diff options
-rw-r--r-- | docs/docbook/projdoc/AccessControls.xml | 243 |
1 files changed, 242 insertions, 1 deletions
diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml index 16057411e2..9c0b52638d 100644 --- a/docs/docbook/projdoc/AccessControls.xml +++ b/docs/docbook/projdoc/AccessControls.xml @@ -370,9 +370,250 @@ at how Samba helps to bridge the differences. <title>Share Definition Access Controls</title> <para> -Explain here about the smb.conf [share] Access Control parameters, Mode and Mask parameters, force user/group, valid/invalid users, etc. +The following parameters in the &smb.conf; file sections that define a share control or affect access controls. +Before using any of the following options please refer to the man page for &smb.conf;. </para> +<table frame='all'><title>User and Group Based Controls</title> +<tgroup cols='2'> + <thead> + <row> + <entry align="center">Control Parameter</entry> + <entry align="center">Description - Action - Notes</entry> + </row> + </thead> + <tbody> + <row> + <entry>admin users</entry> + <entry><para> + List of users who will be granted administrative privileges on the share. + They will do all file operations as the super-user (root). + Any user in this list will be able to do anything they like on the share, + irrespective of file permissions. + </para></entry> + </row> + <row> + <entry>force group</entry> + <entry><para> + Specifies a UNIX group name that will be assigned as the default primary group + for all users connecting to this service. + </para></entry> + </row> + <row> + <entry>force user</entry> + <entry><para> + Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. + This is useful for sharing files. Incorrect use can cause security problems. + </para></entry> + </row> + <row> + <entry>guest ok</entry> + <entry><para> + If this parameter is set for a service, then no password is required to connect to the service. Privileges will be + those of the guest account. + </para></entry> + </row> + <row> + <entry>invalid users</entry> + <entry><para> + List of users that should not be allowed to login to this service. + </para></entry> + </row> + <row> + <entry>only user</entry> + <entry><para> + Controls whether connections with usernames not in the user list will be allowed. + </para></entry> + </row> + <row> + <entry>read list</entry> + <entry><para> + List of users that are given read-only access to a service. Users in this list + will not be given write access, no matter what the read only option is set to. + </para></entry> + </row> + <row> + <entry>username</entry> + <entry><para> + Refer to the &smb.conf; man page for more information - this is a complex and potentially misused parameter. + </para></entry> + </row> + <row> + <entry>valid users</entry> + <entry><para> + List of users that should be allowed to login to this service. + </para></entry> + </row> + <row> + <entry>write list</entry> + <entry><para> + List of users that are given read-write access to a service. + </para></entry> + </row> + </tbody> +</tgroup> +</table> + +<para> +The following file and directory permission based controls, if misused, can result in considerable difficulty to +diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one +undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually +re-instroduce them in a controlled fashion. +</para> + +<table frame='all'><title>File and Directory Permission Based Controls</title> +<tgroup cols='2'> + <thead> + <row> + <entry align="center">Control Parameter</entry> + <entry align="center">Description - Action - Notes</entry> + </row> + </thead> + <tbody> + <row> + <entry>create mask</entry> + <entry><para> + Refer to the &smb.conf; man page. + </para></entry> + </row> + <row> + <entry>directory mask</entry> + <entry><para> + The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. + See also: directory security mask. + </para></entry></row> + <row> + <entry>dos filemode</entry> + <entry><para> + Enabling this parameter allows a user who has write access to the file to modify the permissions on it. + </para></entry> + </row> + <row> + <entry>force create mode</entry> + <entry><para> + This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. + </para></entry> + </row> + <row> + <entry>force directory mode</entry> + <entry><para> + This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. + </para></entry> + </row> + <row> + <entry>force directory security mode</entry> + <entry><para> + Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory + </para></entry> + </row> + <row> + <entry>force security mode</entry> + <entry><para> + Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. + </para></entry> + </row> + <row> + <entry>hide unreadable</entry> + <entry><para> + Prevents clients from seeing the existance of files that cannot be read. + </para></entry> + </row> + <row> + <entry>hide unwriteable files</entry> + <entry><para> + Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual. + </para></entry> + </row> + <row> + <entry>nt acl support</entry> + <entry><para> + This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists. + </para></entry> + </row> + <row> + <entry>security mask</entry> + <entry><para> + Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. + </para></entry> + </row> + </tbody> +</tgroup> +</table> + +<table frame='all'><title>Other Controls</title> +<tgroup cols='2'> + <thead> + <row> + <entry align="center">Control Parameter</entry> + <entry align="center">Description - Action - Notes</entry> + </row> + </thead> + <tbody> + <row> + <entry>case sensitive</entry> + <entry><para> + This means that all file name lookup will be done in a case sensitive manner. + Files will be created with the precise filename Samba received from the MS Windows client. + See also: default case, short preserve case. + </para></entry> + </row> + <row> + <entry>csc policy</entry> + <entry><para> + Client Side Caching Policy - parallels MS Windows client side file caching capabilities. + </para></entry> + </row> + <row> + <entry>dont descend</entry> + <entry><para> + Allows to specify a comma-delimited list of directories that the server should always show as empty. + </para></entry> + </row> + <row> + <entry>dos filetime resolution</entry> + <entry><para> + This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. + </para></entry> + </row> + <row> + <entry>dos filetimes</entry> + <entry><para> + Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the + owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS + semantics and smbd(8) will change the file timestamp as DOS requires. + </para></entry> + </row> + <row> + <entry>fake oplocks</entry> + <entry><para> + Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an + oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will + aggressively cache file data. With some oplock types the client may even cache file open/close operations. + </para></entry> + </row> + <row> + <entry>hide dot files, hide files, veto files</entry> + <entry><para> + Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible. + </para></entry> + </row> + <row> + <entry>read only</entry> + <entry><para> + If this parameter is yes, then users of a service may not create or modify files in the service's directory. + </para></entry> + </row> + <row> + <entry>veto files</entry> + <entry><para> + List of files and directories that are neither visible nor accessible. + </para></entry> + </row> + </tbody> +</tgroup> +</table> + </sect1> <sect1> |