Diffstat (limited to 'docs/htmldocs/unix-permissions.html')
-rw-r--r-- | docs/htmldocs/unix-permissions.html | 409 |
1 files changed, 244 insertions, 165 deletions
diff --git a/docs/htmldocs/unix-permissions.html b/docs/htmldocs/unix-permissions.html index 65c3f5352e..f29d450e6d 100644 --- a/docs/htmldocs/unix-permissions.html +++ b/docs/htmldocs/unix-permissions.html @@ -5,19 +5,21 @@ >UNIX Permission Bits and Windows NT Access Control Lists</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK REL="UP" -TITLE="Advanced Configuration" +TITLE="Optional configuration" HREF="optional.html"><LINK REL="PREVIOUS" -TITLE="Advanced Configuration" -HREF="optional.html"><LINK +TITLE="Integrating MS Windows networks with Samba" +HREF="integrate-ms-networks.html"><LINK REL="NEXT" -TITLE="Configuring Group Mapping" -HREF="groupmapping.html"></HEAD +TITLE="Configuring PAM for distributed but centrally +managed authentication" +HREF="pam.html"></HEAD ><BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" @@ -45,7 +47,7 @@ WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A -HREF="optional.html" +HREF="integrate-ms-networks.html" ACCESSKEY="P" >Prev</A ></TD @@ -59,7 +61,7 @@ WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A -HREF="groupmapping.html" +HREF="pam.html" ACCESSKEY="N" >Next</A ></TD 
@@ -72,69 +74,52 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="UNIX-PERMISSIONS" -></A ->Chapter 10. UNIX Permission Bits and Windows NT Access Control Lists</H1 +NAME="UNIX-PERMISSIONS">Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1525" ->10.1. Viewing and changing UNIX permissions using the NT - security dialogs</A -></H1 +NAME="AEN1605">11.1. Viewing and changing UNIX permissions using the NT + security dialogs</H1 ><P ->Windows NT clients can use their native security settings - dialog box to view and modify the underlying UNIX permissions.</P +>New in the Samba 2.0.4 release is the ability for Windows + NT clients to use their native security settings dialog box to + view and modify the underlying UNIX permissions.</P ><P >Note that this ability is careful not to compromise the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</P -><DIV -CLASS="NOTE" ><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> All access to Unix/Linux system file via Samba is controlled at - the operating system file access control level. When trying to - figure out file access problems it is vitally important to identify - the identity of the Windows user as it is presented by Samba at - the point of file access. This can best be determined from the - Samba log files. 
- </P -></TD -></TR -></TABLE -></DIV +>In Samba 2.0.4 and above the default value of the + parameter <A +HREF="smb.conf.5.html#NTACLSUPPORT" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +> nt acl support</I +></TT +></A +> has been changed from + <TT +CLASS="CONSTANT" +>false</TT +> to <TT +CLASS="CONSTANT" +>true</TT +>, so + manipulation of permissions is turned on by default.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1531" ->10.2. How to view file security on a Samba share</A -></H1 +NAME="AEN1614">11.2. How to view file security on a Samba share</H1 ><P ->From an NT4/2000/XP client, single-click with the right +>From an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted drive letter or UNC path. When the menu pops-up, click on the <SPAN @@ -144,14 +129,15 @@ CLASS="EMPHASIS" >Properties</I ></SPAN > entry at the bottom of - the menu. This brings up the file properties dialog - box. Click on the tab <SPAN + the menu. This brings up the normal file properties dialog + box, but with Samba 2.0.4 this will have a new tab along the top + marked <SPAN CLASS="emphasis" ><I CLASS="EMPHASIS" >Security</I ></SPAN -> and you +>. Click on this tab and you will see three buttons, <SPAN CLASS="emphasis" ><I @@ -199,9 +185,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1542" ->10.3. Viewing file ownership</A -></H1 +NAME="AEN1625">11.3. Viewing file ownership</H1 ><P >Clicking on the <B CLASS="COMMAND" 
@@ -215,17 +199,23 @@ CLASS="COMMAND" >"SERVER\user (Long name)"</B ></P ><P ->Where <VAR +>Where <TT CLASS="REPLACEABLE" ->SERVER</VAR +><I +>SERVER</I +></TT > is the NetBIOS name of - the Samba server, <VAR + the Samba server, <TT CLASS="REPLACEABLE" ->user</VAR +><I +>user</I +></TT > is the user name of - the UNIX user who owns the file, and <VAR + the UNIX user who owns the file, and <TT CLASS="REPLACEABLE" ->(Long name)</VAR +><I +>(Long name)</I +></TT > is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). Click on the <B @@ -234,13 +224,15 @@ CLASS="COMMAND" </B > button to remove this dialog.</P ><P ->If the parameter <VAR +>If the parameter <TT CLASS="PARAMETER" ->nt acl support</VAR +><I +>nt acl support</I +></TT > - is set to <CODE + is set to <TT CLASS="CONSTANT" ->false</CODE +>false</TT > then the file owner will be shown as the NT user <B CLASS="COMMAND" @@ -268,7 +260,7 @@ CLASS="EMPHASIS" ><P >There is an NT chown command that will work with Samba and allow a user with Administrator privilege connected - to a Samba server as root to change the ownership of + to a Samba 2.0.4 server as root to change the ownership of files on both a local NTFS filesystem or remote mounted NTFS or Samba drive. This is available as part of the <SPAN CLASS="emphasis" @@ -285,9 +277,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1562" ->10.4. Viewing file or directory permissions</A -></H1 +NAME="AEN1645">11.4. Viewing file or directory permissions</H1 ><P >The third button is the <B CLASS="COMMAND" 
@@ -302,28 +292,36 @@ CLASS="COMMAND" >"SERVER\user (Long name)"</B ></P ><P ->Where <VAR +>Where <TT CLASS="REPLACEABLE" ->SERVER</VAR +><I +>SERVER</I +></TT > is the NetBIOS name of - the Samba server, <VAR + the Samba server, <TT CLASS="REPLACEABLE" ->user</VAR +><I +>user</I +></TT > is the user name of - the UNIX user who owns the file, and <VAR + the UNIX user who owns the file, and <TT CLASS="REPLACEABLE" ->(Long name)</VAR +><I +>(Long name)</I +></TT > is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).</P ><P ->If the parameter <VAR +>If the parameter <TT CLASS="PARAMETER" ->nt acl support</VAR +><I +>nt acl support</I +></TT > - is set to <CODE + is set to <TT CLASS="CONSTANT" ->false</CODE +>false</TT > then the file owner will be shown as the NT user <B CLASS="COMMAND" @@ -339,9 +337,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1577" ->10.4.1. File Permissions</A -></H2 +NAME="AEN1660">11.4.1. File Permissions</H2 ><P >The standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -401,9 +397,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1591" ->10.4.2. Directory Permissions</A -></H2 +NAME="AEN1674">11.4.2. Directory Permissions</H2 ><P >Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -433,9 +427,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1598" ->10.5. Modifying file or directory permissions</A -></H1 +NAME="AEN1681">11.5. Modifying file or directory permissions</H1 ><P >Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and 
@@ -447,13 +439,15 @@ CLASS="COMMAND" with the standard Samba permission masks and mapping of DOS attributes that need to also be taken into account.</P ><P ->If the parameter <VAR +>If the parameter <TT CLASS="PARAMETER" ->nt acl support</VAR +><I +>nt acl support</I +></TT > - is set to <CODE + is set to <TT CLASS="CONSTANT" ->false</CODE +>false</TT > then any attempt to set security permissions will fail with an <B CLASS="COMMAND" @@ -465,7 +459,7 @@ CLASS="COMMAND" CLASS="COMMAND" >"Add"</B > - button will not return a list of users in Samba (it will give + button will not return a list of users in Samba 2.0.4 (it will give an error message of <B CLASS="COMMAND" >"The remote procedure call failed @@ -529,33 +523,38 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1620" ->10.6. Interaction with the standard Samba create mask - parameters</A -></H1 +NAME="AEN1703">11.6. Interaction with the standard Samba create mask + parameters</H1 ><P ->There are four parameters - to control interaction with the standard Samba create mask parameters. - These are :</P +>Note that with Samba 2.0.5 there are four new parameters + to control this interaction. These are :</P ><P -><VAR +><TT CLASS="PARAMETER" ->security mask</VAR +><I +>security mask</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force security mode</VAR +><I +>force security mode</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->directory security mask</VAR +><I +>directory security mask</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force directory security mode</VAR +><I +>force directory security mode</I +></TT ></P ><P >Once a user clicks <B 
@@ -568,17 +567,21 @@ CLASS="COMMAND" HREF="smb.conf.5.html#SECURITYMASK" TARGET="_top" > - <VAR + <TT CLASS="PARAMETER" ->security mask</VAR +><I +>security mask</I +></TT ></A > parameter. Any bits that were changed that are not set to '1' in this parameter are left alone in the file permissions.</P ><P ->Essentially, zero bits in the <VAR +>Essentially, zero bits in the <TT CLASS="PARAMETER" ->security mask</VAR +><I +>security mask</I +></TT > mask may be treated as a set of bits the user is <SPAN CLASS="emphasis" @@ -594,31 +597,38 @@ CLASS="EMPHASIS" the <A HREF="smb.conf.5.html#CREATEMASK" TARGET="_top" -><VAR +><TT CLASS="PARAMETER" +><I >create mask - </VAR + </I +></TT ></A -> parameter. To allow a user to modify all the - user/group/world permissions on a file, set this parameter +> parameter to provide compatibility with Samba 2.0.4 + where this permission change facility was introduced. To allow a user to + modify all the user/group/world permissions on a file, set this parameter to 0777.</P ><P >Next Samba checks the changed permissions for a file against the bits set in the <A HREF="smb.conf.5.html#FORCESECURITYMODE" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->force security mode</VAR +><I +>force security mode</I +></TT ></A > parameter. Any bits that were changed that correspond to bits set to '1' in this parameter are forced to be set.</P ><P ->Essentially, bits set in the <VAR +>Essentially, bits set in the <TT CLASS="PARAMETER" +><I >force security mode - </VAR + </I +></TT > parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.</P ><P 
@@ -626,60 +636,85 @@ CLASS="PARAMETER" as the <A HREF="smb.conf.5.html#FORCECREATEMODE" TARGET="_top" -><VAR +><TT CLASS="PARAMETER" +><I >force - create mode</VAR + create mode</I +></TT ></A -> parameter. +> parameter to provide compatibility + with Samba 2.0.4 where the permission change facility was introduced. To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000.</P ><P ->The <VAR +>The <TT CLASS="PARAMETER" ->security mask</VAR -> and <VAR +><I +>security mask</I +></TT +> and <TT CLASS="PARAMETER" +><I >force - security mode</VAR + security mode</I +></TT > parameters are applied to the change request in that order.</P ><P >For a directory Samba will perform the same operations as - described above for a file except using the parameter <VAR + described above for a file except using the parameter <TT CLASS="PARAMETER" -> directory security mask</VAR -> instead of <VAR +><I +> directory security mask</I +></TT +> instead of <TT CLASS="PARAMETER" +><I >security - mask</VAR ->, and <VAR + mask</I +></TT +>, and <TT CLASS="PARAMETER" +><I >force directory security mode - </VAR -> parameter instead of <VAR + </I +></TT +> parameter instead of <TT CLASS="PARAMETER" +><I >force security mode - </VAR + </I +></TT >.</P ><P ->The <VAR +>The <TT CLASS="PARAMETER" ->directory security mask</VAR +><I +>directory security mask</I +></TT > parameter - by default is set to the same value as the <VAR + by default is set to the same value as the <TT CLASS="PARAMETER" +><I >directory mask - </VAR -> parameter and the <VAR + </I +></TT +> parameter and the <TT CLASS="PARAMETER" +><I >force directory security - mode</VAR + mode</I +></TT > parameter by default is set to the same value as - the <VAR + the <TT CLASS="PARAMETER" ->force directory mode</VAR -> parameter. 
</P +><I +>force directory mode</I +></TT +> parameter to provide + compatibility with Samba 2.0.4 where the permission change facility + was introduced.</P ><P >In this way Samba enforces the permission restrictions that an administrator can set on a Samba share, whilst still allowing users @@ -688,40 +723,83 @@ CLASS="PARAMETER" >If you want to set up a share that allows users full control in modifying the permission bits on their files and directories and doesn't force any particular bits to be set 'on', then set the following - parameters in the <TT + parameters in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT CLASS="FILENAME" ->smb.conf</TT +>smb.conf(5) + </TT +></A > file in that share specific section :</P ><P -><VAR +><TT CLASS="PARAMETER" ->security mask = 0777</VAR +><I +>security mask = 0777</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force security mode = 0</VAR +><I +>force security mode = 0</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->directory security mask = 0777</VAR +><I +>directory security mask = 0777</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force directory security mode = 0</VAR +><I +>force directory security mode = 0</I +></TT +></P +><P +>As described, in Samba 2.0.4 the parameters :</P +><P +><TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT ></P +><P +><TT +CLASS="PARAMETER" +><I +>directory mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +></P +><P +>were used instead of the parameters discussed here.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1673" ->10.7. Interaction with the standard Samba file attribute - mapping</A -></H1 +NAME="AEN1767">11.7. Interaction with the standard Samba file attribute + mapping</H1 ><P >Samba maps some of the DOS attribute bits (such as "read only") into the UNIX permissions of a file. This means there can 
@@ -777,7 +855,7 @@ WIDTH="33%" ALIGN="left" VALIGN="top" ><A -HREF="optional.html" +HREF="integrate-ms-networks.html" ACCESSKEY="P" >Prev</A ></TD @@ -795,7 +873,7 @@ WIDTH="33%" ALIGN="right" VALIGN="top" ><A -HREF="groupmapping.html" +HREF="pam.html" ACCESSKEY="N" >Next</A ></TD @@ -805,7 +883,7 @@ ACCESSKEY="N" WIDTH="33%" ALIGN="left" VALIGN="top" ->Advanced Configuration</TD +>Integrating MS Windows networks with Samba</TD ><TD WIDTH="34%" ALIGN="center" @@ -819,7 +897,8 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Configuring Group Mapping</TD +>Configuring PAM for distributed but centrally +managed authentication</TD ></TR ></TABLE ></DIV |
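Review bot: the GENERATOR meta in the first hunk goes from "Modular DocBook HTML Stylesheet Version 1.7" to "1.76b+" and the Prev/Up/Next links are retargeted to integrate-ms-networks.html, "Optional configuration" and pam.html, so this file was regenerated with a different stylesheet and chapter order; since the body hunks below also revert the text to Samba 2.0.4 wording, confirm that the SGML source this was built from is the current one and not a stale checkout. The new generator string is also split across two lines (`+CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+` / `+"><LINK`), which embeds a newline in the attribute value; keeping it on one line avoids a spurious diff every time the docs are rebuilt.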
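Review bot: the @@ -72,69 hunk drops the NOTE block stating that all access through Samba is controlled at the operating system file access control level and that, when diagnosing access problems, the identity of the Windows user as presented by Samba at the point of file access must be determined from the Samba log files; that is the most useful troubleshooting and security guidance in the chapter, and it is replaced by a historical remark that the `nt acl support` default changed from false to true in 2.0.4. Recommend restoring the note in the regenerated page. The same hunk also rewrites "Windows NT clients can use their native security settings dialog box" as "New in the Samba 2.0.4 release is the ability for Windows NT clients ..." and "From an NT4/2000/XP client" as "From an NT 4.0 client", both of which move from current wording to release-note wording. Finally, the new heading forms `<A NAME="UNIX-PERMISSIONS">Chapter 11. ...</H1>` and `<A NAME="AEN1605">11.1. ...</H1>` omit the `</A>` close that the removed lines had, leaving the anchor unclosed inside the H1; the renumbered AENxxxx anchors will also break any existing deep links to `#AEN1525` and friends, which is expected for autogenerated ids but worth a mention in the commit message.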
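Review bot: in the @@ -144,14 hunk the version-neutral sentence "This brings up the file properties dialog box. Click on the tab Security and you will see three buttons" is replaced by "but with Samba 2.0.4 this will have a new tab along the top marked Security"; the removed wording is the better current text, because the Security tab is a property of the client dialog and has not been new for a long time. Suggest keeping the removed sentence.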
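Review bot: the @@ -215,17 hunk, and the identical replacements in the @@ -234, @@ -302, @@ -447, @@ -529, @@ -568, @@ -594, @@ -626 and @@ -688 hunks, swap the semantic `<VAR CLASS="REPLACEABLE">`, `<VAR CLASS="PARAMETER">` and `<CODE CLASS="CONSTANT">` elements for `<TT CLASS="..."><I>...</I></TT>` and `<TT CLASS="CONSTANT">`; this is purely the older stylesheet's output, carries no content change, and accounts for most of the 244/165 line churn in the diffstat. If the regeneration is intentional, say so in the commit message so reviewers do not have to inspect every hunk for a semantic change hidden among the markup noise.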
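Review bot: in the @@ -447,13 hunk the line `button will not return a list of users in Samba 2.0.4 (it will give` reintroduces a release number into a sentence that describes the current behaviour of the "Add" button when `nt acl support` is set to false; the removed form "in Samba" is correct for every version since and should be kept, otherwise readers may assume the limitation is specific to 2.0.4.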
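Review bot: the @@ -529,33 hunk replaces "There are four parameters to control interaction with the standard Samba create mask parameters. These are :" with "Note that with Samba 2.0.5 there are four new parameters to control this interaction. These are :"; the reintroduced sentence has no antecedent for "this interaction" other than the heading and again dates the text to a specific release. The removed wording states what the parameters control and is the one to keep; the list of the four parameters (security mask, force security mode, directory security mask, force directory security mode) is unchanged apart from the markup swap.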
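Review bot: the @@ -594,31 and @@ -626,60 hunks re-add the clause "to provide compatibility with Samba 2.0.4 where this permission change facility was introduced" three times (after the `create mask`, `force create mode` and `force directory mode` defaults). The substantive statement in each place, that `security mask` defaults to `create mask`, `force security mode` to `force create mode`, and the directory variants to `directory mask` and `force directory mode`, is the part an administrator needs, because it means the share's existing create-mask restrictions also bound what a client can set through the Security tab unless the new parameters are set explicitly; suggest stating that once and dropping the repeated compatibility clause.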
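Review bot: the @@ -688,40 hunk appends "As described, in Samba 2.0.4 the parameters : create mask / force create mode / directory mask / force directory mode were used instead of the parameters discussed here."; nothing earlier in the new text actually describes this, the earlier paragraphs only say the security parameters default to those values, so "As described" dangles. More importantly, the `security mask = 0777` / `force security mode = 0` / `directory security mask = 0777` / `force directory security mode = 0` block is presented as the way to give users "full control" without noting that it removes the share-level limits on which permission bits clients may set; one sentence after the block saying that the defaults derived from the create-mask parameters are the restrictive starting point and that this relaxed set should be applied only to shares where users are trusted to manage their own modes would make the example safer to copy. Also, `<TT CLASS="FILENAME">smb.conf(5)` followed by a line break before `</TT>` puts whitespace inside the filename element; render it as `smb.conf(5)</TT>` on one line.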