From 5fd83771641d15c418f747bd343ba6738d3875f7 Mon Sep 17 00:00:00 2001 From: Cameron Katri Date: Sun, 9 May 2021 14:20:58 -0400 Subject: Import macOS userland adv_cmds-176 basic_cmds-55 bootstrap_cmds-116.100.1 developer_cmds-66 diskdev_cmds-667.40.1 doc_cmds-53.60.1 file_cmds-321.40.3 mail_cmds-35 misc_cmds-34 network_cmds-606.40.1 patch_cmds-17 remote_cmds-63 shell_cmds-216.60.1 system_cmds-880.60.2 text_cmds-106 --- file_cmds/chmod/chmod.1 | 604 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 604 insertions(+) create mode 100644 file_cmds/chmod/chmod.1 (limited to 'file_cmds/chmod/chmod.1') diff --git a/file_cmds/chmod/chmod.1 b/file_cmds/chmod/chmod.1 new file mode 100644 index 0000000..0e89f26 --- /dev/null +++ b/file_cmds/chmod/chmod.1 @@ -0,0 +1,604 @@ +.\"- +.\" Copyright (c) 1989, 1990, 1993, 1994 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" This code is derived from software contributed to Berkeley by +.\" the Institute of Electrical and Electronics Engineers, Inc. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" @(#)chmod.1 8.4 (Berkeley) 3/31/94 +.\" $FreeBSD$ +.\" +.Dd January 7, 2017 +.Dt CHMOD 1 +.Os +.Sh NAME +.Nm chmod +.Nd change file modes or Access Control Lists +.Sh SYNOPSIS +.Nm chmod +.Op Fl fv +.Op Fl R Op Fl H | L | P +.Ar mode +.Ar +.Nm chmod +.Op Fl fv +.Op Fl R Op Fl H | L | P +.Op -a | +a | =a +.Ar ACE +.Ar +.Nm chmod +.Op Fl fhv +.Op Fl R Op Fl H | L | P +.Op Fl E +.Ar +.Nm chmod +.Op Fl fhv +.Op Fl R Op Fl H | L | P +.Op Fl C +.Ar +.Nm chmod +.Op Fl fhv +.Op Fl R Op Fl H | L | P +.Op Fl N +.Ar +.Sh DESCRIPTION +The +.Nm chmod +utility modifies the file mode bits of the listed files +as specified by the +.Ar mode +operand. It may also be used to modify the Access Control +Lists (ACLs) associated with the listed files. +.Pp +The generic options are as follows: +.Bl -tag -width indent +.It Fl f +Do not display a diagnostic message if +.Nm chmod +could not modify the mode for +.Va file , +nor modify the exit status to reflect such failures. +.It Fl H +If the +.Fl R +option is specified, symbolic links on the command line are followed +and hence unaffected by the command. +(Symbolic links encountered during tree traversal are not followed.) +.It Fl h +If the file is a symbolic link, change the mode of the link itself +rather than the file that the link points to. +.It Fl L +If the +.Fl R +option is specified, all symbolic links are followed. +.It Fl P +If the +.Fl R +option is specified, no symbolic links are followed. +This is the default. +.It Fl R +Change the modes of the file hierarchies rooted in the files, +instead of just the files themselves. +Beware of unintentionally matching the +.Dq Pa ".." +hard link to the parent directory when using wildcards like +.Dq Li ".*" . +.It Fl v +Cause +.Nm chmod +to be verbose, showing filenames as the mode is modified. +If the +.Fl v +flag is specified more than once, the old and new modes of the file +will also be printed, in both octal and symbolic notation. +.El +.Pp +The +.Fl H , +.Fl L +and +.Fl P +options are ignored unless the +.Fl R +option is specified. +In addition, these options override each other and the +command's actions are determined by the last one specified. +.Pp +If +.Nm chmod +receives a +.Dv SIGINFO +signal (see the +.Cm status +argument for +.Xr stty 1 ) , +then the current filename as well as the old and new modes are displayed. +.Pp +Only the owner of a file or the super-user is permitted to change +the mode of a file. +.Sh EXIT STATUS +.Ex -std +.Sh MODES +Modes may be absolute or symbolic. +An absolute mode is an octal number constructed from the sum of +one or more of the following values: +.Pp +.Bl -tag -width 6n -compact -offset indent +.It Li 4000 +(the setuid bit). +Executable files with this bit set +will run with effective uid set to the uid of the file owner. +Directories with this bit set will force all files and +sub-directories created in them to be owned by the directory owner +and not by the uid of the creating process, if the underlying file +system supports this feature: see +.Xr chmod 2 +and the +.Cm suiddir +option to +.Xr mount 8 . +.It Li 2000 +(the setgid bit). +Executable files with this bit set +will run with effective gid set to the gid of the file owner. +.It Li 1000 +(the sticky bit). +See +.Xr chmod 2 +and +.Xr sticky 7 . +.It Li 0400 +Allow read by owner. +.It Li 0200 +Allow write by owner. +.It Li 0100 +For files, allow execution by owner. +For directories, allow the owner to +search in the directory. +.It Li 0040 +Allow read by group members. +.It Li 0020 +Allow write by group members. +.It Li 0010 +For files, allow execution by group members. +For directories, allow +group members to search in the directory. +.It Li 0004 +Allow read by others. +.It Li 0002 +Allow write by others. +.It Li 0001 +For files, allow execution by others. +For directories allow others to +search in the directory. +.El +.Pp +For example, the absolute mode that permits read, write and execute by +the owner, read and execute by group members, read and execute by +others, and no set-uid or set-gid behaviour is 755 +(400+200+100+040+010+004+001). +.Pp +The symbolic mode is described by the following grammar: +.Bd -literal -offset indent +mode ::= clause [, clause ...] +clause ::= [who ...] [action ...] action +action ::= op [perm ...] +who ::= a | u | g | o +op ::= + | \- | = +perm ::= r | s | t | w | x | X | u | g | o +.Ed +.Pp +The +.Ar who +symbols ``u'', ``g'', and ``o'' specify the user, group, and other parts +of the mode bits, respectively. +The +.Ar who +symbol ``a'' is equivalent to ``ugo''. +.Pp +The +.Ar perm +symbols represent the portions of the mode bits as follows: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It r +The read bits. +.It s +The set-user-ID-on-execution and set-group-ID-on-execution bits. +.It t +The sticky bit. +.It w +The write bits. +.It x +The execute/search bits. +.It X +The execute/search bits if the file is a directory or any of the +execute/search bits are set in the original (unmodified) mode. +Operations with the +.Ar perm +symbol ``X'' are only meaningful in conjunction with the +.Ar op +symbol ``+'', and are ignored in all other cases. +.It u +The user permission bits in the original mode of the file. +.It g +The group permission bits in the original mode of the file. +.It o +The other permission bits in the original mode of the file. +.El +.Pp +The +.Ar op +symbols represent the operation performed, as follows: +.Bl -tag -width 4n +.It + +If no value is supplied for +.Ar perm , +the ``+'' operation has no effect. +If no value is supplied for +.Ar who , +each permission bit specified in +.Ar perm , +for which the corresponding bit in the file mode creation mask +(see +.Xr umask 2 ) +is clear, is set. +Otherwise, the mode bits represented by the specified +.Ar who +and +.Ar perm +values are set. +.It \&\- +If no value is supplied for +.Ar perm , +the ``\-'' operation has no effect. +If no value is supplied for +.Ar who , +each permission bit specified in +.Ar perm , +for which the corresponding bit in the file mode creation mask +is set, is cleared. +Otherwise, the mode bits represented by the specified +.Ar who +and +.Ar perm +values are cleared. +.It = +The mode bits specified by the +.Ar who +value are cleared, or, if no +.Ar who +value is specified, the owner, group +and other mode bits are cleared. +Then, if no value is supplied for +.Ar who , +each permission bit specified in +.Ar perm , +for which the corresponding bit in the file mode creation mask +is clear, is set. +Otherwise, the mode bits represented by the specified +.Ar who +and +.Ar perm +values are set. +.El +.Pp +Each +.Ar clause +specifies one or more operations to be performed on the mode +bits, and each operation is applied to the mode bits in the +order specified. +.Pp +Operations upon the other permissions only (specified by the symbol +``o'' by itself), in combination with the +.Ar perm +symbols ``s'' or ``t'', are ignored. +.Pp +The ``w'' permission on directories will permit file creation, relocation, +and copy into that directory. +Files created within the directory itself will inherit its group ID. +.Sh EXAMPLES OF VALID MODES +.Bl -tag -width "u=rwx,go=u-w" -compact +.It Li 644 +make a file readable by anyone and writable by the owner only. +.Pp +.It Li go-w +deny write permission to group and others. +.Pp +.It Li =rw,+X +set the read and write permissions to the usual defaults, but +retain any execute permissions that are currently set. +.Pp +.It Li +X +make a directory or file searchable/executable by everyone if it is +already searchable/executable by anyone. +.Pp +.It Li 755 +.It Li u=rwx,go=rx +.It Li u=rwx,go=u-w +make a file readable/executable by everyone and writable by the owner only. +.Pp +.It Li go= +clear all mode bits for group and others. +.Pp +.It Li g=u-w +set the group bits equal to the user bits, but clear the group write bit. +.El +.Sh ACL MANIPULATION OPTIONS +ACLs are manipulated using extensions to the symbolic mode +grammar. Each file has one ACL, containing an ordered list of entries. +Each entry refers to a user or group, and grants or denies a set of +permissions. +In cases where a user and a group exist with the same name, the +user/group name can be prefixed with "user:" or "group:" in order to +specify the type of name. +.Pp +If the user or group name contains spaces you can use ':' as the delimiter +between name and permission. +.Pp +The following permissions are applicable to all filesystem objects: +.Bl -tag -width 6n -compact -offset indent +.It delete +Delete the item. Deletion may be granted by either this permission +on an object or the delete_child right on the containing directory. +.It readattr +Read an object's basic attributes. This is implicitly granted if +the object can be looked up and not explicitly denied. +.It writeattr +Write an object's basic attributes. +.It readextattr +Read extended attributes. +.It writeextattr +Write extended attributes. +.It readsecurity +Read an object's extended security information (ACL). +.It writesecurity +Write an object's security information (ownership, mode, ACL). +.It chown +Change an object's ownership. +.El +.Pp +The following permissions are applicable to directories: +.Bl -tag -width 6n -compact -offset indent +.It list +List entries. +.It search +Look up files by name. +.It add_file +Add a file. +.It add_subdirectory +Add a subdirectory. +.It delete_child +Delete a contained object. See the file delete permission above. +.El +.Pp +The following permissions are applicable to non-directory filesystem objects: +.Bl -tag -width 6n -compact -offset indent +.It read +Open for reading. +.It write +Open for writing. +.It append +Open for writing, but in a fashion that only allows writes into areas of +the file not previously written. +.It execute +Execute the file as a script or program. +.El +.Pp +ACL inheritance is controlled with the following permissions words, which +may only be applied to directories: +.Bl -tag -width 6n -compact -offset indent +.It file_inherit +Inherit to files. +.It directory_inherit +Inherit to directories. +.It limit_inherit +This flag is only relevant to entries inherited by subdirectories; it +causes the directory_inherit flag to be cleared in the entry that is +inherited, preventing further nested subdirectories from also +inheriting the entry. +.It only_inherit +The entry is inherited by created items but not considered when processing +the ACL. +.El +.Pp +The ACL manipulation options are as follows: +.Bl -tag -width Ds +.It \fB+a\fR +The +a mode parses a new ACL entry from the next argument on +the commandline and inserts it into the canonical location in the +ACL. If the supplied entry refers to an identity already listed, the +two entries are combined. +.Pp +\fBExamples\fR + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + # chmod +a "admin allow write" file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: admin allow write + # chmod +a "guest deny read" file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: admin allow write + # chmod +a "admin allow delete" file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: admin allow write,delete + # chmod +a "User 1:allow:read" file + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: User 1 allow read + 3: admin allow write,delete +.Pp +The +a mode strives to maintain correct canonical form for the ACL. + local deny + local allow + inherited deny + inherited allow +.Pp +By default, chmod adds entries to the top of the local deny and local +allow lists. Inherited entries are added by using the +ai mode. +.Pp +\fBExamples\fR + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: admin allow write,delete + 3: juser inherited deny delete + 4: admin inherited allow delete + 5: backup inherited deny read + 6: admin inherited allow write-security + # chmod +ai "others allow read" file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: admin allow write,delete + 3: juser inherited deny delete + 4: others inherited allow read + 5: admin inherited allow delete + 6: backup inherited deny read + 7: admin inherited allow write-security +.It \fB+a#\fR +When a specific ordering is required, the exact location at which an +entry will be inserted is specified with the +a# mode. +.Pp +\fBExamples\fR + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: admin allow write + # chmod +a# 2 "others deny read" file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: others deny read + 3: admin allow write +.Pp +The +ai# mode may be used to insert inherited entries at a specific +location. Note that these modes allow non-canonical ACL ordering to +be constructed. +.It Fl a +The -a mode is used to delete ACL entries. All entries exactly +matching the supplied entry will be deleted. If the entry lists a +subset of rights granted by an entry, only the rights listed are +removed. Entries may also be deleted by index using the -a# mode. +.Pp +\fBExamples\fR + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: guest deny read + 2: admin allow write,delete + # chmod -a# 1 file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: admin allow write,delete + # chmod -a "admin allow write" file1 + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: admin allow delete +.Pp +Inheritance is not considered when processing the -a mode; rights and +entries will be removed regardless of their inherited state. +.Pp +If the user or group name contains spaces you can use ':' as the delimiter +.Pp +\fBExample\fR + # chmod +a "User 1:allow:read" file +.It \fB=a#\fR +Individual entries are rewritten using the =a# mode. +.Pp +\fBExamples\fR + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: admin allow delete + # chmod =a# 1 "admin allow write,chown" + # ls -le + -rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 + owner: juser + 1: admin allow write,chown +.Pp +This mode may not be used to add new entries. +.It Fl E +Reads the ACL information from stdin, as a sequential list +of ACEs, separated by newlines. If the information parses correctly, +the existing information is replaced. +.It Fl C +Returns false if any of the named files have ACLs in non-canonical order. +.It Fl i +Removes the 'inherited' bit from all entries in the named file(s) ACLs. +.It Fl I +Removes all inherited entries from the named file(s) ACL(s). +.It Fl N +Removes the ACL from the named file(s). +.El +.Sh COMPATIBILITY +The +.Fl v +option is non-standard and its use in scripts is not recommended. +.Sh SEE ALSO +.Xr chflags 1 , +.Xr install 1 , +.Xr chmod 2 , +.Xr stat 2 , +.Xr umask 2 , +.Xr fts 3 , +.Xr setmode 3 , +.Xr sticky 7 , +.Xr symlink 7 , +.Xr chown 8 , +.Xr mount 8 +.Sh STANDARDS +The +.Nm chmod +utility is expected to be +.St -p1003.2 +compatible with the exception of the +.Ar perm +symbol +.Dq t +which is not included in that standard. +.Sh HISTORY +A +.Nm chmod +command appeared in +.At v1 . -- cgit v1.2.3-56-ge451