diff options
Diffstat (limited to 'docs/docbook/manpages/smbcacls.1.sgml')
-rw-r--r-- | docs/docbook/manpages/smbcacls.1.sgml | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/docs/docbook/manpages/smbcacls.1.sgml b/docs/docbook/manpages/smbcacls.1.sgml new file mode 100644 index 0000000000..aaddf5c09c --- /dev/null +++ b/docs/docbook/manpages/smbcacls.1.sgml @@ -0,0 +1,105 @@ + +Namesmbcacls - Set or get ACLs on an NT file or directory +Synopsis +smbcacls +//server/share filename [-U username] [-A acls] [-M acls] [-D acls] [-S acls] + [-C name] [-G name] [-n] [-h] +Description +The smbcacls program manipulates +NT Access Control Lists (ACLs) on SMB file shares. +Options +The following +options are available to the smbcacls program. The format of ACLs is described +in the section ACL FORMAT +-A aclsAdd the ACLs specified to the ACL list. + Existing access control entries are unchanged. -M aclsModify the mask value +(permissions) for the ACLs specified on the command line. An error will +be printed for each ACL specified that was not already present in the ACL +list. -D aclsDelete any ACLs specfied on the command line. An error will +be printed for each ACL specified that was not already present in the ACL +list. -S aclsThis command sets the ACLs on the file with only the ones specified +on the command line. All other ACLs are erased. Note that the ACL specified +must contain at least a revision, type, owner and group for the call to +succeed. -U usernameSpecifies a username used to connect to the specified +service. The username may be of the form CWusername in which case the user +is prompted to enter in a password and the workgroup specified in the smb.conf +file is used, or CWusername%password or CWDOMAIN\username%password and the +password and workgroup names are used as provided. -C nameThe owner of a +file or directory can be changed to the name given using the -C option. +The name can be a sid in the form CWS-1-x-y-z or a name resolved against the +server specified in the first argument. This command is a shortcut for CW-M +OWNER:name. -G nameThe group owner of a file or directory can be changed +to the name given using the -G option. The name can be a sid in the form +CWS-1-x-y-z or a name resolved against the server specified in the first argument. +This command is a shortcut for CW-M GROUP:name. -nThis option displays all +ACL information in numeric format. The default is to convert SIDs to names +and ACE types and masks to a readable string format. -hPrint usage information +on the smbcacls program +Acl Format +The format of an ACL is one or more ACL +entries separated by either commas or newlines. An ACL entry is one of +the following: + + + +REVISION:<revision number> +OWNER:<sid or name> +GROUP:<sid or name> +ACL:<sid or name>:<type>/<flags>/<mask> + + + +The revision of the ACL specifies the internal Windows NT ACL revision +for the security descriptor. If not specified it defaults to 1. Using values +other than 1 may cause strange behaviour. +The owner and group specify the +owner and group sids for the object. If a SID in the format CWS-1-x-y-z is +specified this is used, otherwise the name specified is resolved using +the server on which the file or directory resides. +ACLs specify permissions +granted to the SID. This SID again can be specified in CWS-1-x-y-z format or +as a name in which case it is resolved against the server on which the +file or directory resides. The type, flags and mask values determine the +type of access granted to the SID. +The type can be either 0 or 1 corresponding +to ALLOWED or DENIED access to the SID. The flags values are generally +zero for file ACLs and either 9 or 2 for directory ACLs. Some common flags +are: + + + +#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 +#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 +#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 +#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 + + + +At present flags can only be specified as decimal or hexadecimal values. + +The mask is a value which expresses the access right granted to the SID. +It can be given as a decimal or hexadecimal value, or by using one of the +following text strings which map to the NT file permissions of the same +name. +CWR Allow read access CWW Allow write access CWX Execute permission +on the object CWD Delete the object CWP Change permissions CWO Take ownership + +The following combined permissions can be specified: +CWREAD Equivalent +to CWRX permissions CWCHANGE Equivalent to CWRXWD permissions CWFULL + Equivalent to CWRWXDPO permissions +Exit Status +The smbcacls program sets +the exit status depending on the success or otherwise of the operations +performed. The exit status may be one of the following values. +If the operation +succeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect +to the specified server, or there was an error getting or setting the ACLs, +an exit status of 1 is returned. If there was an error parsing any command +line arguments, an exit status of 2 is returned. +Author +The original Samba +software and related utilities were created by Andrew Tridgell. Samba is +now developed by the Samba Team as an Open Source project. +smbcacls was +written by Andrew Tridgell and Tim Potter.
\ No newline at end of file |