diff options
Diffstat (limited to 'docs-xml/smbdotconf/security')
-rw-r--r-- | docs-xml/smbdotconf/security/createmask.xml | 5 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/directorymask.xml | 8 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/directorysecuritymask.xml | 32 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcecreatemode.xml | 6 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcedirectorymode.xml | 6 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml | 38 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/securitymask.xml | 33 |
8 files changed, 33 insertions, 133 deletions
diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml index cf6864c78e..59e208dccd 100644 --- a/docs-xml/smbdotconf/security/createmask.xml +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -28,9 +28,8 @@ </para> <para> - Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption - name="security mask"/>. + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control + over permission changes it should be set to 0777. </para> </description> diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml index 7b67f79214..2ebfc16d14 100644 --- a/docs-xml/smbdotconf/security/directorymask.xml +++ b/docs-xml/smbdotconf/security/directorymask.xml @@ -24,14 +24,14 @@ created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).</para> - <para>Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para> + <para> + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control + over permission changes it should be set to 0777. + </para> </description> <related>force directory mode</related> <related>create mask</related> -<related>directory security mask</related> <related>inherit permissions</related> <value type="default">0755</value> <value type="example">0775</value> diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml index 5ed85ae3f8..0bd5d9327d 100644 --- a/docs-xml/smbdotconf/security/directorysecuritymask.xml +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml @@ -3,37 +3,11 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission bits - will be set when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box.</para> - <para> - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force - directory security mode"/>, which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask are a set of bits that will always be set to zero. - </para> - + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="directory mask"/> is now used instead to mask + any permission bit changes on directories. <para> - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - </para> - - <para>If not set explicitly this parameter is set to 0777 - meaning a user is allowed to set all the user/group/world - permissions on a directory.</para> - - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of <constant>0777</constant>.</para> </description> -<related>force directory security mode</related> -<related>security mask</related> -<related>force security mode</related> -<value type="default">0777</value> -<value type="example">0700</value> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml index a3f1c2c105..5a57a294af 100644 --- a/docs-xml/smbdotconf/security/forcecreatemode.xml +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml @@ -10,6 +10,12 @@ mode after the mask set in the <parameter moreinfo="none">create mask</parameter> parameter is applied.</para> + <para> + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a file, not just when the file is created. + This replaces the now removed <parameter moreinfo="none">force security mode</parameter>. + </para> + <para>The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.</para> diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml index 7effc0e399..e5b37ea611 100644 --- a/docs-xml/smbdotconf/security/forcedirectorymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -12,6 +12,12 @@ mask in the parameter <parameter moreinfo="none">directory mask</parameter> is applied.</para> + <para> + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a directory, not just when the file is created. + This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>. + </para> + <para>The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.</para> diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml index 2c15ec2753..01e5fe9a2a 100644 --- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml @@ -4,40 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. - </para> - + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="force directory mode"/> is now used instead to + force any permission changes on directories to include specific UNIX + permission bits. <para> - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption - name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead - of an OR. - </para> - - <para> - Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). - </para> - - <para> - If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. - </para> - - <note><para> - Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. - </para></note> - </description> - -<value type="default">0</value> -<value type="example">700</value> - -<related>directory security mask</related> -<related>security mask</related> -<related>force security mode</related> - </samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml index 7451ef91ae..b6713b10b0 100644 --- a/docs-xml/smbdotconf/security/forcesecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml @@ -4,38 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. - </para> - - <para> - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption - name="security mask"/>, which works similar like this one but uses logical AND instead of OR. - </para> - - <para> - Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. - </para> - - <para> - If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. - </para> - - <para><emphasis> - Note</emphasis> that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. - </para> - + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="force create mode"/> is now used instead to + force any permission changes on files to include specific UNIX + permission bits. + </para> </description> - -<value type="default">0</value> -<value type="example">700</value> - -<related>force directory security mode</related> -<related>directory security mask</related> -<related>security mask</related> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml index 23bc2808db..d1e78bedfd 100644 --- a/docs-xml/smbdotconf/security/securitymask.xml +++ b/docs-xml/smbdotconf/security/securitymask.xml @@ -4,36 +4,9 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. - </para> - - <para> - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force - security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. - </para> - - <para> - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - </para> - - <para> - If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. + This parameter has been removed for Samba 4.0.0. The parameter + <smbconfoption name="create mask"/> is now used instead to mask + any permission bit changes on files. </para> - - <para><emphasis> - Note</emphasis> that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to <constant>0777</constant>. - </para> </description> - -<related>force directory security mode</related> -<related>directory security mask</related> -<related>force security mode</related> - -<value type="default">0777</value> -<value type="example">0770</value> </samba:parameter> |