diff options
Diffstat (limited to 'docs/docbook/manpages/smbcacls.1.sgml')
| -rw-r--r-- | docs/docbook/manpages/smbcacls.1.sgml | 352 |
1 files changed, 251 insertions, 101 deletions
diff --git a/docs/docbook/manpages/smbcacls.1.sgml b/docs/docbook/manpages/smbcacls.1.sgml index aaddf5c09c..9561099851 100644 --- a/docs/docbook/manpages/smbcacls.1.sgml +++ b/docs/docbook/manpages/smbcacls.1.sgml @@ -1,105 +1,255 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<refentry id="smbcacls"> -Namesmbcacls - Set or get ACLs on an NT file or directory -Synopsis -smbcacls -//server/share filename [-U username] [-A acls] [-M acls] [-D acls] [-S acls] - [-C name] [-G name] [-n] [-h] -Description -The smbcacls program manipulates -NT Access Control Lists (ACLs) on SMB file shares. -Options -The following -options are available to the smbcacls program. The format of ACLs is described -in the section ACL FORMAT --A aclsAdd the ACLs specified to the ACL list. - Existing access control entries are unchanged. -M aclsModify the mask value -(permissions) for the ACLs specified on the command line. An error will -be printed for each ACL specified that was not already present in the ACL -list. -D aclsDelete any ACLs specfied on the command line. An error will -be printed for each ACL specified that was not already present in the ACL -list. -S aclsThis command sets the ACLs on the file with only the ones specified -on the command line. All other ACLs are erased. Note that the ACL specified -must contain at least a revision, type, owner and group for the call to -succeed. -U usernameSpecifies a username used to connect to the specified -service. The username may be of the form CWusername in which case the user -is prompted to enter in a password and the workgroup specified in the smb.conf -file is used, or CWusername%password or CWDOMAIN\username%password and the -password and workgroup names are used as provided. -C nameThe owner of a -file or directory can be changed to the name given using the -C option. -The name can be a sid in the form CWS-1-x-y-z or a name resolved against the -server specified in the first argument. This command is a shortcut for CW-M -OWNER:name. -G nameThe group owner of a file or directory can be changed -to the name given using the -G option. The name can be a sid in the form -CWS-1-x-y-z or a name resolved against the server specified in the first argument. -This command is a shortcut for CW-M GROUP:name. -nThis option displays all -ACL information in numeric format. The default is to convert SIDs to names -and ACE types and masks to a readable string format. -hPrint usage information -on the smbcacls program -Acl Format -The format of an ACL is one or more ACL -entries separated by either commas or newlines. An ACL entry is one of -the following: +<refmeta> + <refentrytitle>smbcacls</refentrytitle> + <manvolnum>1</manvolnum> +</refmeta> - - -REVISION:<revision number> -OWNER:<sid or name> -GROUP:<sid or name> -ACL:<sid or name>:<type>/<flags>/<mask> - - - -The revision of the ACL specifies the internal Windows NT ACL revision -for the security descriptor. If not specified it defaults to 1. Using values -other than 1 may cause strange behaviour. -The owner and group specify the -owner and group sids for the object. If a SID in the format CWS-1-x-y-z is -specified this is used, otherwise the name specified is resolved using -the server on which the file or directory resides. -ACLs specify permissions -granted to the SID. This SID again can be specified in CWS-1-x-y-z format or -as a name in which case it is resolved against the server on which the -file or directory resides. The type, flags and mask values determine the -type of access granted to the SID. -The type can be either 0 or 1 corresponding -to ALLOWED or DENIED access to the SID. The flags values are generally -zero for file ACLs and either 9 or 2 for directory ACLs. Some common flags -are: +<refnamediv> + <refname>smbcacls</refname> + <refpurpose>Set or get ACLs on an NT file or directory names</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>nmblookup</command> + <arg choice="req">//server/share</arg> + <arg choice="req">filename</arg> + <arg choice="opt">-U username</arg> + <arg choice="opt">-A acls</arg> + <arg choice="opt">-M acls</arg> + <arg choice="opt">-D acls</arg> + <arg choice="opt">-S acls</arg> + <arg choice="opt">-C name</arg> + <arg choice="opt">-G name</arg> + <arg choice="opt">-n</arg> + <arg choice="opt">-h</arg> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> + + <para>The smbcacls program manipulates NT Access Control Lists + (ACLs) on SMB file shares. </para> +</refsect1> + + +<refsect1> + <title>OPTIONS</title> + + <para>The following options are available to the smbcacls program. + The format of ACLs is described in the section ACL FORMAT </para> + + + <variablelist> + <varlistentry> + <term>-A acls</term> + <listitem><para>Add the ACLs specified to the ACL list. Existing + access control entries are unchanged. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-M acls</term> + <listitem><para>Modify the mask value (permissions) for the ACLs + specified on the command line. An error will be printed for each + ACL specified that was not already present in the ACL list + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-D acls</term> + <listitem><para>Delete any ACLs specfied on the command line. + An error will be printed for each ACL specified that was not + already present in the ACL list. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-S acls</term> + <listitem><para>This command sets the ACLs on the file with + only the ones specified on the command line. All other ACLs are + erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-U username</term> + <listitem><para>Specifies a username used to connect to the + specified service. The username may be of the form "username" in + which case the user is prompted to enter in a password and the + workgroup specified in the <filename>smb.conf</filename> file is + used, or "username%password" or "DOMAIN\username%password" and the + password and workgroup names are used as provided. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-C name</term> + <listitem><para>The owner of a file or directory can be changed + to the name given using the <parameter>-C</parameter> option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. </para> + + <para>This command is a shortcut for -M OWNER:name. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-G name</term> + <listitem><para>The group owner of a file or directory can + be changed to the name given using the <parameter>-G</parameter> + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + </para> + + <para>This command is a shortcut for -M GROUP:name.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-n</term> + <listitem><para>This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-h</term> + <listitem><para>Print usage information on the <command>smbcacls + </command> program.</para></listitem> + </varlistentry> + </variablelist> +</refsect1> + + +<refsect1> + <title>ACL FORMAT</title> + + <para>The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following: </para> + + <para><programlisting> +REVISION:<revision number> +OWNER:<sid or name> +GROUP:<sid or name> +ACL:<sid or name>:<type>/<flags>/<mask> + </programlisting></para> + + + <para>The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. </para> + + <para>The owner and group specify the owner and group sids for the + object. If a SID in the format CWS-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. </para> + + <para>ACLs specify permissions granted to the SID. This SID again + can be specified in CWS-1-x-y-z format or as a name in which case + it is resolved against the server on which the file or directory + resides. The type, flags and mask values determine the type of + access granted to the SID. </para> + + <para>The type can be either 0 or 1 corresponding to ALLOWED or + DENIED access to the SID. The flags values are generally + zero for file ACLs and either 9 or 2 for directory ACLs. Some + common flags are: </para> + + <itemizedlist> + <listitem><para>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</para></listitem> + <listitem><para>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</para></listitem> + <listitem><para>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 + </para></listitem> + <listitem><para>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</para> + </listitem> + </itemizedlist> + + <para>At present flags can only be specified as decimal or + hexadecimal values.</para> - -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 - - - -At present flags can only be specified as decimal or hexadecimal values. - -The mask is a value which expresses the access right granted to the SID. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name. -CWR Allow read access CWW Allow write access CWX Execute permission -on the object CWD Delete the object CWP Change permissions CWO Take ownership - -The following combined permissions can be specified: -CWREAD Equivalent -to CWRX permissions CWCHANGE Equivalent to CWRXWD permissions CWFULL - Equivalent to CWRWXDPO permissions -Exit Status -The smbcacls program sets -the exit status depending on the success or otherwise of the operations -performed. The exit status may be one of the following values. -If the operation -succeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect -to the specified server, or there was an error getting or setting the ACLs, -an exit status of 1 is returned. If there was an error parsing any command -line arguments, an exit status of 2 is returned. -Author -The original Samba -software and related utilities were created by Andrew Tridgell. Samba is -now developed by the Samba Team as an Open Source project. -smbcacls was -written by Andrew Tridgell and Tim Potter.
\ No newline at end of file + <para>The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. </para> + + <itemizedlist> + <listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem> + <listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem> + <listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem> + <listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem> + <listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem> + <listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem> + </itemizedlist> + + + <para>The following combined permissions can be specified:</para> + + + <itemizedlist> + <listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX' + permissions</para></listitem> + <listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions + </para></listitem> + <listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO' + permissions</para></listitem> + </itemizedlist> + </refsect1> + +<refsect1> + <title>EXIT STATUS</title> + + <para>The <command>smbcacls</command> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </para> + + <para>If the operation succeded, smbcacls returns and exit + status of 0. If smbcacls couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 2.2 of + the Samba suite.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para><command>smbcacls</command> was written by Andrew Tridgell + and Tim Potter.</para> + + <para>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter</para> +</refsect1> + +</refentry> |