Permision UID bit of ARDagent exploit
The ARDAgent, it was discovered by www.macshadows.com that take advantage of the UID setting to allow the file and files ran by it as the file owner. This of course can allow a attacker either by remote process or by acutally going to the keyboard to run a script using applescript. Entering the following command will show you that using Applescript to run a shell script, our example simply the whois command will run as root.
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
The results will be root. (Note: if you installed the latest version of Virus Barrier signatures then you will get an error.) You can solve this many ways, here are two ways which.
One
Enter the following into a terminal:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/
sudo chmod 0555 ARDAgent
or you can do it in one line as follows:
sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
You will have to reboot after if you do any remote access management or screen sharing. If you are a Virus Barrier user the latest update should fix the problem by making it so that Applescript will not run shell scripts.
You can read about that here--->http://www.intego.com/news/ism0802.asp
This is using absolute mode for chmod settings.
FYI for all the Unix chmod fans, here is the complete man file for your reading pleaseure. I would suggest that you read the arbitury section since the chmod of this file is from chmod 4555 to 0555.
CHMOD BSD General Commands Manual CHMOD
NNAAMMEE
cchhmmoodd -- change file modes or Access Control Lists
SSYYNNOOPPSSIISS
cchhmmoodd [--ffvv] [--RR [--HH | --LL | --PP]] _m_o_d_e _f_i_l_e _._._.
cchhmmoodd [--ffvv] [--RR [--HH | --LL | --PP]] [-a | +a | =a] _A_C_E _f_i_l_e _._._.
cchhmmoodd [--ffhhvv] [--RR [--HH | --LL | --PP]] [--EE] _f_i_l_e _._._.
cchhmmoodd [--ffhhvv] [--RR [--HH | --LL | --PP]] [--CC] _f_i_l_e _._._.
cchhmmoodd [--ffhhvv] [--RR [--HH | --LL | --PP]] [--NN] _f_i_l_e _._._.
DDEESSCCRRIIPPTTIIOONN
The cchhmmoodd utility modifies the file mode bits of the listed files as
specified by the _m_o_d_e operand. It may also be used to modify the Access
Control Lists (ACLs) associated with the listed files.
The generic options are as follows:
--ff Do not display a diagnostic message if cchhmmoodd could not modify the
mode for _f_i_l_e.
--HH If the --RR option is specified, symbolic links on the command line
are followed. (Symbolic links encountered in the tree traversal
are not followed by default.)
--hh If the file is a symbolic link, change the mode of the link
itself rather than the file that the link points to.
--LL If the --RR option is specified, all symbolic links are followed.
--PP If the --RR option is specified, no symbolic links are followed.
This is the default.
--RR Change the modes of the file hierarchies rooted in the files
instead of just the files themselves.
-vv Cause cchhmmoodd to be verbose, showing filenames as the mode is modi
fied. If the --vv flag is specified more than once, the old and
new modes of the file will also be printed, in both octal and
symbolic notation.
The --HH, --LL and --PP options are ignored unless the --RR option is specified.
In addition, these options override each other and the command's actions
are determined by the last one specified.
Only the owner of a file or the super-user is permitted to change the
mode of a file.
DDIIAAGGNNOOSSTTIICCSS
The cchhmmoodd utility exits 0 on success, and >0 if an error occurs.
MMOODDEESS
Modes may be absolute or symbolic. An absolute mode is an octal number
constructed from the sum of one or more of the following values:
4000 (the set-user-ID-on-execution bit) Executable files with
this bit set will run with effective uid set to the uid of
the file owner. Directories with the set-user-id bit set
will force all files and sub-directories created in them to
be owned by the directory owner and not by the uid of the
creating process, if the underlying file system supports
this feature: see chmod(2) and the _s_u_i_d_d_i_r option to
mount(8).
2000 (the set-group-ID-on-execution bit) Executable files with
this bit set will run with effective gid set to the gid of
the file owner.
1000 (the sticky bit) See chmod(2) and sticky(8).
0400 Allow read by owner.
0200 Allow write by owner.
0100 For files, allow execution by owner. For directories,
allow the owner to search in the directory.
0040 Allow read by group members.
0020 Allow write by group members.
0010 For files, allow execution by group members. For directo-
ries, allow group members to search in the directory.
0004 Allow read by others.
0002 Allow write by others.
0001 For files, allow execution by others. For directories
allow others to search in the directory.
For example, the absolute mode that permits read, write and execute by
the owner, read and execute by group members, read and execute by others,
and no set-uid or set-gid behaviour is 755 (400+200+100+040+010+004+001).
The symbolic mode is described by the following grammar:
mode ::= clause [, clause ...]
clause ::= [who ...] [action ...] action
action ::= op [perm ...]
who ::= a | u | g | o
op ::= + | - | =
perm ::= r | s | t | w | x | X | u | g | o
The _w_h_o symbols ``u'', ``g'', and ``o'' specify the user, group, and
other parts of the mode bits, respectively. The _w_h_o symbol ``a'' is
equivalent to ``ugo''.
The _p_e_r_m symbols represent the portions of the mode bits as follows:
r The read bits.
s The set-user-ID-on-execution and set-group-ID-on-execution
bits.
t The sticky bit.
w The write bits.
x The execute/search bits.
X The execute/search bits if the file is a directory or any
of the execute/search bits are set in the original (unmodi-
fied) mode. Operations with the _p_e_r_m symbol ``X'' are only
meaningful in conjunction with the _o_p symbol ``+'', and are
ignored in all other cases.
u The user permission bits in the original mode of the file.
g The group permission bits in the original mode of the file.
o The other permission bits in the original mode of the file.
The _o_p symbols represent the operation performed, as follows:
+ If no value is supplied for _p_e_r_m, the ``+'' operation has no
effect. If no value is supplied for _w_h_o, each permission bit spec-
ified in _p_e_r_m, for which the corresponding bit in the file mode
creation mask is clear, is set. Otherwise, the mode bits repre-
sented by the specified _w_h_o and _p_e_r_m values are set.
- If no value is supplied for _p_e_r_m, the ``-'' operation has no
effect. If no value is supplied for _w_h_o, each permission bit spec-
ified in _p_e_r_m, for which the corresponding bit in the file mode
creation mask is clear, is cleared. Otherwise, the mode bits rep-
resented by the specified _w_h_o and _p_e_r_m values are cleared.
= The mode bits specified by the _w_h_o value are cleared, or, if no who
value is specified, the owner, group and other mode bits are
cleared. Then, if no value is supplied for _w_h_o, each permission
bit specified in _p_e_r_m, for which the corresponding bit in the file
mode creation mask is clear, is set. Otherwise, the mode bits rep-
resented by the specified _w_h_o and _p_e_r_m values are set.
Each _c_l_a_u_s_e specifies one or more operations to be performed on the mode
bits, and each operation is applied to the mode bits in the order speci-
fied.
Operations upon the other permissions only (specified by the symbol ``o''
by itself), in combination with the _p_e_r_m symbols ``s'' or ``t'', are
ignored.
EEXXAAMMPPLLEESS OOFF VVAALLIIDD MMOODDEESS
644 make a file readable by anyone and writable by the owner
only.
go-w deny write permission to group and others.
=rw,+X set the read and write permissions to the usual defaults,
but retain any execute permissions that are currently set.
+X make a directory or file searchable/executable by everyone
if it is already searchable/executable by anyone.
755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone and writable by
the owner only.
go= clear all mode bits for group and others.
g=u-w set the group bits equal to the user bits, but clear the
group write bit.
AACCLL MMAANNIIPPUULLAATTIIOONN OOPPTTIIOONNSS
ACLs are manipulated using extensions to the symbolic mode grammar. Each
file has one ACL, containing an ordered list of entries. Each entry
refers to a user or group, and grants or denies a set of permissions. In
cases where a user and a group exist with the same name, the user/group
name can be prefixed with "user:" or "group:" in order to specify the
type of name.
The following permissions are applicable to all filesystem objects:
delete Delete the item. Deletion may be granted by either this
permission on an object or the delete_child right on the
containing directory.
readattr
Read an objects basic attributes. This is implicitly
granted if the object can be looked up and not explicitly
denied.
writeattr
Write an object's basic attributes.
readextattr
Read extended attributes.
writeextattr
Write extended attributes.
readsecurity
Read an object's extended security information (ACL).
writesecurity
Write an object's security information (ownership, mode,
ACL).
chown Change an object's ownership.
The following permissions are applicable to directories:
list List entries.
search Look up files by name.
add_file
Add a file.
add_subdirectory
Add a subdirectory.
delete_child
Delete a contained object. See the file delete permission
above.
The following permissions are applicable to non-directory filesystem
objects:
read Open for reading.
write Open for writing.
append Open for writing, but in a fashion that only allows writes
into areas of the file not previously written.
execute
Execute the file as a script or program.
ACL inheritance is controlled with the following permissions words, which
may only be applied to directories:
file_inherit
Inherit to files.
directory_inherit
Inherit to directories.
limit_inherit
This flag is only relevant to entries inherited by subdi-
rectories; it causes the directory_inherit flag to be
cleared in the entry that is inherited, preventing further
nested subdirectories from also inheriting the entry.
only_inherit
The entry is inherited by created items but not considered
when processing the ACL.
The ACL manipulation options are as follows:
++aa The +a mode parses a new ACL entry from the next argument on the
commandline and inserts it into the canonical location in the
ACL. If the supplied entry refers to an identity already listed,
the two entries are combined.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write
# chmod +a "guest deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a "admin allow delete" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
The +a mode strives to maintain correct canonical form for the
ACL.
local deny
local allow
inherited deny
inherited allow
By default, chmod adds entries to the top of the local deny and
local allow lists. Inherited entries are added by using the +ai
mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
++aa## When a specific ordering is required, the exact location at which
an entry will be inserted is specified with the +a# mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 "others deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: others deny read
3: admin allow write
The +ai# mode may be used to insert inherited entries at a spe-
cific location. Note that these modes allow non-canonical ACL
ordering to be constructed.
--aa The -a mode is used to delete ACL entries. All entries exactly
matching the supplied entry will be deleted. If the entry lists a
subset of rights granted by an entry, only the rights listed are
removed. Entries may also be deleted by index using the -a# mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,delete
# chmod -a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
Inheritance is not considered when processing the -a mode; rights
and entries will be removed regardless of their inherited state.
==aa## Individual entries are rewritten using the =a# mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
# chmod =a# 1 "admin allow write,chown"
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,chown
This mode may not be used to add new entries.
--EE Reads the ACL information from stdin, as a sequential list of
ACEs, separated by newlines. If the information parses cor-
rectly, the existing information is replaced.
-CC Returns false if any of the named files have ACLs in non-canoni
cal order.
--ii Removes the 'inherited' bit from all entries in the named file(s)
ACLs.
--II Removes all inherited entries from the named file(s) ACL.
--NN Removes the ACL from the named file(s).
CCOOMMPPAATTIIBBIILLIITTYY
The --vv option is non-standard and its use in scripts is not recommended.
SSEEEE AALLSSOO
chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3),
setmode(3), symlink(7), chown(8), mount(8), sticky(8)
SSTTAANNDDAARRDDSS
The cchhmmoodd utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compat-
ible with the exception of the _p_e_r_m symbol ``t'' which is not included in
that standard.
HHIISSTTOORRYY
A cchhmmoodd command appeared in Version 1 AT&T UNIX.
BSD July 08, 2004 BSD
Reader Comments (3)
CHMOD(1) BSD General Commands Manual CHMOD(1)
NNAAMMEE
cchhmmoodd -- change file modes or Access Control Lists
SSYYNNOOPPSSIISS
cchhmmoodd [--ffvv] [--RR [--HH | --LL | --PP]] _m_o_d_e _f_i_l_e _._._.
cchhmmoodd [--ffvv] [--RR [--HH | --LL | --PP]] [-a | +a | =a] _A_C_E _f_i_l_e _._._.
cchhmmoodd [--ffhhvv] [--RR [--HH | --LL | --PP]] [--EE] _f_i_l_e _._._.
cchhmmoodd [--ffhhvv] [--RR [--HH | --LL | --PP]] [--CC] _f_i_l_e _._._.
cchhmmoodd [--ffhhvv] [--RR [--HH | --LL | --PP]] [--NN] _f_i_l_e _._._.
DDEESSCCRRIIPPTTIIOONN
The cchhmmoodd utility modifies the file mode bits of the listed files as
specified by the _m_o_d_e operand. It may also be used to modify the Access
Control Lists (ACLs) associated with the listed files.
The generic options are as follows:
--ff Do not display a diagnostic message if cchhmmoodd could not modify the
mode for _f_i_l_e.
--HH If the --RR option is specified, symbolic links on the command line
are followed. (Symbolic links encountered in the tree traversal
are not followed by default.)
--hh If the file is a symbolic link, change the mode of the link
itself rather than the file that the link points to.
--LL If the --RR option is specified, all symbolic links are followed.
--PP If the --RR option is specified, no symbolic links are followed.
This is the default.
--RR Change the modes of the file hierarchies rooted in the files
instead of just the files themselves.
--vv Cause cchhmmoodd to be verbose, showing filenames as the mode is modi-
fied. If the --vv flag is specified more than once, the old and
new modes of the file will also be printed, in both octal and
symbolic notation.
The --HH, --LL and --PP options are ignored unless the --RR option is specified.
In addition, these options override each other and the command's actions
are determined by the last one specified.
Only the owner of a file or the super-user is permitted to change the
mode of a file.
DDIIAAGGNNOOSSTTIICCSS
The cchhmmoodd utility exits 0 on success, and >0 if an error occurs.
MMOODDEESS
Modes may be absolute or symbolic. An absolute mode is an octal number
constructed from the sum of one or more of the following values:
4000 (the set-user-ID-on-execution bit) Executable files with
this bit set will run with effective uid set to the uid of
the file owner. Directories with the set-user-id bit set
will force all files and sub-directories created in them to
be owned by the directory owner and not by the uid of the
creating process, if the underlying file system supports
this feature: see chmod(2) and the _s_u_i_d_d_i_r option to
mount(8).
2000 (the set-group-ID-on-execution bit) Executable files with
this bit set will run with effective gid set to the gid of
the file owner.
1000 (the sticky bit) See chmod(2) and sticky(8).
0400 Allow read by owner.
0200 Allow write by owner.
0100 For files, allow execution by owner. For directories,
allow the owner to search in the directory.
0040 Allow read by group members.
0020 Allow write by group members.
0010 For files, allow execution by group members. For directo-
ries, allow group members to search in the directory.
0004 Allow read by others.
0002 Allow write by others.
0001 For files, allow execution by others. For directories
allow others to search in the directory.
For example, the absolute mode that permits read, write and execute by
the owner, read and execute by group members, read and execute by others,
and no set-uid or set-gid behaviour is 755 (400+200+100+040+010+004+001).
The symbolic mode is described by the following grammar:
mode ::= clause [, clause ...]
clause ::= [who ...] [action ...] action
action ::= op [perm ...]
who ::= a | u | g | o
op ::= + | - | =
perm ::= r | s | t | w | x | X | u | g | o
The _w_h_o symbols ``u'', ``g'', and ``o'' specify the user, group, and
other parts of the mode bits, respectively. The _w_h_o symbol ``a'' is
equivalent to ``ugo''.
The _p_e_r_m symbols represent the portions of the mode bits as follows:
r The read bits.
s The set-user-ID-on-execution and set-group-ID-on-execution
bits.
t The sticky bit.
w The write bits.
x The execute/search bits.
X The execute/search bits if the file is a directory or any
of the execute/search bits are set in the original (unmodi-
fied) mode. Operations with the _p_e_r_m symbol ``X'' are only
meaningful in conjunction with the _o_p symbol ``+'', and are
ignored in all other cases.
u The user permission bits in the original mode of the file.
g The group permission bits in the original mode of the file.
o The other permission bits in the original mode of the file.
The _o_p symbols represent the operation performed, as follows:
+ If no value is supplied for _p_e_r_m, the ``+'' operation has no
effect. If no value is supplied for _w_h_o, each permission bit spec-
ified in _p_e_r_m, for which the corresponding bit in the file mode
creation mask is clear, is set. Otherwise, the mode bits repre-
sented by the specified _w_h_o and _p_e_r_m values are set.
- If no value is supplied for _p_e_r_m, the ``-'' operation has no
effect. If no value is supplied for _w_h_o, each permission bit spec-
ified in _p_e_r_m, for which the corresponding bit in the file mode
creation mask is clear, is cleared. Otherwise, the mode bits rep-
resented by the specified _w_h_o and _p_e_r_m values are cleared.
= The mode bits specified by the _w_h_o value are cleared, or, if no who
value is specified, the owner, group and other mode bits are
cleared. Then, if no value is supplied for _w_h_o, each permission
bit specified in _p_e_r_m, for which the corresponding bit in the file
mode creation mask is clear, is set. Otherwise, the mode bits rep-
resented by the specified _w_h_o and _p_e_r_m values are set.
Each _c_l_a_u_s_e specifies one or more operations to be performed on the mode
bits, and each operation is applied to the mode bits in the order speci-
fied.
Operations upon the other permissions only (specified by the symbol ``o''
by itself), in combination with the _p_e_r_m symbols ``s'' or ``t'', are
ignored.
EEXXAAMMPPLLEESS OOFF VVAALLIIDD MMOODDEESS
644 make a file readable by anyone and writable by the owner
only.
go-w deny write permission to group and others.
=rw,+X set the read and write permissions to the usual defaults,
but retain any execute permissions that are currently set.
+X make a directory or file searchable/executable by everyone
if it is already searchable/executable by anyone.
755
u=rwx,go=rx
u=rwx,go=u-w make a file readable/executable by everyone and writable by
the owner only.
go= clear all mode bits for group and others.
g=u-w set the group bits equal to the user bits, but clear the
group write bit.
AACCLL MMAANNIIPPUULLAATTIIOONN OOPPTTIIOONNSS
ACLs are manipulated using extensions to the symbolic mode grammar. Each
file has one ACL, containing an ordered list of entries. Each entry
refers to a user or group, and grants or denies a set of permissions. In
cases where a user and a group exist with the same name, the user/group
name can be prefixed with "user:" or "group:" in order to specify the
type of name.
The following permissions are applicable to all filesystem objects:
delete Delete the item. Deletion may be granted by either this
permission on an object or the delete_child right on the
containing directory.
readattr
Read an objects basic attributes. This is implicitly
granted if the object can be looked up and not explicitly
denied.
writeattr
Write an object's basic attributes.
readextattr
Read extended attributes.
writeextattr
Write extended attributes.
readsecurity
Read an object's extended security information (ACL).
writesecurity
Write an object's security information (ownership, mode,
ACL).
chown Change an object's ownership.
The following permissions are applicable to directories:
list List entries.
search Look up files by name.
add_file
Add a file.
add_subdirectory
Add a subdirectory.
delete_child
Delete a contained object. See the file delete permission
above.
The following permissions are applicable to non-directory filesystem
objects:
read Open for reading.
write Open for writing.
append Open for writing, but in a fashion that only allows writes
into areas of the file not previously written.
execute
Execute the file as a script or program.
ACL inheritance is controlled with the following permissions words, which
may only be applied to directories:
file_inherit
Inherit to files.
directory_inherit
Inherit to directories.
limit_inherit
This flag is only relevant to entries inherited by subdi-
rectories; it causes the directory_inherit flag to be
cleared in the entry that is inherited, preventing further
nested subdirectories from also inheriting the entry.
only_inherit
The entry is inherited by created items but not considered
when processing the ACL.
The ACL manipulation options are as follows:
++aa The +a mode parses a new ACL entry from the next argument on the
commandline and inserts it into the canonical location in the
ACL. If the supplied entry refers to an identity already listed,
the two entries are combined.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
# chmod +a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write
# chmod +a "guest deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a "admin allow delete" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
The +a mode strives to maintain correct canonical form for the
ACL.
local deny
local allow
inherited deny
inherited allow
By default, chmod adds entries to the top of the local deny and
local allow lists. Inherited entries are added by using the +ai
mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
++aa## When a specific ordering is required, the exact location at which
an entry will be inserted is specified with the +a# mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 "others deny read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: others deny read
3: admin allow write
The +ai# mode may be used to insert inherited entries at a spe-
cific location. Note that these modes allow non-canonical ACL
ordering to be constructed.
--aa The -a mode is used to delete ACL entries. All entries exactly
matching the supplied entry will be deleted. If the entry lists a
subset of rights granted by an entry, only the rights listed are
removed. Entries may also be deleted by index using the -a# mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,delete
# chmod -a "admin allow write" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
Inheritance is not considered when processing the -a mode; rights
and entries will be removed regardless of their inherited state.
==aa## Individual entries are rewritten using the =a# mode.
EExxaammpplleess
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow delete
# chmod =a# 1 "admin allow write,chown"
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: admin allow write,chown
This mode may not be used to add new entries.
--EE Reads the ACL information from stdin, as a sequential list of
ACEs, separated by newlines. If the information parses cor-
rectly, the existing information is replaced.
--CC Returns false if any of the named files have ACLs in non-canoni-
cal order.
--ii Removes the 'inherited' bit from all entries in the named file(s)
ACLs.
--II Removes all inherited entries from the named file(s) ACL(s).
--NN Removes the ACL from the named file(s).
CCOOMMPPAATTIIBBIILLIITTYY
The --vv option is non-standard and its use in scripts is not recommended.
SSEEEE AALLSSOO
chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3),
setmode(3), symlink(7), chown(8), mount(8), sticky(8)
SSTTAANNDDAARRDDSS
The cchhmmoodd utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compat-
ible with the exception of the _p_e_r_m symbol ``t'' which is not included in
that standard.
HHIISSTTOORRYY
A cchhmmoodd command appeared in Version 1 AT&T UNIX.
BSD July 08, 2004 BSD