diff options
-rw-r--r-- | docs/smbdotconf/security/aclgroupcontrol.xml | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/docs/smbdotconf/security/aclgroupcontrol.xml b/docs/smbdotconf/security/aclgroupcontrol.xml new file mode 100644 index 0000000000..9def482061 --- /dev/null +++ b/docs/smbdotconf/security/aclgroupcontrol.xml @@ -0,0 +1,47 @@ +<samba:parameter name="acl group control" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions + and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the + <emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs + on that file. + </para> + <para> + On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in + that group to modify the permissions on it. This allows the delegation of security controls + on a point in the filesystem to the group owner of a directory and anything below it also owned + by that group. This means there are multiple people with permissions to modify ACLs on a file + or directory, easing managability. + </para> + <para> + This parameter allows Samba to also permit delegation of the control over a point in the exported + directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to + control the permissions on a file or directory they have group ownership on. + </para> + + <para> + This parameter is best used with the <smbconfoption name="inherit owner"/> option and also + on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> bit set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. + </para> + + <para> + This is a new parameter introduced in Samba 3.0.20. + </para> + + <para> + This can be particularly useful to allow groups to manage their own security on a part + of the filesystem they have group ownership of, removing the bottleneck of having only + the user owner or superuser able to reset permissions. + </para> +</description> + +<related>inherit owner</related> +<related>inherit permissions</related> + +<value type="default">no</value> +</samba:parameter> |