


     Managing ZFS File Systems in Oracle Solaris 11.3

Notes
     Absolute changes do not work for the set-group-ID bit  of  a
     directory. You must use g+s or g-s.


     chmod permits you to produce useless modes so long  as  they
     are  not  illegal  (for instance, making a text file execut-
     able). chmod does not check the file type to see  if  manda-
     tory locking is meaningful.


     If the filesystem is mounted with the nosuid option,  setuid
     execution is not allowed.


     If you use chmod to change the file group owner  permissions
     on  a  file with ACL entries, both the file group owner per-
     missions and the ACL mask are changed  to  the  new  permis-
     sions. Be aware that the new ACL mask permissions can change
     the effective permissions for additional  users  and  groups
     who  have  ACL  entries  on  the file. Use the getfacl(1) or
     ls(1)command to make sure the  appropriate  permissions  are
     set for all ACL entries.
맨 페이지 내용의 저작권은 맨 페이지 작성자에게 있습니다.
RSS ATOM XHTML 1.0 CSS3