Added chattr attributes; improved formatting, grammar, capitalization, punctuation, etc.; tweaked wording; added some clarification and explanation.

    chmod octal-mode files...
    chmod [references][[operator][modes]] files...

references is a combination of the letters ugoa, which specify which user's access to the files will be modified:

  • u the user who owns it
  • g other users in the file's group
  • o other users not in the file's group
  • a all users

If omitted, it defaults to all users, but only permissions allowed by the umask are modified.

operator is one of the characters +-=:

  • + adds the specified file mode bits to the existing file mode bits of each file
  • - removes the specified file mode bits from the existing file mode bits of each file
  • = adds the specified bits and removes unspecified bits, except the setuid and setgid bits set for directories, unless explicitly specified.

mode consists of a combination of the letters rwxXst, which specify which permission bits are to be modified:

  • r read
  • w write
  • x (lower case X) execute (or search for directories)
  • X (capital) execute/traverse only if the file is a directory or already has an execute bit set for some user category
  • s setuid or setgid (depending on the specified references)
  • t restricted deletion flag or sticky bit

Alternatively, the mode can consist of one of the letters ugo, in which case the mode corresponds to the permissions currently granted to the owner (u), members of the file's group (g) or users in neither of the preceding categories (o).

  • Access control (see also setfacl)
    • rwx — read (r), write (w), and execute/traverse (x) permissions
      • Read (r) affects if a file can be read, or if a directory can be listed.
      • Write (w) affects if a file can be written to, or if a directory can be modified (files added, deleted, renamed).
      • Execute (x) affects if a file can be run; used for scripts and other executable files.
      • Traverse (x), also known as "search", affects whether a directory can be traversed; i.e., whether a process can access (or try to access) file system objects through entries in this directory.
    • s and t — sticky bit (t), and setgid (s) on directories
      • The sticky bit only affects directories. It prevents anyone except the file owner and root from deleting files in the directory.
      • The setgid bit on directories will cause new files and directories to have the group set to the same group, and new directories to have their setgid bit set (see also defaults in setfacl).
    • s — setuid, setgid, on executable files
      • This can affect security in a bad way, if you don't know what you are doing.
      • When an executable is run, if one of these bits is set, then the user/group of the executable will become the effective user/group of the process.  Thus the program runs as that user.  See setcap for a more modern way to do this.
    chattr operator[attribute] files...

operator is one of the characters +-=:

  • + adds the selected attributes to the existing attributes of the files
  • - removes the selected attributes
  • = overwrites the current set of attributes the files have with the specified attributes.

attribute is a combination of the letters acdeijmstuxACDFPST, which correspond to the attributes:

  • a append only
  • c compressed
  • d no dump
  • e extent format
  • i immutable
  • j data journaling
  • m don't compress
  • s secure deletion
  • t no tail-merging
  • u undeletable
  • x direct access for files
  • A no atime updates
  • C no copy on write
  • D synchronous directory updates
  • F case-insensitive directory lookups
  • P project hierarchy
  • S synchronous updates
  • T top of directory hierarchy

There are restrictions on the use of many of these attributes.  For example, many of them can be set or cleared only by the superuser (i.e., root) or an otherwise privileged process.

    setfattr -n name -v value files...
    setfattr -x name files...

name is the name of the extended attribute to set or remove

value is the new value of the extended attribute

    setfacl option [default:][target:][param][:perms] files...

option must include one of the following:

target is one of the letters ugmo (or the longer forms shown below):

  • u, users permission of a named user identified by param, defaults to file owner UID if omitted
  • g, group permission of a named group identified by param, defaults to owning group GID if omitted
  • m, mask effective rights mask
  • o, other permissions of others

perms is a combination of the letters rwxX, which correspond to the permissions:

Alternatively, perms may be an octal digit (0-7) indicating the set of permissions.

    setcap capability-clause file

A capability-clause consists of a comma-separated list of capability names followed by a list of operator-flag pairs.

    chcon [-u user] [-r role] [-t type] files...

user is the SELinux user, such as user_u, system_u or root.

role is the SELinux role (always object_r for files)

type is the SELinux subject type

SMACK is Simplified Mandatory Access Control Kernel.

    chsmack -a value file

value is the SMACK label to be set for the SMACK64 extended file attribute

setrichacl: change rich access control list
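
The symbolic chmod forms described above (capital X, omitted references and the umask, a ugo letter used as the mode, setgid on directories) and a check for setuid/setgid files, as an added example that is not part of the original answer. The function names and scratch paths are constructed for illustration, and GNU coreutils on Linux is assumed:

```shell
#!/bin/sh
# Added example: every path is constructed under a mktemp scratch directory.
# Assumes Linux with GNU coreutils (chmod, stat -c); no root required.

mode_of() { stat -c '%a' "$1"; }   # octal mode of a path

# Capital X: give the group read access, but execute/traverse only on
# directories and on files that are already executable for someone.
demo_capital_x() {
    d=$(mktemp -d) && mkdir "$d/docs" || return 1
    : > "$d/docs/notes.txt"; : > "$d/docs/run.sh"
    chmod 700 "$d/docs" "$d/docs/run.sh"; chmod 600 "$d/docs/notes.txt"
    chmod -R g+rX "$d/docs"
    echo "$(mode_of "$d/docs") $(mode_of "$d/docs/notes.txt") $(mode_of "$d/docs/run.sh")"
    rm -rf "$d"
}

# Omitted references: only bits the umask allows are changed; "a" ignores it.
demo_umask_default() {
    d=$(mktemp -d) || return 1
    : > "$d/f1"; : > "$d/f2"; chmod 444 "$d/f1" "$d/f2"
    ( umask 027; chmod +w "$d/f1"; chmod a+w "$d/f2" )
    echo "$(mode_of "$d/f1") $(mode_of "$d/f2")"
    rm -rf "$d"
}

# A letter from ugo as the mode: copy the owner's current bits to the group.
demo_copy_owner_to_group() {
    d=$(mktemp -d) || return 1
    : > "$d/f"; chmod 640 "$d/f"
    chmod g=u "$d/f"
    mode_of "$d/f"
    rm -rf "$d"
}

# setgid on a directory: a new subdirectory inherits the bit.
demo_setgid_dir() {
    d=$(mktemp -d) || return 1
    chmod u=rwx,g=rwxs,o=rx "$d"
    ( umask 022; mkdir "$d/sub" )
    echo "$(mode_of "$d") $(mode_of "$d/sub")"
    rm -rf "$d"
}

# Audit check: list setuid/setgid regular files below the current directory.
find_privileged() { find . -type f \( -perm -4000 -o -perm -2000 \); }

demo_audit() {
    d=$(mktemp -d) || return 1
    : > "$d/tool"; : > "$d/plain"; chmod 755 "$d/tool" "$d/plain"
    chmod u+s "$d/tool"                      # mode is now 4755
    ( cd "$d" && find_privileged )
    rm -rf "$d"
}

echo "g+rX  dir / plain file / script : $(demo_capital_x)"
echo "+w vs a+w under umask 027       : $(demo_umask_default)"
echo "g=u on a 640 file               : $(demo_copy_owner_to_group)"
echo "setgid dir / new subdirectory   : $(demo_setgid_dir)"
echo "setuid/setgid files found       : $(demo_audit)"
```

Pointing the same find expression at a real tree such as /usr gives the list of setuid/setgid binaries to review against what the distribution is expected to ship.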

add stub of a missing bit
ctrl-alt-delor

chown chgrp:


chattr: change file attributes


added 1251 characters in body
ctrl-alt-delor

chmod: change file mode bits

The various bits of chmod explained:

  • Access control (see also setfacl)
    • rwx — read (r), write (w), and execute/cross (x) permissions.
      • Read (r) affects if a file can be read, or if a directory can be listed.
      • Write (w) affects if a file can be written to, or if a directory can be edited (files added, deleted, renamed).
      • Execute (x) affects if a file can be run; use for scripts (see #!) and other executable files.
      • Cross (x) affects if a directory can be traversed.
    • s and t — sticky bit (t), and setgid (s) on directories
      • The sticky bit only affects directories. It will prevent anyone except the file owner and root from deleting files in the directory.
      • The setgid bit on directories will cause new files and directories to have the group set to the same group, and new directories to have their setgid bit set (see also defaults in setfacl).
    • s — setuid, setgid, on executable files.
      • This can affect security in a bad way, if you don't know what you are doing.
      • When an executable is run, if one of these bits is set, then the effective user/group of the executable will become that of the file. Thus the program runs as that user. See setcap for a more modern way to do this.

chattr: change file attributes

Usage:

 chattr <operator><attribute> files... 

operator is one of the characters +-=:

setfattr: change extended file attributes

setfacl: change file access control lists

setcap: change file capabilities

chcon: change file SELinux security context

chsmack: change SMACK extended attributes

setrichacl: change rich access control list.

richacls are a feature that will add more advanced ACLs.

Currently a work in progress, so I can not tell you much about them. I have not used them.

See also this question Are there more advanced filesystem ACLs beyond traditional 'rwx' and POSIX ACL? and man page

add new (future) feature: richacl
ctrl-alt-delor
add brief explanation of usage for each command
Thomas Nyman
fix typo
Thomas Nyman
Thomas Nyman