-rw-r--r-- | docs-xml/smbdotconf/security/createmask.xml | 5 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/directorymask.xml | 8 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/directorysecuritymask.xml | 32 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcecreatemode.xml | 6 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcedirectorymode.xml | 6 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml | 38 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/securitymask.xml | 33 | ||||
-rw-r--r-- | examples/scripts/shares/python/smbparm.py | 4 | ||||
-rw-r--r-- | lib/param/param_functions.c | 4 | ||||
-rw-r--r-- | lib/param/param_table.c | 36 | ||||
-rw-r--r-- | source3/include/proto.h | 4 | ||||
-rw-r--r-- | source3/param/loadparm.c | 4 |
13 files changed, 33 insertions, 185 deletions
diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml index cf6864c78e..59e208dccd 100644 --- a/docs-xml/smbdotconf/security/createmask.xml +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -28,9 +28,8 @@ </para> <para> - Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption - name="security mask"/>. + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control + over permission changes it should be set to 0777. </para> </description> diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml index 7b67f79214..2ebfc16d14 100644 --- a/docs-xml/smbdotconf/security/directorymask.xml +++ b/docs-xml/smbdotconf/security/directorymask.xml @@ -24,14 +24,14 @@ created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).</para> - <para>Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para> + <para> + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control + over permission changes it should be set to 0777. + </para> </description> <related>force directory mode</related> <related>create mask</related> -<related>directory security mask</related> <related>inherit permissions</related> <value type="default">0755</value> <value type="example">0775</value> 
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
index 5ed85ae3f8..0bd5d9327d 100644
--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -3,37 +3,11 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission bits - will be set when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box.</para> - <para> - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force - directory security mode"/>, which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask are a set of bits that will always be set to zero. - </para> - + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="directory mask"/> is now used instead to mask + any permission bit changes on directories. <para> - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - </para> - - <para>If not set explicitly this parameter is set to 0777 - meaning a user is allowed to set all the user/group/world - permissions on a directory.</para> - - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of <constant>0777</constant>.</para> </description> -<related>force directory security mode</related> -<related>security mask</related> -<related>force security mode</related> -<value type="default">0777</value> -<value type="example">0700</value> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml index a3f1c2c105..5a57a294af 100644 
--- a/docs-xml/smbdotconf/security/forcecreatemode.xml +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml @@ -10,6 +10,12 @@ mode after the mask set in the <parameter moreinfo="none">create mask</parameter> parameter is applied.</para> + <para> + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a file, not just when the file is created. + This replaces the now removed <parameter moreinfo="none">force security mode</parameter>. + </para> + <para>The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.</para> diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml index 7effc0e399..e5b37ea611 100644 --- a/docs-xml/smbdotconf/security/forcedirectorymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -12,6 +12,12 @@ mask in the parameter <parameter moreinfo="none">directory mask</parameter> is applied.</para> + <para> + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a directory, not just when the file is created. + This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>. + </para> + <para>The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.</para> diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml index 2c15ec2753..01e5fe9a2a 100644 --- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -4,40 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. - </para> - + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="force directory mode"/> is now used instead to + force any permission changes on directories to include specific UNIX + permission bits. <para> - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption - name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead - of an OR. - </para> - - <para> - Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). - </para> - - <para> - If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. - </para> - - <note><para> - Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. - </para></note> - </description> - -<value type="default">0</value> -<value type="example">700</value> - -<related>directory security mask</related> -<related>security mask</related> -<related>force security mode</related> - </samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml index 7451ef91ae..b6713b10b0 100644 --- a/docs-xml/smbdotconf/security/forcesecuritymode.xml 
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml @@ -4,38 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. - </para> - - <para> - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption - name="security mask"/>, which works similar like this one but uses logical AND instead of OR. - </para> - - <para> - Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. - </para> - - <para> - If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. - </para> - - <para><emphasis> - Note</emphasis> that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. - </para> - + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="force create mode"/> is now used instead to + force any permission changes on files to include specific UNIX + permission bits. + </para> </description> - -<value type="default">0</value> -<value type="example">700</value> - -<related>force directory security mode</related> -<related>directory security mask</related> -<related>security mask</related> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml index 23bc2808db..d1e78bedfd 100644 --- a/docs-xml/smbdotconf/security/securitymask.xml 
+++ b/docs-xml/smbdotconf/security/securitymask.xml @@ -4,36 +4,9 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. - </para> - - <para> - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force - security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. - </para> - - <para> - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - </para> - - <para> - If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="create mask"/> is now used instead to mask + any permission bit changes on files. </para> - - <para><emphasis> - Note</emphasis> that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to <constant>0777</constant>. - </para> </description> - -<related>force directory security mode</related> -<related>directory security mask</related> -<related>force security mode</related> - -<value type="default">0777</value> -<value type="example">0770</value> </samba:parameter> diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py index 8dca781ffc..f0bc1ecb89 100644 --- a/examples/scripts/shares/python/smbparm.py +++ b/examples/scripts/shares/python/smbparm.py 
@@ -89,7 +89,6 @@ parm_table = {
 "ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""),
 "WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
 "MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"),
- "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"),
 "VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""),
 "CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""),
 "DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
@@ -102,7 +101,6 @@ parm_table = {
 "DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
 "LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""),
 "WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
- "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
 "ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
 "PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"),
 "MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
@@ -147,7 +145,6 @@ parm_table = {
 "LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
 "LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
 "LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
- "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"),
 "LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
 "NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
 "LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
@@ -184,7 +181,6 @@ parm_table = {
 "POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
 "INCLUDE" : ("include", SambaParmString, P_LOCAL, ""),
 "ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
- "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
 "ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
 "USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""),
 "MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index ce2f671d73..d5cd0181c5 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
 FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
 FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
 FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
 FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
 FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
 FN_LOCAL_INTEGER(printing, iPrinting)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 325f295342..01f65fef97 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -957,24 +957,6 @@ static struct parm_struct parm_table[] = {
 .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
 {
- .label = "security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iSecurity_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
 .label = "directory mask",
 .type = P_OCTAL,
 .p_class = P_LOCAL,
@@ -1002,24 +984,6 @@ static struct parm_struct parm_table[] = {
 .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
 {
- .label = "directory security mask",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_mask),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
- .label = "force directory security mode",
- .type = P_OCTAL,
- .p_class = P_LOCAL,
- .offset = LOCAL_VAR(iDir_Security_force_mode),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
- },
- {
 .label = "force unknown acl user",
 .type = P_BOOL,
 .p_class = P_LOCAL,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b3fa55a914..ac3d205100 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int );
 bool lp_durable_handles(int);
 int lp_create_mask(int );
 int lp_force_create_mode(int );
-int lp_security_mask(int );
-int lp_force_security_mode(int );
 int lp_dir_mask(int );
 int lp_force_dir_mode(int );
-int lp_dir_security_mask(int );
-int lp_force_dir_security_mode(int );
 int lp_max_connections(int );
 int lp_defaultcase(int );
 int lp_minprintspace(int );
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 61606ce9d2..42bf11d4bc 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -191,12 +191,8 @@ static struct loadparm_service sDefault =
 .iWriteCacheSize = 0,
 .iCreate_mask = 0744,
 .iCreate_force_mode = 0,
- .iSecurity_mask = 0777,
- .iSecurity_force_mode = 0,
 .iDir_mask = 0755,
 .iDir_force_mode = 0,
- .iDir_Security_mask = 0777,
- .iDir_Security_force_mode = 0,
 .iMaxConnections = 0,
 .iDefaultCase = CASE_LOWER,
 .iPrinting = DEFAULT_PRINTING, |