summaryrefslogtreecommitdiff
path: root/docs-xml/smbdotconf/security
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/smbdotconf/security')
-rw-r--r--docs-xml/smbdotconf/security/createmask.xml5
-rw-r--r--docs-xml/smbdotconf/security/directorymask.xml8
-rw-r--r--docs-xml/smbdotconf/security/directorysecuritymask.xml32
-rw-r--r--docs-xml/smbdotconf/security/forcecreatemode.xml6
-rw-r--r--docs-xml/smbdotconf/security/forcedirectorymode.xml6
-rw-r--r--docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml38
-rw-r--r--docs-xml/smbdotconf/security/forcesecuritymode.xml38
-rw-r--r--docs-xml/smbdotconf/security/securitymask.xml33
8 files changed, 33 insertions, 133 deletions
diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml
index cf6864c78e..59e208dccd 100644
--- a/docs-xml/smbdotconf/security/createmask.xml
+++ b/docs-xml/smbdotconf/security/createmask.xml
@@ -28,9 +28,8 @@
</para>
<para>
- Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
- administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
- name="security mask"/>.
+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control
+ over permission changes it should be set to 0777.
</para>
</description>
diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml
index 7b67f79214..2ebfc16d14 100644
--- a/docs-xml/smbdotconf/security/directorymask.xml
+++ b/docs-xml/smbdotconf/security/directorymask.xml
@@ -24,14 +24,14 @@
created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
+ <para>
+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control
+ over permission changes it should be set to 0777.
+ </para>
</description>
<related>force directory mode</related>
<related>create mask</related>
-<related>directory security mask</related>
<related>inherit permissions</related>
<value type="default">0755</value>
<value type="example">0775</value>
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
index 5ed85ae3f8..0bd5d9327d 100644
--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -3,37 +3,11 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission bits
- will be set when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog
- box.</para>
-
<para>
- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
- directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
- Essentially, zero bits in this mask are a set of bits that will always be set to zero.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="directory mask"/> is now used instead to mask
+ any permission bit changes on directories.
<para>
- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
- file permissions regardless of the previous status of this bits on the file.
- </para>
-
- <para>If not set explicitly this parameter is set to 0777
- meaning a user is allowed to set all the user/group/world
- permissions on a directory.</para>
-
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone &quot;appliance&quot; systems.
- Administrators of most normal systems will probably want to leave
- it as the default of <constant>0777</constant>.</para>
</description>
-<related>force directory security mode</related>
-<related>security mask</related>
-<related>force security mode</related>
-<value type="default">0777</value>
-<value type="example">0700</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml
index a3f1c2c105..5a57a294af 100644
--- a/docs-xml/smbdotconf/security/forcecreatemode.xml
+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
@@ -10,6 +10,12 @@
mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
parameter is applied.</para>
+ <para>
+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+ permissions are changed on a file, not just when the file is created.
+ This replaces the now removed <parameter moreinfo="none">force security mode</parameter>.
+ </para>
+
<para>The example below would force all newly created files to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml
index 7effc0e399..e5b37ea611 100644
--- a/docs-xml/smbdotconf/security/forcedirectorymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
@@ -12,6 +12,12 @@
mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
applied.</para>
+ <para>
+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
+ permissions are changed on a directory, not just when the file is created.
+ This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>.
+ </para>
+
<para>The example below would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
index 2c15ec2753..01e5fe9a2a 100644
--- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -4,40 +4,10 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a directory using the native NT security dialog box.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="force directory mode"/> is now used instead to
+ force any permission changes on directories to include specific UNIX
+ permission bits.
<para>
- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
- name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
- of an OR.
- </para>
-
- <para>
- Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
- to will enable (1) any flags that are off (0) but which the mask has set to on (1).
- </para>
-
- <para>
- If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
- permissions on a directory without restrictions.
- </para>
-
- <note><para>
- Users who can access the Samba server through other means can easily bypass this restriction, so it is
- primarily useful for standalone &quot;appliance&quot; systems. Administrators of most normal systems will
- probably want to leave it set as 0000.
- </para></note>
-
</description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>directory security mask</related>
-<related>security mask</related>
-<related>force security mode</related>
-
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml
index 7451ef91ae..b6713b10b0 100644
--- a/docs-xml/smbdotconf/security/forcesecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
@@ -4,38 +4,10 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security dialog box.
- </para>
-
- <para>
- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
- name="security mask"/>, which works similar like this one but uses logical AND instead of OR.
- </para>
-
- <para>
- Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
- the user has always set to be on.
- </para>
-
- <para>
- If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
- permissions on a file, with no restrictions.
- </para>
-
- <para><emphasis>
- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of most
- normal systems will probably want to leave this set to 0000.
- </para>
-
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="force create mode"/> is now used instead to
+ force any permission changes on files to include specific UNIX
+ permission bits.
+ </para>
</description>
-
-<value type="default">0</value>
-<value type="example">700</value>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>security mask</related>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
index 23bc2808db..d1e78bedfd 100644
--- a/docs-xml/smbdotconf/security/securitymask.xml
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -4,36 +4,9 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
- UNIX permission on a file using the native NT security dialog box.
- </para>
-
- <para>
- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
- security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND.
- </para>
-
- <para>
- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
- file permissions regardless of the previous status of this bits on the file.
- </para>
-
- <para>
- If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
+ This parameter has been removed for Samba 4.0.0. The parameter
+ <smbconfoption name="create mask"/> is now used instead to mask
+ any permission bit changes on files.
</para>
-
- <para><emphasis>
- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of
- most normal systems will probably want to leave it set to <constant>0777</constant>.
- </para>
</description>
-
-<related>force directory security mode</related>
-<related>directory security mask</related>
-<related>force security mode</related>
-
-<value type="default">0777</value>
-<value type="example">0770</value>
</samba:parameter>