Updated smbcacls documentation.

(This used to be commit bd87398b5a9421add8db8b455d02ccd6b2624f58)

3 files changed, 237 insertions, 28 deletions

diff --git a/docs/htmldocs/smbcacls.1.html b/docs/htmldocs/smbcacls.1.html
index a48330c5b6..b7a048a1f3 100644
--- a/docs/htmldocs/smbcacls.1.html
+++ b/docs/htmldocs/smbcacls.1.html
@@ -17,7 +17,7 @@
     
 <p><a name="NAME"></a>
 <h2>NAME</h2>
-    smbcacls - Set or get ACLs on an NT file
+    smbcacls - Set or get ACLs on an NT file or directory 
 <p><a name="SYNOPSIS"></a>
 <h2>SYNOPSIS</h2>
      
@@ -33,24 +33,27 @@ SMB file shares.
 <p><a name="OPTIONS"></a>
 <h2>OPTIONS</h2>
     
-<p>The following options are available to the <strong>smbcacls</strong> program:
+<p>The following options are available to the <strong>smbcacls</strong> program.  The
+format of ACLs is described in the section <a href="smbcacls.1.html#ACLFORMAT">ACL FORMAT</a>
 <p><dl>
 <p><a name="minusA"></a>
 <p></p><dt><strong><strong>-A acls</strong></strong><dd>
-<p>Add the ACLs specified to the ACL list.
+<p>Add the ACLs specified to the ACL list.  Existing access control entries
+are unchanged.
 <p><a name="minusM"></a>
 <p></p><dt><strong><strong>-M acls</strong></strong><dd>
 <p>Modify the mask value (permissions) for the ACLs specified on the command
-line.  An error will be printed if the ACL specified is not already present
-in the ACL list
+line.  An error will be printed for each ACL specified that was not already
+present in the ACL list.
 <p><a name="minusD"></a>
 <p></p><dt><strong><strong>-D acls</strong></strong><dd>
-<p>Delete any ACLs specfied on the command line.  An error is printed if any
-of the ACLs specified are not present in the ACL list.
+<p>Delete any ACLs specfied on the command line.  An error will be printed for
+each ACL specified that was not already present in the ACL list.
 <p><a name="minusS"></a>
 <p></p><dt><strong><strong>-S acls</strong></strong><dd>
-<p>This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line.
+<p>This command sets the ACLs on the file with only the ones specified on the
+command line.  All other ACLs are erased.  Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed.
 <p><a name="minusU"></a>
 <p></p><dt><strong><strong>-U username</strong></strong><dd>
 <p>Specifies a username used to connect to the specified service.  The
@@ -68,6 +71,58 @@ format.
 <p></p><dt><strong><strong>-h</strong></strong><dd>
 <p>Print usage information on the <strong>smbcacls</strong> program
 <p></dl>
+<p><a name="ACLFORMAT"></a>
+<h2>ACL FORMAT</h2>
+    
+<p>The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines.  An ACL entry is one of the following:
+<p><pre>
+
+REVISION:&lt;revision number&gt;
+OWNER:&lt;sid or name&gt;
+GROUP:&lt;sid or name&gt;
+ACL:&lt;sid or name&gt;:&lt;type&gt;/&lt;flags&gt;/&lt;mask&gt;
+</pre>
+
+<p>The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor.  If not specified it defaults to 1.
+<p>The owner and group specify the owner and group sids for the object.  If a
+SID in the format <code>S-1-x-y-z</code> is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides. 
+<p>ACLs specify permissions granted to the SID.  This SID again can be
+specified in <code>S-1-x-y-z</code> format or as a name in which case it is resolved
+against the server on which the file or directory resides.  The type, flags
+and mask values determine the type of access granted to the SID.
+<p>The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID.  The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs.  Some common flags are:
+<p><pre>
+
+#define SEC_ACE_FLAG_OBJECT_INHERIT     	0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT  	0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY       	0x8
+</pre>
+
+<p>The mask is a value which expresses the access right granted to
+the SID.  It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name. 
+<p><dl>
+<p><p></p><dt><strong></strong><dd> <code>R</code> 	Allow read access
+<p><p></p><dt><strong></strong><dd> <code>W</code> 	Allow write access
+<p><p></p><dt><strong></strong><dd> <code>X</code> 	Execute permission on the object
+<p><p></p><dt><strong></strong><dd> <code>D</code> 	Delete the object
+<p><p></p><dt><strong></strong><dd> <code>P</code> 	Change permissions
+<p><p></p><dt><strong></strong><dd> <code>O</code>	Take ownership
+<p></dl>
+<p>The following combined permissions can be specified:
+<p><dl>
+<p><p></p><dt><strong></strong><dd> <code>READ</code>	 Equivalent to <code>RX</code> permissions
+<p></p><dt><strong></strong><dd> <code>CHANGE</code> Equivalent to <code>RXWD</code> permissions
+<p></p><dt><strong></strong><dd> <code>FULL</code>   Equivalent to <code>RWXDPO</code> permissions
+<p></dl>
 <p><a name="EXITSTATUS"></a>
 <h2>EXIT STATUS</h2>
     
diff --git a/docs/manpages/smbcacls.1 b/docs/manpages/smbcacls.1
index 69e9a92ef4..52b6a6ce3f 100644
--- a/docs/manpages/smbcacls.1
+++ b/docs/manpages/smbcacls.1
@@ -1,7 +1,7 @@
 .TH "smbcacls " "1" "3 Dec 2000" "Samba" "SAMBA" 
 .PP 
 .SH "NAME" 
-smbcacls \- Set or get ACLs on an NT file
+smbcacls \- Set or get ACLs on an NT file or directory 
 .PP 
 .SH "SYNOPSIS" 
 .PP 
@@ -17,28 +17,31 @@ SMB file shares\&.
 .PP 
 .SH "OPTIONS" 
 .PP 
-The following options are available to the \fBsmbcacls\fP program:
+The following options are available to the \fBsmbcacls\fP program\&.  The
+format of ACLs is described in the section ACL FORMAT
 .PP 
 .IP 
 .IP "\fB-A acls\fP" 
 .IP 
-Add the ACLs specified to the ACL list\&.
+Add the ACLs specified to the ACL list\&.  Existing access control entries
+are unchanged\&.
 .IP 
 .IP "\fB-M acls\fP" 
 .IP 
 Modify the mask value (permissions) for the ACLs specified on the command
-line\&.  An error will be printed if the ACL specified is not already present
-in the ACL list
+line\&.  An error will be printed for each ACL specified that was not already
+present in the ACL list\&.
 .IP 
 .IP "\fB-D acls\fP" 
 .IP 
-Delete any ACLs specfied on the command line\&.  An error is printed if any
-of the ACLs specified are not present in the ACL list\&.
+Delete any ACLs specfied on the command line\&.  An error will be printed for
+each ACL specified that was not already present in the ACL list\&.
 .IP 
 .IP "\fB-S acls\fP" 
 .IP 
-This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line\&.
+This command sets the ACLs on the file with only the ones specified on the
+command line\&.  All other ACLs are erased\&.  Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed\&.
 .IP 
 .IP "\fB-U username\fP" 
 .IP 
@@ -60,6 +63,88 @@ format\&.
 Print usage information on the \fBsmbcacls\fP program
 .IP 
 .PP 
+.SH "ACL FORMAT" 
+.PP 
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines\&.  An ACL entry is one of the following:
+.PP 
+
+.nf 
+ 
+
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+.fi 
+ 
+
+.PP 
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor\&.  If not specified it defaults to 1\&.
+.PP 
+The owner and group specify the owner and group sids for the object\&.  If a
+SID in the format \f(CWS-1-x-y-z\fP is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides\&. 
+.PP 
+ACLs specify permissions granted to the SID\&.  This SID again can be
+specified in \f(CWS-1-x-y-z\fP format or as a name in which case it is resolved
+against the server on which the file or directory resides\&.  The type, flags
+and mask values determine the type of access granted to the SID\&.
+.PP 
+The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID\&.  The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs\&.  Some common flags are:
+.PP 
+
+.nf 
+ 
+
+#define SEC_ACE_FLAG_OBJECT_INHERIT     	0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT  	0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY       	0x8
+.fi 
+ 
+
+.PP 
+The mask is a value which expresses the access right granted to
+the SID\&.  It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name\&. 
+.PP 
+.IP 
+.IP "" 
+\f(CWR\fP 	Allow read access
+.IP 
+.IP "" 
+\f(CWW\fP 	Allow write access
+.IP 
+.IP "" 
+\f(CWX\fP 	Execute permission on the object
+.IP 
+.IP "" 
+\f(CWD\fP 	Delete the object
+.IP 
+.IP "" 
+\f(CWP\fP 	Change permissions
+.IP 
+.IP "" 
+\f(CWO\fP	Take ownership
+.IP 
+.PP 
+The following combined permissions can be specified:
+.PP 
+.IP 
+.IP "" 
+\f(CWREAD\fP	 Equivalent to \f(CWRX\fP permissions
+.IP "" 
+\f(CWCHANGE\fP Equivalent to \f(CWRXWD\fP permissions
+.IP "" 
+\f(CWFULL\fP   Equivalent to \f(CWRWXDPO\fP permissions
+.IP 
+.PP 
 .SH "EXIT STATUS" 
 .PP 
 .SH "AUTHOR" 
diff --git a/docs/yodldocs/smbcacls.1.yo b/docs/yodldocs/smbcacls.1.yo
index d95ca6d387..249042ce2c 100644
--- a/docs/yodldocs/smbcacls.1.yo
+++ b/docs/yodldocs/smbcacls.1.yo
@@ -1,7 +1,7 @@
 manpage(smbcacls htmlcommand((1)))(1)(3 Dec 2000)(Samba)(SAMBA)
 
 label(NAME)
-manpagename(smbcacls)(Set or get ACLs on an NT file)
+manpagename(smbcacls)(Set or get ACLs on an NT file or directory )
 
 label(SYNOPSIS)
 manpagesynopsis() 
@@ -20,33 +20,36 @@ SMB file shares.
 label(OPTIONS)
 manpageoptions()
 
-The following options are available to the bf(smbcacls) program:
+The following options are available to the bf(smbcacls) program.  The
+format of ACLs is described in the section link(ACL FORMAT)(ACLFORMAT)
 
 startdit()
 
 label(minusA)
 dit(bf(-A acls))
 
-Add the ACLs specified to the ACL list.
+Add the ACLs specified to the ACL list.  Existing access control entries
+are unchanged.
 
 label(minusM)
 dit(bf(-M acls))
 
 Modify the mask value (permissions) for the ACLs specified on the command
-line.  An error will be printed if the ACL specified is not already present
-in the ACL list
+line.  An error will be printed for each ACL specified that was not already
+present in the ACL list.
 
 label(minusD)
 dit(bf(-D acls))
 
-Delete any ACLs specfied on the command line.  An error is printed if any
-of the ACLs specified are not present in the ACL list.
+Delete any ACLs specfied on the command line.  An error will be printed for
+each ACL specified that was not already present in the ACL list.
 
 label(minusS)
 dit(bf(-S acls))
 
-This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line.
+This command sets the ACLs on the file with only the ones specified on the
+command line.  All other ACLs are erased.  Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed.
 
 label(minusU)
 dit(bf(-U username))
@@ -72,7 +75,73 @@ Print usage information on the bf(smbcacls) program
 
 enddit()
 
-label(EXIT STATUS)
+label(ACLFORMAT)
+manpagesection(ACL FORMAT)
+
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines.  An ACL entry is one of the following:
+
+verb(
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>)
+
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor.  If not specified it defaults to 1.
+
+The owner and group specify the owner and group sids for the object.  If a
+SID in the format tt(S-1-x-y-z) is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides. 
+
+ACLs specify permissions granted to the SID.  This SID again can be
+specified in tt(S-1-x-y-z) format or as a name in which case it is resolved
+against the server on which the file or directory resides.  The type, flags
+and mask values determine the type of access granted to the SID.
+
+The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID.  The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs.  Some common flags are:
+
+verb(
+#define SEC_ACE_FLAG_OBJECT_INHERIT     	0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT  	0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT       0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY       	0x8)
+
+The mask is a value which expresses the access right granted to
+the SID.  It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name. 
+
+startdit()
+
+dit() tt(R) 	Allow read access
+
+dit() tt(W) 	Allow write access
+
+dit() tt(X) 	Execute permission on the object
+
+dit() tt(D) 	Delete the object
+
+dit() tt(P) 	Change permissions
+
+dit() tt(O)	Take ownership
+
+enddit()
+
+The following combined permissions can be specified:
+
+startdit()
+
+dit() tt(READ)	 Equivalent to tt(RX) permissions
+dit() tt(CHANGE) Equivalent to tt(RXWD) permissions
+dit() tt(FULL)   Equivalent to tt(RWXDPO) permissions
+
+enddit()
+
+label(EXITSTATUS)
 manpagesection(EXIT STATUS)
 
 label(AUTHOR)