Diffstat (limited to 'docs/htmldocs/unix-permissions.html')
-rw-r--r-- | docs/htmldocs/unix-permissions.html | 303 |
1 files changed, 189 insertions, 114 deletions
diff --git a/docs/htmldocs/unix-permissions.html b/docs/htmldocs/unix-permissions.html index df66450be0..f29d450e6d 100644 --- a/docs/htmldocs/unix-permissions.html +++ b/docs/htmldocs/unix-permissions.html @@ -5,7 +5,8 @@ >UNIX Permission Bits and Windows NT Access Control Lists</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -73,18 +74,14 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="UNIX-PERMISSIONS" -></A ->Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 +NAME="UNIX-PERMISSIONS">Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1748" ->11.1. Viewing and changing UNIX permissions using the NT - security dialogs</A -></H1 +NAME="AEN1605">11.1. Viewing and changing UNIX permissions using the NT + security dialogs</H1 ><P >New in the Samba 2.0.4 release is the ability for Windows NT clients to use their native security settings dialog box to @@ -94,15 +91,33 @@ NAME="AEN1748" the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</P +><P +>In Samba 2.0.4 and above the default value of the + parameter <A +HREF="smb.conf.5.html#NTACLSUPPORT" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +> nt acl support</I +></TT +></A +> has been changed from + <TT +CLASS="CONSTANT" +>false</TT +> to <TT +CLASS="CONSTANT" +>true</TT +>, so + manipulation of permissions is turned on by default.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1752" ->11.2. How to view file security on a Samba share</A -></H1 +NAME="AEN1614">11.2. How to view file security on a Samba share</H1 ><P >From an NT 4.0 client, single-click with the right mouse button on any file or directory in a Samba mounted 
@@ -170,9 +185,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1763" ->11.3. Viewing file ownership</A -></H1 +NAME="AEN1625">11.3. Viewing file ownership</H1 ><P >Clicking on the <B CLASS="COMMAND" @@ -186,17 +199,23 @@ CLASS="COMMAND" >"SERVER\user (Long name)"</B ></P ><P ->Where <VAR +>Where <TT CLASS="REPLACEABLE" ->SERVER</VAR +><I +>SERVER</I +></TT > is the NetBIOS name of - the Samba server, <VAR + the Samba server, <TT CLASS="REPLACEABLE" ->user</VAR +><I +>user</I +></TT > is the user name of - the UNIX user who owns the file, and <VAR + the UNIX user who owns the file, and <TT CLASS="REPLACEABLE" ->(Long name)</VAR +><I +>(Long name)</I +></TT > is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). Click on the <B @@ -205,13 +224,15 @@ CLASS="COMMAND" </B > button to remove this dialog.</P ><P ->If the parameter <VAR +>If the parameter <TT CLASS="PARAMETER" ->nt acl support</VAR +><I +>nt acl support</I +></TT > - is set to <CODE + is set to <TT CLASS="CONSTANT" ->false</CODE +>false</TT > then the file owner will be shown as the NT user <B CLASS="COMMAND" @@ -256,9 +277,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1783" ->11.4. Viewing file or directory permissions</A -></H1 +NAME="AEN1645">11.4. Viewing file or directory permissions</H1 ><P >The third button is the <B CLASS="COMMAND" 
@@ -273,28 +292,36 @@ CLASS="COMMAND" >"SERVER\user (Long name)"</B ></P ><P ->Where <VAR +>Where <TT CLASS="REPLACEABLE" ->SERVER</VAR +><I +>SERVER</I +></TT > is the NetBIOS name of - the Samba server, <VAR + the Samba server, <TT CLASS="REPLACEABLE" ->user</VAR +><I +>user</I +></TT > is the user name of - the UNIX user who owns the file, and <VAR + the UNIX user who owns the file, and <TT CLASS="REPLACEABLE" ->(Long name)</VAR +><I +>(Long name)</I +></TT > is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).</P ><P ->If the parameter <VAR +>If the parameter <TT CLASS="PARAMETER" ->nt acl support</VAR +><I +>nt acl support</I +></TT > - is set to <CODE + is set to <TT CLASS="CONSTANT" ->false</CODE +>false</TT > then the file owner will be shown as the NT user <B CLASS="COMMAND" @@ -310,9 +337,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1798" ->11.4.1. File Permissions</A -></H2 +NAME="AEN1660">11.4.1. File Permissions</H2 ><P >The standard UNIX user/group/world triple and the corresponding "read", "write", "execute" permissions @@ -372,9 +397,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1812" ->11.4.2. Directory Permissions</A -></H2 +NAME="AEN1674">11.4.2. Directory Permissions</H2 ><P >Directories on an NT NTFS file system have two different sets of permissions. The first set of permissions @@ -404,9 +427,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1819" ->11.5. Modifying file or directory permissions</A -></H1 +NAME="AEN1681">11.5. Modifying file or directory permissions</H1 ><P >Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box, and 
@@ -418,13 +439,15 @@ CLASS="COMMAND" with the standard Samba permission masks and mapping of DOS attributes that need to also be taken into account.</P ><P ->If the parameter <VAR +>If the parameter <TT CLASS="PARAMETER" ->nt acl support</VAR +><I +>nt acl support</I +></TT > - is set to <CODE + is set to <TT CLASS="CONSTANT" ->false</CODE +>false</TT > then any attempt to set security permissions will fail with an <B CLASS="COMMAND" @@ -500,32 +523,38 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1841" ->11.6. Interaction with the standard Samba create mask - parameters</A -></H1 +NAME="AEN1703">11.6. Interaction with the standard Samba create mask + parameters</H1 ><P >Note that with Samba 2.0.5 there are four new parameters to control this interaction. These are :</P ><P -><VAR +><TT CLASS="PARAMETER" ->security mask</VAR +><I +>security mask</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force security mode</VAR +><I +>force security mode</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->directory security mask</VAR +><I +>directory security mask</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force directory security mode</VAR +><I +>force directory security mode</I +></TT ></P ><P >Once a user clicks <B @@ -538,17 +567,21 @@ CLASS="COMMAND" HREF="smb.conf.5.html#SECURITYMASK" TARGET="_top" > - <VAR + <TT CLASS="PARAMETER" ->security mask</VAR +><I +>security mask</I +></TT ></A > parameter. Any bits that were changed that are not set to '1' in this parameter are left alone in the file permissions.</P ><P ->Essentially, zero bits in the <VAR +>Essentially, zero bits in the <TT CLASS="PARAMETER" ->security mask</VAR +><I +>security mask</I +></TT > mask may be treated as a set of bits the user is <SPAN CLASS="emphasis" 
@@ -564,10 +597,12 @@ CLASS="EMPHASIS" the <A HREF="smb.conf.5.html#CREATEMASK" TARGET="_top" -><VAR +><TT CLASS="PARAMETER" +><I >create mask - </VAR + </I +></TT ></A > parameter to provide compatibility with Samba 2.0.4 where this permission change facility was introduced. To allow a user to @@ -578,18 +613,22 @@ CLASS="PARAMETER" the bits set in the <A HREF="smb.conf.5.html#FORCESECURITYMODE" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->force security mode</VAR +><I +>force security mode</I +></TT ></A > parameter. Any bits that were changed that correspond to bits set to '1' in this parameter are forced to be set.</P ><P ->Essentially, bits set in the <VAR +>Essentially, bits set in the <TT CLASS="PARAMETER" +><I >force security mode - </VAR + </I +></TT > parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.</P ><P 
@@ -597,60 +636,82 @@ CLASS="PARAMETER" as the <A HREF="smb.conf.5.html#FORCECREATEMODE" TARGET="_top" -><VAR +><TT CLASS="PARAMETER" +><I >force - create mode</VAR + create mode</I +></TT ></A > parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. To allow a user to modify all the user/group/world permissions on a file with no restrictions set this parameter to 000.</P ><P ->The <VAR +>The <TT CLASS="PARAMETER" ->security mask</VAR -> and <VAR +><I +>security mask</I +></TT +> and <TT CLASS="PARAMETER" +><I >force - security mode</VAR + security mode</I +></TT > parameters are applied to the change request in that order.</P ><P >For a directory Samba will perform the same operations as - described above for a file except using the parameter <VAR + described above for a file except using the parameter <TT CLASS="PARAMETER" -> directory security mask</VAR -> instead of <VAR +><I +> directory security mask</I +></TT +> instead of <TT CLASS="PARAMETER" +><I >security - mask</VAR ->, and <VAR + mask</I +></TT +>, and <TT CLASS="PARAMETER" +><I >force directory security mode - </VAR -> parameter instead of <VAR + </I +></TT +> parameter instead of <TT CLASS="PARAMETER" +><I >force security mode - </VAR + </I +></TT >.</P ><P ->The <VAR +>The <TT CLASS="PARAMETER" ->directory security mask</VAR +><I +>directory security mask</I +></TT > parameter - by default is set to the same value as the <VAR + by default is set to the same value as the <TT CLASS="PARAMETER" +><I >directory mask - </VAR -> parameter and the <VAR + </I +></TT +> parameter and the <TT CLASS="PARAMETER" +><I >force directory security - mode</VAR + mode</I +></TT > parameter by default is set to the same value as - the <VAR + the <TT CLASS="PARAMETER" ->force directory mode</VAR +><I +>force directory mode</I +></TT > parameter to provide compatibility with Samba 2.0.4 where the permission change facility was introduced.</P 
@@ -672,46 +733,62 @@ CLASS="FILENAME" ></A > file in that share specific section :</P ><P -><VAR +><TT CLASS="PARAMETER" ->security mask = 0777</VAR +><I +>security mask = 0777</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force security mode = 0</VAR +><I +>force security mode = 0</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->directory security mask = 0777</VAR +><I +>directory security mask = 0777</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force directory security mode = 0</VAR +><I +>force directory security mode = 0</I +></TT ></P ><P >As described, in Samba 2.0.4 the parameters :</P ><P -><VAR +><TT CLASS="PARAMETER" ->create mask</VAR +><I +>create mask</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force create mode</VAR +><I +>force create mode</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->directory mask</VAR +><I +>directory mask</I +></TT ></P ><P -><VAR +><TT CLASS="PARAMETER" ->force directory mode</VAR +><I +>force directory mode</I +></TT ></P ><P >were used instead of the parameters discussed here.</P @@ -721,10 +798,8 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1905" ->11.7. Interaction with the standard Samba file attribute - mapping</A -></H1 +NAME="AEN1767">11.7. Interaction with the standard Samba file attribute + mapping</H1 ><P >Samba maps some of the DOS attribute bits (such as "read only") into the UNIX permissions of a file. This means there can |
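Review bot: the GENERATOR value in the first hunk (@@ -5,7 +5,8) now has a line break inside the attribute: `Version 1.76b+` is followed by a newline before the closing quote. That looks like an artifact of the stylesheet build rather than an intended value. Most of the 189 insertions in this file also read as regeneration output from the newer stylesheet. Committing the regenerated HTML separately from the one content change (the new `nt acl support` paragraph) would make the substantive edit reviewable on its own.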
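Review bot: the heading anchors are left unclosed, starting in the @@ -73,18 +74,14 hunk and repeating at every section heading after it. The removed lines closed each anchor with `</A`, while the new lines run `NAME="UNIX-PERMISSIONS">Chapter 11. ...</H1` and `NAME="AEN1605">11.1. ...</H1` straight into `</H1`, so each `<A NAME=...>` stays open across the heading. The generated names are also renumbered (AEN1748 becomes AEN1605, AEN1752 becomes AEN1614, AEN1905 becomes AEN1767), so any link to the old fragment names stops resolving. Please restore the closing `</A` and, if possible, give the sections explicit ids in the DocBook source so the fragment names stay stable across regenerations.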
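Review bot: the new paragraph in the @@ -94,15 +91,33 hunk is ambiguous about which release changed the default. It says "In Samba 2.0.4 and above the default value ... has been changed from false to true", but the paragraph directly above it says the feature itself is "New in the Samba 2.0.4 release". Please name the release in which the default was `false`. Because the paragraph tells administrators that permission manipulation from NT clients is now on by default, it should also point to section 11.6, where `security mask` and `force security mode` bound what a client may change, and say that setting `nt acl support` to `false` restores the old behaviour. There is also a stray leading space inside the parameter name (`> nt acl support</I`).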
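Review bot: from the @@ -186,17 +199,23 hunk onward, every `<VAR CLASS="REPLACEABLE">`, `<VAR CLASS="PARAMETER">` and `<CODE CLASS="CONSTANT">` is replaced by `<TT ...><I>` or a bare `<TT>`, which trades semantic elements for presentational ones. If that comes from the new stylesheet defaults, please confirm it is intended. The CLASS attribute is kept, so styling hooks survive, but anything that selects on VAR or CODE will no longer match. Several parameter names also still carry whitespace inside the element, for example `>create mask` followed by a line break before `</I`, which ends up inside the emphasised text. This would be a good moment to trim that in the source.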
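Review bot: in the @@ -672,46 +733,62 hunk, each of the four example settings (`security mask = 0777`, `force security mode = 0`, and the two directory equivalents) is rendered as its own `<P>` with PARAMETER markup, so readers cannot copy them as one smb.conf fragment. A single literal listing would suit these better. The value notation is also inconsistent: the prose in the @@ -597,60 +636,82 hunk says to set the parameter "to 000", while the example writes `= 0`. Please pick one form. Since these are the values that remove all restrictions on what an NT client can change, the text should state that they apply only inside the share section where they are set.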