diff options
Diffstat (limited to 'docs/smbdotconf/security/forcedirectorysecuritymode.xml')
| -rw-r--r-- | docs/smbdotconf/security/forcedirectorysecuritymode.xml | 46 |
1 files changed, 27 insertions, 19 deletions
diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml index 184337ba69..2c15ec2753 100644 --- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml @@ -3,25 +3,33 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box.</para> - - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions.</para> - - <note><para>Users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000.</para></note> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + </para> + + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead + of an OR. + </para> + + <para> + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). + </para> + + <para> + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. + </para> + + <note><para> + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. + </para></note> </description> |