summaryrefslogtreecommitdiff
path: root/docs/htmldocs/unix-permissions.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/unix-permissions.html')
-rw-r--r--docs/htmldocs/unix-permissions.html917
1 files changed, 917 insertions, 0 deletions
diff --git a/docs/htmldocs/unix-permissions.html b/docs/htmldocs/unix-permissions.html
new file mode 100644
index 0000000000..9faf0eba28
--- /dev/null
+++ b/docs/htmldocs/unix-permissions.html
@@ -0,0 +1,917 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>UNIX Permission Bits and Windows NT Access Control Lists</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="PREVIOUS"
+TITLE="Hosting a Microsoft Distributed File System tree on Samba"
+HREF="msdfs.html"><LINK
+REL="NEXT"
+TITLE="Printing Support in Samba 2.2.x"
+HREF="printing.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="msdfs.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="printing.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="UNIX-PERMISSIONS"
+></A
+>Chapter 5. UNIX Permission Bits and Windows NT Access Control Lists</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN580"
+></A
+>5.1. Viewing and changing UNIX permissions using the NT
+ security dialogs</H1
+><P
+>New in the Samba 2.0.4 release is the ability for Windows
+ NT clients to use their native security settings dialog box to
+ view and modify the underlying UNIX permissions.</P
+><P
+>Note that this ability is careful not to compromise
+ the security of the UNIX host Samba is running on, and
+ still obeys all the file permission rules that a Samba
+ administrator can set.</P
+><P
+>In Samba 2.0.4 and above the default value of the
+ parameter <A
+HREF="smb.conf.5.html#NTACLSUPPORT"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> nt acl support</I
+></TT
+></A
+> has been changed from
+ <TT
+CLASS="CONSTANT"
+>false</TT
+> to <TT
+CLASS="CONSTANT"
+>true</TT
+>, so
+ manipulation of permissions is turned on by default.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN589"
+></A
+>5.2. How to view file security on a Samba share</H1
+><P
+>From an NT 4.0 client, single-click with the right
+ mouse button on any file or directory in a Samba mounted
+ drive letter or UNC path. When the menu pops-up, click
+ on the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Properties</I
+></SPAN
+> entry at the bottom of
+ the menu. This brings up the normal file properties dialog
+ box, but with Samba 2.0.4 this will have a new tab along the top
+ marked <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Security</I
+></SPAN
+>. Click on this tab and you
+ will see three buttons, <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Permissions</I
+></SPAN
+>,
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Auditing</I
+></SPAN
+>, and <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Ownership</I
+></SPAN
+>.
+ The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Auditing</I
+></SPAN
+> button will cause either
+ an error message <SPAN
+CLASS="ERRORNAME"
+>A requested privilege is not held
+ by the client</SPAN
+> to appear if the user is not the
+ NT Administrator, or a dialog which is intended to allow an
+ Administrator to add auditing requirements to a file if the
+ user is logged on as the NT Administrator. This dialog is
+ non-functional with a Samba share at this time, as the only
+ useful button, the <B
+CLASS="COMMAND"
+>Add</B
+> button will not currently
+ allow a list of users to be seen.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN600"
+></A
+>5.3. Viewing file ownership</H1
+><P
+>Clicking on the <B
+CLASS="COMMAND"
+>"Ownership"</B
+> button
+ brings up a dialog box telling you who owns the given file. The
+ owner name will be of the form :</P
+><P
+><B
+CLASS="COMMAND"
+>"SERVER\user (Long name)"</B
+></P
+><P
+>Where <TT
+CLASS="REPLACEABLE"
+><I
+>SERVER</I
+></TT
+> is the NetBIOS name of
+ the Samba server, <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+> is the user name of
+ the UNIX user who owns the file, and <TT
+CLASS="REPLACEABLE"
+><I
+>(Long name)</I
+></TT
+>
+ is the descriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database). Click on the <B
+CLASS="COMMAND"
+>Close
+ </B
+> button to remove this dialog.</P
+><P
+>If the parameter <TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+>
+ is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then the file owner will
+ be shown as the NT user <B
+CLASS="COMMAND"
+>"Everyone"</B
+>.</P
+><P
+>The <B
+CLASS="COMMAND"
+>Take Ownership</B
+> button will not allow
+ you to change the ownership of this file to yourself (clicking on
+ it will display a dialog box complaining that the user you are
+ currently logged onto the NT client cannot be found). The reason
+ for this is that changing the ownership of a file is a privileged
+ operation in UNIX, available only to the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>root</I
+></SPAN
+>
+ user. As clicking on this button causes NT to attempt to change
+ the ownership of a file to the current user logged into the NT
+ client this will not work with Samba at this time.</P
+><P
+>There is an NT chown command that will work with Samba
+ and allow a user with Administrator privilege connected
+ to a Samba 2.0.4 server as root to change the ownership of
+ files on both a local NTFS filesystem or remote mounted NTFS
+ or Samba drive. This is available as part of the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Seclib
+ </I
+></SPAN
+> NT security library written by Jeremy Allison of
+ the Samba Team, available from the main Samba ftp site.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN620"
+></A
+>5.4. Viewing file or directory permissions</H1
+><P
+>The third button is the <B
+CLASS="COMMAND"
+>"Permissions"</B
+>
+ button. Clicking on this brings up a dialog box that shows both
+ the permissions and the UNIX owner of the file or directory.
+ The owner is displayed in the form :</P
+><P
+><B
+CLASS="COMMAND"
+>"SERVER\user (Long name)"</B
+></P
+><P
+>Where <TT
+CLASS="REPLACEABLE"
+><I
+>SERVER</I
+></TT
+> is the NetBIOS name of
+ the Samba server, <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+> is the user name of
+ the UNIX user who owns the file, and <TT
+CLASS="REPLACEABLE"
+><I
+>(Long name)</I
+></TT
+>
+ is the descriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database).</P
+><P
+>If the parameter <TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+>
+ is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then the file owner will
+ be shown as the NT user <B
+CLASS="COMMAND"
+>"Everyone"</B
+> and the
+ permissions will be shown as NT "Full Control".</P
+><P
+>The permissions field is displayed differently for files
+ and directories, so I'll describe the way file permissions
+ are displayed first.</P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN635"
+></A
+>5.4.1. File Permissions</H2
+><P
+>The standard UNIX user/group/world triple and
+ the corresponding "read", "write", "execute" permissions
+ triples are mapped by Samba into a three element NT ACL
+ with the 'r', 'w', and 'x' bits mapped into the corresponding
+ NT permissions. The UNIX world permissions are mapped into
+ the global NT group <B
+CLASS="COMMAND"
+>Everyone</B
+>, followed
+ by the list of permissions allowed for UNIX world. The UNIX
+ owner and group permissions are displayed as an NT
+ <B
+CLASS="COMMAND"
+>user</B
+> icon and an NT <B
+CLASS="COMMAND"
+>local
+ group</B
+> icon respectively followed by the list
+ of permissions allowed for the UNIX user and group.</P
+><P
+>As many UNIX permission sets don't map into common
+ NT names such as <B
+CLASS="COMMAND"
+>"read"</B
+>, <B
+CLASS="COMMAND"
+> "change"</B
+> or <B
+CLASS="COMMAND"
+>"full control"</B
+> then
+ usually the permissions will be prefixed by the words <B
+CLASS="COMMAND"
+> "Special Access"</B
+> in the NT display list.</P
+><P
+>But what happens if the file has no permissions allowed
+ for a particular UNIX user group or world component ? In order
+ to allow "no permissions" to be seen and modified then Samba
+ overloads the NT <B
+CLASS="COMMAND"
+>"Take Ownership"</B
+> ACL attribute
+ (which has no meaning in UNIX) and reports a component with
+ no permissions as having the NT <B
+CLASS="COMMAND"
+>"O"</B
+> bit set.
+ This was chosen of course to make it look like a zero, meaning
+ zero permissions. More details on the decision behind this will
+ be given below.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN649"
+></A
+>5.4.2. Directory Permissions</H2
+><P
+>Directories on an NT NTFS file system have two
+ different sets of permissions. The first set of permissions
+ is the ACL set on the directory itself, this is usually displayed
+ in the first set of parentheses in the normal <B
+CLASS="COMMAND"
+>"RW"</B
+>
+ NT style. This first set of permissions is created by Samba in
+ exactly the same way as normal file permissions are, described
+ above, and is displayed in the same way.</P
+><P
+>The second set of directory permissions has no real meaning
+ in the UNIX permissions world and represents the <B
+CLASS="COMMAND"
+> "inherited"</B
+> permissions that any file created within
+ this directory would inherit.</P
+><P
+>Samba synthesises these inherited permissions for NT by
+ returning as an NT ACL the UNIX permission mode that a new file
+ created by Samba on this share would receive.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN656"
+></A
+>5.5. Modifying file or directory permissions</H1
+><P
+>Modifying file and directory permissions is as simple
+ as changing the displayed permissions in the dialog box, and
+ clicking the <B
+CLASS="COMMAND"
+>OK</B
+> button. However, there are
+ limitations that a user needs to be aware of, and also interactions
+ with the standard Samba permission masks and mapping of DOS
+ attributes that need to also be taken into account.</P
+><P
+>If the parameter <TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+>
+ is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then any attempt to set
+ security permissions will fail with an <B
+CLASS="COMMAND"
+>"Access Denied"
+ </B
+> message.</P
+><P
+>The first thing to note is that the <B
+CLASS="COMMAND"
+>"Add"</B
+>
+ button will not return a list of users in Samba 2.0.4 (it will give
+ an error message of <B
+CLASS="COMMAND"
+>"The remote procedure call failed
+ and did not execute"</B
+>). This means that you can only
+ manipulate the current user/group/world permissions listed in
+ the dialog box. This actually works quite well as these are the
+ only permissions that UNIX actually has.</P
+><P
+>If a permission triple (either user, group, or world)
+ is removed from the list of permissions in the NT dialog box,
+ then when the <B
+CLASS="COMMAND"
+>"OK"</B
+> button is pressed it will
+ be applied as "no permissions" on the UNIX side. If you then
+ view the permissions again the "no permissions" entry will appear
+ as the NT <B
+CLASS="COMMAND"
+>"O"</B
+> flag, as described above. This
+ allows you to add permissions back to a file or directory once
+ you have removed them from a triple component.</P
+><P
+>As UNIX supports only the "r", "w" and "x" bits of
+ an NT ACL then if other NT security attributes such as "Delete
+ access" are selected then they will be ignored when applied on
+ the Samba server.</P
+><P
+>When setting permissions on a directory the second
+ set of permissions (in the second set of parentheses) is
+ by default applied to all files within that directory. If this
+ is not what you want you must uncheck the <B
+CLASS="COMMAND"
+>"Replace
+ permissions on existing files"</B
+> checkbox in the NT
+ dialog before clicking <B
+CLASS="COMMAND"
+>"OK"</B
+>.</P
+><P
+>If you wish to remove all permissions from a
+ user/group/world component then you may either highlight the
+ component and click the <B
+CLASS="COMMAND"
+>"Remove"</B
+> button,
+ or set the component to only have the special <B
+CLASS="COMMAND"
+>"Take
+ Ownership"</B
+> permission (displayed as <B
+CLASS="COMMAND"
+>"O"
+ </B
+>) highlighted.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN678"
+></A
+>5.6. Interaction with the standard Samba create mask
+ parameters</H1
+><P
+>Note that with Samba 2.0.5 there are four new parameters
+ to control this interaction. These are :</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory security mode</I
+></TT
+></P
+><P
+>Once a user clicks <B
+CLASS="COMMAND"
+>"OK"</B
+> to apply the
+ permissions Samba maps the given permissions into a user/group/world
+ r/w/x triple set, and then will check the changed permissions for a
+ file against the bits set in the <A
+HREF="smb.conf.5.html#SECURITYMASK"
+TARGET="_top"
+>
+ <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+> parameter. Any bits that
+ were changed that are not set to '1' in this parameter are left alone
+ in the file permissions.</P
+><P
+>Essentially, zero bits in the <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+>
+ mask may be treated as a set of bits the user is <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>not</I
+></SPAN
+>
+ allowed to change, and one bits are those the user is allowed to change.
+ </P
+><P
+>If not set explicitly this parameter is set to the same value as
+ the <A
+HREF="smb.conf.5.html#CREATEMASK"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask
+ </I
+></TT
+></A
+> parameter to provide compatibility with Samba 2.0.4
+ where this permission change facility was introduced. To allow a user to
+ modify all the user/group/world permissions on a file, set this parameter
+ to 0777.</P
+><P
+>Next Samba checks the changed permissions for a file against
+ the bits set in the <A
+HREF="smb.conf.5.html#FORCESECURITYMODE"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></A
+> parameter. Any bits
+ that were changed that correspond to bits set to '1' in this parameter
+ are forced to be set.</P
+><P
+>Essentially, bits set in the <TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+> parameter may be treated as a set of bits that, when
+ modifying security on a file, the user has always set to be 'on'.</P
+><P
+>If not set explicitly this parameter is set to the same value
+ as the <A
+HREF="smb.conf.5.html#FORCECREATEMODE"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ create mode</I
+></TT
+></A
+> parameter to provide compatibility
+ with Samba 2.0.4 where the permission change facility was introduced.
+ To allow a user to modify all the user/group/world permissions on a file
+ with no restrictions set this parameter to 000.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>force
+ security mode</I
+></TT
+> parameters are applied to the change
+ request in that order.</P
+><P
+>For a directory Samba will perform the same operations as
+ described above for a file except using the parameter <TT
+CLASS="PARAMETER"
+><I
+> directory security mask</I
+></TT
+> instead of <TT
+CLASS="PARAMETER"
+><I
+>security
+ mask</I
+></TT
+>, and <TT
+CLASS="PARAMETER"
+><I
+>force directory security mode
+ </I
+></TT
+> parameter instead of <TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+>.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+> parameter
+ by default is set to the same value as the <TT
+CLASS="PARAMETER"
+><I
+>directory mask
+ </I
+></TT
+> parameter and the <TT
+CLASS="PARAMETER"
+><I
+>force directory security
+ mode</I
+></TT
+> parameter by default is set to the same value as
+ the <TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+> parameter to provide
+ compatibility with Samba 2.0.4 where the permission change facility
+ was introduced.</P
+><P
+>In this way Samba enforces the permission restrictions that
+ an administrator can set on a Samba share, whilst still allowing users
+ to modify the permission bits within that restriction.</P
+><P
+>If you want to set up a share that allows users full control
+ in modifying the permission bits on their files and directories and
+ doesn't force any particular bits to be set 'on', then set the following
+ parameters in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)
+ </TT
+></A
+> file in that share specific section :</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>security mask = 0777</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode = 0</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask = 0777</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory security mode = 0</I
+></TT
+></P
+><P
+>As described, in Samba 2.0.4 the parameters :</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+></P
+><P
+>were used instead of the parameters discussed here.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN742"
+></A
+>5.7. Interaction with the standard Samba file attribute
+ mapping</H1
+><P
+>Samba maps some of the DOS attribute bits (such as "read
+ only") into the UNIX permissions of a file. This means there can
+ be a conflict between the permission bits set via the security
+ dialog and the permission bits set by the file attribute mapping.
+ </P
+><P
+>One way this can show up is if a file has no UNIX read access
+ for the owner it will show up as "read only" in the standard
+ file attributes tabbed dialog. Unfortunately this dialog is
+ the same one that contains the security info in another tab.</P
+><P
+>What this can mean is that if the owner changes the permissions
+ to allow themselves read access using the security dialog, clicks
+ <B
+CLASS="COMMAND"
+>"OK"</B
+> to get back to the standard attributes tab
+ dialog, and then clicks <B
+CLASS="COMMAND"
+>"OK"</B
+> on that dialog, then
+ NT will set the file permissions back to read-only (as that is what
+ the attributes still say in the dialog). This means that after setting
+ permissions and clicking <B
+CLASS="COMMAND"
+>"OK"</B
+> to get back to the
+ attributes dialog you should always hit <B
+CLASS="COMMAND"
+>"Cancel"</B
+>
+ rather than <B
+CLASS="COMMAND"
+>"OK"</B
+> to ensure that your changes
+ are not overridden.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="msdfs.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="printing.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Hosting a Microsoft Distributed File System tree on Samba</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Printing Support in Samba 2.2.x</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file