chmod


chmod Command



Purpose

Changes file modes.

Syntax



To Change File Modes Symbolically

chmod [ -R ] [ -h ] [ -f ] [ [ u ] [ g ] [ o ] | [ a ] ] { { - | + | = } [ r ] [ w ] [ x ] [ X ] [ s ] [ t ] } { File ... | Directory ... }

To Change File Modes Numerically

chmod [ -R ] [ -h ] [ -f ] PermissionCode { File ... | Directory ... }

Description

The chmod command modifies the mode bits and the extended access control
lists (ACLs) of the specified files or directories. The mode can be
defined symbolically or numerically (absolute mode).

When a symbolic link is encountered and you have not specified the
-h flag, the chmod command changes the mode of the file or directory
pointed to by the link and not the mode of the link itself. If you
specify the -h flag, the chmod command prevents this mode change.

If you specify both the -h flag and the -R flag, the chmod command
descends the specified directories recursively, and when a symbolic
link is encountered, the mode of the file or directory pointed to
by the link is not changed.

Flags

-f	Suppresses all error reporting except invalid permissions and usage
statements.

-h	Suppresses a mode change for the file or directory pointed to by
the encountered symbolic link.

Note:	This behavior is slightly different from the behavior of the
-h flag on the chgrp and chown commands because mode bits cannot be
set on symbolic links.

-R	Descends only directories recursively, as specified by the pattern
File...|Directory.... The -R flag changes the file mode bits of each
directory and of all files matching the specified pattern. See Example
6.

When a symbolic link is encountered and the link points to a directory,
the file mode bits of that directory are changed but the directory
is not further traversed.

Symbolic Mode

To specify a mode in symbolic form, you must specify three sets of
flags.

Note:	Do not separate flags with spaces.

The first set of flags specifies who is granted or denied the specified
permissions, as follows:

u	File owner.

g	Group and extended ACL entries pertaining to the file's group.

o	All others.

a	User, group, and all others. The a flag has the same effect as specifying
the ugo flags together. If none of these flags are specified, the
default is the a flag and the file creation mask (umask) is applied.

The second set of flags specifies whether the permissions are to be
removed, applied, or set:

-	Removes specified permissions.

+	Applies specified permissions.

=	Clears the selected permission field and sets it to the permission
specified. If you do not specify a permission following =, the chmod
command removes all permissions from the selected field.

The third set of flags specifies the permissions that are to be removed,
applied, or set:

r	Read permission.

w	Write permission.

x	Execute permission for files; search permission for directories.

X	Execute permission for files if the current (unmodified) mode bits
have at least one of the user, group, or other execute bits set. The
X flag is ignored if the File parameter is specified and none of the
execute bits are set in the current mode bits.

	Search permission for directories.

s	Set-user-ID-on-execution permission if the u flag is specified or
implied. Set-group-ID-on-execution permission if the g flag is specified
or implied.

t	For directories, indicates that only file owners can link or unlink
files in the specified directory. For files, sets the save-text attribute.

Numeric or Absolute Mode

The chmod command also permits you to use octal notation for the mode.
The numeric mode is the sum of one or more of the following values:

4000	Sets user ID on execution.

2000	Sets group ID on execution.

1000	Sets the link permission to directories or sets the save-text
attribute for files.

0400	Permits read by owner.

0200	Permits write by owner.

0100	Permits execute or search by owner.

0040	Permits read by group.

0020	Permits write by group.

0010	Permits execute or search by group.

0004	Permits read by others.

0002	Permits write by others.

0001	Permits execute or search by others.

Notes: 

1.	Specifying the mode numerically disables any extended ACLs. Refer
to "Access Control Lists" in AIX Version 4.1 System User's Guide:
Operating System and Devices for more information.

2.	Changing group access permissions symbolically also affects the
extended ACL entries. The group entries in the ACL that are equal
to the owning group of the file are denied any permission that is
removed from the mode. Refer to "Access Control Lists" for more information.

3.	You can specify multiple symbolic modes separated with commas.
Operations are performed in the order they appear from left to right.

4.	You must specify the mode symbolically when removing the set-group-ID-on-execution
permission from directories.
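
The three flag sets and Note 3, worked through as an added example (not AIX source code): apply_symbolic is a hypothetical helper that evaluates a symbolic mode string against the octal values listed above. It assumes = also clears the set-ID bit of the selected field, and it leaves out the t flag and all ACL side effects.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper: apply the comma-separated symbolic clauses in `spec`
 * to the mode `cur` and return the result, or (mode_t)-1 on a syntax error.
 * `mask` is the umask that applies when no u/g/o/a flag is given. */
mode_t apply_symbolic(mode_t cur, const char *spec, int is_dir, mode_t mask)
{
    const mode_t orig = cur;   /* X looks at the unmodified execute bits */
    const char *p = spec;

    for (;;) {
        mode_t who = 0;
        for (; *p && strchr("ugoa", *p); p++) {        /* first set: who */
            if (*p == 'u') who |= 04700;   /* owner rwx + set-user-ID  */
            if (*p == 'g') who |= 02070;   /* group rwx + set-group-ID */
            if (*p == 'o') who |= 00007;   /* others rwx               */
            if (*p == 'a') who |= 06777;   /* same as ugo together     */
        }
        if (who == 0)
            who = 06777 & ~mask;           /* default is a, less the umask */
        if (!*p || !strchr("-+=", *p))
            return (mode_t)-1;             /* an operator is required */

        while (*p && strchr("-+=", *p)) {              /* second set: operator */
            char op = *p++;
            mode_t perm = 0;
            for (; *p && strchr("rwxXs", *p); p++) {   /* third set: permissions */
                if (*p == 'r') perm |= 0444;
                if (*p == 'w') perm |= 0222;
                if (*p == 'x') perm |= 0111;
                if (*p == 'X' && (is_dir || (orig & 0111))) perm |= 0111;
                if (*p == 's') perm |= 06000;
            }
            perm &= who;                   /* only the selected fields */
            if (op == '+') cur |= perm;
            if (op == '-') cur &= ~perm;
            /* Assumption: = also clears the set-ID bit of the selected field. */
            if (op == '=') cur = (cur & ~who) | perm;
        }
        if (*p == '\0')
            return cur;
        if (*p++ != ',')
            return (mode_t)-1;             /* clauses run left to right */
    }
}

int main(void)
{
    /* Mode strings from Examples 2 to 4, applied to constructed start modes. */
    printf("%04o\n", (unsigned)apply_symbolic(0770, "go-w+x", 1, 022));
    printf("%04o\n", (unsigned)apply_symbolic(0644, "u=rwx,go=", 0, 022));
    printf("%05o\n", (unsigned)apply_symbolic(0755, "ug+s", 0, 022));
    return 0;
}
```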

Security

Access Control: This program should be installed as a normal user
program in the Trusted Computing Base.

Only the owner of the file or the root user can change the mode of
a file.

Exit Status

This command returns the following exit values:

0	The command executed successfully and all requested changes were
made.

>0	An error occurred.

Examples

1.	To add a type of permission to several files:

chmod g+w chap1 chap2

This adds write permission for group members to the files chap1 and
chap2.

2.	To make several permission changes at once:

chmod go-w+x mydir

This denies group members and others the permission to create or delete
files in mydir (go-w) and allows group members and others to search
mydir or use it in a path name (go+x). This is equivalent to the command
sequence:

chmod g-w mydir
chmod o-w mydir
chmod g+x mydir
chmod o+x mydir

3.	To permit only the owner to use a shell procedure as a command:

chmod u=rwx,go= cmd

This gives read, write, and execute permission to the user who owns
the file (u=rwx). It also denies the group and others the permission
to access cmd in any way (go=).

If you have permission to execute the cmd shell command file, then
you can run it by entering:

cmd

Note:	Depending on the PATH shell variable, you may need to specify
the full path to the cmd file.

4.	To use Set-ID Modes:

chmod ug+s cmd

When the cmd command is executed, the effective user and group IDs
are set to those that own the cmd file. Only the effective IDs associated
with the child process that runs the cmd command are changed. The
effective IDs of the shell session remain unchanged.

This feature allows you to permit access to restricted files. Suppose
that the cmd program has the Set-User-ID Mode enabled and is owned
by a user called dbms. The user dbms is not actually a person, but
might be associated with a database management system. The user betty
does not have permission to access any of dbms's data files. However,
she does have permission to execute the cmd command. When she does
so, her effective user ID is temporarily changed to dbms, so that
the cmd program can access the data files owned by the user dbms.

This way the user betty can use the cmd command to access the data
files, but she cannot accidentally damage them with the standard shell
commands.

5.	To use the absolute mode form of the chmod command:

chmod 644 text

This sets read and write permission for the owner, and it sets read-only
mode for the group and others. This also removes all extended ACLs
that might be associated with the file.

6.	To recursively descend directories and change file and directory
permissions given the tree structure:

./dir1/dir2/file1
./dir1/dir2/file2
./dir1/file1

enter this command sequence:

chmod -R 777 f*

which will change permissions on ./dir1/file1.

But given the tree structure of:

./dir1/fdir2/file1
./dir1/fdir2/file2
./dir1/file3

the command sequence:

chmod -R 777 f*

will change permissions on:

./dir1/fdir2
./dir1/fdir2/file1
./dir1/fdir2/file2
./dir1/file3

Implementation Specifics

Software Product/Option:	Base Operating System/ Base Operating System
Runtime

Standards Compliance:	OSF/1, OSF Level 3, BSD 4.3, SVID 3, SVID 2,
XPG4, XPG3, POSIX

File

/usr/bin/chmod	Contains the chmod command.

Related Information

The acledit command, aclget command, aclput command, chown command,
chgrp command, ls command.

The chmod subroutine, fchmod subroutine.

File Ownership and User Groups in AIX Version 4.1 System User's Guide:
Operating System and Devices introduces file ownership and permissions
to access files and directories.

Security Administration in AIX Version 4.1 System Management Guide:
Operating System and Devices describes system security.

Trusted Computing Base Overview in AIX Version 4.1 System Management
Guide: Operating System and Devices describes the part of the system
that is responsible for enforcing system information security policies.




=================================================================
=================================================================

chmod or fchmod Subroutine



Purpose

Changes file access permissions.

Library

Standard C Library (libc.a)

Syntax

#include <sys/stat.h>

int chmod (Path, Mode)
const char *Path;
mode_t Mode;

int fchmod (FileDescriptor, Mode)
int FileDescriptor;
mode_t Mode;

Description

The chmod subroutine sets the access permissions of the file specified
by the Path parameter. If Network File System (NFS) is installed on
your system, this path can cross into another node.

Use the fchmod subroutine to set the access permissions of an open
file pointed to by the FileDescriptor parameter.

The access control information is set according to the Mode parameter.

Parameters

FileDescriptor	Specifies the file descriptor of an open file.

Mode	Specifies the bit pattern that determines the access permissions.
The Mode parameter is constructed by logically ORing one or more of
the following values, which are defined in the sys/mode.h file:

S_ISUID	Enables the setuid attribute for an executable file. A process
executing this program acquires the access rights of the owner of
the file.

S_ISGID	Enables the setgid attribute for an executable file. A process
executing this program acquires the access rights of the group of
the file. Also, enables the group-inheritance attribute for a directory.
Files created in this directory have a group equal to the group of
the directory.

The following attributes apply only to files that are directly executable.
They have no meaning when applied to executable text files such as
shell scripts and awk scripts.

S_ISVTX	Enables the link/unlink attribute for a directory. Files cannot
be linked to in this directory. Files can only be unlinked if the
requesting process has write permission for the directory and is either
the owner of the file or the directory.

S_ISVTX	Enables the save text attribute for an executable file. The
program is not unmapped after usage.

S_ENFMT	Enables enforcement-mode record locking for a regular file.
File locks requested with the lockf subroutine are enforced.

S_IRUSR	Permits the file's owner to read it.

S_IWUSR	Permits the file's owner to write to it.

S_IXUSR	Permits the file's owner to execute it (or to search the directory).

S_IRGRP	Permits the file's group to read it.

S_IWGRP	Permits the file's group to write to it.

S_IXGRP	Permits the file's group to execute it (or to search the directory).

S_IROTH	Permits others to read the file.

S_IWOTH	Permits others to write to the file.

S_IXOTH	Permits others to execute the file (or to search the directory).

Other mode values exist that can be set with the mknod subroutine
but not with the chmod subroutine.

Path	Specifies the full path name of the file.

Return Values

Upon successful completion, the chmod subroutine and fchmod subroutines
return a value of 0. If the chmod subroutine or fchmod subroutine
is unsuccessful, a value of -1 is returned, and the errno global variable
is set to identify the error.

Error Codes

The chmod subroutine is unsuccessful and the file permissions remain
unchanged if one of the following is true:

ENOTDIR	A component of the Path prefix is not a directory.

EACCES	Search permission is denied on a component of the Path prefix.

EFAULT	The Path parameter points to a location outside of the allocated
address space of the process.

ESTALE	The root or current directory of the process is located in
a virtual file system that has been unmounted.

ELOOP	Too many symbolic links were encountered in translating the
Path parameter.

ENOENT	A symbolic link was named, but the file to which it refers
does not exist.

ENOENT	A component of the Path parameter does not exist or has the
disallow truncation attribute (see the ulimit subroutine).

ENOENT	The Path parameter is null.

ENOENT	The named file does not exist.

ENAMETOOLONG	A component of the Path parameter exceeded 255 characters,
or the entire Path parameter exceeded 1023 characters.

EPERM	The effective user ID does not match the owner of the file,
and the process does not have appropriate privileges.

EINVAL	The value of the Mode parameter is invalid.

The fchmod subroutine is unsuccessful and the file permissions remain
unchanged if the following is true:

EBADF	The value of the FileDescriptor parameter is not valid.

The chmod or fchmod subroutine is unsuccessful and the access control
information for a file remains unchanged if one of the following is
true:

EROFS	The named file resides on a read-only file system.

EIO	An I/O error occurred during the operation.

EBUSY	The value of the Mode parameter would change the enforced locking
attribute of an open file.

If NFS is installed on your system, the chmod and fchmod subroutines
can also be unsuccessful if the following is true:

ETIMEDOUT	The connection timed out.
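
An added example (not part of the AIX documentation) of the fchmod pattern: the file is opened once, checked through the descriptor, and changed through the same descriptor, so the object that was inspected is the object that is modified. make_owner_only and demo_mode_after are hypothetical names, and O_NOFOLLOW assumes a POSIX.1-2008 system.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: restrict a regular file to owner read/write.
 * Returns 0 on success or a negative errno value. */
int make_owner_only(const char *path)
{
    struct stat st;
    int rc = 0;
    /* O_NOFOLLOW refuses a symbolic link as the last path component;
     * O_NONBLOCK keeps open() from blocking on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd < 0)
        return -errno;
    if (fstat(fd, &st) < 0)
        rc = -errno;
    else if (!S_ISREG(st.st_mode))
        rc = -EINVAL;                  /* policy of this helper, not of fchmod */
    else if (fchmod(fd, S_IRUSR | S_IWUSR) < 0)   /* ORed values: 0600 */
        rc = -errno;                   /* for example EPERM or EROFS */
    close(fd);
    return rc;
}

/* Constructed demo: create a 0666 temporary file, call the helper on it
 * directly or through a symbolic link, and return the file's resulting
 * permission bits (-1 if the setup failed). */
int demo_mode_after(int via_symlink)
{
    char path[] = "/tmp/fchmod_demo_XXXXXX", lnk[64];
    struct stat st;
    int fd = mkstemp(path), out = -1;

    if (fd < 0)
        return -1;
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    if (fchmod(fd, 0666) == 0 && symlink(path, lnk) == 0) {
        make_owner_only(via_symlink ? lnk : path);
        if (fstat(fd, &st) == 0)
            out = (int)(st.st_mode & 07777);
    }
    close(fd);
    unlink(lnk);
    unlink(path);
    return out;
}

int main(void)
{
    printf("direct:  %04o\n", (unsigned)demo_mode_after(0));
    printf("symlink: %04o\n", (unsigned)demo_mode_after(1));
    return 0;
}
```

Because the helper opens the file for reading, it fails with EACCES on a file the caller cannot read, even where chmod by path would have succeeded for the owner.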

Security

Access Control: The invoker must have search permission for all components
of the Path prefix.

Implementation Specifics

These subroutines are part of Base Operating System (BOS) Runtime.

Related Information

The acl_chg subroutine, acl_get subroutine, acl_put subroutine, acl_set
subroutine, chacl subroutine, statacl subroutine, stat subroutine.

The aclget command, aclput command, chmod command.

List of Security and Auditing Subroutines and Subroutines Overview
in AIX Version 4.1 General Programming Concepts: Writing and Debugging
Programs.



