Diffstat (limited to 'docs/htmldocs/unix-permissions.html')
| -rw-r--r-- | docs/htmldocs/unix-permissions.html | 979 | 
1 files changed, 846 insertions, 133 deletions
| diff --git a/docs/htmldocs/unix-permissions.html b/docs/htmldocs/unix-permissions.html index e9a3b5e671..f29d450e6d 100644 --- a/docs/htmldocs/unix-permissions.html +++ b/docs/htmldocs/unix-permissions.html 
@@ -1,194 +1,907 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 10. User information database"><link rel="next" href="groupmapping.html" title="Chapter 12. Configuring Group Mapping"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="unix-permissions"></a>Chapter 11. 
UNIX Permission Bits and Windows NT Access Control Lists</h2></div><div><div class="author"><h3 class="author">Jeremy Allison</h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">12 Apr 1999</p></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="unix-permissions.html#id2881950">Viewing and changing UNIX permissions using the NT  -	security dialogs</a></dt><dt><a href="unix-permissions.html#id2881832">How to view file security on a Samba share</a></dt><dt><a href="unix-permissions.html#id2885176">Viewing file ownership</a></dt><dt><a href="unix-permissions.html#id2885297">Viewing file or directory permissions</a></dt><dd><dl><dt><a href="unix-permissions.html#id2885379">File Permissions</a></dt><dt><a href="unix-permissions.html#id2885483">Directory Permissions</a></dt></dl></dd><dt><a href="unix-permissions.html#id2885533">Modifying file or directory permissions</a></dt><dt><a href="unix-permissions.html#id2885693">Interaction with the standard Samba create mask  -	parameters</a></dt><dt><a href="unix-permissions.html#id2886008">Interaction with the standard Samba file attribute  -	mapping</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2881950"></a>Viewing and changing UNIX permissions using the NT  -	security dialogs</h2></div></div><p>Windows NT clients can use their native security settings  -	dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise  +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>UNIX Permission Bits and Windows NT Access Control Lists</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" 
+HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Optional configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Integrating MS Windows networks with Samba" +HREF="integrate-ms-networks.html"><LINK +REL="NEXT" +TITLE="Configuring PAM for distributed but centrally  +managed authentication" +HREF="pam.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="integrate-ms-networks.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="pam.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="UNIX-PERMISSIONS">Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1605">11.1. Viewing and changing UNIX permissions using the NT  +	security dialogs</H1 +><P +>New in the Samba 2.0.4 release is the ability for Windows  +	NT clients to use their native security settings dialog box to  +	view and modify the underlying UNIX permissions.</P +><P +>Note that this ability is careful not to compromise   	the security of the UNIX host Samba is running on, and   	still obeys all the file permission rules that a Samba  -	administrator can set.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> -	All access to Unix/Linux system file via Samba is controlled at -	the operating system file access control level. 
When trying to -	figure out file access problems it is vitally important to identify -	the identity of the Windows user as it is presented by Samba at -	the point of file access. This can best be determined from the -	Samba log files. -	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2881832"></a>How to view file security on a Samba share</h2></div></div><p>From an NT4/2000/XP client, single-click with the right  +	administrator can set.</P +><P +>In Samba 2.0.4 and above the default value of the  +	parameter <A +HREF="smb.conf.5.html#NTACLSUPPORT" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>	nt acl support</I +></TT +></A +> has been changed from  +	<TT +CLASS="CONSTANT" +>false</TT +> to <TT +CLASS="CONSTANT" +>true</TT +>, so  + 	manipulation of permissions is turned on by default.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1614">11.2. How to view file security on a Samba share</H1 +><P +>From an NT 4.0 client, single-click with the right   	mouse button on any file or directory in a Samba mounted   	drive letter or UNC path. When the menu pops-up, click  -	on the <span class="emphasis"><em>Properties</em></span> entry at the bottom of  -	the menu. This brings up the file properties dialog -	box. Click on the tab <span class="emphasis"><em>Security</em></span> and you  -	will see three buttons, <span class="emphasis"><em>Permissions</em></span>, 	 -	<span class="emphasis"><em>Auditing</em></span>, and <span class="emphasis"><em>Ownership</em></span>.  -	The <span class="emphasis"><em>Auditing</em></span> button will cause either  -	an error message A requested privilege is not held  -	by the client to appear if the user is not the  +	on the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Properties</I +></SPAN +> entry at the bottom of  +	the menu. 
This brings up the normal file properties dialog +	box, but with Samba 2.0.4 this will have a new tab along the top +	marked <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Security</I +></SPAN +>. Click on this tab and you  +	will see three buttons, <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Permissions</I +></SPAN +>, 	 +	<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Auditing</I +></SPAN +>, and <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Ownership</I +></SPAN +>.  +	The <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Auditing</I +></SPAN +> button will cause either  +	an error message <SPAN +CLASS="ERRORNAME" +>A requested privilege is not held  +	by the client</SPAN +> to appear if the user is not the   	NT Administrator, or a dialog which is intended to allow an   	Administrator to add auditing requirements to a file if the   	user is logged on as the NT Administrator. This dialog is   	non-functional with a Samba share at this time, as the only  -	useful button, the <b>Add</b> button will not currently  -	allow a list of users to be seen.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2885176"></a>Viewing file ownership</h2></div></div><p>Clicking on the <b>"Ownership"</b> button  +	useful button, the <B +CLASS="COMMAND" +>Add</B +> button will not currently  +	allow a list of users to be seen.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1625">11.3. Viewing file ownership</H1 +><P +>Clicking on the <B +CLASS="COMMAND" +>"Ownership"</B +> button   	brings up a dialog box telling you who owns the given file. 
The  -	owner name will be of the form :</p><p><b>"SERVER\user (Long name)"</b></p><p>Where <i><tt>SERVER</tt></i> is the NetBIOS name of  -	the Samba server, <i><tt>user</tt></i> is the user name of  -	the UNIX user who owns the file, and <i><tt>(Long name)</tt></i> +	owner name will be of the form :</P +><P +><B +CLASS="COMMAND" +>"SERVER\user (Long name)"</B +></P +><P +>Where <TT +CLASS="REPLACEABLE" +><I +>SERVER</I +></TT +> is the NetBIOS name of  +	the Samba server, <TT +CLASS="REPLACEABLE" +><I +>user</I +></TT +> is the user name of  +	the UNIX user who owns the file, and <TT +CLASS="REPLACEABLE" +><I +>(Long name)</I +></TT +>  	is the descriptive string identifying the user (normally found in the -	GECOS field of the UNIX password database). Click on the <b>Close -	</b> button to remove this dialog.</p><p>If the parameter <i><tt>nt acl support</tt></i> -	is set to <tt>false</tt> then the file owner will  -	be shown as the NT user <b>"Everyone"</b>.</p><p>The <b>Take Ownership</b> button will not allow  +	GECOS field of the UNIX password database). Click on the <B +CLASS="COMMAND" +>Close +	</B +> button to remove this dialog.</P +><P +>If the parameter <TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> +	is set to <TT +CLASS="CONSTANT" +>false</TT +> then the file owner will  +	be shown as the NT user <B +CLASS="COMMAND" +>"Everyone"</B +>.</P +><P +>The <B +CLASS="COMMAND" +>Take Ownership</B +> button will not allow   	you to change the ownership of this file to yourself (clicking on   	it will display a dialog box complaining that the user you are   	currently logged onto the NT client cannot be found). The reason   	for this is that changing the ownership of a file is a privileged  -	operation in UNIX, available only to the <span class="emphasis"><em>root</em></span>  +	operation in UNIX, available only to the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>root</I +></SPAN +>   	user. 
As clicking on this button causes NT to attempt to change   	the ownership of a file to the current user logged into the NT  -	client this will not work with Samba at this time.</p><p>There is an NT chown command that will work with Samba  +	client this will not work with Samba at this time.</P +><P +>There is an NT chown command that will work with Samba   	and allow a user with Administrator privilege connected  -	to a Samba server as root to change the ownership of  +	to a Samba 2.0.4 server as root to change the ownership of   	files on both a local NTFS filesystem or remote mounted NTFS  -	or Samba drive. This is available as part of the <span class="emphasis"><em>Seclib -	</em></span> NT security library written by Jeremy Allison of  -	the Samba Team, available from the main Samba ftp site.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2885297"></a>Viewing file or directory permissions</h2></div></div><p>The third button is the <b>"Permissions"</b>  +	or Samba drive. This is available as part of the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Seclib +	</I +></SPAN +> NT security library written by Jeremy Allison of  +	the Samba Team, available from the main Samba ftp site.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1645">11.4. Viewing file or directory permissions</H1 +><P +>The third button is the <B +CLASS="COMMAND" +>"Permissions"</B +>   	button. Clicking on this brings up a dialog box that shows both   	the permissions and the UNIX owner of the file or directory.  
-	The owner is displayed in the form :</p><p><b>"SERVER\user (Long name)"</b></p><p>Where <i><tt>SERVER</tt></i> is the NetBIOS name of  -	the Samba server, <i><tt>user</tt></i> is the user name of  -	the UNIX user who owns the file, and <i><tt>(Long name)</tt></i> +	The owner is displayed in the form :</P +><P +><B +CLASS="COMMAND" +>"SERVER\user (Long name)"</B +></P +><P +>Where <TT +CLASS="REPLACEABLE" +><I +>SERVER</I +></TT +> is the NetBIOS name of  +	the Samba server, <TT +CLASS="REPLACEABLE" +><I +>user</I +></TT +> is the user name of  +	the UNIX user who owns the file, and <TT +CLASS="REPLACEABLE" +><I +>(Long name)</I +></TT +>  	is the descriptive string identifying the user (normally found in the -	GECOS field of the UNIX password database).</p><p>If the parameter <i><tt>nt acl support</tt></i> -	is set to <tt>false</tt> then the file owner will  -	be shown as the NT user <b>"Everyone"</b> and the  -	permissions will be shown as NT "Full Control".</p><p>The permissions field is displayed differently for files  +	GECOS field of the UNIX password database).</P +><P +>If the parameter <TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> +	is set to <TT +CLASS="CONSTANT" +>false</TT +> then the file owner will  +	be shown as the NT user <B +CLASS="COMMAND" +>"Everyone"</B +> and the  +	permissions will be shown as NT "Full Control".</P +><P +>The permissions field is displayed differently for files   	and directories, so I'll describe the way file permissions  -	are displayed first.</p><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2885379"></a>File Permissions</h3></div></div><p>The standard UNIX user/group/world triple and  -		the corresponding "read", "write", "execute" permissions  +	are displayed first.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1660">11.4.1. 
File Permissions</H2 +><P +>The standard UNIX user/group/world triple and  +		the corresponding "read", "write", "execute" permissions   		triples are mapped by Samba into a three element NT ACL   		with the 'r', 'w', and 'x' bits mapped into the corresponding   		NT permissions. The UNIX world permissions are mapped into  -		the global NT group <b>Everyone</b>, followed  +		the global NT group <B +CLASS="COMMAND" +>Everyone</B +>, followed   		by the list of permissions allowed for UNIX world. The UNIX   		owner and group permissions are displayed as an NT  -		<b>user</b> icon and an NT <b>local  -		group</b> icon respectively followed by the list  -	 	of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common  -		NT names such as <b>"read"</b>, <b> -		"change"</b> or <b>"full control"</b> then  -		usually the permissions will be prefixed by the words <b> -		"Special Access"</b> in the NT display list.</p><p>But what happens if the file has no permissions allowed  +		<B +CLASS="COMMAND" +>user</B +> icon and an NT <B +CLASS="COMMAND" +>local  +		group</B +> icon respectively followed by the list  +	 	of permissions allowed for the UNIX user and group.</P +><P +>As many UNIX permission sets don't map into common  +		NT names such as <B +CLASS="COMMAND" +>"read"</B +>, <B +CLASS="COMMAND" +>		"change"</B +> or <B +CLASS="COMMAND" +>"full control"</B +> then  +		usually the permissions will be prefixed by the words <B +CLASS="COMMAND" +>		"Special Access"</B +> in the NT display list.</P +><P +>But what happens if the file has no permissions allowed   		for a particular UNIX user group or world component ? 
In order  -		to  allow "no permissions" to be seen and modified then Samba  -		overloads the NT <b>"Take Ownership"</b> ACL attribute  +		to  allow "no permissions" to be seen and modified then Samba  +		overloads the NT <B +CLASS="COMMAND" +>"Take Ownership"</B +> ACL attribute   		(which has no meaning in UNIX) and reports a component with  -		no permissions as having the NT <b>"O"</b> bit set.  +		no permissions as having the NT <B +CLASS="COMMAND" +>"O"</B +> bit set.   		This was chosen of course to make it look like a zero, meaning   		zero permissions. More details on the decision behind this will  -		be given below.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2885483"></a>Directory Permissions</h3></div></div><p>Directories on an NT NTFS file system have two  +		be given below.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN1674">11.4.2. Directory Permissions</H2 +><P +>Directories on an NT NTFS file system have two   		different sets of permissions. The first set of permissions   		is the ACL set on the directory itself, this is usually displayed  -		in the first set of parentheses in the normal <b>"RW"</b>  +		in the first set of parentheses in the normal <B +CLASS="COMMAND" +>"RW"</B +>   		NT style. 
This first set of permissions is created by Samba in   		exactly the same way as normal file permissions are, described  -		above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning  -		in the UNIX permissions world and represents the <b> -		"inherited"</b> permissions that any file created within  -		this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by  +		above, and is displayed in the same way.</P +><P +>The second set of directory permissions has no real meaning  +		in the UNIX permissions world and represents the <B +CLASS="COMMAND" +>		"inherited"</B +> permissions that any file created within  +		this directory would inherit.</P +><P +>Samba synthesises these inherited permissions for NT by   		returning as an NT ACL the UNIX permission mode that a new file  -		created by Samba on this share would receive.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2885533"></a>Modifying file or directory permissions</h2></div></div><p>Modifying file and directory permissions is as simple  +		created by Samba on this share would receive.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1681">11.5. Modifying file or directory permissions</H1 +><P +>Modifying file and directory permissions is as simple   	as changing the displayed permissions in the dialog box, and  -	clicking the <b>OK</b> button. However, there are  +	clicking the <B +CLASS="COMMAND" +>OK</B +> button. 
However, there are   	limitations that a user needs to be aware of, and also interactions   	with the standard Samba permission masks and mapping of DOS  -	attributes that need to also be taken into account.</p><p>If the parameter <i><tt>nt acl support</tt></i> -	is set to <tt>false</tt> then any attempt to set  -	security permissions will fail with an <b>"Access Denied" -	</b> message.</p><p>The first thing to note is that the <b>"Add"</b>  -	button will not return a list of users in Samba (it will give  -	an error message of <b>"The remote procedure call failed  -	and did not execute"</b>). This means that you can only  +	attributes that need to also be taken into account.</P +><P +>If the parameter <TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> +	is set to <TT +CLASS="CONSTANT" +>false</TT +> then any attempt to set  +	security permissions will fail with an <B +CLASS="COMMAND" +>"Access Denied" +	</B +> message.</P +><P +>The first thing to note is that the <B +CLASS="COMMAND" +>"Add"</B +>  +	button will not return a list of users in Samba 2.0.4 (it will give  +	an error message of <B +CLASS="COMMAND" +>"The remote procedure call failed  +	and did not execute"</B +>). This means that you can only   	manipulate the current user/group/world permissions listed in   	the dialog box. This actually works quite well as these are the  -	only permissions that UNIX actually has.</p><p>If a permission triple (either user, group, or world)  +	only permissions that UNIX actually has.</P +><P +>If a permission triple (either user, group, or world)   	is removed from the list of permissions in the NT dialog box,  -	then when the <b>"OK"</b> button is pressed it will  -	be applied as "no permissions" on the UNIX side. If you then  -	view the permissions again the "no permissions" entry will appear  -	as the NT <b>"O"</b> flag, as described above. 
This  +	then when the <B +CLASS="COMMAND" +>"OK"</B +> button is pressed it will  +	be applied as "no permissions" on the UNIX side. If you then  +	view the permissions again the "no permissions" entry will appear  +	as the NT <B +CLASS="COMMAND" +>"O"</B +> flag, as described above. This   	allows you to add permissions back to a file or directory once  -	you have removed them from a triple component.</p><p>As UNIX supports only the "r", "w" and "x" bits of  -	an NT ACL then if other NT security attributes such as "Delete  -	access" are selected then they will be ignored when applied on  -	the Samba server.</p><p>When setting permissions on a directory the second  +	you have removed them from a triple component.</P +><P +>As UNIX supports only the "r", "w" and "x" bits of  +	an NT ACL then if other NT security attributes such as "Delete  +	access" are selected then they will be ignored when applied on  +	the Samba server.</P +><P +>When setting permissions on a directory the second   	set of permissions (in the second set of parentheses) is   	by default applied to all files within that directory. 
If this  -	is not what you want you must uncheck the <b>"Replace  -	permissions on existing files"</b> checkbox in the NT  -	dialog before clicking <b>"OK"</b>.</p><p>If you wish to remove all permissions from a  +	is not what you want you must uncheck the <B +CLASS="COMMAND" +>"Replace  +	permissions on existing files"</B +> checkbox in the NT  +	dialog before clicking <B +CLASS="COMMAND" +>"OK"</B +>.</P +><P +>If you wish to remove all permissions from a   	user/group/world  component then you may either highlight the  -	component and click the <b>"Remove"</b> button,  -	or set the component to only have the special <b>"Take -	Ownership"</b> permission (displayed as <b>"O" -	</b>) highlighted.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2885693"></a>Interaction with the standard Samba create mask  -	parameters</h2></div></div><p>There are four parameters  -	to control interaction with the standard Samba create mask parameters. -	These are :</p><p><i><tt>security mask</tt></i></p><p><i><tt>force security mode</tt></i></p><p><i><tt>directory security mask</tt></i></p><p><i><tt>force directory security mode</tt></i></p><p>Once a user clicks <b>"OK"</b> to apply the  +	component and click the <B +CLASS="COMMAND" +>"Remove"</B +> button,  +	or set the component to only have the special <B +CLASS="COMMAND" +>"Take +	Ownership"</B +> permission (displayed as <B +CLASS="COMMAND" +>"O" +	</B +>) highlighted.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1703">11.6. Interaction with the standard Samba create mask  +	parameters</H1 +><P +>Note that with Samba 2.0.5 there are four new parameters  +	to control this interaction.  
These are :</P +><P +><TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force security mode</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>directory security mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory security mode</I +></TT +></P +><P +>Once a user clicks <B +CLASS="COMMAND" +>"OK"</B +> to apply the   	permissions Samba maps the given permissions into a user/group/world   	r/w/x triple set, and then will check the changed permissions for a  -	file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top">  -	<i><tt>security mask</tt></i></a> parameter. Any bits that  +	file against the bits set in the <A +HREF="smb.conf.5.html#SECURITYMASK" +TARGET="_top" +>  +	<TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +></A +> parameter. Any bits that   	were changed that are not set to '1' in this parameter are left alone  -	in the file permissions.</p><p>Essentially, zero bits in the <i><tt>security mask</tt></i> -	mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>  +	in the file permissions.</P +><P +>Essentially, zero bits in the <TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +> +	mask may be treated as a set of bits the user is <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>not</I +></SPAN +>   	allowed to change, and one bits are those the user is allowed to change. -	</p><p>If not set explicitly this parameter is set to the same value as  -	the <a href="smb.conf.5.html#CREATEMASK" target="_top"><i><tt>create mask -	</tt></i></a> parameter. To allow a user to modify all the -	user/group/world permissions on a file, set this parameter  -	to 0777.</p><p>Next Samba checks the changed permissions for a file against  -	the bits set in the <a href="smb.conf.5.html#FORCESECURITYMODE" target="_top"> -	<i><tt>force security mode</tt></i></a> parameter. 
Any bits  +	</P +><P +>If not set explicitly this parameter is set to the same value as  +	the <A +HREF="smb.conf.5.html#CREATEMASK" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>create mask +	</I +></TT +></A +> parameter to provide compatibility with Samba 2.0.4  +	where this permission change facility was introduced. To allow a user to  +	modify all the user/group/world permissions on a file, set this parameter  +	to 0777.</P +><P +>Next Samba checks the changed permissions for a file against  +	the bits set in the <A +HREF="smb.conf.5.html#FORCESECURITYMODE" +TARGET="_top" +>	<TT +CLASS="PARAMETER" +><I +>force security mode</I +></TT +></A +> parameter. Any bits   	that were changed that correspond to bits set to '1' in this parameter  -	are forced to be set.</p><p>Essentially, bits set in the <i><tt>force security mode -	</tt></i> parameter may be treated as a set of bits that, when  -	modifying security on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to the same value  -	as the <a href="smb.conf.5.html#FORCECREATEMODE" target="_top"><i><tt>force  -	create mode</tt></i></a> parameter. +	are forced to be set.</P +><P +>Essentially, bits set in the <TT +CLASS="PARAMETER" +><I +>force security mode +	</I +></TT +> parameter may be treated as a set of bits that, when  +	modifying security on a file, the user has always set to be 'on'.</P +><P +>If not set explicitly this parameter is set to the same value  +	as the <A +HREF="smb.conf.5.html#FORCECREATEMODE" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>force  +	create mode</I +></TT +></A +> parameter to provide compatibility +	with Samba 2.0.4 where the permission change facility was introduced.  	
To allow a user to modify all the user/group/world permissions on a file -	with no restrictions set this parameter to 000.</p><p>The <i><tt>security mask</tt></i> and <i><tt>force  -	security mode</tt></i> parameters are applied to the change  -	request in that order.</p><p>For a directory Samba will perform the same operations as  -	described above for a file except using the parameter <i><tt> -	directory security mask</tt></i> instead of <i><tt>security  -	mask</tt></i>, and <i><tt>force directory security mode -	</tt></i> parameter instead of <i><tt>force security mode -	</tt></i>.</p><p>The <i><tt>directory security mask</tt></i> parameter  -	by default is set to the same value as the <i><tt>directory mask -	</tt></i> parameter and the <i><tt>force directory security  -	mode</tt></i> parameter by default is set to the same value as  - 	the <i><tt>force directory mode</tt></i> parameter. </p><p>In this way Samba enforces the permission restrictions that  +	with no restrictions set this parameter to 000.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>force  +	security mode</I +></TT +> parameters are applied to the change  +	request in that order.</P +><P +>For a directory Samba will perform the same operations as  +	described above for a file except using the parameter <TT +CLASS="PARAMETER" +><I +>	directory security mask</I +></TT +> instead of <TT +CLASS="PARAMETER" +><I +>security  +	mask</I +></TT +>, and <TT +CLASS="PARAMETER" +><I +>force directory security mode +	</I +></TT +> parameter instead of <TT +CLASS="PARAMETER" +><I +>force security mode +	</I +></TT +>.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>directory security mask</I +></TT +> parameter  +	by default is set to the same value as the <TT +CLASS="PARAMETER" +><I +>directory mask +	</I +></TT +> parameter and the <TT +CLASS="PARAMETER" +><I +>force directory security  +	mode</I +></TT +> parameter by default is set to the same value as 
 + 	the <TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +> parameter to provide  +	compatibility with Samba 2.0.4 where the permission change facility  +	was introduced.</P +><P +>In this way Samba enforces the permission restrictions that   	an administrator can set on a Samba share, whilst still allowing users  -	to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control +	to modify the permission bits within that restriction.</P +><P +>If you want to set up a share that allows users full control  	in modifying the permission bits on their files and directories and  	doesn't force any particular bits to be set 'on', then set the following -	parameters in the <tt>smb.conf</tt> file in that share specific section :</p><p><i><tt>security mask = 0777</tt></i></p><p><i><tt>force security mode = 0</tt></i></p><p><i><tt>directory security mask = 0777</tt></i></p><p><i><tt>force directory security mode = 0</tt></i></p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2886008"></a>Interaction with the standard Samba file attribute  -	mapping</h2></div></div><p>Samba maps some of the DOS attribute bits (such as "read  -	only") into the UNIX permissions of a file. 
This means there can  +	parameters in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) +	</TT +></A +> file in that share specific section :</P +><P +><TT +CLASS="PARAMETER" +><I +>security mask = 0777</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force security mode = 0</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>directory security mask = 0777</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory security mode = 0</I +></TT +></P +><P +>As described, in Samba 2.0.4 the parameters :</P +><P +><TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>directory mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +></P +><P +>were used instead of the parameters discussed here.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1767">11.7. Interaction with the standard Samba file attribute  +	mapping</H1 +><P +>Samba maps some of the DOS attribute bits (such as "read  +	only") into the UNIX permissions of a file. This means there can   	be a conflict between the permission bits set via the security   	dialog and the permission bits set by the file attribute mapping. -	</p><p>One way this can show up is if a file has no UNIX read access -	for the owner it will show up as "read only" in the standard  +	</P +><P +>One way this can show up is if a file has no UNIX read access +	for the owner it will show up as "read only" in the standard   	file attributes tabbed dialog. 
Unfortunately this dialog is -	the same one that contains the security info in another tab.</p><p>What this can mean is that if the owner changes the permissions +	the same one that contains the security info in another tab.</P +><P +>What this can mean is that if the owner changes the permissions  	to allow themselves read access using the security dialog, clicks -	<b>"OK"</b> to get back to the standard attributes tab  -	dialog, and then clicks <b>"OK"</b> on that dialog, then  +	<B +CLASS="COMMAND" +>"OK"</B +> to get back to the standard attributes tab  +	dialog, and then clicks <B +CLASS="COMMAND" +>"OK"</B +> on that dialog, then   	NT will set the file permissions back to read-only (as that is what   	the attributes still say in the dialog). This means that after setting  -	permissions and clicking <b>"OK"</b> to get back to the  -	attributes dialog you should always hit <b>"Cancel"</b>  -	rather than <b>"OK"</b> to ensure that your changes  -	are not overridden.</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. User information database </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. 
Configuring Group Mapping</td></tr></table></div></body></html> +	permissions and clicking <B +CLASS="COMMAND" +>"OK"</B +> to get back to the  +	attributes dialog you should always hit <B +CLASS="COMMAND" +>"Cancel"</B +>  +	rather than <B +CLASS="COMMAND" +>"OK"</B +> to ensure that your changes  +	are not overridden.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="integrate-ms-networks.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="pam.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Integrating MS Windows networks with Samba</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Configuring PAM for distributed but centrally  +managed authentication</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file | 
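Review bot: The removed "Note" block near the top of the hunk has no counterpart in the added text and should be carried over. It is the paragraph stating that all access to UNIX/Linux files via Samba is controlled at the operating system file access control level, and that the identity of the Windows user as presented by Samba is best determined from the Samba log files. That is the one piece of troubleshooting guidance in the chapter that tells an administrator where to look when an ACL change made from the NT dialog does not behave as expected. The added text also narrows "From an NT4/2000/XP client" to "From an NT 4.0 client" and reintroduces release-specific wording ("New in the Samba 2.0.4 release", "with Samba 2.0.5 there are four new parameters", "to provide compatibility with Samba 2.0.4"), so readers on later releases cannot tell whether the described defaults for nt acl support and the four security mask parameters still apply. If the older wording is intended, say so in the commit message; otherwise keep the version-neutral sentences from the removed side. Finally, the section anchors change from id2881950-style names to AEN1605-style names and the Prev/Next targets change from passdb.html and groupmapping.html to integrate-ms-networks.html and pam.html, so any page linking to the old fragment identifiers needs updating in the same change. The file also now ends without a trailing newline.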
