Change access permissions, change mode.


      chmod [-fv] [-R [-H | -L | -P]] mode file ...

      chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...

      chmod [-fhv] [-R [-H | -L | -P]] [ACL_Option] file ...

   -R         Recurse: Change the mode of file hierarchies rooted in the files
              instead of just the files themselves.
              Take care to not run recursive chmod on the root '/' directory or any other system directory.

   -R -H      Follow symbolic links on the command line
              (by default Symbolic links within the tree are not followed.)         
   -R -L      All symbolic links are followed.
   -R -P      No symbolic links are followed. (default)
   -f         Do not display a diagnostic message if chmod could not modify the mode for file.

   -h         If the file is a symbolic link, change the mode of the link
              itself rather than the file that the link points to.

   -v         Verbose, show filenames as the mode is modified, this option is non-standard and
              its use in scripts is not recommended.

   -v -v      Very Verbose: display both old and new modes of the file in both octal and symbolic notation,
              this option is non-standard and its use in scripts is not recommended.

   -E         Read the ACL information from stdin, as a sequential list of ACEs,
              separated by newlines.  If the information parses correctly,
              the existing information is replaced.

   -C         Returns false if any of the named files have ACLs in non-canonical

   -N         Remove the ACL from the named file(s).

   +a mode    Insert a new ACL entry 
   +a# mode   Insert a new ACL entry with specific ordering
   -a mode    Delete an ACL entry
   =a# mode   Rewrite an Individual entry
   -i         Remove the 'inherited' bit from all entries in the named file(s) ACLs.
   -I         Remove all inherited entries from the named file(s) ACL(s).

chmod changes the permissions of each given file according to mode, which can be either an octal number representing the bit pattern for the new permissions or a symbolic representation of changes to make, (+-= rwxXstugoa)

Using letters is easier to understand for most people. e.g. chmod +x to make executable.


Owner Group Other

Optionally, the Superuser and sticky codes below can be added, making a 4 digit mode, e.g. Owner: Read + Stickybit =1400


When chmod is applied to a directory:

Numeric (absolute) mode:

From one to four octal digits
Any omitted digits are assumed to be leading zeros.

First digit (optional) = Selects attributes for the Set User ID (4000) and Set Group ID (2000) and Sticky bit (1000).
Second digit = Permissions for the user who owns the file: read (4), write (2), and execute (1), for directories: allow owner to search (1).
Third digit = Permissions for other users in the file’s group: read (4), write (2), and execute (1), for directories: allow groups to search (1).
Fourth digit = Permissions for other users NOT in the file’s group: read (4), write (2), execute (1), for directories: allow others to search (1).

The octal (0-7) value is calculated by adding up the values for each digit
User (rwx) = 4+2+1 = 7
Group(rx) = 4+1 = 5
World (rx) = 4+1 = 5
chmod mode = 0755

Numeric Mode Examples:

Allow read permission to everyone:
$ chmod 444 file

Allow everyone to read, and execute the file:
$ chmod 755 file

Make a file readable by anyone and writable by the owner only:
$ chmod 644 file

Make a file readable and writable by the group and others:
$ chmod 066 file

Symbolic Mode

The format of a symbolic mode is [who...][[+-=][perm...]...][,...]

Multiple symbolic operations can be given, separated by commas.

who - a combination of the letters 'ugoa' controls which users' access to the file will be changed:

User letter
The user who owns it u
Other users in the file’s Group g
Other users not in the file’s group o
All users (equivalent to ugo) a

If none of these are given, the effect is as if (a) were given, but bits that are set in the umask are not affected.

The operator '+' causes the permissions selected to be added to the existing permissions of each file;
'-' causes them to be removed; and '=' causes them to be the only permissions that the file has.
if = is specified with no who then all (owner, group and other) will be cleared.

The letters 'rwxXstugo' select the new permissions for the affected users:

Permission letter
Read r
Write w
Execute (or access for directories) x
Execute only if the file is a directory
(or already has execute permission for some user)
Set User ID and Group ID on execution bits. s
Restricted deletion flag or sticky bit t
The permissions that the User who owns the file currently has for it u
The permissions that other users in the file’s Group have for it g
Permissions that Other users not in the file’s group have for it o

Symbolic Mode Examples:

Deny execute permission to everyone:
$ chmod a-x file

Allow read permission to everyone:
$ chmod a+r file

Make a file readable and writable by the group and others:
$ chmod go+rw file

Make a shell script executable by the user/owner
$ chmod u+x

You can then execute it like this: ./

Allow everyone to read, write, and execute the file and turn on the set group-ID:
$ chmod =rwx,g+s file

ACL - Access Control List manipulation

Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions.

Filesystem object permissions

delete Delete the item. Deletion can be granted by either this permission on an object or the delete_child right on the containing directory.
readattr Read an objects basic attributes. This is implicitly granted if the object can be looked up and not explicitly denied.
writeattr Write an object’s basic attributes.
readextattr Read extended attributes.
writeextattr Write extended attributes.
readsecurity Read an object’s extended security information (ACL).
writesecurity Write an object’s security information (ownership, mode,ACL).
chown Change an object’s ownership.

Directory permissions:

list List entries.
search Look up files by name.
add_file Add a file.
add_subdirectory Add a subdirectory.
delete_child Delete a contained object. See the file delete permission above.

Non-directory filesystem object permissions:

read Open for reading.
write Open for writing.
append Open for writing, but in a fashion that only allows writes into areas of the file not previously written.
execute Execute the file as a script or program.

Directory ACL inheritance permissions:

file_inherit Inherit to files.
directory_inherit Inherit to directories.
limit_inherit For subdirectory inheritance; this causes the directory_inherit flag to be cleared, preventing further subdirectories from also inheriting the entry.
only_inherit The entry is inherited by created items but not considered when processing the ACL.

In cases where a user and a group exist with the same name, the user/group name can be prefixed with "user:" or "group:" in order to specify the type of name.

ACL Examples

Use ls -le to view the effect of all changes.

$ chmod +a "admin allow read,readattr,readextattr,readsecurity" MyDemoDirectory
$ chmod +a "admin allow write" myfile.txt
$ chmod +a "guest deny read" myfile.txt
$ chmod +a "admin allow delete" myfile.txt
$ chmod +ai "others allow read" myfile.txt
$ chmod +a# 2 "others deny read" myfile.txt
$ chmod -a# 1 myfile.txt
$ chmod -a "admin allow write" myfile.txt
$ chmod =a# 1 "admin allow write,chown"

Clear All ACLs:
$ sudo chmod -RN /path/to/folder

Disable Apple Remote Desktop by Revoking execute rights:
$ cd /System/Library/CoreServices/RemoteManagement/
$ sudo ls -l
$ sudo chmod u-s ARDAgent

Only the owner of a file or the super-user is permitted to change the mode of a file.

chmod never changes the permissions of symbolic links. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file.

In contrast, chmod ignores symbolic links encountered during recursive directory traversals.

The return status is zero if the mode is successfully changed, non-zero otherwise.

“It’s easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper

Related macOS commands

chown - Change file owner and group.
chflags - Change a file or folder’s flags.
install - Copy files and set attributes.
mount - Mount a file system.
sharing - Create share points for afp, ftp and smb services.
stat - Display file or file system status.
umask - Users file creation mask.

Copyright © 1999-2024
Some rights reserved