chmod Command

Purpose

   Changes permission modes.

Syntax

   To Change Permission Modes Symbolically

      chmod [ -R ] [ -f ] [ [ u ] [ g ] [ o ] | [ a ] ]
            { { - | + | = } [ r ] [ w ] [ x ] [ X ] [ s ] [ t ] }
            { File ... | Directory ... }

   To Change Permission Modes Numerically

      chmod [ -R ] [ -f ] PermissionCode { File ... | Directory ... }

Description

   The chmod command modifies the read, write, and execute permissions
   of specified files and modifies the search permission codes of
   specified directories. These permissions can be defined symbolically
   or numerically (Absolute mode).

Flags

   -f   Suppresses all error reporting.

   -R   Recursively descends the specified directories setting the mode
        for each file. When symbolic links are encountered, the mode of
        the file or directory pointed to by the link is changed, but
        the mode of the symbolic link is not changed.

Symbolic Mode

   Note: You can specify multiple symbolic modes separated with commas.
   Do not separate items in this list with spaces. Operations are
   performed in the order they appear from left to right.

   When you use the Symbolic mode to specify permission modes, the
   first set of parameters selects the permission field, as follows:

   u    File owner.
   g    Group and extended Access Control List (ACL) entries pertaining
        to the file's group.
   o    All others.
   a    User, group, and all others. This has the same effect as
        specifying the ugo flags. The a flag is the default permission
        field. If the permission field is omitted, the default is the
        a flag and the file creation mask (umask) is applied.

   The second set of flags selects whether permissions are to be taken
   away, added, or set exactly as specified:

   -    Removes specified permissions.
   +    Adds specified permissions.
   =    Clears the selected permission field and sets it to the mode
        specified. If you do not specify a permission mode following =,
        the chmod command removes all permissions from the selected
        field.
   The third set of parameters of the chmod command selects the
   permissions as follows:

   r    Read permission.
   w    Write permission.
   x    Execute permission for files; search permission for
        directories.
   X    Execute/search permission if the specified file is a directory
        or if the current (unmodified) file mode bits have at least one
        of the execute bits set. It is ignored if the specified file is
        not a directory and none of the execute bits are set in the
        current file mode bits.
   s    Set User-ID or Set Group-ID permission to that of File. This
        flag is only valid with the u and g flags of the permission
        field.
   t    Link permission for directories, save text attributes for
        files. Only the owner of a file has permission to delete it.

   Note: You can specify +t only if you are a root user.

Numeric or Absolute Mode

   The chmod command also permits you to use octal notation to set each
   bit in the permission mode. The chmod command sets the permissions
   to the PermissionCode you provide. This PermissionCode is
   constructed by combining (the logical OR of) the following values:

   4000   Sets user ID on execution.
   2000   Sets group ID on execution.
   1000   Sets the link permission to directories or sets the save text
          attribute for files.
   0400   Permits read by owner.
   0200   Permits write by owner.
   0100   Permits execute or search by owner.
   0040   Permits read by group.
   0020   Permits write by group.
   0010   Permits execute or search by group.
   0004   Permits read by others.
   0002   Permits write by others.
   0001   Permits execute or search by others.

Notes:

   1. Specifying access numerically limits the amount of attributes
      that may be expressed and also will implicitly disable any
      extended Access Control Entries. Refer to "Access Control Lists"
      in AIX Version 3.2 System Management Guide: Operating System and
      Devices for more information.

   2. Changing group access permissions symbolically will also affect
      the extended Access Control List entries which pertain to the
      group of the current file in the same way.
      Refer to "Access Control Lists" for more information.

   3. To set the SETUID and SETGID attributes, the chmod command must
      be invoked on the trusted path or as the root user, otherwise,
      these attributes will be cleared for all altered files.

   4. You cannot remove the SETGID attribute on a directory using the
      octal notation. To remove the SETGID attribute on a directory,
      you must explicitly remove the permission using the Symbolic mode
      form.

Security

   Access Control: This program should be installed as a normal user
   program in the Trusted Computing Base.

Examples

   1. To add a type of permission to several files:

         chmod g+w chap1 chap2

      This adds write permission for group members to the files chap1
      and chap2.

   2. To make several permission changes at once:

         chmod go-w+x mydir

      This denies group members and others the permission to create or
      delete files in mydir (go-w) and allows group members and others
      to search mydir or use it in a path name (go+x). This is
      equivalent to the command sequence:

         chmod g-w mydir
         chmod o-w mydir
         chmod g+x mydir
         chmod o+x mydir

   3. To permit only the owner to use a shell procedure as a command:

         chmod u=rwx,go= cmd

      This gives read, write, and execute permission to the user who
      owns the file (u=rwx). It also denies the group and others the
      permission to access cmd in any way (go=).

      If you have permission to execute the cmd shell command file,
      then you can run it by entering:

         cmd

      Note: cmd must reside in a directory specified by the shell
      variable PATH.

   4. To use Set-ID Modes:

         chmod ug+s cmd

      When cmd is executed, the effective user and group ID of the
      process are set to those of cmd. Only the effective IDs
      associated with the child process that runs cmd are changed. The
      effective IDs of the shell session remain unchanged.

      This feature allows you to permit restricted access to important
      files. Suppose that cmd has the Set-User-ID Mode enabled and is
      owned by a user called dbms.
      dbms is not actually a person, but might be associated with a
      database management system. The user betty does not have
      permission to access any of dbms's data files. However, she does
      have permission to execute cmd. When she does so, her effective
      user ID is temporarily changed to dbms, so that the cmd program
      can access the data files owned by dbms.

      This way betty can use cmd to access the data files, but she
      cannot accidentally damage them with the standard shell commands.

      Note: The SETUID and SETGID attributes work only on files that
      are directly executable. For example, setting the SETUID
      attribute on a shell script file has no effect because it cannot
      be executed directly.

   5. To use the Absolute mode form of the chmod command:

         chmod 644 text

      This sets read and write permission for the owner, and it sets
      read-only mode for the group and others.

Implementation Specifics

   This command is part of Base Operating System (BOS) Runtime.

Files

   /usr/bin/chmod   Contains the chmod command.

Related Information

   The acledit command, aclget command, aclput command, chown command,
   chgrp command, ls command.

   Understanding File and Directory Access Modes in AIX Version 3.2
   System Management Guide: Operating System and Devices introduces
   file ownership and permissions to access files and directories.

   Security Introduction in AIX Version 3.2 System Management Guide:
   Operating System and Devices describes system security.

   Trusted Computing Base Overview in AIX Version 3.2 System Management
   Guide: Operating System and Devices describes the part of the system
   that is responsible for enforcing system information security
   policies.
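
An added example, not part of the AIX documentation: a shell audit that uses the octal values from the Numeric or Absolute Mode table to report set-ID files, directories writable by others that lack the link permission bit, and files writable by group or others. The function names and the sample tree are constructed for illustration, and it assumes a find that accepts -perm with octal masks and a mktemp command.

```shell
#!/bin/sh
# Added example: audit a tree for the special mode bits in the octal table.
# Function names and the sample tree are constructed for illustration.

# Regular files with set-user-ID (4000) or set-group-ID (2000).
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Directories writable by others (0002) without link permission (1000).
list_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Regular files writable by group (0020) or others (0002).
list_loose_files() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) -print
}

# Run every check, print labelled findings, return 1 if any were found.
audit_modes() {
    found=0
    for check in list_setid_files list_open_dirs list_loose_files; do
        hits=$("$check" "$1")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$check: |"
            found=1
        fi
    done
    return "$found"
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/shared" "$tree/drop"
    : > "$tree/cmd"; : > "$tree/text"; : > "$tree/notes"
    chmod 1777 "$tree/shared"   # link permission set: not reported
    chmod 0777 "$tree/drop"     # reported by list_open_dirs
    chmod 4755 "$tree/cmd"      # reported by list_setid_files
    chmod 644 "$tree/text"      # mode from example 5: not reported
    chmod 664 "$tree/notes"     # reported by list_loose_files
    printf '%s\n' "$tree"
}

# Demo on the constructed tree: sh audit_modes.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(make_sample_tree) && audit_modes "$t"; rm -rf "$t"
fi
```
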