1 files changed, 39 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
new file mode 100644
index 0000000000..23bc2808db
--- /dev/null
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -0,0 +1,39 @@
+<samba:parameter name="security mask"
+                 context="S"
+				 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+	This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
+	UNIX permission on a file using the native NT security dialog box.
+	</para>
+
+    <para>
+	This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
+	any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
+	security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. 
+	</para>
+
+    <para>
+	Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
+	file permissions regardless of the previous status of this bits on the file.
+    </para>
+
+    <para>
+	If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
+    </para>
+
+    <para><emphasis>
+	Note</emphasis> that users who can access the Samba server through other means can easily bypass this 
+    restriction, so it is primarily useful for standalone &quot;appliance&quot; systems.  Administrators of
+	most normal systems will probably want to leave it set to <constant>0777</constant>.
+	</para>
+</description>
+
+<related>force directory security mode</related>
+<related>directory security mask</related>
+<related>force security mode</related>
+
+<value type="default">0777</value>
+<value type="example">0770</value>
+</samba:parameter>