summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/smbdotconf/security/aclgroupcontrol.xml47
1 files changed, 47 insertions, 0 deletions
diff --git a/docs/smbdotconf/security/aclgroupcontrol.xml b/docs/smbdotconf/security/aclgroupcontrol.xml
new file mode 100644
index 0000000000..9def482061
--- /dev/null
+++ b/docs/smbdotconf/security/aclgroupcontrol.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="acl group control"
+ context="S"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
+ and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
+ <emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs
+ on that file.
+ </para>
+ <para>
+ On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in
+ that group to modify the permissions on it. This allows the delegation of security controls
+ on a point in the filesystem to the group owner of a directory and anything below it also owned
+ by that group. This means there are multiple people with permissions to modify ACLs on a file
+ or directory, easing managability.
+ </para>
+ <para>
+ This parameter allows Samba to also permit delegation of the control over a point in the exported
+ directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to
+ control the permissions on a file or directory they have group ownership on.
+ </para>
+
+ <para>
+ This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
+ on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> bit set
+ on them, which causes new files and directories created within it to inherit the group
+ ownership from the containing directory.
+ </para>
+
+ <para>
+ This is a new parameter introduced in Samba 3.0.20.
+ </para>
+
+ <para>
+ This can be particularly useful to allow groups to manage their own security on a part
+ of the filesystem they have group ownership of, removing the bottleneck of having only
+ the user owner or superuser able to reset permissions.
+ </para>
+</description>
+
+<related>inherit owner</related>
+<related>inherit permissions</related>
+
+<value type="default">no</value>
+</samba:parameter>