More updates.

(This used to be commit b546de20f793aeec7739ef32451d72582175ae58)
author: John Terpstra <jht@samba.org> 2005-07-08 10:16:53 +0000
committer: Gerald W. Carter <jerry@samba.org> 2008-04-23 08:47:04 -0500
commit: 97e3e540f72021d81b34f7597506da6cdc552b8a (patch)
tree: 0fbf5ca9ee58fead3c6ac25d60d27ffe25aeebf6 /docs/smbdotconf/security
parent: 9953c886c64bd94778d8b78aea4699748a15abac (diff)
download: samba-97e3e540f72021d81b34f7597506da6cdc552b8a.tar.gz
samba-97e3e540f72021d81b34f7597506da6cdc552b8a.tar.bz2
samba-97e3e540f72021d81b34f7597506da6cdc552b8a.zip
6 files changed, 100 insertions, 75 deletions
diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml
index 7f9f93caaa..cf6864c78e 100644
--- a/docs/smbdotconf/security/createmask.xml
+++ b/docs/smbdotconf/security/createmask.xml
@@ -5,27 +5,33 @@
 
 <synonym>create mode</synonym>
 <description>
-    <para>When a file is created, the necessary permissions are 
-    calculated according to the mapping from DOS modes to UNIX 
-    permissions, and the resulting UNIX mode is then bit-wise 'AND'ed 
-    with this parameter. This parameter may be thought of as a bit-wise 
-    MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> 
-    set here will be removed from the modes set on a file when it is 
-    created.</para>
+    <para>
+	When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
+	UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may
+	be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will
+	be removed from the modes set on a file when it is created.
+	</para>
 
-    <para>The default value of this parameter removes the 
-    'group' and 'other' write and execute bits from the UNIX modes.</para>
+    <para>
+	The default value of this parameter removes the <literal>group</literal> and <literal>other</literal>
+	write and execute bits from the UNIX modes.
+	</para>
 
-    <para>Following this Samba will bit-wise 'OR' the UNIX mode created 
-    from this parameter with the value of the <smbconfoption name="force create mode"/>
-    parameter which is set to 000 by default.</para>
+    <para>
+	Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
+	<smbconfoption name="force create mode"/> parameter which is set to 000 by default.
+	</para>
 
-    <para>This parameter does not affect directory modes. See the 
-    parameter <smbconfoption name="directory mode"/> for details.</para>
+    <para>
+	This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
+	for details.
+	</para>
 
-    <para>Note that this parameter does not apply to permissions
-    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
-    a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para>
+    <para>
+	Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
+	administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
+	name="security mask"/>.
+	</para>
 </description>
 
 <related>force create mode</related>
diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml
index 414239bcff..7b67f79214 100644
--- a/docs/smbdotconf/security/directorymask.xml
+++ b/docs/smbdotconf/security/directorymask.xml
@@ -30,7 +30,7 @@
 </description>
 
 <related>force directory mode</related>
-<related>create mode</related>
+<related>create mask</related>
 <related>directory security mask</related>
 <related>inherit permissions</related>
 <value type="default">0755</value>
diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml
index 5511cd1700..a16f275698 100644
--- a/docs/smbdotconf/security/directorysecuritymask.xml
+++ b/docs/smbdotconf/security/directorysecuritymask.xml
@@ -8,11 +8,12 @@
     permission on a directory using the native NT security dialog 
     box.</para>
 
-    <para>This parameter is applied as a mask (AND'ed with) to 
-    the changed permission bits, thus preventing any bits not in 
-    this mask from being modified. Essentially, zero bits in this 
-    mask may be treated as a set of bits the user is not allowed 
-    to change.</para>
+    <para>
+	This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+	in this mask from being modified.  Make sure not to mix up this parameter with <smbconfoption name="force
+	directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
+	Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+	</para>
 
     <para>If not set explicitly this parameter is set to 0777
     meaning a user is allowed to modify all the user/group/world
diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml
index 184337ba69..2c15ec2753 100644
--- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -3,25 +3,33 @@
 				 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter controls what UNIX permission bits 
-    can be modified when a Windows NT client is manipulating the UNIX 
-    permission on a directory using the native NT security dialog box.</para>
-
-    <para>This parameter is applied as a mask (OR'ed with) to the 
-    changed permission bits, thus forcing any bits in this mask that 
-    the user may have modified to be on. Essentially, one bits in this 
-    mask may be treated as a set of bits that, when modifying security 
-    on a directory, the user has always set to be 'on'.</para>
-
-    <para>If not set explicitly this parameter is 000, which 
-    allows a user to modify all the user/group/world permissions on a 
-    directory without restrictions.</para>
-
-    <note><para>Users who can access the 
-    Samba server through other means can easily bypass this restriction, 
-    so it is primarily useful for standalone &quot;appliance&quot; systems.  
-    Administrators of most normal systems will probably want to leave
-	it set as 0000.</para></note>
+    <para>
+	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
+	the UNIX permission on a directory using the native NT security dialog box.
+	</para>
+
+    <para>
+	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
+	name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
+	of an OR. 
+	</para>
+
+	<para>
+	Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, 
+	to will enable (1) any flags that are off (0) but which the mask has set to on (1).
+	</para>
+
+    <para>
+	If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
+	permissions on a directory without restrictions.
+	</para>
+
+    <note><para>
+	Users who can access the Samba server through other means can easily bypass this restriction, so it is
+	primarily useful for standalone &quot;appliance&quot; systems.  Administrators of most normal systems will
+	probably want to leave it set as 0000.
+	</para></note>
 
 </description>
 
diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml
index 98de6fa401..7451ef91ae 100644
--- a/docs/smbdotconf/security/forcesecuritymode.xml
+++ b/docs/smbdotconf/security/forcesecuritymode.xml
@@ -3,26 +3,32 @@
 				 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter controls what UNIX permission 
-    bits can be modified when a Windows NT client is manipulating 
-    the UNIX permission on a file using the native NT security dialog 
-    box.</para>
+    <para>
+	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating 
+    the UNIX permission on a file using the native NT security dialog box.
+	</para>
 		
-    <para>This parameter is applied as a mask (OR'ed with) to the 
-    changed permission bits, thus forcing any bits in this mask that 
-    the user may have modified to be on. Essentially, one bits in this 
-    mask may be treated as a set of bits that, when modifying security 
-    on a file, the user has always set to be 'on'.</para>
+    <para>
+	This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+	mask that the user may have modified to be on.  Make sure not to mix up this parameter with <smbconfoption
+	name="security mask"/>, which works similar like this one but uses logical AND instead of OR. 
+	</para>
 
-    <para>If not set explicitly this parameter is set to 0,
-    and allows a user to modify all the user/group/world permissions on a file,
-    with no restrictions.</para>
+	<para>
+	Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
+	the user has always set to be on.
+	</para>
+
+    <para>
+	If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
+	permissions on a file, with no restrictions.
+	</para>
 		
-    <para><emphasis>Note</emphasis> that users who can access 
-    the Samba server through other means can easily bypass this restriction, 
-    so it is primarily useful for standalone &quot;appliance&quot; systems.  
-    Administrators of most normal systems will probably want to leave
-    this set to 0000.</para>
+    <para><emphasis>
+	Note</emphasis> that users who can access the Samba server through other means can easily bypass this
+	restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of most
+	normal systems will probably want to leave this set to 0000.
+	</para>
 
 </description>
 
diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml
index de3dd29753..d41d6bddae 100644
--- a/docs/smbdotconf/security/securitymask.xml
+++ b/docs/smbdotconf/security/securitymask.xml
@@ -3,26 +3,30 @@
 				 type="string"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This parameter controls what UNIX permission 
-    bits can be modified when a Windows NT client is manipulating 
-    the UNIX permission on a file using the native NT security 
-    dialog box.</para>
+    <para>
+	This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
+	UNIX permission on a file using the native NT security dialog box.
+	</para>
 
-    <para>This parameter is applied as a mask (AND'ed with) to 
-    the changed permission bits, thus preventing any bits not in 
-    this mask from being modified. Essentially, zero bits in this 
-    mask may be treated as a set of bits the user is not allowed 
-    to change.</para>
+    <para>
+	This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+	in this mask from being modified.  Make sure not to mix up this parameter with <smbconfoption name="force
+	security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. 
+	</para>
 
-    <para>If not set explicitly this parameter is 0777, allowing
-    a user to modify all the user/group/world permissions on a file.
+	<para>
+	Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+	</para>
+
+    <para>
+	If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
     </para>
 
-    <para><emphasis>Note</emphasis> that users who can access the 
-    Samba server through other means can easily bypass this 
-    restriction, so it is primarily useful for standalone 
-    &quot;appliance&quot; systems.  Administrators of most normal systems will 
-	probably want to leave it set to <constant>0777</constant>.</para>
+    <para><emphasis>
+	Note</emphasis> that users who can access the Samba server through other means can easily bypass this 
+    restriction, so it is primarily useful for standalone &quot;appliance&quot; systems.  Administrators of
+	most normal systems will probably want to leave it set to <constant>0777</constant>.
+	</para>
 </description>
 
 <related>force directory security mode</related>
author	John Terpstra <jht@samba.org>	2005-07-08 10:16:53 +0000
committer	Gerald W. Carter <jerry@samba.org>	2008-04-23 08:47:04 -0500
commit	97e3e540f72021d81b34f7597506da6cdc552b8a (patch)
tree	0fbf5ca9ee58fead3c6ac25d60d27ffe25aeebf6 /docs/smbdotconf/security
parent	9953c886c64bd94778d8b78aea4699748a15abac (diff)
download	samba-97e3e540f72021d81b34f7597506da6cdc552b8a.tar.gz samba-97e3e540f72021d81b34f7597506da6cdc552b8a.tar.bz2 samba-97e3e540f72021d81b34f7597506da6cdc552b8a.zip